Keylogger or RAT?! Please Help! [Solved]

#1 UniClad (New Member, 9 posts)

So yesterday my malware software detected Stolen.Data, which was located in my Roaming folder in a dclogs folder, and also detected a backdoor trojan. The folder contained data files which I opened in Notepad that contained conversations I've had and things I've typed. I quickly disconnected from the Internet.

I went onto a different PC and changed all my passwords. At one point all of my files on my computer turned into uTorrent files. I then deleted uTorrent and did a system restore to regain the normal state of my files. I then ran a full malware scan and removed all the things that popped up. When my PC restarted the dclogs folder was gone, and when I rescanned it came up clear.

However, I'm still very worried that the virus is still there but has just moved locations. I checked my processes and I saw an atieclxx.exe process that couldn't direct me to a file location nor be ended, resulting in a pop-up saying "Access Denied".

I would very much appreciate it if you could help me figure out if the virus is truly gone or still lurking on my computer somewhere. If so, please tell me what I need to do to completely get rid of this virus!

#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

Hello UniClad,

Welcome to Geekstogo,

The dclogs folder is related to a backdoor infection. Your computer has been accessed. All your passwords and sensitive security information have been looked at from an outside source. If your computer is/was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information.

The only way you can be certain the infection is gone is a format and re-installation.

Having said that, you may have stopped it with the actions you took. We can continue the cleaning process if you wish.

If you do want to continue with cleaning then:

Please download Farbar Recovery Scan Tool from here and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called (FRST.txt) in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run, it also makes another log (Addition.txt). Please also paste that into your reply.

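Added example, not from this thread and not part of Farbar's own tooling: a Python triage pass over an FRST.txt in the layout the scan request above produces. It pulls out what a helper looks at first in such a log: targets the tool marks absent with [X] or No File, entries with no publisher, service files noted as [File not signed], and executables running from user-writable folders such as AppData\Roaming (where the dclogs folder was found). The sample log is constructed in that format, with section headings and line shapes modelled on the log posted later in the thread, and the AppData entry is made up to exercise the path rule.

```python
import re
from dataclasses import dataclass

# Constructed sample in the FRST.txt layout shown in this thread; not a real scan result.
# The AppData\Roaming entry is made up to exercise the user-writable-path rule.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe
() C:\Users\Caroline 2\AppData\Roaming\sample\sample.exe
==================== Registry (Whitelisted) ==================
HKLM-x32\...\Run: [Super-Charger] => C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe [490480 2013-08-13] (MSI)
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
==================== Services (Whitelisted) =================
R2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2014-08-22] (Hi-Rez Studios) [File not signed]
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
==================== Drivers (Whitelisted) ====================
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
R1 wStLibG64; C:\Windows\System32\drivers\wStLibG64.sys [61120 2014-04-15] (StdLib)
"""

SECTION_RE = re.compile(r"^=+ (.*?) =+$")
# Process lines: "(Publisher) C:\path\file.exe"; an empty "()" means FRST found no version info.
PROCESS_RE = re.compile(r"^\((?P<company>[^)]*)\) (?P<path>[A-Za-z]:\\.*)$")
# Run keys: "HKLM...\Run: [Name] => path [size date] (Publisher)"
RUN_RE = re.compile(r"^HK[^:]*\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
# Services and drivers: "R2 Name; path [size date] (Publisher) [File not signed]"
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<rest>.*)$")
# Trailing publisher and optional signature note at the end of an entry.
COMPANY_RE = re.compile(r"\((?P<company>[^()]*)\)\s*(?P<unsigned>\[File not signed\])?$")
# Folders an ordinary user can write to; legitimate services and drivers rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _path_findings(section, path, line):
    if any(marker in path.lower() for marker in USER_WRITABLE):
        yield Finding(section, "user-writable location", line)


def _company_findings(section, rest, line):
    m = COMPANY_RE.search(rest)
    if m is None or not m.group("company").strip():
        yield Finding(section, "no publisher", line)
    if m is not None and m.group("unsigned"):
        yield Finding(section, "file not signed", line)


def triage(text):
    """Walk an FRST.txt and return the entries a reviewer should look at first."""
    findings = []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # FRST marks entries whose target file is absent with [X] or "No File".
        if "[X]" in line or "No File" in line:
            findings.append(Finding(section, "file missing", line))
            continue
        if section.startswith("Processes"):
            m = PROCESS_RE.match(line)
            if m:
                if not m.group("company").strip():
                    findings.append(Finding(section, "no publisher", line))
                findings.extend(_path_findings(section, m.group("path"), line))
        elif section.startswith(("Registry", "Services", "Drivers")):
            m = (RUN_RE if section.startswith("Registry") else SVC_RE).match(line)
            if m:
                rest = m.group("rest")
                findings.extend(_path_findings(section, rest.split(" [", 1)[0], line))
                findings.extend(_company_findings(section, rest, line))
    return findings


def summarize(findings):
    """Count findings per reason so the noisy categories stand out at a glance."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts
```

A flagged entry is a starting point for review, not a verdict: a signed vendor file with no version info (the NETGEAR service above) is common, while an unsigned executable in AppData is the kind of line worth checking first.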

#3 UniClad (Topic Starter, New Member, 9 posts)

Alright, thank you! I have downloaded and scanned using the software you linked.

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-11-2014 01

Ran by Caroline 2 (administrator) on CAROLINE-PC on 24-11-2014 19:52:35
Running from C:\Users\Caroline 2\Desktop
Loaded Profile: Caroline 2 (Available profiles: Caroline 2)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
(AMD) C:\Windows\System32\atieclxx.exe
(IObit) C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files (x86)\MSI\ControlCenter\Sleep\MSISleepService.exe
(MSI) C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe
(MSI) C:\Program Files (x86)\MSI\Super-Charger\ChargeService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
() C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Wacom Technology) C:\Program Files\Tablet\Pen\WacomHost.exe
() C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
() C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(MSI) C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Micro-Star INT'L CO.,LTD.) C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(IObit) C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [THXCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Super-Charger] => C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe [490480 2013-08-13] (MSI)
HKLM-x32\...\Run: [Fast Boot] => C:\Program Files (x86)\MSI\Fast Boot\StartFastBoot.exe [764472 2012-09-19] ()
HKLM-x32\...\Run: [THX Audio Control Panel] => C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe [1517056 2011-08-29] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [ControlCenterCount] => C:\Program Files (x86)\MSI\ControlCenter\ControlCenterCount.exe [872448 2012-03-26] (MSI CO.,LTD.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LiveUpdate 5] => C:\Program Files (x86)\MSI\Live Update 5\BootStartLiveupdate.exe [322544 2014-03-05] ()
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [IObit Malware Fighter] => C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe [1802048 2014-10-13] (IObit)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNA3100 Genie.lnk
ShortcutTarget: NETGEAR WNA3100 Genie.lnk -> C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SteelSeries Engine 3.lnk
ShortcutTarget: SteelSeries Engine 3.lnk -> C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe ()
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearc...r=204695463&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearc...r=204695463&ir=
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (IObit)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Ads Removal -> {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} -> C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll (Adblock)
BHO-x32: No Name -> {A817C286-3D6B-4ECD-A99C-E44E50DBC523} ->  No File
BHO-x32: Advanced SystemCare Surfing Protection -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll (IObit)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_223.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
FF Plugin-x32: @esn/npbattlelog,version=2.3.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.2\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
 
Chrome: 
=======
CHR Profile: C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-23]
CHR Extension: (Google Drive) - C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-23]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-23]
CHR Extension: (YouTube) - C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-23]
CHR Extension: (Google Search) - C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-23]
CHR Extension: (Google Wallet) - C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-23]
CHR Extension: (Gmail) - C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-23]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdvancedSystemCareService8; C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe [815392 2014-11-04] (IObit)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-09-11] (Advanced Micro Devices, Inc.) [File not signed]
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [107552 2014-08-07] (EasyAntiCheat Ltd)
R2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2014-08-22] (Hi-Rez Studios) [File not signed]
R2 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [344896 2014-09-30] (IObit)
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2630432 2014-11-04] (IObit)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 MSISleep; C:\Program Files (x86)\MSI\ControlCenter\Sleep\MSISleepService.exe [282624 2013-04-29] () [File not signed]
R2 MSI_FastBoot; C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe [103992 2012-10-26] (MSI)
R2 MSI_SuperCharger; C:\Program Files (x86)\MSI\Super-Charger\ChargeService.exe [161776 2013-08-19] (MSI)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WSWNA3100; C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [307928 2013-11-11] ()
R2 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [656664 2014-08-19] (Wacom Technology, Corp.)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [42240 2013-07-31] (Advanced Micro Devices)
R3 FileMonitor; C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [23048 2013-03-23] (IObit)
S3 massfilter_hs; C:\Windows\system32\drivers\massfilter_hs.sys [20232 2014-04-01] (HandSet Incorporated)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-11-24] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 NPF; C:\Windows\System32\DRIVERS\npf.sys [47632 2010-02-03] (CACE Technologies, Inc.)
S3 NTIOLib_1_0_2; C:\Program Files (x86)\MSI\ControlCenter\NTIOLib_X64.sys [13328 2012-02-14] (MSI)
R3 NTIOLib_1_0_3; C:\Program Files (x86)\MSI\Super-Charger\NTIOLib_X64.sys [13368 2012-10-25] (MSI)
S3 NTIOLib_1_0_4; C:\Program Files (x86)\MSI\Live Update 5\NTIOLib_X64.sys [14136 2010-10-22] (MSI)
R3 NTIOLib_FastBoot; C:\Program Files (x86)\MSI\Fast Boot\NTIOLib_X64.sys [13368 2012-10-26] (MSI)
R3 NTIOLib_MSISMB_CC; C:\Program Files (x86)\MSI\ControlCenter\Sleep\NTIOLib_X64.sys [13368 2012-11-09] (MSI)
R3 RegFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [34848 2013-11-19] (IObit.com)
R3 SAlphamHid; C:\Windows\System32\DRIVERS\SAlpham64.sys [38016 2013-05-31] (SteelSeries Corporation)
R3 Sftfs; C:\Windows\System32\DRIVERS\Sftfswin7.sys [768680 2013-06-26] (Microsoft Corporation)
R3 Sftplay; C:\Windows\System32\DRIVERS\Sftplaywin7.sys [273576 2013-06-26] (Microsoft Corporation)
R3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirwin7.sys [29352 2013-06-26] (Microsoft Corporation)
R3 Sftvol; C:\Windows\System32\DRIVERS\Sftvolwin7.sys [23208 2013-06-26] (Microsoft Corporation)
R3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [38400 2014-08-13] (SteelSeries ApS)
R3 UrlFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [23016 2013-11-19] (IObit.com)
R1 wStLibG64; C:\Windows\System32\drivers\wStLibG64.sys [61120 2014-04-15] (StdLib)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 MBfilt; system32\drivers\MBfilt64.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
S3 NTIOLib_MSIClock_CC; \??\C:\Program Files (x86)\MSI\CommandCenter\ClockGen\NTIOLib_X64.sys [X]
S3 NTIOLib_MSICOMM_CC; \??\C:\Program Files (x86)\MSI\CommandCenter\NTIOLib_X64.sys [X]
S3 NTIOLib_MSICPU_CC; \??\C:\Program Files (x86)\MSI\CommandCenter\CPU\NTIOLib_X64.sys [X]
S3 NTIOLib_MSIDDR_CC; \??\C:\Program Files (x86)\MSI\CommandCenter\DDR\NTIOLib_X64.sys [X]
S3 NTIOLib_MSIRatio_CC; \??\C:\Program Files (x86)\MSI\CommandCenter\CPU\CPU_Ratio\NTIOLib_X64.sys [X]
S3 NTIOLib_MSISuperIO_CC; \??\C:\Program Files (x86)\MSI\CommandCenter\SuperIO\NTIOLib_X64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-24 19:52 - 2014-11-24 19:52 - 00021187 _____ () C:\Users\Caroline 2\Desktop\FRST.txt
2014-11-24 19:52 - 2014-11-24 19:52 - 00000000 ____D () C:\FRST
2014-11-24 19:51 - 2014-11-24 19:51 - 02118144 _____ (Farbar) C:\Users\Caroline 2\Downloads\FRST64.exe
2014-11-24 19:51 - 2014-11-24 19:51 - 02118144 _____ (Farbar) C:\Users\Caroline 2\Desktop\FRST64.exe
2014-11-24 00:50 - 2014-11-24 00:50 - 00001177 _____ () C:\Users\Public\Desktop\IObit Malware Fighter.lnk
2014-11-24 00:50 - 2014-11-24 00:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Malware Fighter
2014-11-24 00:49 - 2014-11-24 00:49 - 00002864 _____ () C:\Windows\System32\Tasks\ASC8_SkipUac_Caroline 2
2014-11-24 00:44 - 2014-11-05 12:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-24 00:44 - 2014-11-05 12:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-24 00:44 - 2014-11-05 12:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-24 00:19 - 2014-11-24 00:19 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\WTablet
2014-11-23 23:48 - 2014-11-24 00:42 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\Skype
2014-11-23 23:48 - 2014-11-23 23:48 - 00000000 ____D () C:\Users\Caroline 2\AppData\Local\Skype
2014-11-23 21:32 - 2014-11-23 21:32 - 00000000 ____H () C:\Users\Caroline 2\Documents\Default.rdp
2014-11-23 21:23 - 2014-11-24 13:39 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\ProductData
2014-11-23 21:02 - 2014-11-23 21:02 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\WinRAR
2014-11-23 20:53 - 2014-11-24 00:20 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\Wacom
2014-11-23 20:53 - 2014-11-23 20:53 - 00062496 _____ () C:\Users\Caroline 2\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-23 20:53 - 2014-11-23 20:53 - 00001417 _____ () C:\Users\Caroline 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-11-23 20:53 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\ATI
2014-11-23 20:53 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\Apple Computer
2014-11-23 20:53 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\Adobe
2014-11-23 20:53 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2\AppData\Local\Google
2014-11-23 20:53 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2\AppData\Local\ATI
2014-11-23 20:53 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2\AppData\Local\AMD
2014-11-23 20:53 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2\AppData\Local\Adobe
2014-11-23 20:52 - 2014-11-24 00:50 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\IObit
2014-11-23 20:52 - 2014-11-23 20:53 - 00000000 ____D () C:\Users\Caroline 2
2014-11-23 20:52 - 2014-11-23 20:52 - 00000020 ___SH () C:\Users\Caroline 2\ntuser.ini
2014-11-23 20:52 - 2014-11-23 20:52 - 00000000 ____D () C:\Users\Caroline 2\AppData\Local\VirtualStore
2014-11-23 20:52 - 2014-08-21 21:07 - 00000000 ____D () C:\Users\Caroline 2\AppData\Roaming\Macromedia
2014-11-23 20:52 - 2009-07-13 23:54 - 00000000 ___RD () C:\Users\Caroline 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-11-23 20:52 - 2009-07-13 23:49 - 00000000 ___RD () C:\Users\Caroline 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-11-23 19:55 - 2014-11-23 20:11 - 00002181 _____ () C:\Windows\diagerr.xml
2014-11-23 19:55 - 2014-11-23 20:11 - 00001908 _____ () C:\Windows\diagwrn.xml
2014-11-23 18:47 - 2014-11-24 13:42 - 00002188 _____ () C:\Windows\setupact.log
2014-11-23 18:47 - 2014-11-23 20:11 - 00000117 _____ () C:\Windows\setuperr.log
2014-11-23 18:47 - 2014-11-23 18:47 - 00002788 _____ () C:\Windows\PFRO.log
2014-11-23 18:29 - 2014-11-23 18:29 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-23 18:29 - 2014-11-23 18:29 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-23 18:29 - 2014-11-23 18:29 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-23 18:29 - 2014-11-23 18:29 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-23 18:28 - 2014-11-23 18:28 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-23 18:28 - 2014-11-23 18:28 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-23 18:28 - 2014-11-23 18:28 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-23 18:28 - 2014-11-23 18:28 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-23 18:28 - 2014-11-23 18:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-11-23 18:28 - 2014-11-23 18:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-23 18:27 - 2014-11-23 18:27 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-11-23 18:27 - 2014-11-23 18:27 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-11-23 18:25 - 2014-11-23 18:25 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-23 18:24 - 2014-11-23 18:24 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-23 18:24 - 2014-11-23 18:24 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-23 18:24 - 2014-11-23 18:24 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-23 18:24 - 2014-11-23 18:24 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-23 18:23 - 2014-11-23 18:23 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-23 18:22 - 2014-11-23 18:22 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-23 18:22 - 2014-11-23 18:22 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-23 18:21 - 2014-11-23 18:21 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-23 18:21 - 2014-11-23 18:21 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 25110016 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 19781632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 14390272 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 12819456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 06584320 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 05703168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 04298240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 02884096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-23 18:20 - 2014-11-23 18:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-23 18:20 - 2014-11-23 18:20 - 02365440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 02277376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 02124288 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-23 18:20 - 2014-11-23 18:20 - 02051072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-23 18:20 - 2014-11-23 18:20 - 01892864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 01550336 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-23 18:20 - 2014-11-23 18:20 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00799232 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00716800 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-23 18:20 - 2014-11-23 18:20 - 00708096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00388272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00341168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-23 18:20 - 2014-11-23 18:20 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-11-23 18:20 - 2014-11-23 18:20 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-23 18:20 - 2014-11-23 18:20 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-23 18:20 - 2014-11-23 18:20 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-23 18:19 - 2014-11-23 18:19 - 03179520 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-11-23 18:18 - 2014-11-23 18:18 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-11-23 18:18 - 2014-11-23 18:18 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-11-23 18:18 - 2014-11-23 18:18 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-11-23 18:18 - 2014-11-23 18:18 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2014-11-23 18:18 - 2014-11-23 18:18 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-11-23 18:18 - 2014-11-23 18:18 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-11-23 18:16 - 2014-11-23 18:16 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-11-23 18:16 - 2014-11-23 18:16 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2014-11-23 18:14 - 2014-11-23 18:14 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-11-23 18:14 - 2014-11-23 18:14 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2014-11-23 18:14 - 2014-11-23 18:14 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2014-11-23 18:14 - 2014-11-23 18:14 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-11-23 18:14 - 2014-11-23 18:14 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2014-11-23 18:14 - 2014-11-23 18:14 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-11-23 18:13 - 2014-11-23 18:13 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-11-23 18:13 - 2014-11-23 18:13 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-11-23 18:13 - 2014-11-23 18:13 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-11-23 18:13 - 2014-11-23 18:13 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-11-23 18:11 - 2014-11-23 18:11 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-11-23 18:11 - 2014-11-23 18:11 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-11-23 18:10 - 2014-11-23 18:10 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-11-23 18:10 - 2014-11-23 18:10 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2014-11-23 18:08 - 2014-11-23 18:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-11-23 18:08 - 2014-11-23 18:08 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2014-11-23 18:07 - 2014-11-23 18:07 - 14175744 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-11-23 18:07 - 2014-11-23 18:07 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-11-23 18:07 - 2014-11-23 18:07 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-11-23 18:07 - 2014-11-23 18:07 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2014-11-23 18:06 - 2014-11-23 18:06 - 01941504 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-11-23 18:06 - 2014-11-23 18:06 - 01805824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2014-11-23 18:06 - 2014-11-23 18:06 - 01216000 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2014-11-23 18:06 - 2014-11-23 18:06 - 00985536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-11-23 18:06 - 2014-11-23 18:06 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2014-11-23 18:06 - 2014-11-23 18:06 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-11-23 18:06 - 2014-11-23 18:06 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2014-11-23 18:06 - 2014-11-23 18:06 - 00112064 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2014-11-23 18:05 - 2014-11-23 18:05 - 01389208 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2014-11-23 18:05 - 2014-11-23 18:05 - 00619672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardagt.exe
2014-11-23 18:05 - 2014-11-23 18:05 - 00171160 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2014-11-23 18:05 - 2014-11-23 18:05 - 00099480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\infocardapi.dll
2014-11-23 18:05 - 2014-11-23 18:05 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2014-11-23 18:05 - 2014-11-23 18:05 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-11-23 18:05 - 2014-11-23 18:05 - 00008856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardres.dll
2014-11-23 18:05 - 2014-11-23 18:05 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2014-11-23 17:53 - 2014-11-23 17:53 - 62128128 _____ () C:\Windows\system32\config\software.iobit
2014-11-23 17:53 - 2014-11-23 17:53 - 43937792 _____ () C:\Windows\system32\config\components.iobit
2014-11-23 17:53 - 2014-11-23 17:53 - 00229376 _____ () C:\Windows\system32\config\default.iobit
2014-11-23 17:53 - 2014-11-23 17:53 - 00061440 _____ () C:\Windows\system32\config\sam.iobit
2014-11-23 17:53 - 2014-11-23 17:53 - 00024576 _____ () C:\Windows\system32\config\security.iobit
2014-11-23 17:50 - 2014-11-24 00:50 - 00000000 ____D () C:\Program Files (x86)\IObit
2014-11-23 17:50 - 2014-11-23 17:51 - 00000000 ____D () C:\ProgramData\IObit
2014-11-23 17:50 - 2014-11-23 17:50 - 00003172 _____ () C:\Windows\System32\Tasks\ASC8_PerformanceMonitor
2014-11-23 17:50 - 2014-11-23 17:50 - 00002892 _____ () C:\Windows\System32\Tasks\Uninstaller_SkipUac_Caroline
2014-11-23 17:50 - 2014-11-23 17:50 - 00002860 _____ () C:\Windows\System32\Tasks\ASC8_SkipUac_Caroline
2014-11-23 17:50 - 2014-11-23 17:50 - 00000000 ____D () C:\Windows\Tasks\ImCleanDisabled
2014-11-23 17:50 - 2014-11-23 17:50 - 00000000 ____D () C:\ProgramData\ProductData
2014-11-23 17:50 - 2014-11-23 17:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 8
2014-11-23 17:50 - 2014-11-23 17:50 - 00000000 ____D () C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
2014-11-23 17:48 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-11-23 17:48 - 2014-05-14 11:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-11-23 17:48 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2014-11-23 17:48 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-11-23 17:48 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-11-23 17:48 - 2014-05-14 11:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-11-23 17:48 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2014-11-23 17:48 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-11-23 17:48 - 2014-05-14 11:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-11-23 17:48 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2014-11-23 17:48 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-11-23 17:48 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2014-11-23 17:48 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-11-23 17:48 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2014-11-23 13:11 - 2014-11-23 13:53 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-11-23 13:11 - 2014-11-23 13:14 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-11-23 13:11 - 2014-11-23 13:11 - 00001395 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-11-23 13:11 - 2014-11-23 13:11 - 00001383 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-11-23 13:11 - 2014-11-23 13:11 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-11-23 13:11 - 2014-11-23 13:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-11-23 13:11 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2014-11-23 13:03 - 2014-11-23 13:03 - 00003176 _____ () C:\Windows\System32\Tasks\{14D3B192-7E4F-45C2-B643-193F34C6DA53}
2014-11-18 21:39 - 2014-11-18 21:39 - 00000000 ____D () C:\ProgramData\Celavimus
2014-11-18 21:38 - 2014-11-23 02:22 - 00000000 ____D () C:\Program Files (x86)\CEVO
2014-11-18 21:38 - 2014-11-23 01:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CEVO Client
2014-11-06 02:27 - 2014-11-06 02:28 - 00276448 _____ () C:\Windows\Minidump\110614-20498-01.dmp
2014-11-05 22:13 - 2014-11-24 18:43 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-05 22:13 - 2014-11-05 22:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-05 22:13 - 2014-11-05 22:13 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-05 22:13 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-05 22:13 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-03 21:26 - 2014-11-03 21:26 - 00003192 _____ () C:\Windows\System32\Tasks\{5649479F-0928-40C1-A39B-30D4909639B2}
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-24 19:50 - 2014-03-05 09:03 - 01784126 _____ () C:\Windows\WindowsUpdate.log
2014-11-24 19:29 - 2014-03-05 10:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-24 18:56 - 2014-03-05 09:56 - 00000304 _____ () C:\Windows\Tasks\UpdaterEX.job
2014-11-24 14:00 - 2009-07-13 23:45 - 00038384 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-24 14:00 - 2009-07-13 23:45 - 00038384 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-24 13:41 - 2009-07-14 00:13 - 00782744 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-24 13:38 - 2014-04-28 23:57 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-24 13:37 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-24 01:24 - 2014-10-08 06:34 - 00065536 _____ () C:\Windows\system32\spu_storage.bin
2014-11-24 00:47 - 2014-05-07 00:41 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-24 00:47 - 2014-03-05 22:39 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-24 00:47 - 2014-03-05 22:22 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-11-24 00:47 - 2014-03-05 22:22 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-11-24 00:47 - 2014-03-05 22:22 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-11-24 00:47 - 2014-03-05 22:22 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-11-23 20:55 - 2014-03-17 16:22 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-11-23 20:52 - 2014-03-05 23:21 - 00000000 ____D () C:\ProgramData\Origin
2014-11-23 19:03 - 2014-03-05 09:03 - 00000000 __SHD () C:\Recovery
2014-11-23 18:51 - 2014-03-05 23:21 - 00000000 ____D () C:\Program Files (x86)\Origin
2014-11-23 18:48 - 2009-07-13 23:45 - 04995704 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-23 18:47 - 2014-03-06 11:56 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-11-23 18:46 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-11-23 18:09 - 2014-03-05 09:11 - 00774802 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-11-23 17:59 - 2014-06-30 10:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dxtory2.0
2014-11-23 17:59 - 2014-03-06 11:58 - 00000000 ____D () C:\Windows\Panther
2014-11-23 13:04 - 2014-05-24 23:21 - 00000000 ____D () C:\Program Files (x86)\Supraball
2014-11-23 13:04 - 2014-05-24 22:05 - 00000000 ____D () C:\Program Files (x86)\Cube World
2014-11-23 13:02 - 2014-09-06 12:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hi-Rez Studios
2014-11-23 01:06 - 2014-10-08 03:05 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-11-23 01:06 - 2014-06-29 09:31 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2014-11-23 01:06 - 2014-05-03 21:23 - 00000000 ____D () C:\Program Files (x86)\Guild Wars 2
2014-11-23 01:06 - 2014-03-06 10:20 - 00000000 ____D () C:\Program Files\OBS
2014-11-23 01:06 - 2014-03-06 10:20 - 00000000 ____D () C:\Program Files (x86)\OBS
2014-11-23 01:06 - 2014-03-05 23:46 - 00000000 ___HD () C:\ControlCenterCount
2014-11-23 01:06 - 2014-03-05 10:13 - 00000000 ___HD () C:\SuperChargerProfile
2014-11-23 01:06 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\registration
2014-11-13 19:31 - 2014-10-08 03:07 - 00000000 ____D () C:\Program Files (x86)\World of Warcraft
2014-11-13 01:25 - 2014-04-28 23:57 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-13 01:25 - 2014-04-28 23:57 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-13 01:25 - 2014-04-28 23:57 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-12 20:42 - 2014-07-31 18:33 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-11-12 00:29 - 2014-03-05 10:21 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-12 00:29 - 2014-03-05 10:21 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-11-12 00:29 - 2014-03-05 10:21 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-11-08 04:17 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-11-08 02:21 - 2014-04-26 21:14 - 00000000 ____D () C:\ProgramData\savue neeT
2014-11-06 02:27 - 2014-10-08 06:36 - 640604254 _____ () C:\Windows\MEMORY.DMP
2014-11-06 02:27 - 2014-10-08 06:36 - 00000000 ____D () C:\Windows\Minidump
2014-11-05 22:19 - 2014-04-18 21:04 - 00000000 ____D () C:\Windows\PCHEALTH
2014-11-05 22:18 - 2014-07-31 18:15 - 00000000 ____D () C:\Program Files (x86)\globalUpdate
2014-11-05 22:18 - 2014-04-26 21:14 - 00000000 ____D () C:\Program Files (x86)\savue neeT
2014-11-05 22:13 - 2014-03-05 22:36 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-03 21:27 - 2014-03-14 16:42 - 00000000 ____D () C:\Program Files (x86)\NCH Software
2014-11-03 21:20 - 2009-07-14 00:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2014-11-03 21:18 - 2014-03-05 23:24 - 00000000 ____D () C:\Program Files (x86)\Origin Games
2014-11-03 18:37 - 2014-07-23 23:21 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-11-03 18:37 - 2014-07-23 23:21 - 00000000 ____D () C:\Program Files\Java
2014-11-03 18:37 - 2014-03-06 10:02 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-31 23:26 - 2014-03-05 22:39 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-30 06:25 - 2010-11-20 22:27 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
Files to move or delete:
====================
C:\ProgramData\hash.dat
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-15 18:15
 
==================== End Of Log ============================
 
Addition.txt:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-11-2014 01
Ran by Caroline 2 at 2014-11-24 19:53:11
Running from C:\Users\Caroline 2\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: IObit Malware Fighter (Enabled - Up to date) {A751AC20-3B48-5237-898A-78C4436BB78D}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe After Effects CC 2014 (HKLM-x32\...\{2B22C750-5C3B-4738-B621-BA786AC7A494}) (Version: 13.0.2 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19140 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 2.7.1.418 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Media Encoder CC 2014 (HKLM-x32\...\{663DEEEF-EF34-4DCB-8687-73A7AA146E02}) (Version: 8.0.1 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Advanced SystemCare 8 (HKLM-x32\...\Advanced SystemCare 8_is1) (Version: 8.0.3 - IObit)
Age of Empires II: HD Edition (HKLM-x32\...\Steam App 221380) (Version:  - Hidden Path Entertainment, Ensemble Studios)
AMD Catalyst Install Manager (HKLM\...\{C2956908-53A3-88FC-B795-B16508296FC4}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Archeage (HKLM-x32\...\Glyph Archeage) (Version:  - Trion Worlds, Inc.)
Audacity 2.0.5 (HKLM-x32\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
AudibleManager (HKLM-x32\...\AudibleManager) (Version: 1999191294.48.56.5770474 - Audible, Inc.)
AudioGenie (HKLM-x32\...\AudioGenie_is1) (Version:  - msi, Inc.)
Audiosurf (HKLM-x32\...\Steam App 12900) (Version:  - Dylan Fitterer)
Banished (HKLM-x32\...\Steam App 242920) (Version:  - Shining Rock Software LLC)
Banished 1.0 (HKLM-x32\...\Banished 1.0) (Version: 1.0 - Cat-A-Cat)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BattleBlock Theater (HKLM-x32\...\Steam App 238460) (Version:  - The Behemoth)
Battlefield 4™ (HKLM-x32\...\{ABADE36E-EC37-413B-8179-B432AD3FACE7}) (Version: 1.3.2.15221 - Electronic Arts)
Battlelog Web Plugins (HKLM-x32\...\Battlelog Web Plugins) (Version: 2.3.2 - EA Digital Illusions CE AB)
Call of Duty: Advanced Warfare - Multiplayer (HKLM-x32\...\Steam App 209660) (Version:  - Sledgehammer Games)
Call of Duty: Advanced Warfare (HKLM-x32\...\Steam App 209650) (Version:  - Sledgehammer Games)
Call of Duty: Black Ops II - Multiplayer (HKLM-x32\...\Steam App 202990) (Version:  - )
Call of Duty: Black Ops II - Zombies (HKLM-x32\...\Steam App 212910) (Version:  - )
Call of Duty: Modern Warfare 2 - Multiplayer (HKLM-x32\...\Steam App 10190) (Version:  - Infinity Ward)
Camtasia Studio 8 (HKLM-x32\...\{5303CFB5-D635-44F0-A94B-9611E81F07C4}) (Version: 8.3.0.1471 - TechSmith Corporation)
CLICKBIOSII (HKLM-x32\...\{EBCB111F-4907-4B28-BD03-F5BD901106D2}_is1) (Version: 1.0.123 - MSI)
ControlCenter (HKLM-x32\...\{AF14F0CD-5307-4134-BDFA-15974473C1EE}_is1) (Version: 2.5.060 - MSI)
Counter-Strike: Global Offensive (HKLM-x32\...\Steam App 730) (Version:  - Valve)
Counter-Strike: Source (HKLM-x32\...\Steam App 240) (Version:  - Valve)
DayZ (HKLM-x32\...\Steam App 221100) (Version:  - Bohemia Interactive)
Don't Starve (HKLM-x32\...\Steam App 219740) (Version:  - Klei Entertainment)
Dungeon Defenders (HKLM-x32\...\Steam App 65800) (Version:  - Trendy Entertainment)
EA SPORTS™ FIFA 15 (HKLM-x32\...\{3D4ADA2B-F028-4307-ADF4-6F9AA44725DA}) (Version: 1.3.0.0 - Electronic Arts)
EA SPORTS™ FIFA 15 Demo (HKLM-x32\...\{108C0C19-6316-4944-A62F-C744488F8639}) (Version: 1.0.0.0 - Electronic Arts)
EA Sports™ FIFA World (HKLM-x32\...\{8F9AC744-EEF6-43DB-A4B6-FA1A18F1C640}) (Version: 7.0.0.45489 - Electronic Arts, Inc.)
Edge of Space (HKLM-x32\...\Steam App 238240) (Version:  - Handyman Studios)
Express Burn (HKLM-x32\...\ExpressBurn) (Version: 4.68 - NCH Software)
Fast Boot (HKLM-x32\...\{0F212E7A-65EB-4668-A8D7-749026A64F8E}_is1) (Version: 1.0.0.9 - MSI)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
Garry's Mod (HKLM-x32\...\Steam App 4000) (Version:  - Facepunch Studios)
Glyph (HKLM-x32\...\Glyph) (Version:  - Trion Worlds, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.62 - Google Inc.)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Guild Wars 2 (HKLM-x32\...\Guild Wars 2) (Version:  - NCsoft Corporation, Ltd.)
Gyazo 2.0.2 (HKLM-x32\...\{6DB8C365-E719-4BA5-9594-10DFC244D3FD}_is1) (Version:  - Nota Inc.)
Hi-Rez Studios Authenticate and Update Service (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}) (Version: 3.0.0.0 - Hi-Rez Studios)
HP Deskjet 1510 series Basic Device Software (HKLM\...\{C9064E5C-D5AB-4EEB-86A6-50756901038A}) (Version: 32.0.1180.44630 - Hewlett-Packard Co.)
HP Deskjet 1510 series Help (HKLM-x32\...\{2E25FCEB-EFCB-4696-AA01-D3CBAC721831}) (Version: 30.0.0 - Hewlett Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
IObit Malware Fighter (HKLM-x32\...\IObit Malware Fighter_is1) (Version: 2.5 - IObit)
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 4.1.5.24 - IObit)
Java 7 Update 65 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417065FF}) (Version: 7.0.650 - Oracle)
Java 8 Update 25 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418025F0}) (Version: 8.0.250 - Oracle Corporation)
League of Legends (HKLM-x32\...\League of Legends 3.0.1) (Version: 3.0.1 - Riot Games)
League of Legends (x32 Version: 3.0.1 - Riot Games) Hidden
Live Update 5 (HKLM-x32\...\{E8BAA541-D161-4C9B-85BF-01F05A56BD7F}}_is1) (Version: 5.0.114 - MSI)
Magic 2014  (HKLM-x32\...\Steam App 213850) (Version:  - Stainless Games)
Magicite version 1.3 (HKLM-x32\...\Magicite_is1) (Version: 1.3 - GMT-MAX.ORG)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.6122.5000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.7122.5000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Mount Your Friends (HKLM-x32\...\Steam App 296470) (Version:  - Stegersaurus Software Inc.)
MSVCRT Redists (Version: 1.0 - Sony Creative Software Inc.) Hidden
Mumble 1.2.7 (HKLM-x32\...\{CF8BBFA2-5502-4904-A9E9-8D5CAA8DF785}) (Version: 1.2.7 - Thorvald Natvig)
NETGEAR WNA3100 wireless USB 2.0 adapter (HKLM-x32\...\{C2425F91-1F7B-4037-9A05-9F290184798D}) (Version: 2.2.0.2 - NETGEAR)
Nuclear Throne (HKLM-x32\...\Steam App 242680) (Version:  - Vlambeer)
Open Broadcaster Software (HKLM-x32\...\Open Broadcaster Software) (Version:  - )
Origin (HKLM-x32\...\Origin) (Version: 9.4.5.195 - Electronic Arts, Inc.)
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Peggle (HKLM-x32\...\{715AD72D-887A-459E-988B-D4F3E87FA24B}) (Version: 1.04.0.0 - PopCap Games)
Pixel Piracy (HKLM-x32\...\Steam App 264140) (Version:  - Vitali Kirpu)
Portal 2 (HKLM-x32\...\Steam App 620) (Version:  - Valve)
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realm of the Mad God (HKLM-x32\...\Steam App 200210) (Version:  - Wild Shadow Studios)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.72.410.2013 - Realtek)
Risk of Rain (HKLM-x32\...\Steam App 248820) (Version:  - )
Rust (HKLM-x32\...\Steam App 252490) (Version:  - Facepunch Studios)
Skype™ 6.21 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
Sniper Elite V2 (HKLM-x32\...\Steam App 63380) (Version:  - Rebellion)
Sonic & All-Stars Racing Transformed (HKLM-x32\...\Steam App 212480) (Version:  - Sumo Digital)
Source Filmmaker (HKLM-x32\...\Steam App 1840) (Version:  - Valve)
SpeedRunners (HKLM-x32\...\Steam App 207140) (Version:  - DoubleDutch Games)
Spelunky (HKLM-x32\...\Steam App 239350) (Version:  - )
Spiral Knights (HKLM-x32\...\Steam App 99900) (Version:  - Three Rings)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Starbound (HKLM-x32\...\Steam App 211820) (Version:  - )
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
SteelSeries Engine (HKLM\...\SteelSeries Engine) (Version: 2.8.171.34768 - SteelSeries)
SteelSeries Engine 3.2.9 (HKLM\...\SteelSeries Engine 3) (Version: 3.2.9 - SteelSeries ApS)
Super Meat Boy (HKLM-x32\...\Steam App 40800) (Version:  - Team Meat)
Super-Charger (HKLM-x32\...\{7CDF10DD-A9B5-4DA3-AB95-E193248D4369}_is1) (Version: 1.2.019 - MSI)
Surfing Protection (HKLM-x32\...\IObit Surfing Protection_is1) (Version: 1.2 - IObit)
Team Fortress 2 (HKLM-x32\...\Steam App 440) (Version:  - Valve)
Terraria (HKLM-x32\...\Steam App 105600) (Version:  - Re-Logic)
The Binding of Isaac (HKLM-x32\...\Steam App 113200) (Version:  - Edmund McMillen and Florian Himsl)
The Binding of Isaac: Rebirth (HKLM-x32\...\Steam App 250900) (Version:  - Nicalis, Inc.)
The Crew (Beta) (HKLM-x32\...\Uplay Install 750) (Version:  - Ubisoft)
The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version:  - Bethesda Game Studios)
THX TruStudio Pro (HKLM-x32\...\{4FA6CB9A-2972-4AAF-A36E-3C40FCC22395}) (Version: 1.04.03 - Creative Technology Limited)
TweetDeck (HKLM-x32\...\{C4ADB67B-C908-4D94-B85E-585D2F3F9118}) (Version: 3.3.7 - Twitter)
Unturned (HKLM-x32\...\Steam App 304930) (Version:  - Nelson Sexton)
Uplay (HKLM-x32\...\Uplay) (Version: 4.7 - Ubisoft)
Vegas Pro 13.0 (64-bit) (HKLM\...\{D0360940-CCC6-11E3-B9C6-F04DA23A5C58}) (Version: 13.0.310 - Sony)
Wacom (HKLM\...\Pen Tablet Driver) (Version: 5.3.5-3 - Wacom Technology Corp.)
WebTablet FB Plugin 32 bit (HKLM-x32\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.7 - Wacom Technology Corp.)
WebTablet FB Plugin 64 bit (HKLM\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.7 - Wacom Technology Corp.)
WildStar (HKLM-x32\...\WildStar) (Version:  - NCSOFT)
Winamp (HKLM-x32\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
WinRAR 5.01 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)
ZTE Handset USB Driver (HKLM\...\{01D42BF0-ED08-463f-8A28-99EB6FEE962B}) (Version:  - ZTE Corporation)
ZTE Handset USB Driver (HKLM\...\{D2D77DC2-8299-11D1-8949-444553540000}_is1) (Version: 5.2088.1.A02B06 - ZTE Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
23-11-2014 22:48:05 Windows Update
23-11-2014 23:00:36 Windows Modules Installer
24-11-2014 05:45:32 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {0B236D8C-5BEC-4859-BC2F-6873BEF4E83D} - System32\Tasks\Microsoft\Windows\TabletPC\InputPersonalization => C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe [2009-07-13] (Microsoft Corporation)
Task: {2EB9AD59-2048-4C05-AA4D-A8A4FFC39BD3} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-12] (Adobe Systems Incorporated)
Task: {3A3FCA93-72B1-485E-AE31-EACF9F16EE5F} - System32\Tasks\ASC8_SkipUac_Caroline => C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe [2014-11-07] (IObit)
Task: {731D4060-096B-4DE7-A199-C2A42B8DF597} - System32\Tasks\ASC8_SkipUac_Caroline 2 => C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe [2014-11-07] (IObit)
Task: {823CDA79-A52F-4072-9EA8-847DD5A34DAD} - System32\Tasks\ASC8_PerformanceMonitor => C:\Program Files (x86)\IObit\Advanced SystemCare 8\Monitor.exe [2014-11-10] (IObit)
Task: {8C960315-6C37-40B0-9E8A-33358F32FF2C} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {8CF592DD-35EC-4CBC-9600-E0F7E0650D43} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-28] (Google Inc.)
Task: {9C122977-8BCD-41A1-A495-3BF25E606192} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {BB9A4FF8-192A-4736-B2D9-7CB537283611} - System32\Tasks\Uninstaller_SkipUac_Caroline => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe [2014-11-04] (IObit)
Task: {C9E93993-1192-4FE2-B8F8-E5992787EB16} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {CCB7E950-DA35-4664-B04B-8FA062B136F4} - System32\Tasks\AdobeAAMUpdater-1.0-Caroline-PC-Caroline => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2014-02-27] (Adobe Systems Incorporated)
Task: {DBF556CA-0615-41A3-A244-8EDF985EECF1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-28] (Google Inc.)
Task: {DCD8DDF5-DC82-4CA2-8C3C-2F984E326697} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {F8FB4D18-703C-4C5D-A110-B94E6AFFF0D8} - System32\Tasks\UpdaterEX => C:\Users\Caroline\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Caroline\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
 
==================== Loaded Modules (whitelisted) =============
 
2013-09-11 21:57 - 2013-09-11 21:57 - 00214528 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.PerformanceTuning.dll
2013-07-26 06:59 - 2013-07-26 06:59 - 00814592 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll
2013-07-26 06:59 - 2013-07-26 06:59 - 03650560 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Platform.dll
2014-03-05 23:46 - 2013-04-29 10:12 - 00282624 _____ () C:\Program Files (x86)\MSI\ControlCenter\Sleep\MSISleepService.exe
2014-06-09 18:11 - 2013-11-11 14:10 - 00307928 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe
2014-07-16 10:06 - 2014-07-16 10:06 - 00672416 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
2014-03-05 22:19 - 2010-05-04 11:00 - 00237056 _____ () C:\Windows\SYSTEM32\APOMgr64.DLL
2014-06-09 18:11 - 2013-11-22 18:34 - 08266456 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
2014-09-16 15:09 - 2014-09-16 15:09 - 17422848 _____ () C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
2013-11-15 19:09 - 2013-11-15 19:09 - 00047616 _____ () C:\Program Files\SteelSeries\SteelSeries Engine 3\x2api.dll
2014-08-21 21:06 - 2014-08-19 11:12 - 01356568 _____ () C:\Program Files\Tablet\Pen\libxml2.dll
2013-09-11 21:57 - 2013-09-11 21:57 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2014-11-12 20:42 - 2014-11-11 23:04 - 01408328 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.62\libglesv2.dll
2014-11-12 20:42 - 2014-11-11 23:03 - 00204616 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.62\libegl.dll
2014-11-12 20:42 - 2014-11-11 23:04 - 10689352 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.62\pdf.dll
2014-11-12 20:42 - 2014-11-11 23:03 - 01856840 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.62\ffmpegsumo.dll
2014-11-12 20:42 - 2014-11-11 23:04 - 26721608 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.62\PepperFlash\pepflashplayer.dll
2014-11-23 17:50 - 2013-10-25 12:08 - 00517408 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare 8\sqlite3.dll
2014-11-23 13:11 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-11-23 13:11 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2014-11-23 13:11 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-11-23 13:11 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2014-11-23 13:11 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2014-06-09 18:11 - 2013-10-30 18:06 - 00380928 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WifiLib.dll
2014-06-09 18:11 - 2013-11-01 16:31 - 00278528 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvcLib.dll
2014-11-24 00:50 - 2013-01-15 18:48 - 00348992 _____ () C:\Program Files (x86)\IObit\IObit Malware Fighter\madExcept_.bpl
2014-11-24 00:50 - 2013-01-15 18:48 - 00183616 _____ () C:\Program Files (x86)\IObit\IObit Malware Fighter\madBasic_.bpl
2014-11-24 00:50 - 2013-01-15 18:48 - 00051008 _____ () C:\Program Files (x86)\IObit\IObit Malware Fighter\madDisAsm_.bpl
2014-11-24 00:50 - 2013-12-12 18:46 - 08001344 _____ () C:\Program Files (x86)\IObit\IObit Malware Fighter\WebUI.dll
2014-11-24 00:50 - 2013-05-16 19:26 - 00182080 _____ () C:\Program Files (x86)\IObit\IObit Malware Fighter\unrar.dll
2014-11-24 00:50 - 2013-10-16 22:17 - 00185168 _____ () C:\Program Files (x86)\IObit\IObit Malware Fighter\libcurl-4.dll
2014-11-24 00:50 - 2013-05-16 19:26 - 00145216 _____ () C:\Program Files (x86)\IObit\IObit Malware Fighter\zlibwapi.dll
2014-11-23 17:50 - 2013-01-15 18:48 - 00348992 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madExcept_.bpl
2014-11-23 17:50 - 2013-01-15 18:48 - 00183616 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madBasic_.bpl
2014-11-23 17:50 - 2013-01-15 18:48 - 00051008 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madDisAsm_.bpl
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-2310810233-3278711678-2536777568-500 - Administrator - Disabled)
Caroline 2 (S-1-5-21-2310810233-3278711678-2536777568-1004 - Administrator - Enabled) => C:\Users\Caroline 2
Guest (S-1-5-21-2310810233-3278711678-2536777568-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2310810233-3278711678-2536777568-1003 - Limited - Enabled)
 
==================== Faulty Device Manager Devices =============
 
Name: PCI Device
Description: PCI Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/24/2014 01:38:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/24/2014 01:12:52 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: Narrator, Version=6.1.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil . Error code = 0x80070020
 
Error: (11/24/2014 01:11:52 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a . Error code = 0x80070020
 
Error: (11/24/2014 01:10:22 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: Microsoft.MediaCenter.UI, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020
 
Error: (11/23/2014 11:27:37 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.
 
Error: (11/23/2014 11:17:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/23/2014 09:32:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/23/2014 08:59:12 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.
 
Error: (11/23/2014 08:55:58 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1533) (User: Caroline-PC)
Description: Windows cannot delete the profile directory C:\Users\Caroline. This error may be caused by files in this directory being used by another program. 
 
 DETAIL - The directory is not empty.
 
Error: (11/23/2014 08:49:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (11/23/2014 11:17:37 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
qknfd
 
Error: (11/23/2014 11:17:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error: 
%%1053
 
Error: (11/23/2014 11:17:20 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.
 
Error: (11/23/2014 09:32:42 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
qknfd
 
Error: (11/23/2014 09:32:21 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error: 
%%1053
 
Error: (11/23/2014 09:32:21 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.
 
Error: (11/23/2014 09:31:24 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:27:23 PM on ‎11/‎23/‎2014 was unexpected.
 
Error: (11/23/2014 08:49:12 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
qknfd
 
Error: (11/23/2014 08:48:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error: 
%%1053
 
Error: (11/23/2014 08:48:31 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.
 
 
Microsoft Office Sessions:
=========================
Error: (11/24/2014 01:38:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/24/2014 01:12:52 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: Narrator, Version=6.1.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil . Error code = 0x80070020 
Narrator, Version=6.1.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil
 
Error: (11/24/2014 01:11:52 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a . Error code = 0x80070020 
Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
 
Error: (11/24/2014 01:10:22 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: Microsoft.MediaCenter.UI, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020 
Microsoft.MediaCenter.UI, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
 
Error: (11/23/2014 11:27:37 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.
 
Error: (11/23/2014 11:17:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/23/2014 09:32:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/23/2014 08:59:12 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.
 
Error: (11/23/2014 08:55:58 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1533) (User: Caroline-PC)
Description: C:\Users\CarolineThe directory is not empty.
 
Error: (11/23/2014 08:49:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
==================== Memory info =========================== 
 
Processor: AMD A10-7850K APU with Radeon™ R7 Graphics 
Percentage of memory in use: 35%
Total physical RAM: 7109.06 MB
Available physical RAM: 4617.29 MB
Total Pagefile: 14216.3 MB
Available Pagefile: 10888.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.41 GB) (Free:557.36 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: E6FE62E9)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

  • 0

#4
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts

Hello UniClad,

Not too much leaping out at me.

I forgot to mention that atieclxx.exe is related to your ATi Graphics card and not part of the infection.

Now

Open notepad.

Please copy the contents of the code box below.

To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad. Save it to the Desktop as fixlist.txt.

Alternatively type the contents of the box into notepad and save it to your desktop as fixlist.txt.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
 

HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearc...r=204695463&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearc...r=204695463&ir=
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (IObit)
BHO-x32: No Name -> {A817C286-3D6B-4ECD-A99C-E44E50DBC523} ->  No File
C:\ProgramData\hash.dat
Task: {F8FB4D18-703C-4C5D-A110-B94E6AFFF0D8} - System32\Tasks\UpdaterEX => C:\Users\Caroline\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Caroline\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

EmptyTemp:

This script is specifically written for the infection on this person's computer. It should NOT be used on another machine. It may cause serious damage, even to the point of rendering the computer unusable.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

After that

Please download AdwCleaner to your desktop (use the Download Now @ BleepingComputer button).

NOTE: If using Internet Explorer and get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs and click on the AdwCleaner icon. AdwCleaner will update itself and then open.


Click on Scan and follow the prompts. It may appear not to be doing anything; please be patient and let it run unhindered. When the "Please uncheck elements you don't want to remove" prompt appears, just go ahead and click on the Clean button and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy and paste it back here. If a report doesn't appear, press the Report button and copy and paste the contents in your next reply.

A copy of the report is also saved in the C:\AdwCleaner folder.

So when you return please post

  • fixlog.txt
  • AdwCleaner log

Edited by emeraldnzl, 24 November 2014 - 09:03 PM.
edited to add explanation about atieclxx.exe

  • 0

#5
UniClad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Thanks! I did what you asked; here are the logs.

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2014 01
Ran by Caroline 2 at 2014-11-24 22:11:03 Run:1
Running from C:\Users\Caroline 2\Desktop
Loaded Profile: Caroline 2 (Available profiles: Caroline 2)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearc...r=204695463&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearc...r=204695463&ir=
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (IObit)
BHO-x32: No Name -> {A817C286-3D6B-4ECD-A99C-E44E50DBC523} ->  No File
C:\ProgramData\hash.dat
Task: {F8FB4D18-703C-4C5D-A110-B94E6AFFF0D8} - System32\Tasks\UpdaterEX => C:\Users\Caroline\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Caroline\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
 
EmptyTemp:
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}" => Key deleted successfully.
"HKCR\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A817C286-3D6B-4ECD-A99C-E44E50DBC523}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{A817C286-3D6B-4ECD-A99C-E44E50DBC523}" => Key not found.
C:\ProgramData\hash.dat => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F8FB4D18-703C-4C5D-A110-B94E6AFFF0D8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F8FB4D18-703C-4C5D-A110-B94E6AFFF0D8}" => Key deleted successfully.
C:\Windows\System32\Tasks\UpdaterEX => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdaterEX" => Key deleted successfully.
C:\Windows\Tasks\UpdaterEX.job => Moved successfully.
EmptyTemp: => Removed 85.2 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====
 
AdWCleaner log:
 
# AdwCleaner v3.022 - Report created 29/03/2014 at 12:55:07
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Caroline - CAROLINE-PC
# Running from : C:\Users\Caroline\Downloads\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : IePluginService
Service Deleted : Wpm
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\IePluginService
Folder Deleted : C:\ProgramData\WPM
Folder Deleted : C:\Program Files (x86)\SupTab
Folder Deleted : C:\Users\Caroline\AppData\Local\Mobogenie
Folder Deleted : C:\Users\Caroline\AppData\LocalLow\Mysearchdial
Folder Deleted : C:\Users\Caroline\AppData\Roaming\Oxy
Folder Deleted : C:\Users\Caroline\AppData\Roaming\SupTab
Folder Deleted : C:\Users\Caroline\AppData\Roaming\UpdaterEX
Folder Deleted : C:\Users\Caroline\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oxy
Folder Deleted : C:\Users\Caroline\Documents\Mobogenie
File Deleted : C:\Users\Caroline\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Caroline\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage
File Deleted : C:\Windows\Tasks\UpdaterEX.job
File Deleted : C:\Windows\System32\Tasks\UpdaterEX
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\esrv.mysearchdialesrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.mysearchdialesrvc.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Escolade
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\UpdaterEX
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\supTab
Key Deleted : HKLM\Software\supWPM
Key Deleted : HKLM\Software\Vittalia
Key Deleted : HKLM\Software\Wpm
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\UpdaterEX
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wpm
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16521
 
 
-\\ Google Chrome v33.0.1750.154
 
[ File : C:\Users\Caroline\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [4220 octets] - [29/03/2014 12:54:19]
AdwCleaner[S0].txt - [3808 octets] - [29/03/2014 12:55:07]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3868 octets] ##########

# AdwCleaner v4.102 - Report created 24/11/2014 at 22:17:45
# Updated 23/11/2014 by Xplode
# Database : 2014-11-24.1 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Caroline 2 - CAROLINE-PC
# Running from : C:\Users\Caroline 2\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : wStLibG64
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\ProgramData\savue neeT
Folder Deleted : C:\ProgramData\b9a0df621b50e5da
Folder Deleted : C:\Program Files (x86)\globalUpdate
Folder Deleted : C:\Program Files (x86)\HulaToo
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Program Files (x86)\savue neeT
Folder Deleted : C:\Users\Administrator\AppData\Local\torch
Folder Deleted : C:\Users\Guest\AppData\Local\torch
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\checkbpdpbmabhdobdlnkhachflngpko
Folder Deleted : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\checkbpdpbmabhdobdlnkhachflngpko
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpcafgceghmilibcnjlbfdfofhgbakcd
Folder Deleted : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpcafgceghmilibcnjlbfdfofhgbakcd
File Deleted : C:\Windows\System32\drivers\wStLibG64.sys
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Conduit
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17420
 
 
-\\ Google Chrome v39.0.2171.62
 
[C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Caroline 2\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [6763 octets] - [29/03/2014 11:54:19]
AdwCleaner[R1].txt - [969 octets] - [29/03/2014 11:57:08]
AdwCleaner[S0].txt - [6343 octets] - [29/03/2014 11:55:07]
AdwCleaner[S1].txt - [989 octets] - [29/03/2014 11:58:11]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6462 octets] ##########
 

  • 0

#6
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts

Making progress. Now for a deeper check:

 

Download Malwarebytes Anti-Rootkit to your desktop from here.

  • Right-Click on the file that was downloaded and choose Run as administrator. Answer Yes if prompted to Allow.
  • Click OK at the installer screen that comes up.
  • The software will be extracted and will open.
  • Click Next at the first screen.
  • The Update Database screen will appear. Click the Update button.
  • Once updated, click the Next button.
  • On the Scan System screen, click the Scan button.
  • Once the scan is finished, click on the Cleanup button to remove any threats and reboot if prompted to do so. If no threats are found just close the programme.
  • If threats were found, then after the reboot, re-run the programme to verify no threats remain. If threats are still detected, click the Cleanup button once more.

Whether threats were found or not there will be a folder named mbar on your desktop. Open this folder and in the list that presents you will find a file named mbar-log-...txt and another named system log.txt. Please open the files one at a time and copy and paste the contents of each back here.

 


  • 0

#7
UniClad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Nothing was found when running the scan.

 

Mbar-log:

 

Malwarebytes Anti-Rootkit BETA 1.08.2.1001
www.malwarebytes.org
 
Database version: v2014.11.25.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17420
Caroline 2 :: CAROLINE-PC [administrator]
 
11/24/2014 10:35:06 PM
mbar-log-2014-11-24 (22-35-06).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 362631
Time elapsed: 6 minute(s), 37 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
System log:
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 11.0.9600.17420
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 3.692000 GHz
Memory total: 7454392320, free: 5136183296
 
Downloaded database version: v2014.11.25.02
Downloaded database version: v2014.11.22.01
=======================================
Initializing...
This version of Malwarebytes Anti-Rootkit requires you to completely exit the Malwarebytes Anti-Malware application to continue.
=======================================
Initializing...
This version of Malwarebytes Anti-Rootkit requires you to completely exit the Malwarebytes Anti-Malware application to continue.
=======================================
Initializing...
------------ Kernel report ------------
     11/24/2014 22:34:57
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\amd_sata.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\amd_xata.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\scmndisp.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\amdxhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\usbfilter.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\SteelBus64.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\amdhub30.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_amd_sata.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\bcmwlhigh664.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\SAlpham64.sys
\SystemRoot\system32\DRIVERS\sshid.sys
\SystemRoot\system32\DRIVERS\hidkmdf.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\Sftvolwin7.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\system32\DRIVERS\Sftfswin7.sys
\SystemRoot\system32\DRIVERS\Sftplaywin7.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\Sftredirwin7.sys
\??\C:\Program Files (x86)\MSI\ControlCenter\Sleep\NTIOLib_X64.sys
\??\C:\Program Files (x86)\MSI\Super-Charger\NTIOLib_X64.sys
\??\C:\Program Files (x86)\MSI\Fast Boot\NTIOLib_X64.sys
\??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys
\??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys
\??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\nsi.dll
\Windows\System32\urlmon.dll
\Windows\System32\ws2_32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\Wldap32.dll
\Windows\System32\iertutil.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\gdi32.dll
\Windows\System32\imm32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\usp10.dll
\Windows\System32\msctf.dll
\Windows\System32\normaliz.dll
\Windows\System32\sechost.dll
\Windows\System32\setupapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\ole32.dll
\Windows\System32\kernel32.dll
\Windows\System32\advapi32.dll
\Windows\System32\shell32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\msvcrt.dll
\Windows\System32\wininet.dll
\Windows\System32\user32.dll
\Windows\System32\psapi.dll
\Windows\System32\difxapi.dll
\Windows\System32\lpk.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\userenv.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\comctl32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\msasn1.dll
\Windows\System32\profapi.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800806d060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006f\
Lower Device Object: 0xfffffa8007a66060
Lower Device Driver Name: \Driver\amd_sata\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800806d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800806db90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800806d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8007ac1ac0, DeviceName: Unknown, DriverName: \Driver\amd_xata\
DevicePointer: 0xfffffa8007a66060, DeviceName: \Device\0000006f\, DriverName: \Driver\amd_sata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: E6FE62E9
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 1953314816
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 

Edited by UniClad, 24 November 2014 - 09:46 PM.

  • 0
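The MBR report in the system log above prints the disk signature, the four primary partition slots and the disk size. One thing a reviewer can do with it is confirm that the table is internally consistent (exactly one active partition, no overlaps, nothing past the end of the disk) and see which sector ranges lie outside any partition, since those are the ranges a physical-sector scan has to cover. The Python below is an added example, not part of Malwarebytes Anti-Rootkit or of this thread; it parses a constructed copy of the lines posted above and performs those checks.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the partition lines from the mbar system log posted above.
MBAR_REPORT = """\
MBR Signature: 55AA
Disk Signature: E6FE62E9

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 1953314816

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes
"""

PART_RE = re.compile(
    r"Partition (\d+) type is (\w+) \(0x([0-9A-Fa-f]+)\)\s+"
    r"Partition is (ACTIVE|NOT ACTIVE)\.\s+"
    r"Partition starts at LBA: (\d+)\s+Numsec = (\d+)"
)
SIZE_RE = re.compile(r"Disk Size: (\d+) bytes")
SECTOR_RE = re.compile(r"Sector size: (\d+) bytes")
MBR_SIG_RE = re.compile(r"MBR Signature: ([0-9A-Fa-f]{4})")


def parse_partitions(report: str) -> List[Dict]:
    """Pull the four primary MBR slots out of the mbar text."""
    parts = []
    for m in PART_RE.finditer(report):
        parts.append({
            "index": int(m.group(1)),
            "kind": m.group(2),
            "type_id": int(m.group(3), 16),
            "active": m.group(4) == "ACTIVE",
            "start": int(m.group(5)),
            "numsec": int(m.group(6)),
        })
    return parts


def analyze(report: str) -> Dict:
    """Consistency checks on the table plus the list of unallocated LBA ranges."""
    parts = parse_partitions(report)
    disk_bytes = int(SIZE_RE.search(report).group(1))
    sector = int(SECTOR_RE.search(report).group(1))
    total = disk_bytes // sector
    sig = MBR_SIG_RE.search(report)
    issues: List[str] = []

    if sig is None or sig.group(1).upper() != "55AA":
        issues.append("MBR boot signature is not 55AA")
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        issues.append(f"expected exactly one ACTIVE partition, found {len(active)}")
    for p in parts:
        if p["type_id"] == 0 and p["numsec"] != 0:
            issues.append(f"partition {p['index']} is type 0x0 but has {p['numsec']} sectors")

    # Walk the used slots in LBA order; sector 0 holds the MBR itself.
    used = sorted((p for p in parts if p["numsec"] > 0), key=lambda p: p["start"])
    gaps: List[Tuple[int, int]] = []
    cursor = 1
    for p in used:
        if p["start"] < cursor:
            issues.append(f"partition {p['index']} overlaps the previous one")
        elif p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        end = p["start"] + p["numsec"]
        if end > total:
            issues.append(f"partition {p['index']} runs past the end of the disk")
        cursor = max(cursor, end)
    if cursor < total:
        gaps.append((cursor, total - cursor))

    return {"sectors_total": total, "partitions": parts, "gaps": gaps,
            "issues": issues, "mbr_signature_ok": "MBR boot signature is not 55AA" not in issues}


if __name__ == "__main__":
    result = analyze(MBAR_REPORT)
    print("sectors on disk:", result["sectors_total"])
    for start, length in result["gaps"]:
        print(f"unallocated: LBA {start} .. {start + length - 1} ({length} sectors)")
    print("issues:", result["issues"] or "none")
```

On the posted table the only unallocated ranges are the 2047 sectors between the MBR and the first partition and 3504 sectors at the end of the disk, both consistent with 1 MiB partition alignment; a table with a second active slot or overlapping ranges would be reported under issues.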

#8
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts

Moving on then:

 

Please download Junkware Removal Tool to your desktop.
 

  • Shut down your protection software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and choose "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next

Please run Farbar Recovery Scan Tool (FRST)

Type or copy and paste the following in the edit box after "Search:".

dclogs;Stolen.Data;

Click the Search Registry button and post the log (Search.txt) it makes to your reply.

When you return please post

  • JRT.txt
  • Search.txt

 


  • 0

#9
UniClad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Here are the logs:

 

JRT.txt

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Ultimate x64
Ran by Caroline 2 on Mon 11/24/2014 at 22:58:25.75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/24/2014 at 23:00:58.99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Search.txt:
 
Farbar Recovery Scan Tool (x64) Version: 23-11-2014 01
Ran by Caroline 2 at 2014-11-24 23:04:33
Running from C:\Users\Caroline 2\Desktop
Boot Mode: Normal
 
================== Search Registry: "dclogs;Stolen.Data" ===========
 
====== End Of Search ======

  • 0

#10
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts

Good results so far. :)

Now

Open notepad.

Please copy the contents of the code box below.

To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it to the Desktop as fixlist.txt.

Alternatively type the contents of the box into notepad and save it to your desktop as fixlist.txt.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
 

Folder:C:\Users\Caroline\AppData\Roaming\dclogs
FindFolder:*dclogs*

This script is specifically written for the infection on this person's computer. It should NOT be used on another machine. It may cause serious damage even to the point of rendering the computer unusable.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

After that

Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla FireFox.

If using Mozilla Firefox you may need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

Disable your security programs.


  • Click the blue Run ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
     then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow/install to install. If your firewall asks whether you want to allow installation, say yes. If asked, click yes to allow the program to run on your computer.
  • Check "Enable detection of potentially unwanted applications"
  • Click on Start and say yes to allow the program to proceed.
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed click "List of found threats" and click again on Copy to clipboard. Open notepad and paste in the clipboard list. Save it as ESET log somewhere that you can find it.
  • After that click the button "Back"
  • Select and check Uninstall application on close and Delete quarantined files.
  • Then click on: Finish
  • Copy and paste the ESET log back here and tell me how your machine is now.

So when you return please post

  • fixlog.txt
  • ESET scan results.
  • and tell me how the computer is

 


  • 0
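The Search Registry step in post #8 and the Folder:/FindFolder: fixlist in post #10 both look for any surviving dclogs folder. As an added example (not FRST's code and not part of the thread), the Python below performs the same case-insensitive wildcard search over a constructed set of profile folders, and additionally reports whether a matched folder has been written to recently, which is the practical test of whether a keylogger is still producing logs after a cleanup. The profile names, file names and timestamps are constructed sample data.

```python
import fnmatch
import os
import tempfile
import time
from typing import Dict, List, Optional


def find_folders(root: str, pattern: str) -> List[Dict]:
    """Walk `root` and return every directory whose name matches `pattern`
    (case-insensitive glob, like FRST's FindFolder:*dclogs*), together with a
    small activity summary: file count and the newest modification time."""
    hits = []
    pattern = pattern.lower()
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not fnmatch.fnmatchcase(d.lower(), pattern):
                continue
            full = os.path.join(dirpath, d)
            files = [os.path.join(full, f) for f in os.listdir(full)
                     if os.path.isfile(os.path.join(full, f))]
            newest = max((os.path.getmtime(f) for f in files), default=None)
            hits.append({"path": full, "files": len(files), "newest_mtime": newest})
    return hits


def still_active(hits: List[Dict], within_hours: float,
                 now: Optional[float] = None) -> List[str]:
    """Paths of matched folders whose newest file is younger than `within_hours`.
    After a cleanup, a log folder that keeps growing means the logger is still running."""
    now = time.time() if now is None else now
    cutoff = now - within_hours * 3600
    return [h["path"] for h in hits
            if h["newest_mtime"] is not None and h["newest_mtime"] >= cutoff]


def build_sample_tree() -> str:
    """Constructed sample: two profiles, one holding a stale dclogs folder
    with two back-dated log files (names and contents are made up)."""
    root = tempfile.mkdtemp(prefix="profiles_")
    old = os.path.join(root, "Caroline", "AppData", "Roaming", "dclogs")
    clean = os.path.join(root, "Caroline 2", "AppData", "Roaming", "Microsoft")
    os.makedirs(old)
    os.makedirs(clean)
    for name in ("2014-11-20.dat", "2014-11-21.dat"):
        with open(os.path.join(old, name), "w") as fh:
            fh.write("constructed sample log\n")
    # Back-date the files so they look like logs written before the cleanup.
    stale = time.time() - 5 * 24 * 3600
    for name in os.listdir(old):
        os.utime(os.path.join(old, name), (stale, stale))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_folders(root, "*dclogs*")
    for h in hits:
        print(f"{h['path']}: {h['files']} file(s)")
    print("written to in the last 24 h:", still_active(hits, 24) or "none")
```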



#11
UniClad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Happy to hear :)

 

fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2014 01

Ran by Caroline 2 at 2014-11-24 23:16:00 Run:2
Running from C:\Users\Caroline 2\Desktop
Loaded Profile: Caroline 2 (Available profiles: Caroline 2)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Folder:C:\Users\Caroline\AppData\Roaming\dclogs
FindFolder:*dclogs*
*****************
 
 
========================= Folder:C:\Users\Caroline\AppData\Roaming\dclogs ========================
 
Directory Not Found
================== FindFolder: "FindFolder:*dclogs*" ===================
 
No folder found
 
==== End of Fixlog ====
 
ESET scan results:
 
C:\AdwCleaner\Quarantine\C\Program Files (x86)\HulaToo\bin\tmp844.tmp.vir a variant of Win32/BrowseFox.H potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\DpInterface32.dll.vir a variant of Win32/Thinknice.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\DpInterface64.dll.vir Win64/Thinknice.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\DpInterfacef32.dll.vir a variant of Win32/Thinknice.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\SearchProtect64.dll.vir a variant of Win64/Thinknice.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\SpAPPSv64.dll.vir a variant of Win64/Thinknice.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\IePluginService\PluginService.exe.vir a variant of Win32/ELEX.AD potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Caroline\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe.vir a variant of Win32/DealPly.S potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Windows\System32\drivers\wStLibG64.sys.vir Win64/Riskware.NetFilter.A application cleaned by deleting - quarantined

  • 0

#12
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts

I am not seeing anything bad. Those found by ESET were already in quarantine.

 

The dclogs one involves a nasty keylogger infection and as I said at the start, the only way you can be absolutely certain it is gone is to format and re-install.

 

Keep a careful watch to see if anything returns and if it does it will be time to follow the re-install route.

 

Before I give you some instructions for clearing away the tools we have been using please tell me how your computer is. :)


  • 0

#13
UniClad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
My computer is fine as of right now. It hasn't been slow nor has anything randomly opened. I haven't logged into anything important yet because I don't know if the virus is truly gone. I've performed full scans on my pc with various programs such as malware, spy bot, and advanced system care and they've all come up clean. However, I don't know if it's just become undetected. At this point I'm worried to do anything on my computer as I don't know if it's truly gone.
  • 0

#14
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts

Hello again UniClad,

 

I think your machine is clean but as I have said previously you can never be entirely sure.

 

If it were me, I would keep alert to any virus warnings and anything different that might be an indication of re-infection.

 

I have seen that infection before associated with uTorrent so I would stay away from the file sharing programs and use common sense when browsing.

 

Now

 

I think you are good to go. :thumbsup:

 

We have a couple of last steps to perform and then you're all set. :)

To clear away the tools we have been using download Delfix from here.

Put a check (tick) in the following boxes:
 

  • Remove disinfection tools
  • Purge System Restore
  • Then click Run

The tool will run for a short time. When completed a notepad window will open with a log. Please copy and paste the log back here.

Any remaining tools may be deleted.

-------------------------------------------------------------------------------------------------------------------

A reminder: remember to re-install (if uninstalled during cleaning), update and turn back on any anti-malware programs you may have turned off during the cleaning process.
-------------------------------------------------------------------------------------------------------------------

Here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article Strong passwords: How to create and use them.

----------------------------------------------------------------------------------------------------------------------

So many of us use Facebook nowadays. Go here for a guide to Facebook security.

-----------------------------------------------------------------------------------------------------------------------

A while back over 100 million Adobe users' e-mail and other information were hacked. Users were asked to change their passwords following the hack and you can go to the link below to check your e-mail to see whether you were one of the 150 million.

https://lastpass.com/adobe/

If you are on the list, all passwords should be changed including those used for banking, email, eBay, paypal and online forums.

------------------------------------------------------------------------------------------------------------------------

Java warning

Java is a popular point of entry to your computer for malicious programs. The United States Department of Homeland Security recommends that computer users disable Java, see here. Unless you need it to run important software, the safest approach is to completely uninstall Java. Where you do require it, the next safest option is to disable it in your browsers until you need it, then enable it.

How to disable Java in your web browser and How to unplug Java from the browser

If you do still need Java then regularly check that it is up to date. Older versions are the most vulnerable to malicious attack.

  • Download Java for Windows
    Reboot your computer.
    You also need to uninstall older versions of Java.
  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.

--------------------------------------------------------------------------------------------------------------------

CryptoLocker Warning

There is a particularly nasty infection out there at the moment.

Go here for information about CryptoLocker Ransomware

Download CryptoPrevent free for home use.

--------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future:

If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > System and Security > Windows Update
    * Under Windows Update click on Turn automatic updating on or off
    * Check items shown to ensure you receive updates automatically. Click OK.

Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

A fun way to check your online safety literacy.

Quiz - getsafeonline

Have a safe and happy computing day!

  • 0
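The two "protect your computer in the future" items in the post above (keep Windows Update automatic, keep only the newest Java) can be audited from a PowerShell prompt instead of clicking through Control Panel. The script below is an added example; it is not code from the post, from Geeks to Go, or from any tool linked there. It assumes an elevated PowerShell prompt on Windows 7 or later, that Java was installed from Oracle's MSI packages (so the name of its Uninstall registry key is the MSI ProductCode that msiexec accepts), that JRE entries are named like "Java 7 Update 71" or "Java(TM) 6 Update 45", and that the Windows Update Agent COM object Microsoft.Update.AutoUpdate is available. The function names are mine.

```powershell
# Added example (not from the post or any linked tool). Run elevated on Windows 7+.

function Test-AutomaticUpdates {
    # IAutomaticUpdatesSettings.NotificationLevel, Windows Update Agent COM API:
    #   0 = not configured, 1 = disabled, 2 = notify before download,
    #   3 = notify before install, 4 = scheduled install (fully automatic)
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $level = [int]$settings.NotificationLevel
    if ($level -eq 4) {
        Write-Host "Windows Update: automatic updating is on (NotificationLevel=4)."
    } else {
        Write-Warning "Windows Update: not fully automatic (NotificationLevel=$level). Turn it on under Control Panel > Windows Update."
    }
    return ($level -eq 4)
}

function Get-InstalledJava {
    # Check both uninstall hives: a 64-bit Windows can carry a 32-bit and a 64-bit JRE.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        # Assumption: JRE entries look like "Java 7 Update 71" / "Java(TM) 6 Update 45".
        # This deliberately skips the "Java Auto Updater" and JavaFX entries.
        Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s+\d+\s+Update\s+\d+' } |
        ForEach-Object {
            # -as returns $null instead of throwing when DisplayVersion is missing or odd
            $v = $_.DisplayVersion -as [version]
            if (-not $v) { $v = [version]'0.0' }
            New-Object PSObject -Property @{
                Name        = $_.DisplayName
                Version     = $v
                ProductCode = $_.PSChildName                # MSI ProductCode GUID (assumption: MSI install)
                Wow64       = ($_.PSPath -match 'WOW6432Node')  # 32-bit JRE on 64-bit Windows
            }
        } |
        Sort-Object Version -Descending
}

function Get-StaleJava {
    # Anything older than the newest installed version is stale. Comparing by version
    # rather than "skip the first row" keeps a same-version 32-bit/64-bit pair intact.
    $all = @(Get-InstalledJava)
    if ($all.Count -eq 0) { return @() }
    $newest = $all[0].Version
    $all | Where-Object { $_.Version -lt $newest }
}

function Uninstall-StaleJava {
    # Supports -WhatIf, so "Uninstall-StaleJava -WhatIf" only lists what would be removed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($j in Get-StaleJava) {
        $args = "/x $($j.ProductCode) /qn /norestart"
        if ($PSCmdlet.ShouldProcess("$($j.Name) ($($j.Version))", "msiexec.exe $args")) {
            Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait
        }
    }
}

# Usage: audit first, review the list, then remove and reboot.
$null = Test-AutomaticUpdates
Get-InstalledJava | Format-Table Name, Version, Wow64, ProductCode -AutoSize
Uninstall-StaleJava -WhatIf     # dry run: prints the msiexec commands
# Uninstall-StaleJava           # actually uninstall the older versions, then reboot
```

Uninstalling by ProductCode through msiexec is what the "Add or Remove Programs" entry does behind the scenes, so the end state matches the manual steps in the post. If Get-InstalledJava returns nothing, Java is not installed, which the post describes as the safest state unless you need it.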

#15
UniClad

UniClad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Thank you! :)

Log:

# DelFix v10.8 - Logfile created 25/11/2014 at 16:37:53
# Updated 29/07/2014 by Xplode
# Username : Caroline 2 - CAROLINE-PC
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Caroline 2\Desktop\mbar
Deleted : C:\Users\Caroline 2\Desktop\Addition.txt
Deleted : C:\Users\Caroline 2\Desktop\Fixlog.txt
Deleted : C:\Users\Caroline 2\Desktop\FRST.txt
Deleted : C:\Users\Caroline 2\Desktop\FRST64.exe
Deleted : C:\Users\Caroline 2\Desktop\JRT.txt
Deleted : C:\Users\Caroline 2\Desktop\Search.txt
Deleted : C:\Users\Caroline 2\Downloads\AdwCleaner.exe
Deleted : C:\Users\Caroline 2\Downloads\FRST64.exe
Deleted : C:\Users\Caroline 2\Downloads\JRT.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Cleaning system restore ...

Deleted : RP #184 [Windows Update | 11/23/2014 22:48:05]
Deleted : RP #185 [Windows Modules Installer | 11/23/2014 23:00:36]
Deleted : RP #186 [Windows Update | 11/24/2014 05:45:32]

New restore point created !

########## - EOF - ##########

  • 0
