Help me with malware remove [Closed]



#31
SomeNewUser
Member (Topic Starter), 26 posts

Hi, sorry for the delay - I had a really tough few days. Here is the log from ComboFix:

ComboFix 14-10-24.01 - SomeNewUser 24.10.2014  10:50:44.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1251.359.1033.18.2047.1102 [GMT 3:00]
Running from: c:\documents and settings\SomeNewUser\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\SomeNewUser\Desktop\CFScript.txt
 * Created a new restore point
.
FILE ::
"c:\docume~1\ADMINI~1\LOCALS~1\Temp\aswVmm.sys"
"c:\windows\system32\drivers\09AA0966.sys"
"c:\windows\system32\drivers\4232604E.sys"
"c:\windows\system32\drivers\48230029.sys"
"c:\windows\system32\drivers\7AC25C73.sys"
"c:\windows\system32\drivers\7D44203F.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
c:\documents and settings\All Users\Application Data\Malwarebytes
c:\documents and settings\All Users\Kaspersky Lab Setup Files
c:\documents and settings\SomeNewUser\Application Data\vT2Tj2gpD7Y
c:\documents and settings\SomeNewUser\Application Data\vT2Tj2gpD7Y\fblGdkWHp5nTHdNrzt3k.dat
c:\documents and settings\SomeNewUser\Application Data\vT2Tj2gpD7Y\SVGxwKWTDI8yRSOFDHaJr1gGdIJJXt3P.dat
c:\documents and settings\SomeNewUser\Local Settings\Application Data\ESET
c:\documents and settings\LocalService\Local Settings\Application Data\ESET
c:\program files\Common Files\Wise Installation Wizard
c:\program files\Common Files\Wise Installation Wizard\WISAF54923662584AC6A0435B5B89C6EB61_4_17_6_4336.MSI
c:\program files\Reason
c:\program files\Reason\herdProtect\Scanner\Quarantine.dat
c:\program files\SUPERAntiSpyware
c:\program files\SUPERAntiSpyware\High Contrast Black.set
c:\program files\SUPERAntiSpyware\SAS Default.set
c:\program files\SUPERAntiSpyware\SUPERDelete.exe
c:\windows\AF54923662584AC6A0435B5B89C6EB61.TMP
c:\windows\AF54923662584AC6A0435B5B89C6EB61.TMP\WiseCustomCalla21.exe
c:\windows\system32\drivers\09AA0966.sys
c:\windows\system32\drivers\4232604E.sys
c:\windows\system32\drivers\48230029.sys
c:\windows\system32\drivers\7AC25C73.sys
c:\windows\system32\drivers\7D44203F.sys
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ASWVMM
-------\Legacy_ESGIGUARD
-------\Legacy_LAVASOFT_AD-AWARE_SERVICE
-------\Legacy_MBAMSWISSARMY
-------\Service_aswVmm
-------\Service_esgiguard
-------\Service_Lavasoft Ad-Aware Service
-------\Service_MBAMSwissArmy
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-24 to 2014-10-24  )))))))))))))))))))))))))))))))
.
.
2014-10-22 10:20 . 2014-10-22 10:20    --------    d-----w-    c:\program files\TRENDnet
2014-10-22 07:04 . 2014-10-22 07:04    110080    ----a-r-    c:\documents and settings\SomeNewUser\Application Data\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconF7A21AF7.exe
2014-10-22 07:04 . 2014-10-22 07:04    110080    ----a-r-    c:\documents and settings\SomeNewUser\Application Data\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconD7F16134.exe
2014-10-22 07:04 . 2014-10-22 07:04    110080    ----a-r-    c:\documents and settings\SomeNewUser\Application Data\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconCF33A0CE.exe
2014-10-22 07:04 . 2014-10-22 07:04    --------    d-----w-    C:\sh4ldr
2014-10-19 19:51 . 2014-10-19 19:51    --------    d-----w-    c:\program files\Common Files\Java
2014-10-19 19:50 . 2014-10-19 19:50    146432    ----a-w-    c:\windows\system32\javacpl.cpl
2014-10-19 19:50 . 2014-10-19 19:50    --------    d-----w-    c:\program files\Java
2014-10-19 19:40 . 2014-10-19 19:40    --------    d-----w-    c:\documents and settings\All Users\Application Data\Oracle
2014-10-12 00:30 . 2014-10-20 09:46    --------    d-----w-    C:\FRST
2014-10-11 14:42 . 2014-10-11 14:42    --------    d-----w-    c:\program files\Windows Resource Kits
2014-10-10 21:02 . 2014-10-10 21:02    34808    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-10-10 21:02 . 2014-10-10 21:02    --------    d-----w-    c:\documents and settings\All Users\Application Data\RogueKiller
2014-10-10 20:52 . 2014-10-10 20:52    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Google
2014-10-10 20:50 . 2008-04-14 12:00    221184    ----a-w-    c:\windows\system32\wmpns.dll
2014-10-10 20:49 . 2014-10-10 20:49    --------    d-----w-    c:\windows\ERUNT
2014-10-10 20:25 . 2014-10-10 20:44    --------    d-----w-    C:\AdwCleaner
2014-10-10 20:16 . 2014-10-10 20:16    --------    d-----w-    c:\windows\system32\drivers\netfilter.sys
2014-09-29 10:13 . 2012-09-10 12:40    159744    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\npqtplugin7.dll
2014-09-29 10:13 . 2012-09-10 12:40    159744    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\npqtplugin6.dll
2014-09-29 10:13 . 2012-09-10 12:40    159744    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\npqtplugin5.dll
2014-09-29 10:13 . 2012-09-10 12:40    159744    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\npqtplugin4.dll
2014-09-29 10:13 . 2012-09-10 12:40    159744    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\npqtplugin3.dll
2014-09-29 10:13 . 2012-09-10 12:40    159744    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\npqtplugin.dll
2014-09-29 10:13 . 2014-08-30 10:12    18544    ----a-w-    c:\program files\Mozilla Firefox\updated\plugin-container.exe
2014-09-29 10:13 . 2013-02-15 22:04    208448    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\nppdf32.dll
2014-09-29 10:13 . 2007-04-10 14:21    163256    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\np-mswmp.dll
2014-09-29 10:13 . 2005-09-29 09:23    13888    ----a-w-    c:\program files\Mozilla Firefox\updated\Plugins\NPOFFICE.DLL
2014-09-25 09:54 . 2014-09-25 09:54    --------    d-----w-    c:\program files\CoreFTP
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-19 19:50 . 2014-08-08 05:02    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 16876032]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-05-15 1634112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-10-07 507776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\SomeNewUser\\Application Data\\BitTorrent\\BitTorrent.exe"=
"c:\\Documents and Settings\\SomeNewUser\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2012 12:39 PM 64288]
R0 mrdd;Marvell Removable Disk Control Driver;c:\windows\system32\drivers\mrdd.sys [7/25/2012 2:20 AM 18984]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2/9/2009 5:30 AM 152616]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/17/2013 2:17 PM 118768]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [10/4/2012 12:23 PM 2568120]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/1/2013 4:48 AM 36600]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [4/3/2014 8:21 PM 315008]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [2/9/2014 12:06 PM 4799760]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [9/15/2009 1:59 PM 38248]
S0 69512100;69512100;c:\windows\system32\DRIVERS\69512100.sys --> c:\windows\system32\DRIVERS\69512100.sys [?]
S2 BT848;BtCap, WDM Video Capture;c:\windows\system32\drivers\BT848.SYS [1/26/2012 12:31 PM 294380]
S2 BTTUNER;BtTuner, WDM TV Tuner;c:\windows\system32\drivers\BTTUNER.SYS --> c:\windows\system32\drivers\BTTUNER.SYS [?]
S2 BTXBAR;BtXBar, WDM Crossbar;c:\windows\system32\drivers\BTXBAR.SYS --> c:\windows\system32\drivers\BTXBAR.SYS [?]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE --> c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [?]
S3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\drivers\lgandnetdiag.sys [7/3/2012 11:43 AM 23168]
S3 AndNetDiag2;LGE AndroidNet For Diagnostics Port;c:\windows\system32\drivers\lgandnetdiag2.sys [5/12/2014 11:14 AM 23168]
S3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\drivers\lgandnetmodem.sys [7/3/2012 11:43 AM 27776]
S3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;c:\windows\system32\drivers\lgandnetndis.sys [5/12/2014 11:14 AM 70656]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [7/25/2012 12:25 PM 3567]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [8/14/2012 1:13 PM 15688]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [8/14/2012 1:13 PM 10320]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/26/2012 2:52 PM 27064]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2013 12:03 AM 685816]
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-28 14:29]
.
2014-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-28 14:29]
.
2014-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003Core.job
- c:\documents and settings\SomeNewUser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-25 14:14]
.
2014-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003UA.job
- c:\documents and settings\SomeNewUser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-25 14:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Free YouTube Download - c:\program files\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm
FF - ProfilePath - c:\documents and settings\SomeNewUser\Application Data\Mozilla\Firefox\Profiles\simr37uq.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2014-08-26 11:59; [email protected]; c:\documents and settings\SomeNewUser\Application Data\Mozilla\Firefox\Profiles\simr37uq.default\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SpyHunter Security Suite - c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-10-24 10:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1957994488-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0F880878-6CC4-50CF-CDDA-AB53857C41C7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1957994488-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF312AE2-BBF0-A0A2-0968-A9E568C44577}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Apache Group\Apache2\bin\Apache.exe
c:\program files\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\crypserv.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TightVNC\WinVNC.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\TeamViewer\Version9\TeamViewer.exe
c:\program files\TeamViewer\Version9\tv_w32.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Lexmark 1200 Series\lxczbmon.exe
.
**************************************************************************
.
Completion time: 2014-10-24  10:59:45 - machine was rebooted
ComboFix-quarantined-files.txt  2014-10-24 07:59
ComboFix2.txt  2014-10-22 06:29
.
Pre-Run: 1640808448 bytes free
Post-Run: 1842511872 bytes free
.
- - End Of File - - FFF917794D410266F38C5CA73C529DCB
8F558EB6672622401DA993E1E865C861




#32
Naathim
GeekU Minion (Expert), 4,568 posts

CF couldn't handle it. I need a fresh scan to make a script for another tool.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users: click Run after receipt of the Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.



#33
SomeNewUser
Member (Topic Starter), 26 posts

Hi, I just did. Here are the logs:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-10-2014
Ran by Administrator (administrator) on PC on 24-10-2014 11:11:34
Running from L:\
Loaded Profiles: SomeNewUser & Administrator (Available profiles: SomeNewUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 6
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lexmark International, Inc.) C:\WINDOWS\system32\LEXBCES.EXE
(Lexmark International, Inc.) C:\WINDOWS\system32\LEXPPS.EXE
(Apache Software Foundation) C:\Program Files\Apache Group\Apache2\bin\Apache.exe
(Apache Software Foundation) C:\Program Files\Apache Group\Apache2\bin\Apache.exe
(CrypKey (Canada) Ltd.) C:\WINDOWS\system32\Crypserv.exe
(NVIDIA) C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(TightVNC Group) C:\Program Files\TightVNC\WinVNC.exe
(WIBU-SYSTEMS AG) C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\tv_w32.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16876032 2008-07-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1634112 2012-05-15] ()
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Lexmark 1200 Series] => C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe [57344 2006-07-13] (Lexmark International, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Winlogon: [UIHost] C:\WINDOWS\system32\logonui.exe [514560 2008-04-14] ( (Microsoft Corporation))
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\...\Policies\Explorer: [TaskbarNoNotification] 0
BootExecute:

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vuf7q31d.default
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll No File
FF Plugin: hbgk.net/WebDvrCtrl -> C:\Program Files\WebControl\npWebCtrl.dll (TODO: <公司名>)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Mozilla Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-07-26]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx []
CHR StartMenuInternet: Google Chrome - C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apache2; C:\Program Files\Apache Group\Apache2\bin\Apache.exe [20541 2006-04-29] (Apache Software Foundation) [File not signed]
R2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2568120 2012-07-19] (WIBU-SYSTEMS AG)
R2 Crypkey License; C:\WINDOWS\system32\crypserv.exe [69632 2006-03-01] (CrypKey (Canada) Ltd.) [File not signed]
R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2006-04-18] (Lexmark International, Inc.)
R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [192832 2011-09-19] (NVIDIA)
R2 winvnc; C:\Program Files\TightVNC\WinVNC.exe [585728 2009-03-05] (TightVNC Group) [File not signed]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AndNetDiag; C:\WINDOWS\System32\DRIVERS\lgandnetdiag.sys [23168 2013-04-18] (LG Electronics Inc.)
S3 AndNetDiag2; C:\WINDOWS\System32\DRIVERS\lgandnetdiag2.sys [23168 2013-04-18] (LG Electronics Inc.)
S3 ANDNetModem; C:\WINDOWS\System32\DRIVERS\lgandnetmodem.sys [27776 2013-06-28] (LG Electronics Inc.)
S3 andnetndis; C:\WINDOWS\System32\DRIVERS\lgandnetndis.sys [70656 2013-04-23] (LG Electronics Inc.)
R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12400 2007-12-17] ()
R3 axsaki; C:\WINDOWS\System32\DRIVERS\axsaki.sys [102624 2003-03-30] ( ) [File not signed]
R3 axskbus; C:\WINDOWS\System32\DRIVERS\axskbus.sys [8640 2003-03-28] ( ) [File not signed]
S2 BT848; C:\WINDOWS\System32\drivers\BT848.SYS [294380 2002-02-22] (TelSignal Co., Ltd.) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R1 epfwtdir; C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [118768 2013-09-17] (ESET)
S3 EsgScanner; C:\WINDOWS\System32\DRIVERS\EsgScanner.sys [19984 2012-06-22] ()
S3 L1e; C:\WINDOWS\System32\DRIVERS\l1e51x86.sys [36864 2008-06-26] (Atheros Communications, Inc.)
R0 Lbd; C:\WINDOWS\System32\DRIVERS\Lbd.sys [64288 2009-12-02] (Lavasoft AB)
R0 mrdd; C:\WINDOWS\System32\DRIVERS\mrdd.sys [18984 2008-11-12] (Marvell Semiconductor, Inc.)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
R0 mv61xx; C:\WINDOWS\System32\DRIVERS\mv61xx.sys [152616 2009-02-09] (Marvell Semiconductor, Inc.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R1 NetworkX; C:\WINDOWS\system32\ckldrv.sys [31846 2006-01-10] () [File not signed]
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-14] (Microsoft Corporation)
R2 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
S3 PAC7302; C:\WINDOWS\System32\DRIVERS\PAC7302.SYS [461824 2009-04-28] (PixArt Imaging Inc.) [File not signed]
S3 PortTalk; C:\WINDOWS\System32\Drivers\PortTalk.sys [3567 2002-01-12] (Beyond Logic http://www.beyondlogic.org) [File not signed]
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [46080 2006-05-16] (Sonic Solutions) [File not signed]
S3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R0 snapman; C:\WINDOWS\System32\DRIVERS\snapman.sys [99776 2012-08-14] (Acronis) [File not signed]
S4 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [685816 2013-10-10] (Duplex Secure Ltd.)
U3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [34808 2014-10-11] ()
S3 w810bus; C:\WINDOWS\System32\DRIVERS\w810bus.sys [58288 2006-02-20] (MCCI)
S3 w810mdfl; C:\WINDOWS\System32\DRIVERS\w810mdfl.sys [8336 2006-02-20] (MCCI)
S3 w810mdm; C:\WINDOWS\System32\DRIVERS\w810mdm.sys [94064 2006-02-20] (MCCI)
S3 w810mgmt; C:\WINDOWS\System32\DRIVERS\w810mgmt.sys [85408 2006-02-20] (MCCI)
S3 w810obex; C:\WINDOWS\System32\DRIVERS\w810obex.sys [83344 2006-02-20] (MCCI)
S0 69512100; system32\DRIVERS\69512100.sys [X]
S2 BTTUNER; system32\drivers\BTTUNER.SYS [X]
S2 BTXBAR; system32\drivers\BTXBAR.SYS [X]
R3 catchme; \??\C:\ComboFix\catchme.sys [X]
S4 IntelIde; No ImagePath
U5 netfilter; C:\Windows\System32\Drivers\netfilter.sys [0 2014-10-10] () [File not signed]
U3 mbr; \??\C:\DOCUME~1\SomeNewUser\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-24 10:59 - 2014-10-24 11:11 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-10-24 10:59 - 2014-10-24 11:09 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\temp
2014-10-24 10:59 - 2014-10-24 10:59 - 00020748 _____ () C:\ComboFix.txt
2014-10-24 10:59 - 2014-10-24 10:59 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-10-24 10:59 - 2014-10-24 10:59 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-10-24 10:56 - 2014-10-24 10:56 - 00000000 ____H () C:\Documents and Settings\All Users\Application Data\cm-lock
2014-10-24 10:48 - 2014-10-24 10:59 - 00000000 ____D () C:\ComboFix
2014-10-23 19:45 - 2014-10-23 19:45 - 00000077 _____ () C:\Documents and Settings\SomeNewUser\Desktop\desktop.scf
2014-10-23 18:17 - 2014-10-24 10:48 - 05583977 ____R (Swearware) C:\Documents and Settings\SomeNewUser\Desktop\ComboFix.exe
2014-10-22 13:21 - 2014-10-22 13:21 - 00000073 _____ () C:\WINDOWS\system32\-1
2014-10-22 13:21 - 2014-10-22 13:21 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
2014-10-22 13:20 - 2014-10-22 15:56 - 00002519 _____ () C:\Documents and Settings\All Users\Desktop\TRENDnet Powerline Utility.lnk
2014-10-22 13:20 - 2014-10-22 13:20 - 00000000 ____D () C:\Program Files\TRENDnet
2014-10-22 13:20 - 2014-10-22 13:20 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\TRENDnet Inc
2014-10-22 10:04 - 2014-10-22 10:04 - 00001981 _____ () C:\Documents and Settings\SomeNewUser\Desktop\SpyHunter.lnk
2014-10-22 10:04 - 2014-10-22 10:04 - 00000000 ____D () C:\sh4ldr
2014-10-22 10:04 - 2014-10-22 10:04 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\SpyHunter
2014-10-19 22:51 - 2014-10-19 22:51 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-10-19 22:50 - 2014-10-19 22:50 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-10-19 22:50 - 2014-10-19 22:50 - 00000000 ____D () C:\Program Files\Java
2014-10-19 22:40 - 2014-10-19 22:40 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2014-10-15 11:03 - 2014-10-15 11:04 - 00008702 _____ () C:\Documents and Settings\SomeNewUser\Desktop\gmer.txt
2014-10-15 10:44 - 2014-10-15 10:45 - 00000160 _____ () C:\Documents and Settings\SomeNewUser\defogger_reenable
2014-10-14 18:58 - 2014-10-14 19:00 - 00042093 _____ () C:\Documents and Settings\SomeNewUser\Desktop\gmer-old.log
2014-10-14 18:57 - 2014-10-14 18:57 - 00021764 _____ () C:\Documents and Settings\Administrator\Desktop\gmer.log
2014-10-14 18:27 - 2014-10-14 18:23 - 00380416 _____ () C:\Documents and Settings\SomeNewUser\Desktop\d3v1cegw.exe
2014-10-12 03:30 - 2014-10-24 11:11 - 00000000 ____D () C:\FRST
2014-10-11 21:59 - 2014-10-11 21:59 - 00001919 _____ () C:\WINDOWS\epplauncher.mif
2014-10-11 21:59 - 2014-10-11 21:59 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2014-10-11 17:54 - 2014-10-11 18:04 - 00000013 _____ () C:\Documents and Settings\Administrator\Desktop\New Text Document.txt
2014-10-11 17:42 - 2014-10-11 17:42 - 00000000 ____D () C:\Program Files\Windows Resource Kits
2014-10-11 17:21 - 2014-10-11 17:21 - 00060408 _____ () C:\Documents and Settings\Administrator\Desktop\regscanner.zip
2014-10-11 16:05 - 2014-10-11 16:05 - 00014215 _____ () C:\WINDOWS\KB942288-v3.log
2014-10-11 16:05 - 2014-10-11 16:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB942288-v3$
2014-10-11 16:05 - 2007-11-30 05:39 - 00017272 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsg.dll
2014-10-11 15:57 - 2014-10-11 15:57 - 00011348 _____ () C:\Documents and Settings\Administrator\Desktop\safemsi.zip
2014-10-11 15:57 - 2014-10-11 15:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\safemsi
2014-10-11 15:44 - 2014-10-11 15:44 - 00001153 _____ () C:\Documents and Settings\Administrator\Desktop\fix2.zip
2014-10-11 15:44 - 2014-10-11 15:44 - 00000397 _____ () C:\Documents and Settings\Administrator\Desktop\fix1.zip
2014-10-11 02:40 - 2014-10-24 10:54 - 00008192 ____H () C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-10-11 02:40 - 2014-10-11 02:40 - 00000000 ____H () C:\WINDOWS\system32\config\system.tmp.LOG
2014-10-11 02:40 - 2014-10-11 02:40 - 00000000 ____H () C:\WINDOWS\system32\config\software.tmp.LOG
2014-10-11 02:40 - 2014-10-11 02:40 - 00000000 ____H () C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-10-11 02:40 - 2014-10-11 02:40 - 00000000 ____H () C:\WINDOWS\system32\config\default.tmp.LOG
2014-10-11 02:31 - 2014-10-11 02:31 - 00000000 _RSHD () C:\cmdcons
2014-10-11 02:31 - 2014-08-26 14:30 - 00000245 _____ () C:\Boot.bak
2014-10-11 02:31 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-10-11 02:29 - 2014-10-24 10:59 - 00000000 ____D () C:\Qoobox
2014-10-11 02:29 - 2014-10-24 10:54 - 00000000 ____D () C:\WINDOWS\erdnt
2014-10-11 02:29 - 2011-06-26 09:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-10-11 02:29 - 2010-11-07 20:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-10-11 02:29 - 2009-04-20 07:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-10-11 02:29 - 2000-08-31 03:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-10-11 02:29 - 2000-08-31 03:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-10-11 02:29 - 2000-08-31 03:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-10-11 02:29 - 2000-08-31 03:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-10-11 02:29 - 2000-08-31 03:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-10-11 02:29 - 2000-08-31 03:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-10-11 01:30 - 2014-10-11 01:31 - 00004478 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Rkill.txt
2014-10-11 00:02 - 2014-10-11 00:02 - 00034808 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2014-10-11 00:02 - 2014-10-11 00:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2014-10-10 23:52 - 2014-10-10 23:52 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2014-10-10 23:51 - 2014-10-10 23:51 - 00001234 _____ () C:\Documents and Settings\Administrator\Desktop\JRT.txt
2014-10-10 23:50 - 2014-10-10 23:50 - 00000773 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2014-10-10 23:50 - 2014-10-10 23:50 - 00000744 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.lnk
2014-10-10 23:50 - 2008-04-14 15:00 - 00221184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmpns.dll
2014-10-10 23:49 - 2014-10-10 23:49 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-10-10 23:25 - 2014-10-10 23:44 - 00000000 ____D () C:\AdwCleaner
2014-10-10 23:16 - 2014-10-12 03:25 - 00000000 ___SH () C:\WINDOWS\VZT6nsdX.txt
2014-10-10 23:16 - 2014-10-10 23:16 - 00000000 ____D () C:\WINDOWS\system32\Drivers\netfilter.sys
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\TrustPort
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\Panda Security
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\MicroWorld
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\McAfee
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\InfoWatch
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\G Data
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\eAcceleration
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\Doctor Web
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\BullGuard Ltd
2014-10-10 22:05 - 2014-10-18 19:38 - 00000000 __RSH () C:\Program Files\Common Files\Bitdefender
2014-10-10 13:54 - 2014-10-10 23:55 - 00000855 _____ () C:\WINDOWS\system32\Drivers\etc\hosts.conf
2014-10-10 13:54 - 2014-10-10 13:54 - 00000000 ___SH () C:\WINDOWS\PsfjH4KN.txt
2014-10-10 13:54 - 2014-10-10 13:54 - 00000000 ___SH () C:\WINDOWS\F5Ws94kb.txt
2014-10-10 13:50 - 2014-10-10 09:30 - 00002048 _____ () C:\WINDOWS\bootstat2.dat
2014-10-02 13:48 - 2014-10-02 13:48 - 00000097 _____ () C:\New Text Document (2).txt
2014-09-29 22:00 - 2014-09-29 22:00 - 00000730 _____ () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2014-09-25 12:54 - 2014-09-25 12:54 - 00000672 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Core FTP LE.lnk
2014-09-25 12:54 - 2014-09-25 12:54 - 00000000 ____D () C:\Program Files\CoreFTP
2014-09-25 12:54 - 2014-09-25 12:54 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\Core FTP

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-24 11:09 - 2012-07-26 12:37 - 00000178 __SHC () C:\Documents and Settings\Administrator\ntuser.ini
2014-10-24 11:02 - 2012-07-25 02:03 - 00345876 _____ () C:\WINDOWS\WindowsUpdate.log
2014-10-24 10:58 - 2012-10-28 13:22 - 00878739 _____ () C:\WINDOWS\error.log
2014-10-24 10:58 - 2008-04-14 15:00 - 00001068 _____ () C:\WINDOWS\win.ini
2014-10-24 10:57 - 2008-04-14 15:00 - 00000435 _____ () C:\WINDOWS\system.ini
2014-10-24 10:56 - 2012-10-28 13:22 - 00017127 _____ () C:\WINDOWS\errord.log
2014-10-24 10:56 - 2012-08-28 17:29 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-24 10:56 - 2012-07-25 04:53 - 00000159 ____C () C:\WINDOWS\wiadebug.log
2014-10-24 10:56 - 2012-07-25 04:53 - 00000053 ____C () C:\WINDOWS\wiaservc.log
2014-10-24 10:56 - 2012-07-25 02:07 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-10-24 10:55 - 2012-07-25 04:51 - 00053248 _____ () C:\WINDOWS\system32\config\SECURITY.bak
2014-10-24 10:55 - 2012-07-25 04:51 - 00028672 _____ () C:\WINDOWS\system32\config\SAM.bak
2014-10-24 10:55 - 2012-07-25 04:50 - 28135424 _____ () C:\WINDOWS\system32\config\software.bak
2014-10-24 10:55 - 2012-07-25 04:50 - 10485760 _____ () C:\WINDOWS\system32\config\system.bak
2014-10-24 10:55 - 2012-07-25 04:50 - 00315392 _____ () C:\WINDOWS\system32\config\default.bak
2014-10-24 10:48 - 2012-07-25 02:07 - 00032638 _____ () C:\WINDOWS\SchedLgU.Txt
2014-10-24 10:46 - 2012-07-25 13:07 - 00000600 _____ () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\PUTTY.RND
2014-10-24 10:40 - 2012-08-28 17:29 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-24 10:39 - 2012-07-25 13:26 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\Skype
2014-10-24 10:28 - 2012-07-25 17:14 - 00001082 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003UA.job
2014-10-24 10:21 - 2012-07-25 13:26 - 00002497 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Word 2003.lnk
2014-10-24 10:13 - 2012-07-25 13:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Skype
2014-10-24 02:25 - 2013-12-29 03:20 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\BitTorrent
2014-10-24 02:25 - 2012-07-25 02:07 - 00000278 ___SH () C:\Documents and Settings\SomeNewUser\ntuser.ini
2014-10-24 02:03 - 2012-07-25 17:08 - 00000000 ____D () C:\Program Files\The KMPlayer
2014-10-23 21:28 - 2012-07-25 17:14 - 00001030 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003Core.job
2014-10-23 11:09 - 2014-03-03 19:17 - 00008114 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Mihail Zadornov.txt
2014-10-23 10:50 - 2008-04-14 15:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-10-22 23:24 - 2012-07-26 02:35 - 00065536 _____ () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-10-22 23:24 - 2012-07-26 00:07 - 00000116 _____ () C:\WINDOWS\NeroDigital.ini
2014-10-22 23:08 - 2012-07-25 04:51 - 00176544 _____ () C:\WINDOWS\setupapi.log
2014-10-22 13:21 - 2012-11-20 03:23 - 00000000 ____D () C:\Program Files\WinPcap
2014-10-22 09:29 - 2012-07-25 02:07 - 00000000 ____D () C:\Documents and Settings\NetworkService
2014-10-20 03:41 - 2012-07-25 18:12 - 00002397 _____ () C:\Documents and Settings\All Users\Desktop\ACDSee 5.0.lnk
2014-10-20 03:21 - 2013-09-09 20:58 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Desktop\123
2014-10-19 22:50 - 2014-08-08 08:02 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-10-19 00:25 - 2013-10-05 02:11 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\vlc
2014-10-18 21:56 - 2012-10-05 23:41 - 00000000 ____D () C:\Program Files\Cheat Engine
2014-10-18 21:56 - 2012-07-25 17:22 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\CRE
2014-10-18 19:54 - 2012-07-27 10:16 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\My Documents\Readon Player
2014-10-18 19:53 - 2012-08-05 01:20 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\SimpleTV V03
2014-10-17 20:11 - 2013-11-06 09:41 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\uTorrent
2014-10-17 20:02 - 2012-07-25 12:48 - 00000000 ____D () C:\Installs
2014-10-15 12:09 - 2012-07-25 13:25 - 00002495 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Excel 2003.lnk
2014-10-15 10:44 - 2012-07-25 02:07 - 00000000 ____D () C:\Documents and Settings\SomeNewUser
2014-10-15 04:11 - 2012-07-26 12:37 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-10-14 14:30 - 2014-04-21 01:06 - 00000000 ____D () C:\New Folder
2014-10-12 16:37 - 2012-07-26 11:39 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-10-12 03:29 - 2012-07-25 02:02 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-10-11 22:48 - 2013-12-29 03:21 - 00000823 _____ () C:\Documents and Settings\SomeNewUser\Desktop\BitTorrent.lnk
2014-10-11 22:41 - 2012-11-14 01:26 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-10-11 22:41 - 2012-07-25 02:04 - 00002577 _____ () C:\WINDOWS\system32\CONFIG.NT
2014-10-11 18:03 - 2012-07-25 04:52 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-10-11 16:05 - 2012-07-25 04:52 - 00068219 ____C () C:\WINDOWS\iis6.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00030088 ____C () C:\WINDOWS\FaxSetup.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00023640 ____C () C:\WINDOWS\ocgen.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00021922 ____C () C:\WINDOWS\comsetup.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00019266 ____C () C:\WINDOWS\tsoc.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00015592 ____C () C:\WINDOWS\msmqinst.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00011613 ____C () C:\WINDOWS\ntdtcsetup.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00006039 ____C () C:\WINDOWS\netfxocm.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00002762 ____C () C:\WINDOWS\MedCtrOC.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00002185 ____C () C:\WINDOWS\tabletoc.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00001911 ____C () C:\WINDOWS\ocmsn.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00001798 ____C () C:\WINDOWS\msgsocm.log
2014-10-11 16:05 - 2012-07-25 04:52 - 00001393 _____ () C:\WINDOWS\imsins.log
2014-10-11 16:05 - 2012-07-25 04:43 - 00000000 ____D () C:\WINDOWS\system32\mui
2014-10-11 15:46 - 2014-01-13 15:53 - 00006238 __RSH () C:\Documents and Settings\All Users\ntuser.pol
2014-10-11 15:21 - 2014-02-25 21:19 - 00000000 __SHD () C:\WINDOWS\CSC
2014-10-11 02:31 - 2012-07-25 04:50 - 00000355 __RSH () C:\boot.ini
2014-10-11 00:27 - 2012-07-25 02:07 - 00001605 _____ () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\Remote Assistance.lnk
2014-10-11 00:27 - 2012-07-25 02:04 - 00001605 ____C () C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk
2014-10-11 00:20 - 2012-11-10 01:49 - 00000000 ____D () C:\Documents and Settings\All Users\Local Settings\Temp
2014-10-11 00:15 - 2012-07-25 02:04 - 00001513 _____ () C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
2014-10-11 00:14 - 2012-07-26 12:37 - 00001605 ____C () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-10-10 23:50 - 2012-07-26 12:37 - 00000798 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-10-10 23:50 - 2012-07-26 12:37 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-10-10 23:50 - 2012-07-25 02:01 - 00005832 ____C () C:\WINDOWS\wmsetup.log
2014-10-10 22:39 - 2012-07-25 04:51 - 00188301 _____ () C:\WINDOWS\setupact.log
2014-10-10 21:48 - 2012-07-26 15:00 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Ashampoo
2014-10-10 13:53 - 2013-04-12 15:45 - 00000000 ____D () C:\Program Files\Adobe
2014-10-10 13:53 - 2012-07-25 02:02 - 00000000 ____D () C:\WINDOWS\system32\Macromed
2014-10-10 09:30 - 2012-11-14 14:55 - 00187010 _____ () C:\aaw7boot.log
2014-10-09 18:52 - 2014-08-26 11:59 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\.ACEStream
2014-10-08 10:39 - 2012-07-25 18:40 - 00000041 _____ () C:\WINDOWS\crw.ini
2014-09-30 09:01 - 2012-07-25 12:04 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-09-29 22:00 - 2014-08-30 13:12 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-29 22:00 - 2012-07-25 12:04 - 00000736 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2014-09-28 00:55 - 2012-10-25 19:54 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\CoreFTP

Some content of TEMP:
====================
C:\Documents and Settings\SomeNewUser\Local Settings\temp\rtdrvmon.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 23-10-2014
Ran by Administrator at 2014-10-24 11:12:01
Running from L:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM\...\uTorrent) (Version: 1.8.5 - )
3Com TFTP Server (HKLM\...\{155940A6-F4CF-434F-BBFD-A26A4E3D02C0}) (Version: 1.05 - 3Com)
7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
ACDSee 5.0 Standard (HKLM\...\{AF5E8D43-49AD-4BE7-A941-2BB0A8CACA62}) (Version: 5.0.0 - ACD Systems Ltd)
Acronis Disk Director Suite (HKLM\...\{2300EE96-0A41-4FAB-BD03-989EC44577A0}) (Version: 10.0.2117 - Acronis)
Adobe Reader XI (11.0.02) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.02 - Adobe Systems Incorporated)
Apache HTTP Server 2.0.58 (HKLM\...\{3A862C7D-0504-48BC-AEF8-7F7479C7C158}) (Version: 2.0.58 - Apache Software Foundation)
Apple Application Support (HKLM\...\{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.27 - Atheros Communications Inc.)
Avant Browser (remove only) (HKLM\...\AvantBrowser) (Version: 12.0.0.0 - Avant Force)
Bulgarian BDS (2000,XP,2003,Vista,7,2008) - Microinvest (HKLM\...\{67437C58-1E0A-40E0-915E-95DF37BB4196}) (Version: 1.0.3.40 - Microinvest Ltd.)
Bulgarian PHO (2000,XP,2003,Vista,7,2008) - Microinvest (HKLM\...\{B263EA04-647B-4F01-B528-936E87ABA8A6}) (Version: 1.0.3.40 - Microinvest Ltd.)
Cantennator 1.0 (HKLM\...\Cantennator_is1) (Version:  - Island Limited)
CDex extraction audio (HKLM\...\CDex) (Version:  - )
Cheat Engine 5.5 (HKLM\...\Cheat Engine 5.5_is1) (Version:  - Dark Byte)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6021.5000 - Microsoft Corporation)
Core FTP LE (HKLM\...\CoreFTP) (Version:  - )
CrystalDiskMark 3.0.1c (HKLM\...\CrystalDiskMark_is1) (Version: 3.0.1c - Crystal Dew World)
CSV to vCard (HKLM\...\{B9DCBBD4-20F5-424B-9C56-FFF62BE71CD7}_is1) (Version:  - csvtovcard.com)
Decal Converter (HKLM\...\{5BB207D6-0E1E-11D5-9B6A-00C04F7EC248}) (Version:  - )
Doro 1.42 (HKLM\...\Doro_is1) (Version:  - CompSoft)
EasyCleanBG (HKLM\...\EasyCleanBG) (Version:  - )
Ethereal 0.99.0 (HKLM\...\Ethereal) (Version: 0.99.0 - The Ethereal developer community, http://www.ethereal.com)
FlexType 2K (HKLM\...\FlexType 2K) (Version:  - )
FlexWord 2K (HKLM\...\FlexWord 2K) (Version:  - )
Foxit Reader 5.1 (HKLM\...\Foxit Reader_is1) (Version: 5.1.4.104 - Foxit Corporation)
Free YouTube Download version 3.2.18.1128 (HKLM\...\Free YouTube Download_is1) (Version: 3.2.18.1128 - DVDVideoSoft Ltd.)
GetDataBack for NTFS (HKLM\...\{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}) (Version: 4.24.000 - Runtime Software)
Google Earth Plug-in (HKLM\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
grepWin (HKLM\...\{AFDF754A-1694-4933-8E8F-58E97A525015}) (Version: 1.6.466 - Stefans Tools)
HD Tune Pro 5.00 (HKLM\...\HD Tune Pro_is1) (Version:  - EFD Software)
HDD Health v2.1 Beta (HKLM\...\HDD Health_is1) (Version:  - )
HP USB Key Utility (HKLM\...\HP USB Key Utility) (Version:  - )
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iSlim 300X (HKLM\...\{7EF900F4-61A8-4D95-8A65-488D3BECA206}) (Version: 1.0.0.28 - )
ISO to USB (HKLM\...\{D08A30AC-A663-4EA8-8D81-B98E17F19F1C}_is1) (Version:  - isotousb.com)
Jasc Paint Shop Pro 8 (HKLM\...\{81A34902-9D0B-4920-A25C-4CDC5D14B328}) (Version: 8.01.0000 - Jasc Software Inc)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java Auto Updater (Version: 2.8.25.18 - Oracle Corporation) Hidden
Java SE Development Kit 7 Update 40 (HKLM\...\{32A3A4F4-B792-11D6-A78A-00B0D0170400}) (Version: 1.7.0.400 - Oracle)
Java SE Development Kit 7 Update 51 (HKLM\...\{32A3A4F4-B792-11D6-A78A-00B0D0170510}) (Version: 1.7.0.510 - Oracle)
Lexmark 1200 Series (HKLM\...\Lexmark 1200 Series) (Version:  - )
LG United Mobile Driver (HKLM\...\{2A3A4BD6-6CE0-4E2A-80D2-1D0FF6ACBFBA}) (Version: 3.10.1.0 - LG Electronics)
marvell 61xx (HKLM\...\mv61xxDriver) (Version: 1.2.0.68 - Marvell)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.7969.0 - Microsoft Corporation)
Microsoft Office Visio Professional 2003 (HKLM\...\{90510409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.7969.0 - Microsoft Corporation)
Microsoft SMS Sender (HKLM\...\{394BE3D9-7F57-4638-A8D1-1D88671913B7}) (Version: 1.0.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
MiniTool Partition Wizard Home Edition 8.1.1 (HKLM\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version:  - MiniTool Solution Ltd.)
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 32.0.3 - Mozilla)
Nero 6 Ultra Edition (HKLM\...\Nero - Burning Rom!UninstallKey) (Version:  - )
NVIDIA Control Panel 301.42 (Version: 301.42 - NVIDIA Corporation) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10 - NVIDIA Corporation)
NVIDIA Graphics Driver 301.42 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 301.42 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.75.420 - NVIDIA Corporation) Hidden
NVIDIA nView 136.27 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 136.27 - NVIDIA Corporation)
NVIDIA Performance (HKLM\...\InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}) (Version: 6.5 - NVIDIA Corporation)
NVIDIA Performance (Version: 6.5 - NVIDIA Corporation) Hidden
NVIDIA PhysX (Version: 9.12.0213 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.12.0213 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0213 - NVIDIA Corporation)
NVIDIA System Monitor (HKLM\...\InstallShield_{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}) (Version: 6.5 - NVIDIA Corporation)
NVIDIA System Monitor (Version: 6.5 - NVIDIA Corporation) Hidden
Opera 12.02 (HKLM\...\Opera 12.02.1578) (Version: 12.02.1578 - Opera Software ASA)
Opera 12.17 (HKLM\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
PC Probe II (HKLM\...\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}) (Version: 1.04.72 - ASUSTek)
QuickTime (HKLM\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
Readon TV Movie Radio Player 7.6.0.0 (HKLM\...\{80074966-5231-428D-9AE7-B7D5D2DC3246}) (Version: 7.6.0 - Readon Technology)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.5657 - Realtek Semiconductor Corp.)
Rename Master (HKLM\...\Rename Master_is1) (Version:  - )
Revo Uninstaller Pro 2.5.8 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.8 - VS Revo Group, Ltd.)
Rockstar Games Social Club (HKLM\...\Rockstar Games Social Club) (Version: 1.0.9.5 - Rockstar Games)
Scavenger (HKLM\...\Scavenger_is1) (Version:  - )
SeaTools for Windows (HKLM\...\SeaTools for Windows) (Version:  - Seagate Technology)
SimpleTV 0.4.6 r (HKLM\...\{290A2821-B1F8-4565-B49A-25F349A5B5CB}_is1) (Version:  - SergeyVS)
Skype™ 6.21 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SMS Control Center Free (HKLM\...\{1EB31B96-CD37-45DC-B637-7D56BAE4D0D9}) (Version: 7.5.9.1 - KD Apps)
SopCast 3.4.8 (HKLM\...\SopCast) (Version: 3.4.8 - www.sopcast.com)
SpyHunter (HKLM\...\{AF549236-6258-4AC6-A043-5B5B89C6EB61}) (Version: 4.17.6.4336 - Enigma Software Group USA, LLC)
SysTools SQL Recovery (HKLM\...\SysTools Access Recovery v3.1 - DEMO Version_is1) (Version:  - )
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
The KMPlayer (remove only) (HKLM\...\The KMPlayer) (Version:  - )
TightVNC 1.3.10 (HKLM\...\TightVNC_is1) (Version: 1.3.10 - TightVNC Group)
TRENDnet Powerline Utility (HKLM\...\{B596801C-EA86-4920-8432-1B1B8AE148F0}) (Version: 7.1.0101 - TRENDnet)
Unlocker 1.8.0 (HKLM\...\Unlocker) (Version: 1.8.0 - Cedrick Collomb)
VLC media player 2.1.0 (HKLM\...\VLC media player) (Version: 2.1.0 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Where Is It? 3.20 (HKLM\...\Where Is It? 3.20) (Version: 3.20 - Robert Galle)
Winamp (remove only) (HKLM\...\Winamp) (Version:  - )
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Windows Resource Kit Tools - SubInAcl.exe (HKLM\...\{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}) (Version: 5.2.3790.1164 - Microsoft Corporation)
WinPcap 4.1.3 (HKLM\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
World of Warcraft (HKLM\...\World of Warcraft) (Version:  - Blizzard Entertainment)
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.135\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.23.9\psuser.dll N (the data entry has 6 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\Application\38.0.2125.104\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.145\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.123\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.153\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.24.15\psuser.dll  (the data entry has 7 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{91EFB276-CEFE-48EC-BB3A-57795A7B4008}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.149\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.22.3\psuser.dll N (the data entry has 6 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.165\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.115\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.22.5\psuser.dll N (the data entry has 6 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.24.7\psuser.dll N (the data entry has 6 more characters).

==================== Restore Points  =========================

24-10-2014 07:48:46 ComboFix created restore point

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 15:00 - 2014-10-24 10:56 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003Core.job => ?
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003UA.job => ?

==================== Loaded Modules (whitelisted) =============

2014-02-11 14:07 - 2006-01-19 13:33 - 00078336 _____ () C:\WINDOWS\System32\spool\PRTPROCS\W32X86\LXCZPP5C.dll
2008-04-14 15:00 - 2008-04-14 15:00 - 01288192 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Documents and Settings\All Users\DRM:احتضان

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1957994488-1177238915-1801674531-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
SomeNewUser (S-1-5-21-1957994488-1177238915-1801674531-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\SomeNewUser
ASPNET (S-1-5-21-1957994488-1177238915-1801674531-1004 - Limited - Enabled)
Guest (S-1-5-21-1957994488-1177238915-1801674531-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1957994488-1177238915-1801674531-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1957994488-1177238915-1801674531-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/24/2014 11:09:50 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 23.10.2014.0, faulting module frst.exe, version 23.10.2014.0, fault address 0x0001f440.
Processing media-specific event for [frst.exe!ws!]

Error: (10/22/2014 10:07:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x02d39a30.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/20/2014 00:45:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 20.10.2014.0, faulting module frst.exe, version 20.10.2014.0, fault address 0x0001f3f6.
Processing media-specific event for [frst.exe!ws!]

Error: (10/12/2014 04:36:44 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005

Error: (10/12/2014 04:36:43 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005

Error: (10/12/2014 11:57:00 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005

Error: (10/12/2014 11:56:59 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005

Error: (10/12/2014 11:29:56 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005

Error: (10/12/2014 11:29:55 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005

Error: (10/12/2014 11:04:06 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005


System errors:
=============
Error: (10/24/2014 10:56:56 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
69512100

Error: (10/24/2014 10:56:52 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtXBar, WDM Crossbar service failed to start due to the following error:
%%2

Error: (10/24/2014 10:56:52 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtTuner, WDM TV Tuner service failed to start due to the following error:
%%2

Error: (10/24/2014 10:56:52 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtCap, WDM Video Capture service failed to start due to the following error:
%%1058

Error: (10/24/2014 10:56:52 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SpyHunter 4 Service service failed to start due to the following error:
%%3

Error: (10/24/2014 10:54:46 AM) (Source: PlugPlayManager) (EventID: 11) (User: )
Description: The device Root\LEGACY_UNLOCKERDRIVER5\0000 disappeared from the system without first being prepared for removal.

Error: (10/24/2014 10:54:46 AM) (Source: PlugPlayManager) (EventID: 11) (User: )
Description: The device Root\LEGACY_ESGIGUARD\0000 disappeared from the system without first being prepared for removal.

Error: (10/24/2014 10:54:46 AM) (Source: PlugPlayManager) (EventID: 11) (User: )
Description: The device Root\LEGACY_ASWVMM\0000 disappeared from the system without first being prepared for removal.

Error: (10/24/2014 10:50:42 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Crypkey License service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/24/2014 10:50:42 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Matrix Storage Event Monitor service terminated unexpectedly.  It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (10/24/2014 11:09:50 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe23.10.2014.0frst.exe23.10.2014.00001f440

Error: (10/22/2014 10:07:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.002d39a30

Error: (10/20/2014 00:45:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe20.10.2014.0frst.exe20.10.2014.00001f3f6

Error: (10/12/2014 04:36:44 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005
Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Error: (10/12/2014 04:36:43 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005
Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Error: (10/12/2014 11:57:00 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe

Error: (10/12/2014 11:56:59 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe

Error: (10/12/2014 11:29:56 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

Error: (10/12/2014 11:29:55 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

Error: (10/12/2014 11:04:06 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe


==================== Memory info ===========================

Processor: Pentium® Dual-Core CPU E5200 @ 2.50GHz
Percentage of memory in use: 24%
Total physical RAM: 2046.97 MB
Available physical RAM: 1552.26 MB
Total Pagefile: 3939.39 MB
Available Pagefile: 3650.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.56 MB

==================== Drives ================================

Drive c: (System) (Fixed) (Total:20 GB) (Free:1.75 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (Games) (Fixed) (Total:40 GB) (Free:0.12 GB) NTFS
Drive e: (Data) (Fixed) (Total:150 GB) (Free:0.39 GB) NTFS
Drive g: (4GB) (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
Drive k: (500GB-1) (Fixed) (Total:200 GB) (Free:0.1 GB) NTFS
Drive l: (500GB-2) (Fixed) (Total:265.76 GB) (Free:0.18 GB) NTFS
Drive o: (Debian) (Fixed) (Total:12 GB) (Free:0.15 GB) NTFS
Drive p: (BT3) (Fixed) (Total:10 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 2CEB7248)
Partition 1: (Not Active) - (Size=200 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=265.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: 6036B098)
Partition 1: (Active) - (Size=20 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=190.9 GB) - (Type=05)

========================================================
Disk: 2 (Size: 3.7 GB) (Disk ID: 6F20736B)
No partition Table on disk 2.
Disk 2 is a removable device.

==================== End Of Log ============================


Edited by SomeNewUser, 24 October 2014 - 02:32 AM.


#34
SomeNewUser
    Member
  • Topic Starter
  • 26 posts

We are on the right path - those protected (hidden) files no longer appear after a Windows reboot :)



#35
Naathim
    GeekU Minion
  • Expert
  • 4,568 posts

Thanks for updating, however I still see plenty of work here.



Fix with BlitzBlank

Please download BlitzBlank by EmsiSoft and save it to your desktop.
Download also the attached script file named BlitzBlankScript and save it to your desktop. (Attached file: BlitzBlankScript.txt, 994 bytes)

  • Right-click on the BlitzBlank icon and select Run as Administrator to start the tool.
  • The tool will warn you that it should be used only under the supervision of a trusted helper. Accept the warning.
  • In the upper bar please press the Open icon.
  • An explorer window should appear. On your desktop please find the BlitzBlankScript file downloaded earlier and choose Open.
  • Click the Execute Now button at the bottom.
  • You may be prompted that you are going to delete some entries. Please agree.
  • The tool will prompt you to reboot. Please agree.
  • After the reboot, please navigate to the C:\BlitzBlank.log report.

Please include the content of that logfile in your next reply.



#36
SomeNewUser
    Member
  • Topic Starter
  • 26 posts

Hi, the program crashes - when I open the *.txt file it closes.



#37
Naathim
    GeekU Minion
  • Expert
  • 4,568 posts

I don't know why. OK, let's make an attempt with another tool that was a very good one some time ago.

Scan with AVZ

Please download AVZ Antiviral Toolkit by Z-Oleg & Kaspersky and save the file to your desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Enter the AVZ4 directory, right-click on the avz icon and select Run as Administrator to start the tool.
  • Go to the File menu and select Standard Scripts.
  • Check script number 3. Advanced System Analysis.
  • Click Execute selected scripts.
  • In the Confirmation window please click Yes.
  • Your machine may be restarted during the script execution. It's absolutely normal.
  • Upon completion, you'll be prompted that the script has been executed. Click OK.
  • Navigate to the AVZ folder on your desktop. A subfolder named LOG should appear there.

Search for the file named virusinfo_syscheck.zip there and attach it to your next reply.
 
To attach it:
- after typing in your message, click More reply options instead of Post.
- below the post preview and the post editor, you should be able to see Attach files option - please click Choose file.
- in the pop-up window navigate to the desktop. Choose the one named Application.zip and attach it.

If the file is too big to attach (it may happen), then please host it on a Dropbox account or a site like mediafire.com, providing me the link to the uploaded file.



#38
SomeNewUser
    Member
  • Topic Starter
  • 26 posts

Hi, the name of the file is virusinfo_syscure.zip (there is no virus_syscheck.zip), and here it is.

Attached Files



#39
Naathim
    GeekU Minion
  • Expert
  • 4,568 posts

Hi :)



Scan with AVZ

Please re-run AVZ.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Enter the AVZ4 directory, right-click on the avz icon and select Run as Administrator to start the tool.
  • Go to the File menu and select Database update.
  • Press Start and allow the update to complete.
  • Once again go to the File menu and select there Custom Scripts.
  • In the shown window please paste the following:
    begin
    DeleteFile('C:\Program Files\Common Files\Bitdefender');
    DeleteFile('C:\Program Files\Common Files\BullGuard Ltd');
    DeleteFile('C:\Program Files\Common Files\Doctor Web');
    DeleteFile('C:\Program Files\Common Files\eAcceleration');
    DeleteFile('C:\Program Files\Common Files\G Data');
    DeleteFile('C:\Program Files\Common Files\InfoWatch');
    DeleteFile('C:\Program Files\Common Files\McAfee');
    DeleteFile('C:\Program Files\Common Files\MicroWorld');
    DeleteFile('C:\Program Files\Common Files\Panda Security');
    DeleteFile('C:\Program Files\Common Files\TrustPort');
    DeleteFile('C:\WINDOWS\VZT6nsdX.txt');
    DeleteFile('C:\WINDOWS\System32\DRIVERS\epfwtdir.sys');
    DeleteFile('C:\Windows\System32\Drivers\netfilter.sys');
    DeleteFile('C:\Documents and Settings\SomeNewUser\Desktop\SpyHunter.lnk');
    DeleteService('EsgScanner');
    SetServiceStart('EsgScanner', 4);
    StopService('EsgScanner');
    DeleteService('69512100');
    SetServiceStart('69512100', 4);
    StopService('69512100');
    DeleteService('SpyHunter 4 Service');
    SetServiceStart('SpyHunter 4 Service', 4);
    DeleteFile('C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE','32');
    DeleteFile('C:\WINDOWS\system32\DRIVERS\69512100.sys','32');
    DeleteFile('C:\WINDOWS\system32\DRIVERS\EsgScanner.sys','32');
    RebootWindows(true);
    end.
    
  • Click Execute selected scripts.
  • In the Confirmation window please click Yes.
  • Your machine may be restarted during the script execution. It's absolutely normal.
  • Upon completion, you'll be prompted that the script has been executed. Click OK.

No report will be generated.



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.



#40
SomeNewUser
    Member
  • Topic Starter
  • 26 posts

Hi, sorry again for the delay - I had a really hard time at work - we have a lot of crashes in this weather and I had no time for anything else than sleep and work :).

I will scan it in a few minutes.

Here are the logs:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-10-2014 01
Ran by Administrator (administrator) on PC on 29-10-2014 11:07:10
Running from L:\
Loaded Profiles: SomeNewUser & Administrator (Available profiles: SomeNewUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 6
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lexmark International, Inc.) C:\WINDOWS\system32\LEXBCES.EXE
(Lexmark International, Inc.) C:\WINDOWS\system32\LEXPPS.EXE
(Apache Software Foundation) C:\Program Files\Apache Group\Apache2\bin\Apache.exe
(CrypKey (Canada) Ltd.) C:\WINDOWS\system32\Crypserv.exe
(Apache Software Foundation) C:\Program Files\Apache Group\Apache2\bin\Apache.exe
(NVIDIA) C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(TightVNC Group) C:\Program Files\TightVNC\WinVNC.exe
(WIBU-SYSTEMS AG) C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\tv_w32.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16876032 2008-07-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1634112 2012-05-15] ()
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Lexmark 1200 Series] => C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe [57344 2006-07-13] (Lexmark International, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Winlogon: [UIHost] C:\WINDOWS\system32\logonui.exe [514560 2008-04-14] ( (Microsoft Corporation))
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\...\Policies\Explorer: [TaskbarNoNotification] 0
BootExecute:

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vuf7q31d.default
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll No File
FF Plugin: hbgk.net/WebDvrCtrl -> C:\Program Files\WebControl\npWebCtrl.dll (TODO: <公司名>)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Mozilla Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-07-26]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx []
CHR StartMenuInternet: Google Chrome - C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apache2; C:\Program Files\Apache Group\Apache2\bin\Apache.exe [20541 2006-04-29] (Apache Software Foundation) [File not signed]
R2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2568120 2012-07-19] (WIBU-SYSTEMS AG)
R2 Crypkey License; C:\WINDOWS\system32\crypserv.exe [69632 2006-03-01] (CrypKey (Canada) Ltd.) [File not signed]
R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2006-04-18] (Lexmark International, Inc.)
R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [192832 2011-09-19] (NVIDIA)
R2 winvnc; C:\Program Files\TightVNC\WinVNC.exe [585728 2009-03-05] (TightVNC Group) [File not signed]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AndNetDiag; C:\WINDOWS\System32\DRIVERS\lgandnetdiag.sys [23168 2013-04-18] (LG Electronics Inc.)
S3 AndNetDiag2; C:\WINDOWS\System32\DRIVERS\lgandnetdiag2.sys [23168 2013-04-18] (LG Electronics Inc.)
S3 ANDNetModem; C:\WINDOWS\System32\DRIVERS\lgandnetmodem.sys [27776 2013-06-28] (LG Electronics Inc.)
S3 andnetndis; C:\WINDOWS\System32\DRIVERS\lgandnetndis.sys [70656 2013-04-23] (LG Electronics Inc.)
R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12400 2007-12-17] ()
R3 axsaki; C:\WINDOWS\System32\DRIVERS\axsaki.sys [102624 2003-03-30] ( ) [File not signed]
R3 axskbus; C:\WINDOWS\System32\DRIVERS\axskbus.sys [8640 2003-03-28] ( ) [File not signed]
S2 BT848; C:\WINDOWS\System32\drivers\BT848.SYS [294380 2002-02-22] (TelSignal Co., Ltd.) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 L1e; C:\WINDOWS\System32\DRIVERS\l1e51x86.sys [36864 2008-06-25] (Atheros Communications, Inc.)
R0 Lbd; C:\WINDOWS\System32\DRIVERS\Lbd.sys [64288 2009-12-02] (Lavasoft AB)
R0 mrdd; C:\WINDOWS\System32\DRIVERS\mrdd.sys [18984 2008-11-12] (Marvell Semiconductor, Inc.)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
R0 mv61xx; C:\WINDOWS\System32\DRIVERS\mv61xx.sys [152616 2009-02-09] (Marvell Semiconductor, Inc.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R1 NetworkX; C:\WINDOWS\system32\ckldrv.sys [31846 2006-01-10] () [File not signed]
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-14] (Microsoft Corporation)
R2 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
S3 PAC7302; C:\WINDOWS\System32\DRIVERS\PAC7302.SYS [461824 2009-04-28] (PixArt Imaging Inc.) [File not signed]
S3 PortTalk; C:\WINDOWS\System32\Drivers\PortTalk.sys [3567 2002-01-12] (Beyond Logic http://www.beyondlogic.org) [File not signed]
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [46080 2006-05-16] (Sonic Solutions) [File not signed]
S3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R0 snapman; C:\WINDOWS\System32\DRIVERS\snapman.sys [99776 2012-08-14] (Acronis) [File not signed]
S4 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [685816 2013-10-09] (Duplex Secure Ltd.)
U3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [34808 2014-10-10] ()
S3 w810bus; C:\WINDOWS\System32\DRIVERS\w810bus.sys [58288 2006-02-20] (MCCI)
S3 w810mdfl; C:\WINDOWS\System32\DRIVERS\w810mdfl.sys [8336 2006-02-20] (MCCI)
S3 w810mdm; C:\WINDOWS\System32\DRIVERS\w810mdm.sys [94064 2006-02-20] (MCCI)
S3 w810mgmt; C:\WINDOWS\System32\DRIVERS\w810mgmt.sys [85408 2006-02-20] (MCCI)
S3 w810obex; C:\WINDOWS\System32\DRIVERS\w810obex.sys [83344 2006-02-20] (MCCI)
S2 BTTUNER; system32\drivers\BTTUNER.SYS [X]
S2 BTXBAR; system32\drivers\BTXBAR.SYS [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 epfwtdir; system32\DRIVERS\epfwtdir.sys [X]
S4 IntelIde; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 11:05 - 2014-10-29 11:05 - 00000000 ____H () C:\Documents and Settings\All Users\Application Data\cm-lock
2014-10-24 19:27 - 2014-10-23 18:45 - 00000077 _____ () C:\WINDOWS\system32\Desktop.scf
2014-10-24 11:33 - 2014-10-24 11:33 - 00000994 _____ () C:\Documents and Settings\SomeNewUser\Desktop\BlitzBlankScript.txt
2014-10-24 09:59 - 2014-10-29 11:07 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-10-24 09:59 - 2014-10-29 11:06 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\temp
2014-10-24 09:59 - 2014-10-24 09:59 - 00020748 _____ () C:\ComboFix.txt
2014-10-24 09:59 - 2014-10-24 09:59 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-10-24 09:59 - 2014-10-24 09:59 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-10-24 09:48 - 2014-10-24 09:59 - 00000000 ____D () C:\ComboFix
2014-10-22 12:21 - 2014-10-22 12:21 - 00000073 _____ () C:\WINDOWS\system32\-1
2014-10-22 12:21 - 2014-10-22 12:21 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
2014-10-22 12:20 - 2014-10-26 18:25 - 00002519 _____ () C:\Documents and Settings\All Users\Desktop\TRENDnet Powerline Utility.lnk
2014-10-22 12:20 - 2014-10-22 12:20 - 00000000 ____D () C:\Program Files\TRENDnet
2014-10-22 12:20 - 2014-10-22 12:20 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\TRENDnet Inc
2014-10-22 09:04 - 2014-10-22 09:04 - 00000000 ____D () C:\sh4ldr
2014-10-22 09:04 - 2014-10-22 09:04 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\SpyHunter
2014-10-19 21:51 - 2014-10-19 21:51 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-10-19 21:50 - 2014-10-19 21:50 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-10-19 21:50 - 2014-10-19 21:50 - 00000000 ____D () C:\Program Files\Java
2014-10-19 21:40 - 2014-10-19 21:40 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2014-10-15 09:44 - 2014-10-15 09:45 - 00000160 _____ () C:\Documents and Settings\SomeNewUser\defogger_reenable
2014-10-14 17:57 - 2014-10-14 17:57 - 00021764 _____ () C:\Documents and Settings\Administrator\Desktop\gmer.log
2014-10-14 17:27 - 2014-10-14 17:23 - 00380416 _____ () C:\Documents and Settings\SomeNewUser\Desktop\d3v1cegw.exe
2014-10-12 02:30 - 2014-10-29 11:07 - 00000000 ____D () C:\FRST
2014-10-11 20:59 - 2014-10-11 20:59 - 00001919 _____ () C:\WINDOWS\epplauncher.mif
2014-10-11 20:59 - 2014-10-11 20:59 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2014-10-11 16:54 - 2014-10-11 17:04 - 00000013 _____ () C:\Documents and Settings\Administrator\Desktop\New Text Document.txt
2014-10-11 16:42 - 2014-10-11 16:42 - 00000000 ____D () C:\Program Files\Windows Resource Kits
2014-10-11 16:21 - 2014-10-11 16:21 - 00060408 _____ () C:\Documents and Settings\Administrator\Desktop\regscanner.zip
2014-10-11 15:05 - 2014-10-11 15:05 - 00014215 _____ () C:\WINDOWS\KB942288-v3.log
2014-10-11 15:05 - 2014-10-11 15:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB942288-v3$
2014-10-11 15:05 - 2007-11-30 04:39 - 00017272 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsg.dll
2014-10-11 14:57 - 2014-10-11 14:57 - 00011348 _____ () C:\Documents and Settings\Administrator\Desktop\safemsi.zip
2014-10-11 14:57 - 2014-10-11 14:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\safemsi
2014-10-11 14:44 - 2014-10-11 14:44 - 00001153 _____ () C:\Documents and Settings\Administrator\Desktop\fix2.zip
2014-10-11 14:44 - 2014-10-11 14:44 - 00000397 _____ () C:\Documents and Settings\Administrator\Desktop\fix1.zip
2014-10-11 01:40 - 2014-10-24 09:54 - 00008192 ____H () C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\system.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\software.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\default.tmp.LOG
2014-10-11 01:31 - 2014-10-11 01:31 - 00000000 _RSHD () C:\cmdcons
2014-10-11 01:31 - 2014-08-26 13:30 - 00000245 _____ () C:\Boot.bak
2014-10-11 01:31 - 2004-08-03 22:00 - 00260272 __RSH () C:\cmldr
2014-10-11 01:29 - 2014-10-24 09:59 - 00000000 ____D () C:\Qoobox
2014-10-11 01:29 - 2014-10-24 09:54 - 00000000 ____D () C:\WINDOWS\erdnt
2014-10-11 01:29 - 2011-06-26 08:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-10-11 01:29 - 2010-11-07 19:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-10-11 01:29 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-10-10 23:02 - 2014-10-10 23:02 - 00034808 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2014-10-10 23:02 - 2014-10-10 23:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2014-10-10 22:52 - 2014-10-10 22:52 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2014-10-10 22:51 - 2014-10-10 22:51 - 00001234 _____ () C:\Documents and Settings\Administrator\Desktop\JRT.txt
2014-10-10 22:50 - 2014-10-10 22:50 - 00000773 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2014-10-10 22:50 - 2014-10-10 22:50 - 00000744 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.lnk
2014-10-10 22:50 - 2008-04-14 14:00 - 00221184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmpns.dll
2014-10-10 22:49 - 2014-10-10 22:49 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-10-10 22:25 - 2014-10-10 22:44 - 00000000 ____D () C:\AdwCleaner
2014-10-10 22:16 - 2014-10-10 22:16 - 00000000 ____D () C:\WINDOWS\system32\Drivers\netfilter.bak
2014-10-10 12:54 - 2014-10-10 22:55 - 00000855 _____ () C:\WINDOWS\system32\Drivers\etc\hosts.conf
2014-10-10 12:54 - 2014-10-10 12:54 - 00000000 ___SH () C:\WINDOWS\PsfjH4KN.txt
2014-10-10 12:54 - 2014-10-10 12:54 - 00000000 ___SH () C:\WINDOWS\F5Ws94kb.txt
2014-10-10 12:50 - 2014-10-10 08:30 - 00002048 _____ () C:\WINDOWS\bootstat2.dat
2014-10-02 12:48 - 2014-10-02 12:48 - 00000097 _____ () C:\New Text Document (2).txt
2014-09-29 21:00 - 2014-09-29 21:00 - 00000730 _____ () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 11:07 - 2012-10-28 12:22 - 00885536 _____ () C:\WINDOWS\error.log
2014-10-29 11:07 - 2008-04-14 14:00 - 00001068 _____ () C:\WINDOWS\win.ini
2014-10-29 11:05 - 2012-10-28 12:22 - 00017260 _____ () C:\WINDOWS\errord.log
2014-10-29 11:05 - 2012-08-28 16:29 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-29 11:05 - 2012-07-25 03:53 - 00000159 ____C () C:\WINDOWS\wiadebug.log
2014-10-29 11:05 - 2012-07-25 03:53 - 00000053 ____C () C:\WINDOWS\wiaservc.log
2014-10-29 11:05 - 2012-07-25 01:07 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-10-29 11:05 - 2012-07-25 01:03 - 00360493 _____ () C:\WINDOWS\WindowsUpdate.log
2014-10-29 11:03 - 2012-07-26 11:37 - 00000178 __SHC () C:\Documents and Settings\Administrator\ntuser.ini
2014-10-29 11:03 - 2012-07-25 01:07 - 00032494 _____ () C:\WINDOWS\SchedLgU.Txt
2014-10-29 11:03 - 2012-07-25 01:07 - 00000278 ___SH () C:\Documents and Settings\SomeNewUser\ntuser.ini
2014-10-29 10:50 - 2012-07-25 12:26 - 00002497 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Word 2003.lnk
2014-10-29 10:48 - 2012-07-25 12:07 - 00000600 _____ () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\PUTTY.RND
2014-10-29 10:40 - 2012-08-28 16:29 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-29 10:28 - 2012-07-25 16:14 - 00001082 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003UA.job
2014-10-29 01:55 - 2012-07-25 12:26 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\Skype
2014-10-29 01:44 - 2014-03-03 18:17 - 00008274 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Mihail Zadornov.txt
2014-10-28 21:28 - 2012-07-25 16:14 - 00001030 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003Core.job
2014-10-28 02:08 - 2013-12-29 02:20 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\BitTorrent
2014-10-28 02:01 - 2012-07-25 17:12 - 00002397 _____ () C:\Documents and Settings\All Users\Desktop\ACDSee 5.0.lnk
2014-10-28 00:52 - 2012-07-25 16:08 - 00000000 ____D () C:\Program Files\The KMPlayer
2014-10-27 14:46 - 2012-07-25 12:25 - 00002495 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Excel 2003.lnk
2014-10-27 10:39 - 2013-03-21 22:24 - 00002375 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Visio 2003.lnk
2014-10-27 10:31 - 2008-04-14 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-10-27 03:22 - 2012-07-26 01:35 - 00068608 _____ () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-10-27 03:22 - 2012-07-25 23:07 - 00000116 _____ () C:\WINDOWS\NeroDigital.ini
2014-10-26 20:47 - 2012-07-25 17:40 - 00000041 _____ () C:\WINDOWS\crw.ini
2014-10-26 08:09 - 2012-07-25 03:52 - 00588920 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-10-24 18:02 - 2013-10-05 01:11 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\vlc
2014-10-24 17:22 - 2012-07-27 09:16 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\My Documents\Readon Player
2014-10-24 09:57 - 2008-04-14 14:00 - 00000435 _____ () C:\WINDOWS\system.ini
2014-10-24 09:55 - 2012-07-25 03:51 - 00053248 _____ () C:\WINDOWS\system32\config\SECURITY.bak
2014-10-24 09:55 - 2012-07-25 03:51 - 00028672 _____ () C:\WINDOWS\system32\config\SAM.bak
2014-10-24 09:55 - 2012-07-25 03:50 - 28135424 _____ () C:\WINDOWS\system32\config\software.bak
2014-10-24 09:55 - 2012-07-25 03:50 - 10485760 _____ () C:\WINDOWS\system32\config\system.bak
2014-10-24 09:55 - 2012-07-25 03:50 - 00315392 _____ () C:\WINDOWS\system32\config\default.bak
2014-10-24 09:13 - 2012-07-25 12:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Skype
2014-10-22 22:08 - 2012-07-25 03:51 - 00176544 _____ () C:\WINDOWS\setupapi.log
2014-10-22 12:21 - 2012-11-20 02:23 - 00000000 ____D () C:\Program Files\WinPcap
2014-10-22 08:29 - 2012-07-25 01:07 - 00000000 ____D () C:\Documents and Settings\NetworkService
2014-10-20 02:21 - 2013-09-09 19:58 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Desktop\123
2014-10-19 21:50 - 2014-08-08 07:02 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-10-18 20:56 - 2012-10-05 22:41 - 00000000 ____D () C:\Program Files\Cheat Engine
2014-10-18 20:56 - 2012-07-25 16:22 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\CRE
2014-10-18 18:53 - 2012-08-05 00:20 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\SimpleTV V03
2014-10-17 19:11 - 2013-11-06 08:41 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\uTorrent
2014-10-15 09:44 - 2012-07-25 01:07 - 00000000 ____D () C:\Documents and Settings\SomeNewUser
2014-10-15 03:11 - 2012-07-26 11:37 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-10-14 13:30 - 2014-04-21 00:06 - 00000000 ____D () C:\New Folder
2014-10-12 15:37 - 2012-07-26 10:39 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-10-12 02:29 - 2012-07-25 01:02 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-10-11 21:48 - 2013-12-29 02:21 - 00000823 _____ () C:\Documents and Settings\SomeNewUser\Desktop\BitTorrent.lnk
2014-10-11 21:41 - 2012-11-14 00:26 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-10-11 21:41 - 2012-07-25 01:04 - 00002577 _____ () C:\WINDOWS\system32\CONFIG.NT
2014-10-11 17:03 - 2012-07-25 03:52 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-10-11 15:05 - 2012-07-25 03:52 - 00068219 ____C () C:\WINDOWS\iis6.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00030088 ____C () C:\WINDOWS\FaxSetup.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00023640 ____C () C:\WINDOWS\ocgen.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00021922 ____C () C:\WINDOWS\comsetup.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00019266 ____C () C:\WINDOWS\tsoc.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00015592 ____C () C:\WINDOWS\msmqinst.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00011613 ____C () C:\WINDOWS\ntdtcsetup.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00006039 ____C () C:\WINDOWS\netfxocm.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00002762 ____C () C:\WINDOWS\MedCtrOC.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00002185 ____C () C:\WINDOWS\tabletoc.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00001911 ____C () C:\WINDOWS\ocmsn.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00001798 ____C () C:\WINDOWS\msgsocm.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00001393 _____ () C:\WINDOWS\imsins.log
2014-10-11 15:05 - 2012-07-25 03:43 - 00000000 ____D () C:\WINDOWS\system32\mui
2014-10-11 14:46 - 2014-01-13 14:53 - 00006238 __RSH () C:\Documents and Settings\All Users\ntuser.pol
2014-10-11 14:21 - 2014-02-25 20:19 - 00000000 __SHD () C:\WINDOWS\CSC
2014-10-11 01:31 - 2012-07-25 03:50 - 00000355 __RSH () C:\boot.ini
2014-10-10 23:27 - 2012-07-25 01:07 - 00001605 _____ () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\Remote Assistance.lnk
2014-10-10 23:27 - 2012-07-25 01:04 - 00001605 ____C () C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk
2014-10-10 23:20 - 2012-11-10 00:49 - 00000000 ____D () C:\Documents and Settings\All Users\Local Settings\Temp
2014-10-10 23:15 - 2012-07-25 01:04 - 00001513 _____ () C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
2014-10-10 23:14 - 2012-07-26 11:37 - 00001605 ____C () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-10-10 22:50 - 2012-07-26 11:37 - 00000798 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-10-10 22:50 - 2012-07-26 11:37 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-10-10 22:50 - 2012-07-25 01:01 - 00005832 ____C () C:\WINDOWS\wmsetup.log
2014-10-10 21:39 - 2012-07-25 03:51 - 00188301 _____ () C:\WINDOWS\setupact.log
2014-10-10 20:48 - 2012-07-26 14:00 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Ashampoo
2014-10-10 12:53 - 2013-04-12 14:45 - 00000000 ____D () C:\Program Files\Adobe
2014-10-10 12:53 - 2012-07-25 01:02 - 00000000 ____D () C:\WINDOWS\system32\Macromed
2014-10-10 08:30 - 2012-11-14 13:55 - 00187010 _____ () C:\aaw7boot.log
2014-10-09 17:52 - 2014-08-26 10:59 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\.ACEStream
2014-09-30 08:01 - 2012-07-25 11:04 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-09-29 21:00 - 2014-08-30 12:12 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-29 21:00 - 2012-07-25 11:04 - 00000736 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk

Some content of TEMP:
====================
C:\Documents and Settings\SomeNewUser\Local Settings\temp\rtdrvmon.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 27-10-2014 01
Ran by Administrator at 2014-10-29 11:08:17
Running from L:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM\...\uTorrent) (Version: 1.8.5 - )
3Com TFTP Server (HKLM\...\{155940A6-F4CF-434F-BBFD-A26A4E3D02C0}) (Version: 1.05 - 3Com)
7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
ACDSee 5.0 Standard (HKLM\...\{AF5E8D43-49AD-4BE7-A941-2BB0A8CACA62}) (Version: 5.0.0 - ACD Systems Ltd)
Acronis Disk Director Suite (HKLM\...\{2300EE96-0A41-4FAB-BD03-989EC44577A0}) (Version: 10.0.2117 - Acronis)
Adobe Reader XI (11.0.02) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.02 - Adobe Systems Incorporated)
Apache HTTP Server 2.0.58 (HKLM\...\{3A862C7D-0504-48BC-AEF8-7F7479C7C158}) (Version: 2.0.58 - Apache Software Foundation)
Apple Application Support (HKLM\...\{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.27 - Atheros Communications Inc.)
Avant Browser (remove only) (HKLM\...\AvantBrowser) (Version: 12.0.0.0 - Avant Force)
Bulgarian BDS (2000,XP,2003,Vista,7,2008) - Microinvest (HKLM\...\{67437C58-1E0A-40E0-915E-95DF37BB4196}) (Version: 1.0.3.40 - Microinvest Ltd.)
Bulgarian PHO (2000,XP,2003,Vista,7,2008) - Microinvest (HKLM\...\{B263EA04-647B-4F01-B528-936E87ABA8A6}) (Version: 1.0.3.40 - Microinvest Ltd.)
Cantennator 1.0 (HKLM\...\Cantennator_is1) (Version:  - Island Limited)
CDex extraction audio (HKLM\...\CDex) (Version:  - )
Cheat Engine 5.5 (HKLM\...\Cheat Engine 5.5_is1) (Version:  - Dark Byte)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6021.5000 - Microsoft Corporation)
Core FTP LE (HKLM\...\CoreFTP) (Version:  - )
CrystalDiskMark 3.0.1c (HKLM\...\CrystalDiskMark_is1) (Version: 3.0.1c - Crystal Dew World)
CSV to vCard (HKLM\...\{B9DCBBD4-20F5-424B-9C56-FFF62BE71CD7}_is1) (Version:  - csvtovcard.com)
Decal Converter (HKLM\...\{5BB207D6-0E1E-11D5-9B6A-00C04F7EC248}) (Version:  - )
Doro 1.42 (HKLM\...\Doro_is1) (Version:  - CompSoft)
EasyCleanBG (HKLM\...\EasyCleanBG) (Version:  - )
Ethereal 0.99.0 (HKLM\...\Ethereal) (Version: 0.99.0 - The Ethereal developer community, http://www.ethereal.com)
FlexType 2K (HKLM\...\FlexType 2K) (Version:  - )
FlexWord 2K (HKLM\...\FlexWord 2K) (Version:  - )
Foxit Reader 5.1 (HKLM\...\Foxit Reader_is1) (Version: 5.1.4.104 - Foxit Corporation)
Free YouTube Download version 3.2.18.1128 (HKLM\...\Free YouTube Download_is1) (Version: 3.2.18.1128 - DVDVideoSoft Ltd.)
GetDataBack for NTFS (HKLM\...\{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}) (Version: 4.24.000 - Runtime Software)
Google Earth Plug-in (HKLM\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
grepWin (HKLM\...\{AFDF754A-1694-4933-8E8F-58E97A525015}) (Version: 1.6.466 - Stefans Tools)
HD Tune Pro 5.00 (HKLM\...\HD Tune Pro_is1) (Version:  - EFD Software)
HDD Health v2.1 Beta (HKLM\...\HDD Health_is1) (Version:  - )
HP USB Key Utility (HKLM\...\HP USB Key Utility) (Version:  - )
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iSlim 300X (HKLM\...\{7EF900F4-61A8-4D95-8A65-488D3BECA206}) (Version: 1.0.0.28 - )
ISO to USB (HKLM\...\{D08A30AC-A663-4EA8-8D81-B98E17F19F1C}_is1) (Version:  - isotousb.com)
Jasc Paint Shop Pro 8 (HKLM\...\{81A34902-9D0B-4920-A25C-4CDC5D14B328}) (Version: 8.01.0000 - Jasc Software Inc)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java Auto Updater (Version: 2.8.25.18 - Oracle Corporation) Hidden
Java SE Development Kit 7 Update 40 (HKLM\...\{32A3A4F4-B792-11D6-A78A-00B0D0170400}) (Version: 1.7.0.400 - Oracle)
Java SE Development Kit 7 Update 51 (HKLM\...\{32A3A4F4-B792-11D6-A78A-00B0D0170510}) (Version: 1.7.0.510 - Oracle)
Lexmark 1200 Series (HKLM\...\Lexmark 1200 Series) (Version:  - )
LG United Mobile Driver (HKLM\...\{2A3A4BD6-6CE0-4E2A-80D2-1D0FF6ACBFBA}) (Version: 3.10.1.0 - LG Electronics)
marvell 61xx (HKLM\...\mv61xxDriver) (Version: 1.2.0.68 - Marvell)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.7969.0 - Microsoft Corporation)
Microsoft Office Visio Professional 2003 (HKLM\...\{90510409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.7969.0 - Microsoft Corporation)
Microsoft SMS Sender (HKLM\...\{394BE3D9-7F57-4638-A8D1-1D88671913B7}) (Version: 1.0.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
MiniTool Partition Wizard Home Edition 8.1.1 (HKLM\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version:  - MiniTool Solution Ltd.)
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 32.0.3 - Mozilla)
Nero 6 Ultra Edition (HKLM\...\Nero - Burning Rom!UninstallKey) (Version:  - )
NVIDIA Control Panel 301.42 (Version: 301.42 - NVIDIA Corporation) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10 - NVIDIA Corporation)
NVIDIA Graphics Driver 301.42 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 301.42 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.75.420 - NVIDIA Corporation) Hidden
NVIDIA nView 136.27 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 136.27 - NVIDIA Corporation)
NVIDIA Performance (HKLM\...\InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}) (Version: 6.5 - NVIDIA Corporation)
NVIDIA Performance (Version: 6.5 - NVIDIA Corporation) Hidden
NVIDIA PhysX (Version: 9.12.0213 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.12.0213 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0213 - NVIDIA Corporation)
NVIDIA System Monitor (HKLM\...\InstallShield_{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}) (Version: 6.5 - NVIDIA Corporation)
NVIDIA System Monitor (Version: 6.5 - NVIDIA Corporation) Hidden
Opera 12.02 (HKLM\...\Opera 12.02.1578) (Version: 12.02.1578 - Opera Software ASA)
Opera 12.17 (HKLM\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
PC Probe II (HKLM\...\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}) (Version: 1.04.72 - ASUSTek)
QuickTime (HKLM\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
Readon TV Movie Radio Player 7.6.0.0 (HKLM\...\{80074966-5231-428D-9AE7-B7D5D2DC3246}) (Version: 7.6.0 - Readon Technology)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.5657 - Realtek Semiconductor Corp.)
Rename Master (HKLM\...\Rename Master_is1) (Version:  - )
Revo Uninstaller Pro 2.5.8 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.8 - VS Revo Group, Ltd.)
Rockstar Games Social Club (HKLM\...\Rockstar Games Social Club) (Version: 1.0.9.5 - Rockstar Games)
Scavenger (HKLM\...\Scavenger_is1) (Version:  - )
SeaTools for Windows (HKLM\...\SeaTools for Windows) (Version:  - Seagate Technology)
SimpleTV 0.4.6 r (HKLM\...\{290A2821-B1F8-4565-B49A-25F349A5B5CB}_is1) (Version:  - SergeyVS)
Skype™ 6.21 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SMS Control Center Free (HKLM\...\{1EB31B96-CD37-45DC-B637-7D56BAE4D0D9}) (Version: 7.5.9.1 - KD Apps)
SopCast 3.4.8 (HKLM\...\SopCast) (Version: 3.4.8 - www.sopcast.com)
SpyHunter (HKLM\...\{AF549236-6258-4AC6-A043-5B5B89C6EB61}) (Version: 4.17.6.4336 - Enigma Software Group USA, LLC)
SysTools SQL Recovery (HKLM\...\SysTools Access Recovery v3.1 - DEMO Version_is1) (Version:  - )
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
The KMPlayer (remove only) (HKLM\...\The KMPlayer) (Version:  - )
TightVNC 1.3.10 (HKLM\...\TightVNC_is1) (Version: 1.3.10 - TightVNC Group)
TRENDnet Powerline Utility (HKLM\...\{B596801C-EA86-4920-8432-1B1B8AE148F0}) (Version: 7.1.0101 - TRENDnet)
Unlocker 1.8.0 (HKLM\...\Unlocker) (Version: 1.8.0 - Cedrick Collomb)
VLC media player 2.1.0 (HKLM\...\VLC media player) (Version: 2.1.0 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Where Is It? 3.20 (HKLM\...\Where Is It? 3.20) (Version: 3.20 - Robert Galle)
Winamp (remove only) (HKLM\...\Winamp) (Version:  - )
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Windows Resource Kit Tools - SubInAcl.exe (HKLM\...\{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}) (Version: 5.2.3790.1164 - Microsoft Corporation)
WinPcap 4.1.3 (HKLM\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
World of Warcraft (HKLM\...\World of Warcraft) (Version:  - Blizzard Entertainment)
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.135\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.23.9\psuser.dll N (the data entry has 6 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\Application\38.0.2125.104\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.145\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.123\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.153\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.24.15\psuser.dll  (the data entry has 7 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{91EFB276-CEFE-48EC-BB3A-57795A7B4008}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.149\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.22.3\psuser.dll N (the data entry has 6 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.165\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.21.115\psuser.dll (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.25.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.22.5\psuser.dll N (the data entry has 6 more characters).
CustomCLSID: HKU\S-1-5-21-1957994488-1177238915-1801674531-1003_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Update\1.3.24.7\psuser.dll N (the data entry has 6 more characters).

==================== Restore Points  =========================

26-10-2014 06:23:33 System Checkpoint
27-10-2014 10:40:14 System Checkpoint
28-10-2014 11:12:49 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 14:00 - 2014-10-24 09:56 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003Core.job => ?
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003UA.job => ?

==================== Loaded Modules (whitelisted) =============

2014-02-11 13:07 - 2006-01-19 12:33 - 00078336 _____ () C:\WINDOWS\System32\spool\PRTPROCS\W32X86\LXCZPP5C.dll
2008-04-14 14:00 - 2008-04-14 14:00 - 01288192 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Documents and Settings\All Users\DRM:احتضان

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1957994488-1177238915-1801674531-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
SomeNewUser (S-1-5-21-1957994488-1177238915-1801674531-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\SomeNewUser
ASPNET (S-1-5-21-1957994488-1177238915-1801674531-1004 - Limited - Enabled)
Guest (S-1-5-21-1957994488-1177238915-1801674531-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1957994488-1177238915-1801674531-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1957994488-1177238915-1801674531-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/24/2014 10:09:50 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 23.10.2014.0, faulting module frst.exe, version 23.10.2014.0, fault address 0x0001f440.
Processing media-specific event for [frst.exe!ws!]

Error: (10/22/2014 09:07:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x02d39a30.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/20/2014 11:45:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 20.10.2014.0, faulting module frst.exe, version 20.10.2014.0, fault address 0x0001f3f6.
Processing media-specific event for [frst.exe!ws!]

Error: (10/12/2014 03:36:44 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005

Error: (10/12/2014 03:36:43 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005

Error: (10/12/2014 10:57:00 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005

Error: (10/12/2014 10:56:59 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005

Error: (10/12/2014 10:29:56 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005

Error: (10/12/2014 10:29:55 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005

Error: (10/12/2014 10:04:06 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005


System errors:
=============
Error: (10/29/2014 11:05:37 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
epfwtdir

Error: (10/29/2014 11:05:33 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtXBar, WDM Crossbar service failed to start due to the following error:
%%2

Error: (10/29/2014 11:05:33 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtTuner, WDM TV Tuner service failed to start due to the following error:
%%2

Error: (10/29/2014 11:05:33 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtCap, WDM Video Capture service failed to start due to the following error:
%%1058

Error: (10/29/2014 08:24:30 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
69512100

Error: (10/29/2014 08:24:26 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtXBar, WDM Crossbar service failed to start due to the following error:
%%2

Error: (10/29/2014 08:24:26 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtTuner, WDM TV Tuner service failed to start due to the following error:
%%2

Error: (10/29/2014 08:24:26 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BtCap, WDM Video Capture service failed to start due to the following error:
%%1058

Error: (10/29/2014 08:24:26 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SpyHunter 4 Service service failed to start due to the following error:
%%3

Error: (10/28/2014 08:57:20 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
69512100


Microsoft Office Sessions:
=========================
Error: (10/24/2014 10:09:50 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe23.10.2014.0frst.exe23.10.2014.00001f440

Error: (10/22/2014 09:07:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.002d39a30

Error: (10/20/2014 11:45:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe20.10.2014.0frst.exe20.10.2014.00001f3f6

Error: (10/12/2014 03:36:44 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005
Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Error: (10/12/2014 03:36:43 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070005
Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Error: (10/12/2014 10:57:00 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe

Error: (10/12/2014 10:56:59 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe

Error: (10/12/2014 10:29:56 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

Error: (10/12/2014 10:29:55 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

Error: (10/12/2014 10:04:06 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe . Error code = 0x80070005
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe


==================== Memory info ===========================

Processor: Pentium® Dual-Core CPU E5200 @ 2.50GHz
Percentage of memory in use: 32%
Total physical RAM: 2046.97 MB
Available physical RAM: 1385.76 MB
Total Pagefile: 3939.44 MB
Available Pagefile: 3479.23 MB
Total Virtual: 2047.88 MB
Available Virtual: 1948.95 MB

==================== Drives ================================

Drive c: (System) (Fixed) (Total:20 GB) (Free:0.99 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (Games) (Fixed) (Total:40 GB) (Free:0.13 GB) NTFS
Drive e: (Data) (Fixed) (Total:150 GB) (Free:0.55 GB) NTFS
Drive g: (4GB) (Removable) (Total:3.73 GB) (Free:2.28 GB) FAT32
Drive k: (500GB-1) (Fixed) (Total:200 GB) (Free:0.1 GB) NTFS
Drive l: (500GB-2) (Fixed) (Total:265.76 GB) (Free:0.16 GB) NTFS
Drive o: (Debian) (Fixed) (Total:12 GB) (Free:0.15 GB) NTFS
Drive p: (BT3) (Fixed) (Total:10 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 2CEB7248)
Partition 1: (Not Active) - (Size=200 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=265.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: 6036B098)
Partition 1: (Active) - (Size=20 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=190.9 GB) - (Type=05)

========================================================
Disk: 2 (Size: 3.7 GB) (Disk ID: 6F20736B)
No partition Table on disk 2.
Disk 2 is a removable device.

==================== End Of Log ============================


Edited by SomeNewUser, 29 October 2014 - 03:25 AM.

  • 0



#41
Naathim

Naathim

    GeekU Minion

  • Expert
  • 4,568 posts

Are these the FRST logfiles after running AVZ?


  • 0

#42
SomeNewUser

SomeNewUser

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Yes.


  • 0

#43
Naathim

Naathim

    GeekU Minion

  • Expert
  • 4,568 posts

Looks like AVZ did absolutely nothing.



Scan with OTS

Please download OTS by OldTimer and save the file to your desktop.

  • Right-click on the OTS icon and select Run as Administrator to start the tool.
  • Make sure that Scan All Users (upper bar) is ticked.
  • For 64-bit systems only - make sure that Include 64-bit option is also ticked.
  • Sections Processes, Modules, Services, Drivers, Standard Registry are set to Use Safelist.
  • Under the Additional scans bar press once Extras.
  • Push Run Scan at the top and wait patiently.
  • A notepad window will be opened after this run, named OTS.txt (saved also to your desktop).

Please post that file in your reply.


  • 0

#44
SomeNewUser

SomeNewUser

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Hi, I have a lot of work again; the OTS software stops with the following error:


Attached Thumbnails

  • OTS.jpg

  • 0

#45
Naathim

Naathim

    GeekU Minion

  • Expert
  • 4,568 posts

Hi :)

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:
    start
    CloseProcesses:
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
    2014-10-22 09:04 - 2014-10-22 09:04 - 00000000 ____D () C:\sh4ldr
    2014-10-22 09:04 - 2014-10-22 09:04 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\SpyHunter
    2014-10-10 12:54 - 2014-10-10 12:54 - 00000000 ___SH () C:\WINDOWS\PsfjH4KN.txt
    2014-10-10 12:54 - 2014-10-10 12:54 - 00000000 ___SH () C:\WINDOWS\F5Ws94kb.txt
    S2 BTTUNER; system32\drivers\BTTUNER.SYS [X]
    S2 BTXBAR; system32\drivers\BTXBAR.SYS [X]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S1 epfwtdir; system32\DRIVERS\epfwtdir.sys [X]
    S4 IntelIde; No ImagePath
    Reboot:
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.


  • 0





