Geeks to Go
Multiple malware/adware programs that keep installing each other when

malware spyware adware help! ytdownloader search module plus

#1
smooman
Member, 12 posts

Good afternoon, Gurus of the arcane sciences. A PC that I'm attempting to fix has been afflicted with a terrible curse, and my abilities are not sufficient to cleanse the taint.

I don't know what the owner was doing, but they downloaded something that installed a bunch of random 'booster' and 'optimizer' programs on their computer (Ytdownloader, Search Module Plus, others I uninstalled and can't remember). I tried to remove them through the usual uninstall methods, but they keep repopulating themselves. On top of that, when I try to uninstall them in safe mode, the Windows uninstaller either fails outright or gives me an error because there's 'a conflicting program' or 'no internet connection' and fails to uninstall. As if that isn't enough, these programs have hijacked things in the background and changed system settings. I honestly don't know how many or what they've changed, but I know for sure that Firefox defaults back to this search page:

http://www-searching...a376d5926,&pi=3

It also resets the connection settings to use some 'proxy server' that keeps failing for whatever reason. It adds 'Search Module Plus' to the search engines and replaces it when I delete it. I have to manually go in and change the homepage and the connection settings to 'use no proxy' or I can't use the browser (Firefox/IE). Of course, when I close the browser the settings reset, so I have no idea what to do with that. It has also added a lot of garbage to startup and services in msconfig; see images below:

[Two screenshot attachments of the msconfig Startup and Services entries: pv9653cryqgpmkbzg.jpg, 37y02enk2s67wh6zg.jpg]

Any help you could provide would be greatly appreciated!

--------------------------------------------------------------------------------------------------------------------------------------------------------

Here is my OTL.txt

OTL logfile created on: 1/25/2015 2:44:39 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Clockwork\Downloads
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
8.00 Gb Total Physical Memory | 6.70 Gb Available Physical Memory | 83.75% Memory free
16.00 Gb Paging File | 14.45 Gb Available in Paging File | 90.35% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 500.00 Gb Total Space | 327.17 Gb Free Space | 65.43% Space Free | Partition Type: NTFS
Drive G: | 431.41 Gb Total Space | 431.30 Gb Free Space | 99.97% Space Free | Partition Type: NTFS
 
Computer Name: CLOCKWORK-PC | User Name: Clockwork | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2015/01/25 14:44:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Clockwork\Downloads\OTL.exe
PRC - [2015/01/13 11:43:11 | 000,338,032 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2009/07/13 17:14:19 | 000,264,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\dxdiag.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2015/01/13 11:43:11 | 003,925,104 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2015/01/25 13:59:08 | 002,719,592 | ---- | M] (Search Module Plus Ltd.) [Auto | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdatePlus\smu.exe -- (SMUpdPlus)
SRV:64bit: - [2011/06/09 13:01:00 | 000,555,392 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe -- (EpsonCustomerParticipation)
SRV:64bit: - [2009/07/13 17:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 17:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2015/01/23 14:33:44 | 000,834,752 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2015/01/21 12:30:28 | 000,802,688 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\BattlEye\BEService.exe -- (BEService)
SRV - [2015/01/13 11:43:11 | 000,114,800 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2015/01/01 17:16:11 | 000,174,112 | ---- | M] (EasyAntiCheat Ltd) [On_Demand | Stopped] -- C:\Windows\SysWOW64\EasyAntiCheat.exe -- (EasyAntiCheat)
SRV - [2014/12/13 14:55:02 | 002,968,696 | ---- | M] (MicroTools) [Disabled | Stopped] -- C:\Program Files (x86)\YouTube Downloader Services\P4\youtubeserv.exe -- (YouTubeDownload_P4)
SRV - [2014/10/20 23:51:28 | 002,973,600 | ---- | M] (MicroStudio) [Disabled | Stopped] -- C:\Program Files (x86)\Windows Network Accelerater\v3\winvxm.exe -- (WindowsVNT_R3)
SRV - [2014/04/03 19:21:48 | 000,315,008 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 13:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2015/01/25 13:59:00 | 000,042,856 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdatePlus\smw.sys -- (SMUpdd)
DRV:64bit: - [2015/01/25 13:11:51 | 000,386,680 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2014/07/02 20:49:08 | 000,026,200 | ---- | M] (SplitmediaLabs Limited) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xspltspk.sys -- (XSplit_Dummy)
DRV:64bit: - [2013/05/30 08:16:40 | 000,064,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGSHidFilt.Sys -- (LGSHidFilt)
DRV:64bit: - [2013/04/15 10:51:58 | 000,102,808 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfGSRamd64.sys -- (LADF_RenderOnly)
DRV:64bit: - [2013/04/15 10:51:52 | 000,410,008 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfGSCamd64.sys -- (LADF_CaptureOnly)
DRV:64bit: - [2009/11/23 16:38:00 | 000,016,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGVirHid.sys -- (LGVirHid)
DRV:64bit: - [2009/11/23 16:37:50 | 000,022,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGBusEnum.sys -- (LGBusEnum)
DRV:64bit: - [2009/07/13 17:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 17:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 17:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 17:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 17:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 17:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/13 17:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 12:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 12:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 12:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 12:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 12:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2006/11/28 21:46:20 | 000,043,328 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PCAMp50a64.sys -- (PCAMp50a64)
DRV:64bit: - [2006/11/28 21:46:20 | 000,041,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PCASp50a64.sys -- (PCASp50a64)
DRV - [2015/01/24 02:56:08 | 000,058,728 | ---- | M] (YTDownloader) [Kernel | Auto | Running] -- C:\Program Files (x86)\YTDownloader\sbmntr.sys -- (sbmntr)
DRV - [2009/07/13 17:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://www-searching...q={searchTerms}
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.trovi.com...&UM=8&UP=&SSPV=
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 F5 7B ED F4 02 D0 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {CF7CA083-9219-4904-8F3F-183BB6CDEEC5}
IE - HKCU\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://www-searching...q={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www-searching...q={searchTerms}
IE - HKCU\..\SearchScopes\{068D1032-D786-41AD-AB67-E90C796355B4}: "URL" = http://www.google.co...utputEncoding?}
IE - HKCU\..\SearchScopes\{28074A22-926F-43D0-8258-DA9A47782D73}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://www-searching...q={searchTerms}
IE - HKCU\..\SearchScopes\{CF7CA083-9219-4904-8F3F-183BB6CDEEC5}: "URL" = http://www.trovi.com...rchTerms}&SSPV=
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "Startpage HTTPS"
FF - prefs.js..browser.search.highlightCount: 0
FF - prefs.js..browser.search.isUS: true
FF - prefs.js..browser.search.selectedEngine: "Trovi search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.trovi.com...UM=8&UP=&SSPV="
FF - prefs.js..extensions.enabledAddons: %7Bbee6eb20-01e0-ebd1-da83-080329fb9a3a%7D:1.65
FF - prefs.js..extensions.enabledAddons: %7B94284f0b-b82a-f31b-9e12-76e8dfd5a24d%7D:1.0
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:35.0
FF - prefs.js..keyword.URL: "http://www-searching...aa376d5926,&q="
FF - prefs.js..network.proxy.type: 0
 
FF - user.js..network.proxy.type: 5led", false);user_pref("extensions.autoDisableScopes", 0);
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.31.2: C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.31.2: C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.31.2: C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.31.2: C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll File not found
FF - HKLM\Software\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.3: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{d9a96531-b093-4d07-9e4c-9704a365c441}: C:\Program Files (x86)\Mozilla Firefox\extensions\{d9a96531-b093-4d07-9e4c-9704a365c441}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 31.4.0\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 31.4.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
 
[2014/11/18 08:38:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Extensions
[2015/01/25 14:27:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions
[2015/01/25 14:22:54 | 000,000,000 | ---D | M] ("Zoom It") -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d}
[2015/01/18 23:52:37 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2015/01/25 14:20:38 | 000,000,000 | ---D | M] (Booster Web) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]
[2014/12/13 16:46:07 | 000,026,009 | ---- | M] () (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]
[2015/01/15 10:43:38 | 000,985,112 | ---- | M] () (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2015/01/25 11:25:52 | 000,005,501 | ---- | M] () -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\searchplugins\startpage-https.xml
[2015/01/25 14:12:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2015/01/13 11:43:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2015/01/13 11:43:12 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2009/06/10 13:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe (Logitech Inc.)
O4 - HKLM..\Run: [gmsd_us_138]  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0857202D-2F31-4C23-BAB6-16122231A610}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{13A298C0-0DB3-487E-B605-E22642D83CD1}: DhcpNameServer = 192.168.1.1 68.238.64.12
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell\AutoRun\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell\configure\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell\install\command - "" = E:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2015/01/25 14:29:34 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2015/01/25 14:22:45 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\yuntnani
[2015/01/25 14:22:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FastInternet
[2015/01/25 14:22:35 | 000,000,000 | ---D | C] -- C:\a
[2015/01/25 14:22:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2015/01/25 14:22:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2015/01/25 14:22:04 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YTDownloader
[2015/01/25 14:22:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YTDownloader
[2015/01/25 14:21:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Goobzo
[2015/01/25 14:17:34 | 000,000,000 | ---D | C] -- C:\ProgramData\9c650b94000014ee
[2015/01/25 14:10:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows VXM
[2015/01/25 14:10:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Network Accelerater
[2015/01/25 14:09:59 | 000,000,000 | -HSD | C] -- C:\Users\Clockwork\AppData\Roaming\AnyProtectEx
[2015/01/25 14:09:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Optimizer
[2015/01/25 14:09:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTube Downloader Services
[2015/01/25 14:09:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Software Update Services
[2015/01/25 14:01:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\predm
[2015/01/25 13:56:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2015/01/25 13:55:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VideoLAN
[2015/01/25 13:54:27 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\Booster-Web
[2015/01/25 13:53:39 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\globalUpdate
[2015/01/25 13:53:19 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\BoBrowser
[2015/01/25 13:53:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\turbodiagnosis
[2015/01/25 13:53:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\turbodiagnosis
[2015/01/25 13:52:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\download Manager
[2015/01/25 13:51:48 | 000,000,000 | ---D | C] -- C:\ProgramData\SearchModulePlus
[2015/01/25 13:51:38 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\CrashRpt
[2015/01/25 13:51:05 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\DAT
[2015/01/25 13:11:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
[2015/01/25 13:11:51 | 000,386,680 | ---- | C] (Duplex Secure Ltd.) -- C:\Windows\SysNative\drivers\sptd.sys
[2015/01/25 13:11:51 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\DAEMON Tools Lite
[2015/01/25 13:11:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DAEMON Tools Lite
[2015/01/25 13:10:43 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2015/01/21 09:26:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2015/01/17 03:51:38 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\PhotoScape
[2015/01/13 21:50:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird
[2015/01/13 11:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2015/01/13 01:47:00 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\Yahoo!
[2015/01/13 01:45:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Yahoo!
[2015/01/01 17:46:57 | 000,174,112 | ---- | C] (EasyAntiCheat Ltd) -- C:\Windows\SysWow64\EasyAntiCheat.exe
[2015/01/01 12:16:49 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\capcom
[2014/12/30 10:13:16 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2014/12/29 21:09:23 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\Documents\Larian Studios
[2014/12/29 21:09:17 | 000,518,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XAudio2_7.dll
[2014/12/29 21:09:17 | 000,077,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XAPOFX1_5.dll
[2014/12/29 21:09:16 | 002,526,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_43.dll
[2014/12/29 21:09:16 | 001,907,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dcsx_43.dll
[2014/12/29 21:09:16 | 000,511,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_43.dll
[2014/12/29 21:09:16 | 000,470,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_43.dll
[2014/12/29 21:09:16 | 000,276,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx11_43.dll
[2014/12/29 21:09:16 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx11_43.dll
[2014/12/29 21:09:16 | 000,176,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine3_7.dll
[2014/12/29 21:09:15 | 002,401,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DX9_43.dll
[1 C:\Users\Clockwork\AppData\Local\*.tmp files -> C:\Users\Clockwork\AppData\Local\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2015/01/25 14:35:31 | 000,014,192 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/01/25 14:35:31 | 000,014,192 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/01/25 14:34:45 | 000,778,150 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/01/25 14:34:45 | 000,659,580 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/01/25 14:34:45 | 000,120,508 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/01/25 14:31:00 | 000,000,378 | ---- | M] () -- C:\Windows\tasks\APSnotifierPP1.job
[2015/01/25 14:30:23 | 000,000,960 | ---- | M] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineCore.job
[2015/01/25 14:30:15 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\APSnotifierPP3.job
[2015/01/25 14:30:15 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\APSnotifierPP2.job
[2015/01/25 14:30:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/01/25 14:30:09 | 2146,344,959 | -HS- | M] () -- C:\hiberfil.sys
[2015/01/25 14:24:59 | 000,021,976 | ---- | M] () -- C:\Windows\SysNative\drivers\SPPD.sys
[2015/01/25 14:22:04 | 000,001,953 | ---- | M] () -- C:\Users\Clockwork\Desktop\YTDownloader.lnk
[2015/01/25 14:21:53 | 000,001,613 | ---- | M] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2015/01/25 14:20:20 | 000,000,019 | ---- | M] () -- C:\Windows\SysWow64\39414105.bat
[2015/01/25 14:09:23 | 000,001,901 | ---- | M] () -- C:\Windows\patsearch.bin
[2015/01/25 14:09:22 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_webinstrNHKT_01009.Wdf
[2015/01/25 13:59:53 | 000,001,800 | ---- | M] () -- C:\ProgramData\tempimage.bmp
[2015/01/25 13:58:00 | 000,000,964 | ---- | M] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineUA.job
[2015/01/25 13:56:01 | 000,001,070 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2015/01/25 13:12:01 | 000,001,954 | ---- | M] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2015/01/25 13:11:51 | 000,386,680 | ---- | M] (Duplex Secure Ltd.) -- C:\Windows\SysNative\drivers\sptd.sys
[2015/01/23 12:56:25 | 000,026,109 | ---- | M] () -- C:\Users\Clockwork\Desktop\Untitled attachment 00046.jpg
[2015/01/21 09:25:59 | 000,111,016 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
[2015/01/21 09:25:38 | 000,098,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2015/01/18 01:46:53 | 000,002,114 | ---- | M] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2015/01/17 21:07:32 | 000,701,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2015/01/17 21:07:32 | 000,071,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2015/01/17 17:39:59 | 488,662,232 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2015/01/17 03:52:26 | 000,030,720 | -H-- | M] () -- C:\Users\Clockwork\Desktop\photothumb.db
[2015/01/01 17:16:11 | 000,174,112 | ---- | M] (EasyAntiCheat Ltd) -- C:\Windows\SysWow64\EasyAntiCheat.exe
[2014/12/29 11:48:26 | 000,000,222 | ---- | M] () -- C:\Users\Clockwork\Desktop\Divinity Original Sin.url
[2014/12/27 21:13:02 | 000,000,859 | ---- | M] () -- C:\Users\Clockwork\Desktop\µTorrent.lnk
[2014/12/27 21:13:02 | 000,000,839 | ---- | M] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[1 C:\Users\Clockwork\AppData\Local\*.tmp files -> C:\Users\Clockwork\AppData\Local\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2015/01/25 14:24:59 | 000,021,976 | ---- | C] () -- C:\Windows\SysNative\drivers\SPPD.sys
[2015/01/25 14:22:04 | 000,001,953 | ---- | C] () -- C:\Users\Clockwork\Desktop\YTDownloader.lnk
[2015/01/25 14:20:20 | 000,000,019 | ---- | C] () -- C:\Windows\SysWow64\39414105.bat
[2015/01/25 14:11:01 | 000,000,376 | ---- | C] () -- C:\Windows\tasks\APSnotifierPP3.job
[2015/01/25 14:11:00 | 000,000,376 | ---- | C] () -- C:\Windows\tasks\APSnotifierPP2.job
[2015/01/25 14:10:59 | 000,000,378 | ---- | C] () -- C:\Windows\tasks\APSnotifierPP1.job
[2015/01/25 14:09:23 | 000,001,901 | ---- | C] () -- C:\Windows\patsearch.bin
[2015/01/25 14:09:22 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_webinstrNHKT_01009.Wdf
[2015/01/25 13:59:53 | 000,001,800 | ---- | C] () -- C:\ProgramData\tempimage.bmp
[2015/01/25 13:56:01 | 000,001,070 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2015/01/25 13:53:46 | 000,000,964 | ---- | C] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineUA.job
[2015/01/25 13:53:45 | 000,000,960 | ---- | C] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineCore.job
[2015/01/25 13:12:01 | 000,001,954 | ---- | C] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2015/01/23 12:56:24 | 000,026,109 | ---- | C] () -- C:\Users\Clockwork\Desktop\Untitled attachment 00046.jpg
[2015/01/17 03:52:03 | 000,030,720 | -H-- | C] () -- C:\Users\Clockwork\Desktop\photothumb.db
[2014/12/30 10:13:09 | 488,662,232 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2014/12/29 11:48:26 | 000,000,222 | ---- | C] () -- C:\Users\Clockwork\Desktop\Divinity Original Sin.url
[2014/12/27 21:13:02 | 000,000,859 | ---- | C] () -- C:\Users\Clockwork\Desktop\µTorrent.lnk
[2014/12/27 21:13:02 | 000,000,839 | ---- | C] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2014/11/26 08:30:56 | 000,000,079 | ---- | C] () -- C:\Windows\ENX230.ini
[2014/11/23 10:33:52 | 000,000,976 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/11/21 23:19:09 | 000,771,962 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/11/18 11:51:46 | 000,000,430 | RHS- | C] () -- C:\Users\Clockwork\ntuser.pol
 
========== ZeroAccess Check ==========
 
[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2009/07/13 17:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009/07/13 17:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 17:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
 

 


  • 0



#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Copy the text in the code box by highlighting and Ctrl + c
 
:OTL
IE:64bit: - HKLM\..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://www-searching...q={searchTerms}
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
IE - HKCU\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://www-searching...q={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www-searching...q={searchTerms}
IE - HKCU\..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://www-searching...q={searchTerms}
IE - HKCU\..\SearchScopes\{CF7CA083-9219-4904-8F3F-183BB6CDEEC5}: "URL" = http://www.trovi.com...rchTerms}&SSPV=
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
[2015/01/25 14:22:54 | 000,000,000 | ---D | M] ("Zoom It") -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d}
[2015/01/18 23:52:37 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2015/01/25 14:20:38 | 000,000,000 | ---D | M] (Booster Web) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]
[2014/12/13 16:46:07 | 000,026,009 | ---- | M] () (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]
[2015/01/15 10:43:38 | 000,985,112 | ---- | M] () (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2015/01/25 11:25:52 | 000,005,501 | ---- | M] () -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\searchplugins\startpage-https.xml
FF - prefs.js..browser.search.defaultenginename: "Startpage HTTPS"
FF - prefs.js..browser.search.highlightCount: 0
FF - prefs.js..browser.search.isUS: true
FF - prefs.js..browser.search.selectedEngine: "Trovi search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.trovi.com...UM=8&UP=&SSPV="
FF - prefs.js..extensions.enabledAddons: %7B94284f0b-b82a-f31b-9e12-76e8dfd5a24d%7D:1.0
FF - prefs.js..keyword.URL: "http://www-searching...aa376d5926,&q="
O4 - HKLM..\Run: [gmsd_us_138]  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell\AutoRun\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell\configure\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\Shell\install\command - "" = E:\SETUP.EXE
[2015/01/25 14:22:45 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\yuntnani
[2015/01/25 14:22:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FastInternet
[2015/01/25 14:22:35 | 000,000,000 | ---D | C] -- C:\a
[2015/01/25 14:22:04 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YTDownloader
[2015/01/25 14:22:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YTDownloader
[2015/01/25 14:21:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Goobzo
[2015/01/25 14:17:34 | 000,000,000 | ---D | C] -- C:\ProgramData\9c650b94000014ee
[2015/01/25 14:10:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows VXM
[2015/01/25 14:10:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Network Accelerater
[2015/01/25 14:09:59 | 000,000,000 | -HSD | C] -- C:\Users\Clockwork\AppData\Roaming\AnyProtectEx
[2015/01/25 14:09:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Optimizer
[2015/01/25 14:09:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTube Downloader Services
[2015/01/25 14:09:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Software Update Services
[2015/01/25 14:01:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\predm
[2015/01/25 13:54:27 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\Booster-Web
[2015/01/25 13:53:39 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\globalUpdate
[2015/01/25 13:53:19 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\BoBrowser
[2015/01/25 13:53:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\turbodiagnosis
[2015/01/25 13:53:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\turbodiagnosis
[2015/01/25 13:52:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\download Manager
[2015/01/25 13:51:48 | 000,000,000 | ---D | C] -- C:\ProgramData\SearchModulePlus
[2015/01/25 13:51:38 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\CrashRpt
[2015/01/25 13:51:05 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\DAT
[2015/01/25 14:24:59 | 000,021,976 | ---- | M] () -- C:\Windows\SysNative\drivers\SPPD.sys
[2015/01/25 14:22:04 | 000,001,953 | ---- | M] () -- C:\Users\Clockwork\Desktop\YTDownloader.lnk
[2015/01/25 14:21:53 | 000,001,613 | ---- | M] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2015/01/25 14:31:00 | 000,000,378 | ---- | M] () -- C:\Windows\tasks\APSnotifierPP1.job
[2015/01/25 14:30:23 | 000,000,960 | ---- | M] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineCore.job
[2015/01/25 14:30:15 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\APSnotifierPP3.job
[2015/01/25 14:30:15 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\APSnotifierPP2.job
[2015/01/25 14:20:20 | 000,000,019 | ---- | M] () -- C:\Windows\SysWow64\39414105.bat
[2015/01/25 14:09:23 | 000,001,901 | ---- | M] () -- C:\Windows\patsearch.bin
[2015/01/25 14:09:22 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_webinstrNHKT_01009.Wdf
[2015/01/25 13:59:53 | 000,001,800 | ---- | M] () -- C:\ProgramData\tempimage.bmp
[2015/01/25 13:58:00 | 000,000,964 | ---- | M] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineUA.job


:Files
sc stop SMUpdPlus /c
sc delete SMUpdPlus /c
sc stop SMUpdd /c
sc delete SMUpdd /c
C:\Program Files\Common Files\Goobzo


:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]
 
Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.
It appears that Old Timer is now hiding the log in c:\_OTL\MovedFiles\01252015-some number.log so look there if you don't see it.
 
 

 
Download AdwCleaner to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button, which should say: Download Now @BleepingComputer
 
NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.
 
Close all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).
 
 
Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report in your next reply.
 
The report will be saved in the C:\AdwCleaner folder.
 
 
 
Junkware-Removal-Tool
 
Please download Junkware Removal Tool to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button, which should say: Download Now @Author's site
  • Pause your anti-virus. Close all browsers.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
 
 
 
 
Please download Farbar Recovery Scan Tool and save it to your Desktop. 
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer. 
  • Press Scan button. 
  • It will produce a log called FRST.txt in the same directory the tool is run from.  
  • Please copy and paste log back here. 
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply. 
 
 

  • 1
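The OTL fix above removes three kinds of hijack at once: a WinINet proxy pointing back at the machine itself (127.0.0.1:8877), IE SearchScopes redirected to unwanted engines, and a cluster of files dropped into system locations within a few minutes of each other. The following is an added Python triage helper, not RKinner's script and not part of OTL, AdwCleaner, JRT or FRST; it parses the two OTL line shapes quoted in the fix and flags exactly those three indicators. The allow list of search-engine hosts, the system-directory prefixes and the 30-minute burst window are assumptions chosen for the example; the sample lines are copied from the log and fix quoted in this thread, with the forum's truncated URLs left as they appear, plus one benign created file (ENX230.ini) that sits alone in time.

```python
"""Triage helper for OTL-style log lines (added example, not the tool's own code)."""
import re
from datetime import datetime, timedelta

# OTL file entry: [2015/01/25 14:24:59 | 000,021,976 | ---- | C] () -- C:\...\SPPD.sys
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<op>[MC])\] \((?P<company>[^)]*)\)(?: \([^)]*\))? -- (?P<path>.+)$"
)
# OTL IE registry entry: IE:64bit: - HKLM\...\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;...
REG_RE = re.compile(r'^(?P<scope>IE(?::64bit:)?) - (?P<key>[^:]+): "(?P<name>[^"]*)" = (?P<value>.*)$')
HOST_RE = re.compile(r"^https?://([^/?#]+)", re.IGNORECASE)

# Assumptions for this example: engines the owner actually uses, and the
# directories where unexpected new files matter most.
DEFAULT_ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files", "c:\\programdata\\")
LOOPBACK = ("127.", "localhost")


def parse(log_text):
    """Split OTL output into file entries and IE registry entries; other lines are ignored."""
    files, regs = [], {}
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            files.append({"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                          "size": int(m["size"].replace(",", "")), "attr": m["attr"],
                          "op": m["op"], "company": m["company"], "path": m["path"]})
            continue
        m = REG_RE.match(line)
        if m:
            regs.setdefault((m["scope"], m["key"]), {})[m["name"]] = m["value"]
    return files, regs


def check_proxy(regs):
    """Flag each Internet Settings key where ProxyEnable=1 and the server is on loopback."""
    findings = []
    for (scope, key), values in regs.items():
        if values.get("ProxyEnable") != "1":
            continue
        for entry in values.get("ProxyServer", "").split(";"):
            host = entry.split("=", 1)[-1].split(":", 1)[0].strip().lower()
            if host.startswith(LOOPBACK):
                findings.append(("loopback-proxy", f"{scope} {key} -> {entry}"))
                break
    return findings


def check_search_scopes(regs, allowed_hosts=DEFAULT_ALLOWED_SEARCH_HOSTS):
    """Flag SearchScopes entries whose URL host is not an engine on the allow list."""
    findings = []
    for (scope, key), values in regs.items():
        if "SearchScopes" not in key or "URL" not in values:
            continue
        m = HOST_RE.match(values["URL"])
        host = m.group(1).lower() if m else values["URL"]
        if host not in allowed_hosts:
            findings.append(("unexpected-search-scope", f"{scope} {key} -> {host}"))
    return findings


def check_creation_burst(files, window=timedelta(minutes=30), min_burst=3):
    """Flag files created in system locations when at least min_burst land inside one window."""
    created = sorted((f for f in files if f["op"] == "C"
                      and f["path"].lower().startswith(SYSTEM_PREFIXES)), key=lambda f: f["ts"])
    findings = []
    for f in created:
        near = [g for g in created if abs(g["ts"] - f["ts"]) <= window]
        if len(near) >= min_burst:
            findings.append(("creation-burst", f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['path']}"))
    return findings


def triage(log_text, allowed_hosts=DEFAULT_ALLOWED_SEARCH_HOSTS):
    files, regs = parse(log_text)
    return check_proxy(regs) + check_search_scopes(regs, allowed_hosts) + check_creation_burst(files)


# Sample input: lines copied from the log and fix quoted in this thread, plus ENX230.ini
# as a created-but-isolated control. URLs are truncated exactly as the forum rendered them.
SAMPLE_LOG = r"""
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8877;https=127.0.0.1:8877
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www-searching...q={searchTerms}
IE - HKCU\..\SearchScopes\{CF7CA083-9219-4904-8F3F-183BB6CDEEC5}: "URL" = http://www.trovi.com...rchTerms}&SSPV=
[2015/01/25 14:24:59 | 000,021,976 | ---- | C] () -- C:\Windows\SysNative\drivers\SPPD.sys
[2015/01/25 14:20:20 | 000,000,019 | ---- | C] () -- C:\Windows\SysWow64\39414105.bat
[2015/01/25 14:11:01 | 000,000,376 | ---- | C] () -- C:\Windows\tasks\APSnotifierPP3.job
[2015/01/25 14:09:23 | 000,001,901 | ---- | C] () -- C:\Windows\patsearch.bin
[2015/01/17 21:07:32 | 000,701,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2014/12/29 11:48:26 | 000,000,222 | ---- | C] () -- C:\Users\Clockwork\Desktop\Divinity Original Sin.url
[2014/11/26 08:30:56 | 000,000,079 | ---- | C] () -- C:\Windows\ENX230.ini
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

A loopback proxy on its own is not proof of compromise, since some security products filter browser traffic the same way; the finding is a prompt to identify which process is listening on that port, not a verdict. The burst check is deliberately naive (it keys on creation time and location only), which is why the control file created months earlier is not reported while the four files dropped within sixteen minutes of each other are.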

#3
smooman

smooman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

First of all, RKinner, thank you so much for your quick response to this!

 

OTL:

========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}\ not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CF7CA083-9219-4904-8F3F-183BB6CDEEC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF7CA083-9219-4904-8F3F-183BB6CDEEC5}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d}\modules\tools folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d}\modules folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d}\chrome\skin folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d}\chrome\content folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d}\chrome folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{94284f0b-b82a-f31b-9e12-76e8dfd5a24d} folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\modules\classes\youtube folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\modules\classes folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\modules folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\defaults\preferences folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\defaults folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\skin\icons\options folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\skin\icons folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\skin folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\zh-CN folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\sr folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\pt-BR folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\nl folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\ko-KR folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\ko-KP folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\hu-HU folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\fr-FR folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale\en-US folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\locale folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome\content folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}\chrome folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\smootherweb\tests folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\smootherweb\lib folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\smootherweb\data folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\smootherweb folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\livecharity\data\img folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\livecharity\data\fonts folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\livecharity\data folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\livecharity folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\addon-sdk\lib folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources\addon-sdk folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\resources folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\locale folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\defaults\preferences folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected]\defaults folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected] folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\[email protected] moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi moved successfully.
C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\searchplugins\startpage-https.xml moved successfully.
Prefs.js: "Startpage HTTPS" removed from browser.search.defaultenginename
Prefs.js: 0 removed from browser.search.highlightCount
Prefs.js: true removed from browser.search.isUS
Prefs.js: "Trovi search" removed from browser.search.selectedEngine
Prefs.js: true removed from browser.search.useDBForOrder
Prefs.js: "http://www.trovi.com....UM=8&UP=&SSPV=" removed from browser.startup.homepage
Prefs.js: %7B94284f0b-b82a-f31b-9e12-76e8dfd5a24d%7D:1.0 removed from extensions.enabledAddons
Prefs.js: "http://www-searching....aa376d5926,&q=" removed from keyword.URL
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\gmsd_us_138 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ea149240-a4da-11e4-86b1-806e6f6e6963}\ not found.
File E:\SETUP.EXE not found.
C:\Users\Clockwork\AppData\Local\yuntnani folder moved successfully.
C:\Program Files (x86)\FastInternet folder moved successfully.
C:\a folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YTDownloader folder moved successfully.
C:\Program Files (x86)\YTDownloader folder moved successfully.
C:\Program Files\Common Files\Goobzo\GBUpdatePlus folder moved successfully.
C:\Program Files\Common Files\Goobzo folder moved successfully.
C:\ProgramData\9c650b94000014ee folder moved successfully.
C:\ProgramData\Windows VXM\Images folder moved successfully.
C:\ProgramData\Windows VXM folder moved successfully.
C:\Program Files (x86)\Windows Network Accelerater\v3\config folder moved successfully.
C:\Program Files (x86)\Windows Network Accelerater\v3 folder moved successfully.
C:\Program Files (x86)\Windows Network Accelerater folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\AnyProtectEx\swf folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\AnyProtectEx\scan_results folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\AnyProtectEx\logs folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\AnyProtectEx\language folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\AnyProtectEx\installer folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\AnyProtectEx folder moved successfully.
C:\ProgramData\Optimizer\program folder moved successfully.
C:\ProgramData\Optimizer folder moved successfully.
C:\Program Files (x86)\YouTube Downloader Services\P4\config folder moved successfully.
C:\Program Files (x86)\YouTube Downloader Services\P4 folder moved successfully.
C:\Program Files (x86)\YouTube Downloader Services folder moved successfully.
C:\Program Files (x86)\Software Update Services folder moved successfully.
C:\Program Files (x86)\predm folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\Booster-Web folder moved successfully.
C:\Users\Clockwork\AppData\Local\globalUpdate\CrashReports folder moved successfully.
C:\Users\Clockwork\AppData\Local\globalUpdate folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\pnacl folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Web Applications\_crx_gfmdmibgfbecppaeocifplgmepgcpcbi folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Web Applications folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Storage\ext\cfonhidlapoahmcjpnilgpjjmgnmnnoa\def\GPUCache folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Storage\ext\cfonhidlapoahmcjpnilgpjjmgnmnnoa\def folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Storage\ext\cfonhidlapoahmcjpnilgpjjmgnmnnoa folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Storage\ext folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Storage folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Local Storage folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Local Extension Settings\gfmdmibgfbecppaeocifplgmepgcpcbi folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Local Extension Settings\ebpeonjdeofpjegbdiibbdjlgfohngee folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Local Extension Settings folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\JumpListIcons folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Icons folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\GPUCache folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\pdlpmjkeahlbfeiclkokomifjfnkghpg\1.0.0.9393_0\scripts folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\pdlpmjkeahlbfeiclkokomifjfnkghpg\1.0.0.9393_0 folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\pdlpmjkeahlbfeiclkokomifjfnkghpg folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales\tr folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales\pt folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales\it folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales\fr folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales\es folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales\en folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales\de folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\_locales folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\views folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\scripts\tools folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\scripts\libs folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\scripts\content folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\scripts\background folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\scripts folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\img folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0\css folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi\1.3.0.9509_0 folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\gfmdmibgfbecppaeocifplgmepgcpcbi folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\js\lib\popupResource folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\js\lib folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\js\api folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\js folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\icons\actions folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\icons folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\extensionData\userCode folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\extensionData\plugins folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0\extensionData folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee\1.26.14_0 folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\ebpeonjdeofpjegbdiibbdjlgfohngee folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales\tr folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales\pt folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales\it folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales\fr folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales\es folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales\en folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales\de folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\_locales folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\views folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\styles\fonts folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\styles folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\scripts\libs folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\scripts folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0\img folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa\1.3.0.9509_0 folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions\cfonhidlapoahmcjpnilgpjjmgnmnnoa folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extensions folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extension State folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Extension Rules folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\databases\chrome-extension_ebpeonjdeofpjegbdiibbdjlgfohngee_0 folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\databases folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default\Cache folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data\Default folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser\User Data folder moved successfully.
C:\Users\Clockwork\AppData\Local\BoBrowser folder moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\turbodiagnosis folder moved successfully.
C:\Program Files (x86)\turbodiagnosis folder moved successfully.
C:\Program Files (x86)\download Manager folder moved successfully.
C:\ProgramData\SearchModulePlus folder moved successfully.
C:\Users\Clockwork\AppData\Local\CrashRpt\UnsentCrashReports\YTDi 1.0.0.1_1.0.0.1 folder moved successfully.
C:\Users\Clockwork\AppData\Local\CrashRpt\UnsentCrashReports folder moved successfully.
C:\Users\Clockwork\AppData\Local\CrashRpt folder moved successfully.
C:\Users\Clockwork\AppData\Roaming\DAT folder moved successfully.
C:\Windows\SysNative\drivers\SPPD.sys moved successfully.
C:\Users\Clockwork\Desktop\YTDownloader.lnk moved successfully.
C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk moved successfully.
C:\Windows\Tasks\APSnotifierPP1.job moved successfully.
C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job moved successfully.
C:\Windows\Tasks\APSnotifierPP3.job moved successfully.
C:\Windows\Tasks\APSnotifierPP2.job moved successfully.
C:\Windows\SysWOW64\39414105.bat moved successfully.
C:\Windows\patsearch.bin moved successfully.
C:\Windows\SysNative\drivers\Msft_Kernel_webinstrNHKT_01009.Wdf moved successfully.
C:\ProgramData\tempimage.bmp moved successfully.
C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job moved successfully.
========== COMMANDS ==========
 
[EMPTYFLASH]
 
User: All Users
 
User: Clockwork
->Flash cache emptied: 19799 bytes
 
User: Default
 
User: Default User
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
 
[EMPTYJAVA]
 
User: All Users
 
User: Clockwork
->Java cache emptied: 693437 bytes
 
User: Default
 
User: Default User
 
User: Public
 
Total Java Files Cleaned = 1.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 01252015_155417

ADW Cleaner:

# AdwCleaner v4.109 - Report created 25/01/2015 at 16:13:19
# Updated 24/01/2015 by Xplode
# Database : 2015-01-25.1 [Live]
# Operating System : Windows 7 Ultimate  (64 bits)
# Username : Clockwork - CLOCKWORK-PC
# Running from : C:\Users\Clockwork\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : globalUpdate
[#] Service Deleted : globalUpdatem
[#] Service Deleted : sbmntr
[#] Service Deleted : SMUpdd
[#] Service Deleted : wpnfd_1_10_0_2

***** [ Files / Folders ] *****

File Deleted : C:\Users\CLOCKW~1\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\invalidprefs.js
File Deleted : C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\user.js

***** [ Scheduled Tasks ] *****

Task Deleted : APSnotifierPP1
Task Deleted : APSnotifierPP2
Task Deleted : APSnotifierPP3
Task Deleted : globalUpdateUpdateTaskMachineCore
Task Deleted : globalUpdateUpdateTaskMachineUA
Task Deleted : LaunchSignup
Task Deleted : Smp
Task Deleted : SMupdate1
Task Deleted : YTDownloader
Task Deleted : Run_Bobby_Browser
Task Deleted : YTDownloaderUpd

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
Shortcut Disinfected : C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
Shortcut Disinfected : C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Shortcut Disinfected : C:\Users\Clockwork\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{d9a96531-b093-4d07-9e4c-9704a365c441}]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\wajam.com
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.OneClickCtrl.10
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.Update3WebControl.4
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass.1
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass.1
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc.1.0
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3EBB5099-9732-48AE-B032-58B702D86EEC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3EBB5099-9732-48AE-B032-58B702D86EEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{020B1D4B-5738-4C77-9E19-4F173DD9B486}
Key Deleted : HKCU\Software\AnyProtect
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\GlobalUpdate
Key Deleted : HKCU\Software\Microsoft\KanarCore
Key Deleted : HKCU\Software\TutoTag
Key Deleted : HKCU\Software\StormWatchApp
Key Deleted : HKCU\Software\BoBrowser
Key Deleted : HKCU\Software\YTDownloader
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\BlockAndSurf
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\GlobalUpdate
Key Deleted : HKLM\SOFTWARE\NpApp
Key Deleted : HKLM\SOFTWARE\Tutorials
Key Deleted : HKLM\SOFTWARE\WordProser_1.10.0.2
Key Deleted : HKLM\SOFTWARE\Clara
Key Deleted : HKLM\SOFTWARE\YTDownloader
Key Deleted : HKLM\SOFTWARE\GAMESDESKTOP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader
Key Deleted : [x64] HKLM\SOFTWARE\YTDownloader
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16385

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v35.0 (x86 en-US)

[u3jstsw3.default\prefs.js] - Line Deleted : user_pref("browser.newtab.url", "hxxp://www.trovi.com/?gd=&ctid=CT3331213&octid=EB_ORIGINAL_CTID&ISID=M9B344D50-C2B9-43F9-A0B5-C2CA07F9D5F3&SearchSource=69&CUI=&SSPV=&Lay=1&UM=8&UP=");
[u3jstsw3.default\prefs.js] - Line Deleted : user_pref("browser.startup.homepage", "hxxp://www.trovi.com/?gd=&ctid=CT3331213&octid=EB_ORIGINAL_CTID&ISID=M9B344D50-C2B9-43F9-A0B5-C2CA07F9D5F3&SearchSource=55&CUI=&UM=8&UP=&SSPV=");

-\\ Chromium v


*************************

AdwCleaner[R0].txt - [8803 octets] - [25/01/2015 16:11:42]
AdwCleaner[S0].txt - [9104 octets] - [25/01/2015 16:13:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9164 octets] ##########

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Ultimate x64
Ran by Clockwork on Sun 01/25/2015 at 16:16:50.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110611131165}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110611131165}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/25/2015 at 16:19:30.97
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FRST:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
Ran by Clockwork (administrator) on CLOCKWORK-PC on 25-01-2015 16:22:45
Running from C:\Users\Clockwork\Downloads
Loaded Profiles: Clockwork (Available profiles: Clockwork)
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [12697368 2014-10-14] (Logitech Inc.)
HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\...\Policies\Explorer: [HideSCAHealth] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default
FF DefaultSearchEngine: DuckDuckGo
FF SelectedSearchEngine:
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [802688 2015-01-21] ()
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [174112 2015-01-01] (EasyAntiCheat Ltd)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S2 SMUpdPlus; C:\Program Files\Common Files\Goobzo\GBUpdatePlus\smu.exe /service [X]
S4 WindowsVNT_R3; C:\Program Files (x86)\Windows Network Accelerater\v3\winvxm.exe [X]
S4 YouTubeDownload_P4; C:\Program Files (x86)\YouTube Downloader Services\P4\youtubeserv.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [64280 2013-05-30] (Logitech Inc.)
S3 PCAMp50a64; C:\Windows\System32\Drivers\PCAMp50a64.sys [43328 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
S3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2015-01-25] (Duplex Secure Ltd.)
R3 XSplit_Dummy; C:\Windows\System32\drivers\xspltspk.sys [26200 2014-07-02] (SplitmediaLabs Limited)
U3 aoprqlfx; C:\Windows\System32\Drivers\aoprqlfx.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 WPN111; system32\DRIVERS\WPN111vx.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-25 16:22 - 2015-01-25 16:23 - 00006320 _____ () C:\Users\Clockwork\Downloads\FRST.txt
2015-01-25 16:22 - 2015-01-25 16:22 - 00000000 ____D () C:\FRST
2015-01-25 16:19 - 2015-01-25 16:19 - 00001002 _____ () C:\Users\Clockwork\Desktop\JRT.txt
2015-01-25 16:16 - 2015-01-25 16:16 - 00000000 ____D () C:\Windows\ERUNT
2015-01-25 16:15 - 2015-01-25 16:15 - 00009252 _____ () C:\Users\Clockwork\Desktop\AdwCleaner[S0].txt
2015-01-25 16:11 - 2015-01-25 16:13 - 00000000 ____D () C:\AdwCleaner
2015-01-25 16:05 - 2015-01-25 16:05 - 02129920 _____ (Farbar) C:\Users\Clockwork\Downloads\FRST64.exe
2015-01-25 16:04 - 2015-01-25 16:04 - 01707939 _____ (Thisisu) C:\Users\Clockwork\Downloads\JRT.exe
2015-01-25 16:03 - 2015-01-25 16:03 - 02194432 _____ () C:\Users\Clockwork\Downloads\AdwCleaner.exe
2015-01-25 15:54 - 2015-01-25 15:54 - 00051384 _____ () C:\Users\Clockwork\Desktop\01252015_155417.log
2015-01-25 15:54 - 2015-01-25 15:54 - 00000000 ____D () C:\_OTL
2015-01-25 15:16 - 2015-01-25 15:39 - 140852175 _____ () C:\Users\Clockwork\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe
2015-01-25 14:48 - 2015-01-25 14:48 - 00069662 _____ () C:\Users\Clockwork\Downloads\OTL.Txt
2015-01-25 14:48 - 2015-01-25 14:48 - 00065446 _____ () C:\Users\Clockwork\Downloads\Extras.Txt
2015-01-25 14:44 - 2015-01-25 14:44 - 00602112 _____ (OldTimer Tools) C:\Users\Clockwork\Downloads\OTL.exe
2015-01-25 14:29 - 2015-01-25 14:29 - 00000000 ____D () C:\Windows\pss
2015-01-25 14:22 - 2015-01-25 14:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-01-25 14:22 - 2015-01-25 14:22 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-01-25 14:21 - 2015-01-25 14:21 - 00004280 _____ () C:\Windows\System32\Tasks\SMW_UpdateTask_Time_3131363031343633352d3437415a556c2a3223346c41
2015-01-25 14:21 - 2015-01-25 14:21 - 00003616 _____ () C:\Windows\System32\Tasks\SMWPUpd
2015-01-25 14:10 - 2015-01-25 14:09 - 00613057 _____ (CMI Limited) C:\Users\Clockwork\AppData\Local\nsk258A.tmp
2015-01-25 13:56 - 2015-01-25 13:56 - 00001070 _____ () C:\Users\Public\Desktop\VLC media player.lnk
2015-01-25 13:56 - 2015-01-25 13:56 - 00001070 _____ () C:\ProgramData\Desktop\VLC media player.lnk
2015-01-25 13:56 - 2015-01-25 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-01-25 13:55 - 2015-01-25 13:55 - 00003528 _____ () C:\Windows\System32\Tasks\PastaLeads
2015-01-25 13:55 - 2015-01-25 13:55 - 00000000 ____D () C:\Program Files (x86)\VideoLAN
2015-01-25 13:12 - 2015-01-25 13:12 - 00001954 _____ () C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2015-01-25 13:12 - 2015-01-25 13:12 - 00001954 _____ () C:\ProgramData\Desktop\DAEMON Tools Lite.lnk
2015-01-25 13:11 - 2015-01-25 13:50 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\DAEMON Tools Lite
2015-01-25 13:11 - 2015-01-25 13:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
2015-01-25 13:11 - 2015-01-25 13:11 - 00386680 _____ (Duplex Secure Ltd.) C:\Windows\system32\Drivers\sptd.sys
2015-01-25 13:11 - 2015-01-25 13:11 - 00000000 ____D () C:\Program Files (x86)\DAEMON Tools Lite
2015-01-25 13:10 - 2015-01-25 13:50 - 00000000 ____D () C:\ProgramData\DAEMON Tools Lite
2015-01-25 13:10 - 2015-01-25 13:10 - 13429504 _____ (Disc Soft Ltd) C:\Users\Clockwork\Downloads\DTLite4491-0356.exe
2015-01-24 14:53 - 2015-01-24 14:55 - 00000000 ____D () C:\Users\Clockwork\Downloads\Event_ZEDS_V14
2015-01-24 14:52 - 2015-01-24 14:53 - 28570892 _____ () C:\Users\Clockwork\Downloads\Event_ZEDS_V14.rar
2015-01-17 17:40 - 2015-01-17 17:40 - 00291728 _____ () C:\Windows\Minidump\011715-20826-01.dmp
2015-01-17 03:52 - 2015-01-17 03:52 - 00030720 ____H () C:\Users\Clockwork\Desktop\photothumb.db
2015-01-17 03:51 - 2015-01-17 03:51 - 21360800 _____ (Mooii) C:\Users\Clockwork\Downloads\PhotoScape_V3.7.exe
2015-01-17 03:51 - 2015-01-17 03:51 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\PhotoScape
2015-01-13 21:50 - 2015-01-18 01:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-01-13 11:43 - 2015-01-25 13:54 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-13 01:47 - 2015-01-13 01:47 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Yahoo!
2015-01-13 01:45 - 2015-01-21 23:02 - 00000000 ____D () C:\Program Files (x86)\Yahoo!
2015-01-13 01:44 - 2015-01-13 01:44 - 00691576 _____ (Yahoo! Inc.) C:\Users\Clockwork\Downloads\msgr11us.exe
2015-01-06 13:24 - 2011-01-21 14:30 - 00000000 ____D () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre
2015-01-04 19:20 - 2015-01-04 19:20 - 00291728 _____ () C:\Windows\Minidump\010415-14102-01.dmp
2015-01-04 12:30 - 2015-01-04 13:11 - 125341713 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part4.rar
2015-01-03 21:55 - 2015-01-03 22:46 - 157286400 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part3.rar
2015-01-03 17:48 - 2015-01-03 18:49 - 157286400 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part2.rar
2015-01-03 13:37 - 2015-01-03 14:28 - 157286400 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part1.rar
2015-01-01 17:46 - 2015-01-01 17:16 - 00174112 _____ (EasyAntiCheat Ltd) C:\Windows\SysWOW64\EasyAntiCheat.exe
2015-01-01 12:16 - 2015-01-01 12:16 - 00000000 ____D () C:\Users\Clockwork\AppData\Local\capcom
2014-12-30 10:13 - 2015-01-17 17:40 - 00000000 ____D () C:\Windows\Minidump
2014-12-30 10:13 - 2015-01-17 17:39 - 488662232 _____ () C:\Windows\MEMORY.DMP
2014-12-30 10:13 - 2014-12-30 10:13 - 00291728 _____ () C:\Windows\Minidump\123014-19952-01.dmp
2014-12-29 21:09 - 2014-12-29 21:09 - 00000000 ____D () C:\Users\Clockwork\Documents\Larian Studios
2014-12-29 21:09 - 2010-06-02 04:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2014-12-29 21:09 - 2010-06-02 04:55 - 00176984 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_7.dll
2014-12-29 21:09 - 2010-06-02 04:55 - 00077656 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 02526056 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 02401112 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 01907552 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00511328 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00470880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00276832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2014-12-29 11:48 - 2014-12-29 11:48 - 00000222 _____ () C:\Users\Clockwork\Desktop\Divinity Original Sin.url
2014-12-27 21:13 - 2014-12-27 21:13 - 00000859 _____ () C:\Users\Clockwork\Desktop\µTorrent.lnk
2014-12-27 21:13 - 2014-12-27 21:13 - 00000839 _____ () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2014-12-27 21:11 - 2014-12-27 21:11 - 01688656 _____ (BitTorrent Inc.) C:\Users\Clockwork\Downloads\uTorrent.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-25 16:21 - 2014-11-18 09:02 - 00009503 _____ () C:\Windows\setupact.log
2015-01-25 16:21 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-25 16:20 - 2014-11-17 17:32 - 00268088 _____ () C:\Windows\WindowsUpdate.log
2015-01-25 16:19 - 2009-07-13 21:13 - 00778150 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-25 16:19 - 2009-07-13 20:45 - 00014192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-25 16:19 - 2009-07-13 20:45 - 00014192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-25 16:14 - 2014-12-16 10:14 - 00056250 _____ () C:\Windows\PFRO.log
2015-01-25 16:13 - 2014-11-18 08:38 - 00000815 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-25 16:13 - 2014-11-17 17:34 - 00000931 _____ () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-25 16:13 - 2014-11-17 17:34 - 00000863 _____ () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-01-25 15:15 - 2014-11-18 13:55 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-25 14:22 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\System
2015-01-25 13:49 - 2014-11-14 23:58 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Skype
2015-01-25 13:41 - 2014-11-18 14:05 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-25 13:13 - 2014-11-18 17:06 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\uTorrent
2015-01-24 17:37 - 2014-11-18 14:59 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\TS3Client
2015-01-23 16:34 - 2014-11-18 18:07 - 00000000 ____D () C:\Users\Clockwork\AppData\Local\ArmA 2 OA
2015-01-21 09:27 - 2014-12-12 20:04 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-21 09:26 - 2014-12-12 20:05 - 00000000 ____D () C:\Program Files\Java
2015-01-21 09:26 - 2014-12-12 20:04 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-21 09:25 - 2014-12-12 20:05 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-01-21 09:25 - 2014-12-12 20:04 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-17 21:07 - 2014-11-17 22:35 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-17 21:07 - 2014-11-17 22:35 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-13 01:46 - 2014-11-18 16:48 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bohemia Interactive
2015-01-13 01:46 - 2014-11-17 17:34 - 00000000 ____D () C:\Users\Clockwork\AppData\Local\VirtualStore
2014-12-29 21:09 - 2014-11-18 16:48 - 00045339 _____ () C:\Windows\DirectX.log
2014-12-29 21:08 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-12-29 11:48 - 2014-11-18 15:52 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam

==================== Files in the root of some directories =======

2015-01-25 14:10 - 2015-01-25 14:09 - 0613057 _____ (CMI Limited) C:\Users\Clockwork\AppData\Local\nsk258A.tmp

Some content of TEMP:
====================
C:\Users\Clockwork\AppData\Local\Temp\92972F13-F8BE-181F-217F-BEC5917BA197.dll
C:\Users\Clockwork\AppData\Local\Temp\92972F13-F8BE-181F-217F-BEC5917BA197.exe
C:\Users\Clockwork\AppData\Local\Temp\amisetup0366__11003.exe
C:\Users\Clockwork\AppData\Local\Temp\amisetup0376__11005.exe
C:\Users\Clockwork\AppData\Local\Temp\bitool.dll
C:\Users\Clockwork\AppData\Local\Temp\E255D629-F42E-35CE-0147-CCF769AD8585.exe
C:\Users\Clockwork\AppData\Local\Temp\ICReinstall_Windows 7 Start Orb Changer.exe
C:\Users\Clockwork\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Clockwork\AppData\Local\Temp\nvStInst.exe
C:\Users\Clockwork\AppData\Local\Temp\OnlineBackup.exe
C:\Users\Clockwork\AppData\Local\Temp\Quarantine.exe
C:\Users\Clockwork\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Clockwork\AppData\Local\Temp\sqlite3.dll
C:\Users\Clockwork\AppData\Local\Temp\tu17p84.exe
C:\Users\Clockwork\AppData\Local\Temp\vcredist_x64.exe
C:\Users\Clockwork\AppData\Local\Temp\ytdkiemon_amodk_setup.exe
C:\Users\Clockwork\AppData\Local\Temp\_is5946.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe
[2014-11-18 11:11] - [2009-07-13 17:39] - 2385408 ____A (Microsoft Corporation) E9E1502BE0491855AA9BF2CEEC20AE25

C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-24 11:31

==================== End Of Log ============================
Addition:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-01-2015 01
Ran by Clockwork at 2015-01-25 16:23:19
Running from C:\Users\Clockwork\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\...\uTorrent) (Version: 3.4.2.37594 - BitTorrent Inc.)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Archeage (HKLM-x32\...\Glyph Archeage) (Version:  - Trion Worlds, Inc.)
Arma 2 (HKLM-x32\...\Steam App 33900) (Version:  - Bohemia Interactive)
Arma 2: Operation Arrowhead (HKLM-x32\...\Steam App 33930) (Version:  - Bohemia Interactive)
BattlEye for OA Uninstall (HKLM-x32\...\BattlEye for OA) (Version:  - )
BattlEye Uninstall (HKLM-x32\...\BattlEye for A2) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.49.1.0356 - Disc Soft Ltd)
Divinity: Original Sin (HKLM-x32\...\Steam App 230230) (Version:  - Larian Studios)
DivX H.264 decoder 8.2.0.26 (HKLM-x32\...\divxh264_is1) (Version: 8.2.0.26 - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.0.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{8ED43F7E-A8F6-4898-AF11-B6158F2EDF94}) (Version: 2.50.0000 - SEIKO EPSON CORPORATION)
EPSON NX230 Series Printer Uninstall (HKLM\...\EPSON NX230 Series) (Version:  - SEIKO EPSON Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
Glyph (HKLM-x32\...\Glyph) (Version:  - Trion Worlds, Inc.)
Java 8 Update 31 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418031F0}) (Version: 8.0.310 - Oracle Corporation)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Killing Floor - Toy Master (HKLM-x32\...\Steam App 326960) (Version:  - David Hensley)
Killing Floor (HKLM-x32\...\Steam App 1250) (Version:  - Tripwire Interactive)
Logitech Gaming Software 8.57 (HKLM\...\Logitech Gaming Software) (Version: 8.57.145 - Logitech Inc.)
Lost Planet: Extreme Condition (HKLM-x32\...\Steam App 6510) (Version:  - CAPCOM Co., Ltd.)
Magicite (HKLM-x32\...\Steam App 268750) (Version:  - SmashGames)
MechWarrior Online (HKLM-x32\...\{9f17023b-d04f-432b-b08a-3bb4c3a7ed3c}) (Version: 1.6.0.0 - Piranha Games Inc.)
MechWarrior Online (x32 Version: 1.6.1.0 - Piranha Games Inc.) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.60310.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 35.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 35.0 (x86 en-US)) (Version: 35.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.2.0 - Mozilla)
Mozilla Thunderbird 31.4.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 31.4.0 (x86 en-US)) (Version: 31.4.0 - Mozilla)
MPC-HC 1.7.7 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.7 - MPC-HC Team)
NVIDIA Graphics Driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.12.1031 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.1031 - NVIDIA Corporation)
Rust (HKLM-x32\...\Steam App 252490) (Version:  - Facepunch Studios)
Search Module Plus (HKLM-x32\...\Search Module Plus) (Version:  - Goobzo)
Skype™ 6.22 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.22.105 - Skype Technologies S.A.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Sunrider: Mask of Arcadius (HKLM-x32\...\Steam App 313730) (Version:  - Love in Space)
Team Fortress 2 (HKLM-x32\...\Steam App 440) (Version:  - Valve)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
TeamTalk 4 (HKLM\...\TeamTalk4_is1) (Version:  - BearWare.dk)
TeraCopy 2.3 (HKLM\...\TeraCopy_is1) (Version:  - Code Sector)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WinRAR 5.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)
XSplit Broadcaster (HKLM-x32\...\{6BC12A2C-6B3D-4158-ACCE-C3602F7C6CF3}) (Version: 2.0.1411.1039 - SplitmediaLabs)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

ATTENTION: System Restore is disabled.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {06B5E59C-DD08-4E4D-800E-2A992E1FE96F} - System32\Tasks\{D404FC82-2E27-42B2-B277-E7474FDB76C1} => pcalua.exe -a "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64\CPSetup.exe" -d "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64"
Task: {0A70A148-5C98-42B7-A476-461902DBAFA7} - System32\Tasks\PastaLeads => C:\Program Files (x86)\pastaleads\ScheduledTask.exe
Task: {2FC2E3C6-31F9-4BF1-93EB-F551BC921673} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3 <==== ATTENTION
Task: {5DC96D56-DF29-42F2-9535-BAA4CCBDFD46} - System32\Tasks\SMWPUpd => C:\Program Files\Common Files\Goobzo\GBUpdatePlus\updater.exe <==== ATTENTION
Task: {67C2E7A1-5C85-4ECF-93D5-4407DBD32AC9} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {DAD871FF-F915-4BC9-BAF0-E46F13876136} - System32\Tasks\SMW_UpdateTask_Time_3131363031343633352d3437415a556c2a3223346c41 => Wscript.exe //B "C:\ProgramData\SearchModulePlus\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {E13B7965-FF9E-4DB0-8552-713B26F6EE88} - System32\Tasks\{A929CD59-96EE-4BA7-95EE-A959ABFF50BB} => pcalua.exe -a "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64\setup.exe" -d "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64"
Task: {F307BBC2-92B8-44F6-911F-C23235F6E168} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2 <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2014-11-18 10:11 - 2013-01-31 01:25 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-11-17 21:30 - 2012-01-20 14:55 - 00678400 _____ () C:\Program Files\TeraCopy\TeraCopyExt64.dll
2014-09-17 23:23 - 2014-09-17 23:23 - 00866584 _____ () C:\Program Files\Logitech Gaming Software\libGLESv2.dll
2014-10-14 10:51 - 2014-10-14 10:51 - 01050904 _____ () C:\Program Files\Logitech Gaming Software\platforms\qwindows.dll
2014-09-17 23:23 - 2014-09-17 23:23 - 00059160 _____ () C:\Program Files\Logitech Gaming Software\libEGL.dll
2014-10-14 10:51 - 2014-10-14 10:51 - 00242456 _____ () C:\Program Files\Logitech Gaming Software\imageformats\qjpeg.dll
2015-01-13 11:43 - 2015-01-13 11:43 - 03925104 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: BEService => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\Services: WindowsVNT_R3 => 2
MSCONFIG\Services: YouTubeDownload_P4 => 2
MSCONFIG\startupfolder: C:^Users^Clockwork^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^intr.lnk => C:\Windows\pss\intr.lnk.Startup
MSCONFIG\startupreg: autoauto => 39414105.bat
MSCONFIG\startupreg: cutoauto => C:\a\wincheckfe.exe
MSCONFIG\startupreg: dutoauto => C:\a\wincheckfe.exe
MSCONFIG\startupreg: interpee => C:\a\internetport3.exe
MSCONFIG\startupreg: rutoauto => 39414105.bat
MSCONFIG\startupreg: smoother => C:\Users\Clockwork\AppData\Roaming\Booster-Web\Booster-Web-Installer.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-1414089619-1553986795-2700891581-500 - Administrator - Disabled)
Clockwork (S-1-5-21-1414089619-1553986795-2700891581-1000 - Administrator - Enabled) => C:\Users\Clockwork
Guest (S-1-5-21-1414089619-1553986795-2700891581-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1414089619-1553986795-2700891581-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (01/25/2015 04:21:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Search Module Plus Update service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+
Percentage of memory in use: 15%
Total physical RAM: 8190.55 MB
Available physical RAM: 6928.98 MB
Total Pagefile: 16379.26 MB
Available Pagefile: 14963.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:500 GB) (Free:329.24 GB) NTFS
Drive g: (New Volume) (Fixed) (Total:431.41 GB) (Free:431.3 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 368DFBD2)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=500 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=431.4 GB) - (Type=07 NTFS)

==================== End Of Log ============================
And that's the lot of it, I hope it helps!


#4
RKinner
    Malware Expert
Download the attached fixlist.txt to the same location as FRST.
Run FRST and press Fix.
A fix log will be generated; please post that. Run FRST again, check the Additions box and then Scan. You will get two logs. Post them both.

Download aswMBR.exe to your desktop.
Right-click aswMBR.exe and Run as Administrator.
Uncheck "trace disk IO calls".
Click the "Scan" button to start the scan (Accept the Avast Engine).
On completion of the scan, if the Fix button is enabled (not the FixMBR button), press it, then run a new scan and click "save log"; save it to your desktop and post it in your next reply.
If the Fix button is not enabled, then just click "save log", save it to your desktop and post it in your next reply.

ComboFix

It must be saved to your desktop; do not run it from your browser.

Disable your Antivirus software when downloading or running ComboFix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Turn off your screen saver so you can see what is going on.

Download and Save this file -- to your Desktop -- from either of these two sources:

Right-click on ComboFix and select Run As Administrator to start the program.

    * Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your Browser.
    * A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, ComboFix is still at work.
You should get a log when it finishes. If not, this may mean you have the new version of Zero Access malware, so run ComboFix a second time.
If you still don't get a log, search for Combofix.txt. It is usually at => C:\Combofix\Combofix.txt. I'll need to see that in your reply.
If you get an error about a registry value when you try to run a program, then just reboot to clear it.

#5
smooman
    Member, Topic Starter

All right, in order of request:

FRST (after fixlist.txt):

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-01-2015 01
Ran by Clockwork at 2015-01-25 19:20:17 Run:1
Running from C:\Users\Clockwork\Desktop
Loaded Profiles: Clockwork (Available profiles: Clockwork)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF DefaultSearchEngine: DuckDuckGo
FF SelectedSearchEngine:
S2 SMUpdPlus; C:\Program Files\Common Files\Goobzo\GBUpdatePlus\smu.exe /service [X]
S4 WindowsVNT_R3; C:\Program Files (x86)\Windows Network Accelerater\v3\winvxm.exe [X]
S4 YouTubeDownload_P4; C:\Program Files (x86)\YouTube Downloader Services\P4\youtubeserv.exe [X]
U3 aoprqlfx; C:\Windows\System32\Drivers\aoprqlfx.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 WPN111; system32\DRIVERS\WPN111vx.sys [X]
2015-01-25 14:21 - 2015-01-25 14:21 - 00004280 _____ () C:\Windows\System32\Tasks\SMW_UpdateTask_Time_3131363031343633352d3437415a556c2a3223346c41
2015-01-25 14:21 - 2015-01-25 14:21 - 00003616 _____ () C:\Windows\System32\Tasks\SMWPUpd
2015-01-25 14:10 - 2015-01-25 14:09 - 00613057 _____ (CMI Limited) C:\Users\Clockwork\AppData\Local\nsk258A.tmp
C:\Users\Clockwork\AppData\Local\Temp\92972F13-F8BE-181F-217F-BEC5917BA197.dll
C:\Users\Clockwork\AppData\Local\Temp\92972F13-F8BE-181F-217F-BEC5917BA197.exe
C:\Users\Clockwork\AppData\Local\Temp\amisetup0366__11003.exe
C:\Users\Clockwork\AppData\Local\Temp\amisetup0376__11005.exe
C:\Users\Clockwork\AppData\Local\Temp\bitool.dll
C:\Users\Clockwork\AppData\Local\Temp\E255D629-F42E-35CE-0147-CCF769AD8585.exe
C:\Users\Clockwork\AppData\Local\Temp\ICReinstall_Windows 7 Start Orb Changer.exe
C:\Users\Clockwork\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Clockwork\AppData\Local\Temp\nvStInst.exe
C:\Users\Clockwork\AppData\Local\Temp\OnlineBackup.exe
C:\Users\Clockwork\AppData\Local\Temp\Quarantine.exe
C:\Users\Clockwork\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Clockwork\AppData\Local\Temp\sqlite3.dll
C:\Users\Clockwork\AppData\Local\Temp\tu17p84.exe
C:\Users\Clockwork\AppData\Local\Temp\vcredist_x64.exe
C:\Users\Clockwork\AppData\Local\Temp\ytdkiemon_amodk_setup.exe
C:\Users\Clockwork\AppData\Local\Temp\_is5946.exe
Task: {06B5E59C-DD08-4E4D-800E-2A992E1FE96F} - System32\Tasks\{D404FC82-2E27-42B2-B277-E7474FDB76C1} => pcalua.exe -a "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64\CPSetup.exe" -d "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64"
Task: {0A70A148-5C98-42B7-A476-461902DBAFA7} - System32\Tasks\PastaLeads => C:\Program Files (x86)\pastaleads\ScheduledTask.exe
Task: {2FC2E3C6-31F9-4BF1-93EB-F551BC921673} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3 <==== ATTENTION
Task: {5DC96D56-DF29-42F2-9535-BAA4CCBDFD46} - System32\Tasks\SMWPUpd => C:\Program Files\Common Files\Goobzo\GBUpdatePlus\updater.exe <==== ATTENTION
Task: {67C2E7A1-5C85-4ECF-93D5-4407DBD32AC9} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {DAD871FF-F915-4BC9-BAF0-E46F13876136} - System32\Tasks\SMW_UpdateTask_Time_3131363031343633352d3437415a556c2a3223346c41 => Wscript.exe //B "C:\ProgramData\SearchModulePlus\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {E13B7965-FF9E-4DB0-8552-713B26F6EE88} - System32\Tasks\{A929CD59-96EE-4BA7-95EE-A959ABFF50BB} => pcalua.exe -a "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64\setup.exe" -d "C:\Users\Clockwork\Desktop\SAVE ME\evac 11-14-14\drivers\win7-64"
Task: {F307BBC2-92B8-44F6-911F-C23235F6E168} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2 <==== ATTENTION





*****************

HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
"HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
Firefox DefaultSearchEngine deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
SMUpdPlus => Service deleted successfully.
WindowsVNT_R3 => Service deleted successfully.
YouTubeDownload_P4 => Service deleted successfully.
aoprqlfx => Service deleted successfully.
EagleX64 => Service deleted successfully.
WPN111 => Service deleted successfully.
C:\Windows\System32\Tasks\SMW_UpdateTask_Time_3131363031343633352d3437415a556c2a3223346c41 => Moved successfully.
C:\Windows\System32\Tasks\SMWPUpd => Moved successfully.
C:\Users\Clockwork\AppData\Local\nsk258A.tmp => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\92972F13-F8BE-181F-217F-BEC5917BA197.dll => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\92972F13-F8BE-181F-217F-BEC5917BA197.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\amisetup0366__11003.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\amisetup0376__11005.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\bitool.dll => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\E255D629-F42E-35CE-0147-CCF769AD8585.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\ICReinstall_Windows 7 Start Orb Changer.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\jre-8u31-windows-au.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\nvStInst.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\OnlineBackup.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\tu17p84.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\vcredist_x64.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\ytdkiemon_amodk_setup.exe => Moved successfully.
C:\Users\Clockwork\AppData\Local\Temp\_is5946.exe => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{06B5E59C-DD08-4E4D-800E-2A992E1FE96F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{06B5E59C-DD08-4E4D-800E-2A992E1FE96F}" => Key deleted successfully.
C:\Windows\System32\Tasks\{D404FC82-2E27-42B2-B277-E7474FDB76C1} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D404FC82-2E27-42B2-B277-E7474FDB76C1}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0A70A148-5C98-42B7-A476-461902DBAFA7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0A70A148-5C98-42B7-A476-461902DBAFA7}" => Key deleted successfully.
C:\Windows\System32\Tasks\PastaLeads => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PastaLeads" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2FC2E3C6-31F9-4BF1-93EB-F551BC921673}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2FC2E3C6-31F9-4BF1-93EB-F551BC921673}" => Key deleted successfully.
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SMupdate3" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5DC96D56-DF29-42F2-9535-BAA4CCBDFD46}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DC96D56-DF29-42F2-9535-BAA4CCBDFD46}" => Key deleted successfully.
C:\Windows\System32\Tasks\SMWPUpd not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMWPUpd" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{67C2E7A1-5C85-4ECF-93D5-4407DBD32AC9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67C2E7A1-5C85-4ECF-93D5-4407DBD32AC9}" => Key deleted successfully.
C:\Windows\System32\Tasks\CCleanerSkipUAC => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DAD871FF-F915-4BC9-BAF0-E46F13876136}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DAD871FF-F915-4BC9-BAF0-E46F13876136}" => Key deleted successfully.
C:\Windows\System32\Tasks\SMW_UpdateTask_Time_3131363031343633352d3437415a556c2a3223346c41 not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_UpdateTask_Time_3131363031343633352d3437415a556c2a3223346c41" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E13B7965-FF9E-4DB0-8552-713B26F6EE88}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E13B7965-FF9E-4DB0-8552-713B26F6EE88}" => Key deleted successfully.
C:\Windows\System32\Tasks\{A929CD59-96EE-4BA7-95EE-A959ABFF50BB} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A929CD59-96EE-4BA7-95EE-A959ABFF50BB}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F307BBC2-92B8-44F6-911F-C23235F6E168}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F307BBC2-92B8-44F6-911F-C23235F6E168}" => Key deleted successfully.
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\SMupdate2" => Key deleted successfully.

==== End of Fixlog 19:20:18 ====

 

 

aswMBR:

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-01-25 19:21:47
-----------------------------
19:21:47.187    OS Version: Windows x64 6.1.7600
19:21:47.187    Number of processors: 2 586 0x4303
19:21:47.203    ComputerName: CLOCKWORK-PC  UserName: Clockwork
19:21:48.014    Initialize success
19:21:48.076    VM: initialized successfully
19:21:48.076    VM: Amd CPU virtualization not supported
19:24:00.778    AVAST engine defs: 15012501
19:25:55.423    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
19:25:55.423    Disk 0 Vendor: Hitachi_HDS721010CLA330 JP4OA3MA Size: 953869MB BusType: 3
19:25:55.438    Disk 0 MBR read successfully
19:25:55.438    Disk 0 MBR scan
19:25:55.454    Disk 0 Windows 7 default MBR code
19:25:55.454    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS          100 MB offset 2048
19:25:55.454    Disk 0 Boot: NTFS     code=2
19:25:55.470    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS       512000 MB offset 206848
19:25:55.485    Disk 0 Partition 3 00     07      HPFS/NTFS NTFS       441766 MB offset 1048782848
19:25:55.501    Disk 0 scanning C:\Windows\system32\drivers
19:26:00.508    Service scanning
19:26:14.190    Modules scanning
19:26:14.190    Disk 0 trace - called modules:
19:26:14.205    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006cdd2c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
19:26:14.205    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800782f340]
19:26:14.221    3 CLASSPNP.SYS[fffff8800194543f] -> nt!IofCallDriver -> [0xfffffa800771c520]
19:26:14.221    5 ACPI.sys[fffff88000c0b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0xfffffa8007717680]
19:26:14.236    \Driver\atapi[0xfffffa80076aa830] -> IRP_MJ_CREATE -> 0xfffffa8006cdd2c0
19:26:15.687    AVAST engine scan C:\Windows
19:26:17.497    AVAST engine scan C:\Windows\system32
19:28:17.539    AVAST engine scan C:\Windows\system32\drivers
19:28:24.294    AVAST engine scan C:\Users\Clockwork
19:29:24.104    File: C:\Users\Clockwork\AppData\Local\Temp\Low\~nsu.tmp\Au_.exe  **INFECTED** Win32:Malware-gen
19:30:54.054    AVAST engine scan C:\ProgramData
19:31:01.651    Disk 0 statistics 3624089/0/0 @ 9.44 MB/s
19:31:01.651    Scan finished successfully
19:39:01.383    Disk 0 MBR has been saved successfully to "C:\Users\Clockwork\Desktop\MBR.dat"
19:39:01.399    The log file has been saved successfully to "C:\Users\Clockwork\Desktop\aswMBR.txt"


Combofix:

ComboFix 15-01-22.02 - Clockwork 01/25/2015  19:41:37.1.2 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.8191.6766 [GMT -8:00]
Running from: c:\users\Clockwork\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-26 to 2015-01-26  )))))))))))))))))))))))))))))))
.
.
2015-01-26 03:44 . 2015-01-26 03:44    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-01-26 00:57 . 2015-01-26 00:57    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\OpenOffice
2015-01-26 00:56 . 2015-01-26 00:56    --------    d-----w-    c:\program files (x86)\OpenOffice 4
2015-01-26 00:22 . 2015-01-26 03:20    --------    d-----w-    C:\FRST
2015-01-26 00:16 . 2015-01-26 00:16    --------    d-----w-    c:\windows\ERUNT
2015-01-26 00:11 . 2015-01-26 00:13    --------    d-----w-    C:\AdwCleaner
2015-01-25 23:54 . 2015-01-25 23:54    --------    d-----w-    C:\_OTL
2015-01-25 22:22 . 2015-01-25 22:22    --------    d-----w-    c:\program files (x86)\Microsoft Silverlight
2015-01-25 21:55 . 2015-01-25 21:55    --------    d-----w-    c:\program files (x86)\VideoLAN
2015-01-25 21:11 . 2015-01-25 21:50    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\DAEMON Tools Lite
2015-01-25 21:11 . 2015-01-25 21:11    386680    ----a-w-    c:\windows\system32\drivers\sptd.sys
2015-01-25 21:11 . 2015-01-25 21:11    --------    d-----w-    c:\program files (x86)\DAEMON Tools Lite
2015-01-25 21:10 . 2015-01-25 21:50    --------    d-----w-    c:\programdata\DAEMON Tools Lite
2015-01-24 10:56 . 2015-01-24 10:56    820072    ----a-w-    c:\program files\Common Files\System\SysMenu64.dll
2015-01-24 10:56 . 2015-01-24 10:56    649064    ----a-w-    c:\program files\Common Files\System\SysMenu.dll
2015-01-21 17:26 . 2015-01-21 17:26    --------    d-----w-    c:\program files (x86)\Common Files\Java
2015-01-17 11:51 . 2015-01-17 11:51    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\PhotoScape
2015-01-14 05:50 . 2015-01-18 09:46    --------    d-----w-    c:\program files (x86)\Mozilla Thunderbird
2015-01-13 09:47 . 2015-01-13 09:47    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\Yahoo!
2015-01-13 09:45 . 2015-01-22 07:02    --------    d-----w-    c:\program files (x86)\Yahoo!
2015-01-02 01:46 . 2015-01-02 01:16    174112    ----a-w-    c:\windows\SysWow64\EasyAntiCheat.exe
2015-01-01 20:16 . 2015-01-01 20:16    --------    d-----w-    c:\users\Clockwork\AppData\Local\capcom
2014-12-30 05:09 . 2010-06-02 12:55    77656    ----a-w-    c:\windows\system32\XAPOFX1_5.dll
2014-12-30 05:09 . 2010-06-02 12:55    518488    ----a-w-    c:\windows\system32\XAudio2_7.dll
2014-12-30 05:09 . 2010-06-02 12:55    176984    ----a-w-    c:\windows\system32\xactengine3_7.dll
2014-12-30 05:09 . 2010-05-26 19:41    511328    ----a-w-    c:\windows\system32\d3dx10_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    470880    ----a-w-    c:\windows\SysWow64\d3dx10_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    276832    ----a-w-    c:\windows\system32\d3dx11_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    2526056    ----a-w-    c:\windows\system32\D3DCompiler_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    248672    ----a-w-    c:\windows\SysWow64\d3dx11_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    1907552    ----a-w-    c:\windows\system32\d3dcsx_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    2401112    ----a-w-    c:\windows\system32\D3DX9_43.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-21 17:25 . 2014-12-13 04:05    111016    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2015-01-21 17:25 . 2014-12-13 04:04    98216    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2015-01-18 05:07 . 2014-11-18 06:35    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-18 05:07 . 2014-11-18 06:35    701616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-18 22:50 . 2014-11-18 22:50    18960    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2014-11-17 10:08 . 2014-11-18 05:56    11632448    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{6C898CB5-363A-43E6-A7F1-4697FA060F46}\mpengine.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-14 . E9E1502BE0491855AA9BF2CEEC20AE25 . 2385408 . . [6.1.7600.16385] .. c:\windows\explorer.exe
[7] 2009-07-14 . C235A51CB740E45FFA0EBFB9BAFCDA64 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R4 BEService;BattlEye Service;c:\program files (x86)\Common Files\BattlEye\BEService.exe;c:\program files (x86)\Common Files\BattlEye\BEService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - ASWVMM
*Deregistered* - aswMBR
*Deregistered* - aswVmm
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2014-10-14 12697368]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-BattlEye for A2 - c:\program files (x86)\Steam\steamapps\common\Arma 2BattlEye\UnInstallBE.exe
AddRemove-Search Module Plus - c:\program files\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-01-25  19:46:12
ComboFix-quarantined-files.txt  2015-01-26 03:46
.
Pre-Run: 352,593,612,800 bytes free
Post-Run: 353,046,405,120 bytes free
.
- - End Of File - - 0AF754AB3056292B6305D66819593CE0
A36C5E4F47E84449FF07ED3517B43A31
 

 

#6 RKinner (Malware Expert, MVP)

Copy the text between the lines of stars by highlighting and Ctrl + c.
 
******************************************
 
DirLook::
C:\Program Files\Common
%user%\library
 
File::
C:\Users\Clockwork\AppData\Local\Temp\Low\~nsu.tmp\Au_.exe
 
FCopy::
c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe | C:\windows\explorer.exe
 
 
******************************************
 
Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.
 
Pause your anti-virus.
 
Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.
 
Post the new log.
 
 
 
Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.
 
Reboot. 
 
Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).
sfc  /scannow
 
(This will check your critical system files. Does this finish without complaint?  IF it says it couldn't fix everything then:
 
Copy the next two lines:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt 
notepad \windows\logs\cbs\junk.txt 
 
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Copy and paste the text from notepad or if it is too big, just attach the file.)
 
 
1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.
 
Ron
 
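As an added example for this thread (not code from Ron's post or from any of the tools it names), a short Python script that reads the [SR] extract the findstr step writes to junk.txt and reports which files SFC repaired from the component store and which it could not. The CBS.log lines embedded in it are constructed in the shape SFC writes on Windows 7; they are not from the poster's machine.

```python
"""Summarise the [SR] lines that the findstr step pulls out of CBS.log.

Added example, not code from the forum post or the tools it names. SFC tags
its own log lines with "[SR]"; findstr /c:"[SR]" copies just those lines into
junk.txt. This script reads such an extract and answers the question the post
asks: did SFC fix everything, and if not, which files are still bad?
"""
import re
from typing import Dict, List

# Constructed sample of junk.txt (not from the poster's machine). A line ending
# "from store" means SFC replaced the live file from the component store; one
# ending "in the store, hash mismatch" means the store copy is bad too, so SFC
# had nothing good to copy from.
SAMPLE_SR_LOG = r"""
2015-01-25 21:40:01, Info                  CSI    000001a2 [SR] Verifying 100 (0x0000000000000064) components
2015-01-25 21:40:01, Info                  CSI    000001a3 [SR] Beginning Verify and Repair transaction
2015-01-25 21:40:08, Info                  CSI    000001b1 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows"\[l:24{12}]"explorer.exe" from store
2015-01-25 21:40:09, Info                  CSI    000001b2 [SR] Repair complete
2015-01-25 21:40:20, Info                  CSI    000001c0 [SR] Cannot repair member file [l:20{10}]"user32.dll" of Microsoft-Windows-User32, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-01-25 21:40:30, Info                  CSI    000001d0 [SR] Verify complete
"""

# Everything after the [SR] tag is the message SFC wrote.
SR_MSG = re.compile(r"\[SR\] (?P<msg>.*)$")
# CSI quotes names as [l:<bytes>{<chars>}]"name"; a directory carries an ml: prefix.
QUOTED_NAME = re.compile(r'\[(?:ml:\d+\{\d+\},)?l:\d+\{\d+\}\]"([^"]+)"')
VERIFYING = re.compile(r"Verifying (\d+) \(0x[0-9a-fA-F]+\) components")


def summarize_sr(text: str) -> Dict[str, object]:
    """Return the component count and repaired/unrepaired file lists from a [SR] extract."""
    repaired: List[str] = []
    unrepaired: List[str] = []
    components = 0
    for line in text.splitlines():
        m = SR_MSG.search(line)
        if not m:
            continue  # not an SFC line; findstr output should not contain these
        msg = m.group("msg")
        names = QUOTED_NAME.findall(msg)
        if msg.startswith("Repairing corrupted file") and names:
            repaired.append(names[-1])  # last quoted item is the file, earlier one is its directory
        elif msg.startswith("Cannot repair member file") and names:
            unrepaired.append(names[0])
        else:
            v = VERIFYING.match(msg)
            if v:
                components += int(v.group(1))
    # A file that SFC later pulled from the store is no longer outstanding.
    outstanding = [n for n in unrepaired if n not in repaired]
    return {
        "components_verified": components,
        "repaired": repaired,
        "unrepaired": outstanding,
        "clean": not outstanding,
    }


def report(text: str) -> str:
    """Human-readable version of summarize_sr, one line per finding."""
    s = summarize_sr(text)
    lines = [f"components verified: {s['components_verified']}"]
    lines += [f"repaired from store: {n}" for n in s["repaired"]]
    lines += [f"NOT repaired (store copy also bad): {n}" for n in s["unrepaired"]]
    lines.append("result: " + ("all repaired" if s["clean"] else "manual repair needed"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SR_LOG))
```

Files listed as not repaired are the ones that need a known-good copy brought in by hand, which is what the FCopy:: line in the CFScript above does for explorer.exe.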

#7 smooman (Topic Starter)

All right, here are the logs you requested.

 

Combofix with CFscript:

 

ComboFix 15-01-22.02 - Clockwork 01/25/2015  21:28:35.2.2 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.8191.6578 [GMT -8:00]
Running from: c:\users\Clockwork\Desktop\ComboFix.exe
Command switches used :: c:\users\Clockwork\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\users\Clockwork\AppData\Local\Temp\Low\~nsu.tmp\Au_.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe --> c:\windows\explorer.exe
.
(((((((((((((((((((((((((   Files Created from 2014-12-26 to 2015-01-26  )))))))))))))))))))))))))))))))
.
.
2015-01-26 05:31 . 2015-01-26 05:31    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-01-26 00:57 . 2015-01-26 00:57    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\OpenOffice
2015-01-26 00:56 . 2015-01-26 00:56    --------    d-----w-    c:\program files (x86)\OpenOffice 4
2015-01-26 00:22 . 2015-01-26 03:20    --------    d-----w-    C:\FRST
2015-01-26 00:16 . 2015-01-26 00:16    --------    d-----w-    c:\windows\ERUNT
2015-01-26 00:11 . 2015-01-26 00:13    --------    d-----w-    C:\AdwCleaner
2015-01-25 23:54 . 2015-01-25 23:54    --------    d-----w-    C:\_OTL
2015-01-25 22:22 . 2015-01-25 22:22    --------    d-----w-    c:\program files (x86)\Microsoft Silverlight
2015-01-25 21:55 . 2015-01-25 21:55    --------    d-----w-    c:\program files (x86)\VideoLAN
2015-01-25 21:11 . 2015-01-25 21:50    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\DAEMON Tools Lite
2015-01-25 21:11 . 2015-01-25 21:11    386680    ----a-w-    c:\windows\system32\drivers\sptd.sys
2015-01-25 21:11 . 2015-01-25 21:11    --------    d-----w-    c:\program files (x86)\DAEMON Tools Lite
2015-01-25 21:10 . 2015-01-25 21:50    --------    d-----w-    c:\programdata\DAEMON Tools Lite
2015-01-24 10:56 . 2015-01-24 10:56    820072    ----a-w-    c:\program files\Common Files\System\SysMenu64.dll
2015-01-24 10:56 . 2015-01-24 10:56    649064    ----a-w-    c:\program files\Common Files\System\SysMenu.dll
2015-01-21 17:26 . 2015-01-21 17:26    --------    d-----w-    c:\program files (x86)\Common Files\Java
2015-01-17 11:51 . 2015-01-17 11:51    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\PhotoScape
2015-01-14 05:50 . 2015-01-18 09:46    --------    d-----w-    c:\program files (x86)\Mozilla Thunderbird
2015-01-13 09:47 . 2015-01-13 09:47    --------    d-----w-    c:\users\Clockwork\AppData\Roaming\Yahoo!
2015-01-13 09:45 . 2015-01-22 07:02    --------    d-----w-    c:\program files (x86)\Yahoo!
2015-01-02 01:46 . 2015-01-02 01:16    174112    ----a-w-    c:\windows\SysWow64\EasyAntiCheat.exe
2015-01-01 20:16 . 2015-01-01 20:16    --------    d-----w-    c:\users\Clockwork\AppData\Local\capcom
2014-12-30 05:09 . 2010-06-02 12:55    77656    ----a-w-    c:\windows\system32\XAPOFX1_5.dll
2014-12-30 05:09 . 2010-06-02 12:55    518488    ----a-w-    c:\windows\system32\XAudio2_7.dll
2014-12-30 05:09 . 2010-06-02 12:55    176984    ----a-w-    c:\windows\system32\xactengine3_7.dll
2014-12-30 05:09 . 2010-05-26 19:41    511328    ----a-w-    c:\windows\system32\d3dx10_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    470880    ----a-w-    c:\windows\SysWow64\d3dx10_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    276832    ----a-w-    c:\windows\system32\d3dx11_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    2526056    ----a-w-    c:\windows\system32\D3DCompiler_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    248672    ----a-w-    c:\windows\SysWow64\d3dx11_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    1907552    ----a-w-    c:\windows\system32\d3dcsx_43.dll
2014-12-30 05:09 . 2010-05-26 19:41    2401112    ----a-w-    c:\windows\system32\D3DX9_43.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-21 17:25 . 2014-12-13 04:05    111016    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2015-01-21 17:25 . 2014-12-13 04:04    98216    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2015-01-18 05:07 . 2014-11-18 06:35    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-18 05:07 . 2014-11-18 06:35    701616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-18 22:50 . 2014-11-18 22:50    18960    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2014-11-17 10:08 . 2014-11-18 05:56    11632448    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{6C898CB5-363A-43E6-A7F1-4697FA060F46}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R4 BEService;BattlEye Service;c:\program files (x86)\Common Files\BattlEye\BEService.exe;c:\program files (x86)\Common Files\BattlEye\BEService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - ASWVMM
*Deregistered* - aswMBR
*Deregistered* - aswVmm
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2014-10-14 12697368]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-BattlEye for A2 - c:\program files (x86)\Steam\steamapps\common\Arma 2BattlEye\UnInstallBE.exe
AddRemove-Search Module Plus - c:\program files\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-01-25  21:32:51
ComboFix-quarantined-files.txt  2015-01-26 05:32
ComboFix2.txt  2015-01-26 03:46
.
Pre-Run: 353,061,859,328 bytes free
Post-Run: 353,039,282,176 bytes free
.
- - End Of File - - D2D122D436AC2EE736B0575D23C4A2A3
A36C5E4F47E84449FF07ED3517B43A31
 

 

SFC after reboot:

 

[screenshot of the SFC result, attached as an image]

 

 

Event viewer (system):

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 25/01/2015 9:51:23 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 26/01/2015 5:36:54 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
 

 

Event viewer (application):

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 25/01/2015 9:52:59 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

#8 RKinner (Malware Expert, MVP)

Looks like it's gone and we didn't break anything important.  Let's run a FRST scan again (with the Addition box checked so you will get two logs) also:

 

Copy the text in the code box:
 
DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
rsvpsp.dll
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%ProgramFiles%\WINDOWS NT\*.* /s
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT
 
Run OTL (Vista or Win 7 => right click and Run As Administrator)
 
Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes
 
Select the All option in the Extra Registry group then Run Scan.
 
You should get two logs.  Please copy and paste both of them.
 
 
and
 
Get Process Explorer
 
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).  
 
View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures
 
 
Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.
 
Wait a full minute then:
 
File, Save As, Save.  Open the file Procexp.txt on your desktop and copy and paste the text to a reply.
 

#9 smooman (Topic Starter)

Good morning! All right, let's hope this finishes everything up!

 

Here are the logs you requested:

 

FRST (w/addition box checked):

 

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
Ran by Clockwork (administrator) on CLOCKWORK-PC on 26-01-2015 09:59:16
Running from C:\Users\Clockwork\Desktop
Loaded Profiles: Clockwork (Available profiles: Clockwork)
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [12697368 2014-10-14] (Logitech Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...d=ie&ar=msnhome
HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default
FF DefaultSearchEngine: DuckDuckGo
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [802688 2015-01-21] ()
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [174112 2015-01-01] (EasyAntiCheat Ltd)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [64280 2013-05-30] (Logitech Inc.)
S3 PCAMp50a64; C:\Windows\System32\Drivers\PCAMp50a64.sys [43328 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
S3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2015-01-25] (Duplex Secure Ltd.)
R3 XSplit_Dummy; C:\Windows\System32\drivers\xspltspk.sys [26200 2014-07-02] (SplitmediaLabs Limited)
U3 acg6p4o2; C:\Windows\System32\Drivers\acg6p4o2.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-26 09:59 - 2015-01-26 09:59 - 00005883 _____ () C:\Users\Clockwork\Desktop\FRST.txt
2015-01-26 09:55 - 2015-01-26 09:56 - 02480312 _____ (Sysinternals - www.sysinternals.com) C:\Users\Clockwork\Downloads\procexp.exe
2015-01-26 09:55 - 2015-01-26 09:56 - 02480312 _____ (Sysinternals - www.sysinternals.com) C:\Users\Clockwork\Desktop\procexp.exe
2015-01-25 22:09 - 2015-01-25 22:09 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\RenPy
2015-01-25 22:09 - 2015-01-25 22:09 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\NVIDIA
2015-01-25 21:53 - 2015-01-25 21:53 - 00000467 _____ () C:\Users\Clockwork\Desktop\VEW applicationtest.txt
2015-01-25 21:52 - 2015-01-25 21:52 - 00000467 _____ () C:\VEW applicationtest.txt
2015-01-25 21:51 - 2015-01-25 21:52 - 00000467 _____ () C:\VEW.txt
2015-01-25 21:51 - 2015-01-25 21:51 - 00000636 _____ () C:\Users\Clockwork\Desktop\VEW systemtest.txt
2015-01-25 21:49 - 2015-01-25 21:49 - 00061440 _____ ( ) C:\Users\Clockwork\Downloads\VEW.exe
2015-01-25 21:49 - 2015-01-25 21:49 - 00061440 _____ ( ) C:\Users\Clockwork\Desktop\VEW.exe
2015-01-25 21:32 - 2015-01-25 21:32 - 00011552 _____ () C:\ComboFix.txt
2015-01-25 19:40 - 2015-01-25 21:32 - 00000000 ____D () C:\Qoobox
2015-01-25 19:40 - 2015-01-25 19:45 - 00000000 ____D () C:\Windows\erdnt
2015-01-25 19:40 - 2011-06-25 22:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-01-25 19:40 - 2010-11-07 09:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-01-25 19:40 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-01-25 19:40 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-01-25 19:40 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-01-25 19:40 - 2000-08-30 16:00 - 00098816 _____ () C:\Windows\sed.exe
2015-01-25 19:40 - 2000-08-30 16:00 - 00080412 _____ () C:\Windows\grep.exe
2015-01-25 19:40 - 2000-08-30 16:00 - 00068096 _____ () C:\Windows\zip.exe
2015-01-25 19:39 - 2015-01-25 19:39 - 00000512 _____ () C:\Users\Clockwork\Desktop\MBR.dat
2015-01-25 19:13 - 2015-01-25 19:14 - 05609462 ____R (Swearware) C:\Users\Clockwork\Desktop\ComboFix.exe
2015-01-25 19:12 - 2015-01-25 19:12 - 05200384 _____ (AVAST Software) C:\Users\Clockwork\Desktop\aswmbr.exe
2015-01-25 16:57 - 2015-01-25 16:57 - 00001112 _____ () C:\Users\Public\Desktop\OpenOffice 4.1.1.lnk
2015-01-25 16:57 - 2015-01-25 16:57 - 00001112 _____ () C:\ProgramData\Desktop\OpenOffice 4.1.1.lnk
2015-01-25 16:57 - 2015-01-25 16:57 - 00000000 ___SD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice 4.1.1
2015-01-25 16:57 - 2015-01-25 16:57 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\OpenOffice
2015-01-25 16:56 - 2015-01-25 16:56 - 00000000 ____D () C:\Users\Clockwork\Desktop\OpenOffice 4.1.1 (en-US) Installation Files
2015-01-25 16:56 - 2015-01-25 16:56 - 00000000 ____D () C:\Program Files (x86)\OpenOffice 4
2015-01-25 16:23 - 2015-01-25 16:23 - 00014530 _____ () C:\Users\Clockwork\Downloads\Addition.txt
2015-01-25 16:22 - 2015-01-26 09:59 - 00000000 ____D () C:\FRST
2015-01-25 16:22 - 2015-01-25 16:23 - 00019880 _____ () C:\Users\Clockwork\Downloads\FRST.txt
2015-01-25 16:16 - 2015-01-25 16:16 - 00000000 ____D () C:\Windows\ERUNT
2015-01-25 16:11 - 2015-01-25 16:13 - 00000000 ____D () C:\AdwCleaner
2015-01-25 16:05 - 2015-01-25 16:05 - 02129920 _____ (Farbar) C:\Users\Clockwork\Desktop\FRST64.exe
2015-01-25 16:04 - 2015-01-25 16:04 - 01707939 _____ (Thisisu) C:\Users\Clockwork\Downloads\JRT.exe
2015-01-25 16:03 - 2015-01-25 16:03 - 02194432 _____ () C:\Users\Clockwork\Downloads\AdwCleaner.exe
2015-01-25 15:54 - 2015-01-25 15:54 - 00000000 ____D () C:\_OTL
2015-01-25 15:16 - 2015-01-25 15:39 - 140852175 _____ () C:\Users\Clockwork\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe
2015-01-25 14:48 - 2015-01-25 14:48 - 00069662 _____ () C:\Users\Clockwork\Downloads\OTL.Txt
2015-01-25 14:48 - 2015-01-25 14:48 - 00065446 _____ () C:\Users\Clockwork\Downloads\Extras.Txt
2015-01-25 14:44 - 2015-01-25 14:44 - 00602112 _____ (OldTimer Tools) C:\Users\Clockwork\Downloads\OTL.exe
2015-01-25 14:44 - 2015-01-25 14:44 - 00602112 _____ (OldTimer Tools) C:\Users\Clockwork\Desktop\OTL.exe
2015-01-25 14:29 - 2015-01-25 14:29 - 00000000 ____D () C:\Windows\pss
2015-01-25 14:22 - 2015-01-25 14:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-01-25 14:22 - 2015-01-25 14:22 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-01-25 13:56 - 2015-01-25 13:56 - 00001070 _____ () C:\Users\Public\Desktop\VLC media player.lnk
2015-01-25 13:56 - 2015-01-25 13:56 - 00001070 _____ () C:\ProgramData\Desktop\VLC media player.lnk
2015-01-25 13:56 - 2015-01-25 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-01-25 13:55 - 2015-01-25 13:55 - 00000000 ____D () C:\Program Files (x86)\VideoLAN
2015-01-25 13:12 - 2015-01-25 13:12 - 00001954 _____ () C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2015-01-25 13:12 - 2015-01-25 13:12 - 00001954 _____ () C:\ProgramData\Desktop\DAEMON Tools Lite.lnk
2015-01-25 13:11 - 2015-01-25 13:50 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\DAEMON Tools Lite
2015-01-25 13:11 - 2015-01-25 13:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
2015-01-25 13:11 - 2015-01-25 13:11 - 00386680 _____ (Duplex Secure Ltd.) C:\Windows\system32\Drivers\sptd.sys
2015-01-25 13:11 - 2015-01-25 13:11 - 00000000 ____D () C:\Program Files (x86)\DAEMON Tools Lite
2015-01-25 13:10 - 2015-01-25 13:50 - 00000000 ____D () C:\ProgramData\DAEMON Tools Lite
2015-01-25 13:10 - 2015-01-25 13:10 - 13429504 _____ (Disc Soft Ltd) C:\Users\Clockwork\Downloads\DTLite4491-0356.exe
2015-01-24 14:53 - 2015-01-24 14:55 - 00000000 ____D () C:\Users\Clockwork\Downloads\Event_ZEDS_V14
2015-01-24 14:52 - 2015-01-24 14:53 - 28570892 _____ () C:\Users\Clockwork\Downloads\Event_ZEDS_V14.rar
2015-01-17 17:40 - 2015-01-17 17:40 - 00291728 _____ () C:\Windows\Minidump\011715-20826-01.dmp
2015-01-17 03:52 - 2015-01-17 03:52 - 00030720 ____H () C:\Users\Clockwork\Desktop\photothumb.db
2015-01-17 03:51 - 2015-01-17 03:51 - 21360800 _____ (Mooii) C:\Users\Clockwork\Downloads\PhotoScape_V3.7.exe
2015-01-17 03:51 - 2015-01-17 03:51 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\PhotoScape
2015-01-13 21:50 - 2015-01-18 01:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-01-13 11:43 - 2015-01-25 13:54 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-13 01:47 - 2015-01-13 01:47 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Yahoo!
2015-01-13 01:45 - 2015-01-21 23:02 - 00000000 ____D () C:\Program Files (x86)\Yahoo!
2015-01-13 01:44 - 2015-01-13 01:44 - 00691576 _____ (Yahoo! Inc.) C:\Users\Clockwork\Downloads\msgr11us.exe
2015-01-06 13:24 - 2011-01-21 14:30 - 00000000 ____D () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre
2015-01-04 19:20 - 2015-01-04 19:20 - 00291728 _____ () C:\Windows\Minidump\010415-14102-01.dmp
2015-01-04 12:30 - 2015-01-04 13:11 - 125341713 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part4.rar
2015-01-03 21:55 - 2015-01-03 22:46 - 157286400 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part3.rar
2015-01-03 17:48 - 2015-01-03 18:49 - 157286400 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part2.rar
2015-01-03 13:37 - 2015-01-03 14:28 - 157286400 _____ () C:\Users\Clockwork\Downloads\The Screwtape Letters - C.S. Lewis - Focus on the Family's Radio Theatre.part1.rar
2015-01-01 17:46 - 2015-01-01 17:16 - 00174112 _____ (EasyAntiCheat Ltd) C:\Windows\SysWOW64\EasyAntiCheat.exe
2015-01-01 12:16 - 2015-01-01 12:16 - 00000000 ____D () C:\Users\Clockwork\AppData\Local\capcom
2014-12-30 10:13 - 2015-01-17 17:40 - 00000000 ____D () C:\Windows\Minidump
2014-12-30 10:13 - 2015-01-17 17:39 - 488662232 _____ () C:\Windows\MEMORY.DMP
2014-12-30 10:13 - 2014-12-30 10:13 - 00291728 _____ () C:\Windows\Minidump\123014-19952-01.dmp
2014-12-29 21:09 - 2014-12-29 21:09 - 00000000 ____D () C:\Users\Clockwork\Documents\Larian Studios
2014-12-29 21:09 - 2010-06-02 04:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2014-12-29 21:09 - 2010-06-02 04:55 - 00176984 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_7.dll
2014-12-29 21:09 - 2010-06-02 04:55 - 00077656 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 02526056 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 02401112 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 01907552 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00511328 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00470880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00276832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2014-12-29 21:09 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2014-12-29 11:48 - 2014-12-29 11:48 - 00000222 _____ () C:\Users\Clockwork\Desktop\Divinity Original Sin.url
2014-12-27 21:13 - 2014-12-27 21:13 - 00000859 _____ () C:\Users\Clockwork\Desktop\µTorrent.lnk
2014-12-27 21:13 - 2014-12-27 21:13 - 00000839 _____ () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2014-12-27 21:11 - 2014-12-27 21:11 - 01688656 _____ (BitTorrent Inc.) C:\Users\Clockwork\Downloads\uTorrent.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-26 09:56 - 2014-11-18 13:55 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-26 09:56 - 2014-11-14 23:58 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Skype
2015-01-26 08:15 - 2014-11-17 17:32 - 00276617 _____ () C:\Windows\WindowsUpdate.log
2015-01-26 08:14 - 2014-11-18 09:02 - 00009671 _____ () C:\Windows\setupact.log
2015-01-25 21:43 - 2009-07-13 21:13 - 00778150 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-25 21:42 - 2009-07-13 20:45 - 00014192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-25 21:42 - 2009-07-13 20:45 - 00014192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-25 21:37 - 2014-12-16 10:14 - 00057248 _____ () C:\Windows\PFRO.log
2015-01-25 21:37 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-25 21:37 - 2009-07-13 20:45 - 00293176 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-25 21:36 - 2014-11-18 08:08 - 00063568 _____ () C:\Users\Clockwork\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-25 21:31 - 2009-07-13 18:34 - 00000215 _____ () C:\Windows\system.ini
2015-01-25 19:46 - 2009-07-13 19:20 - 00000000 __RHD () C:\Users\Default
2015-01-25 16:56 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-01-25 16:13 - 2014-11-18 08:38 - 00000815 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-25 16:13 - 2014-11-17 17:34 - 00000931 _____ () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-25 16:13 - 2014-11-17 17:34 - 00000863 _____ () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-01-25 14:22 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\System
2015-01-25 13:41 - 2014-11-18 14:05 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-25 13:13 - 2014-11-18 17:06 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\uTorrent
2015-01-24 17:37 - 2014-11-18 14:59 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\TS3Client
2015-01-23 16:34 - 2014-11-18 18:07 - 00000000 ____D () C:\Users\Clockwork\AppData\Local\ArmA 2 OA
2015-01-21 09:27 - 2014-12-12 20:04 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-21 09:26 - 2014-12-12 20:05 - 00000000 ____D () C:\Program Files\Java
2015-01-21 09:26 - 2014-12-12 20:04 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-21 09:25 - 2014-12-12 20:05 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-01-21 09:25 - 2014-12-12 20:04 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-17 21:07 - 2014-11-17 22:35 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-17 21:07 - 2014-11-17 22:35 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-13 01:46 - 2014-11-18 16:48 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bohemia Interactive
2015-01-13 01:46 - 2014-11-17 17:34 - 00000000 ____D () C:\Users\Clockwork\AppData\Local\VirtualStore
2014-12-29 21:09 - 2014-11-18 16:48 - 00045339 _____ () C:\Windows\DirectX.log
2014-12-29 11:48 - 2014-11-18 15:52 - 00000000 ____D () C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-24 11:31

==================== End Of Log ============================

 

Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-01-2015 01
Ran by Clockwork at 2015-01-26 09:59:41
Running from C:\Users\Clockwork\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1414089619-1553986795-2700891581-1000\...\uTorrent) (Version: 3.4.2.37594 - BitTorrent Inc.)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Archeage (HKLM-x32\...\Glyph Archeage) (Version:  - Trion Worlds, Inc.)
Arma 2 (HKLM-x32\...\Steam App 33900) (Version:  - Bohemia Interactive)
Arma 2: Operation Arrowhead (HKLM-x32\...\Steam App 33930) (Version:  - Bohemia Interactive)
BattlEye for OA Uninstall (HKLM-x32\...\BattlEye for OA) (Version:  - )
BattlEye Uninstall (HKLM-x32\...\BattlEye for A2) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.49.1.0356 - Disc Soft Ltd)
Divinity: Original Sin (HKLM-x32\...\Steam App 230230) (Version:  - Larian Studios)
DivX H.264 decoder 8.2.0.26 (HKLM-x32\...\divxh264_is1) (Version: 8.2.0.26 - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.0.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{8ED43F7E-A8F6-4898-AF11-B6158F2EDF94}) (Version: 2.50.0000 - SEIKO EPSON CORPORATION)
EPSON NX230 Series Printer Uninstall (HKLM\...\EPSON NX230 Series) (Version:  - SEIKO EPSON Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
Glyph (HKLM-x32\...\Glyph) (Version:  - Trion Worlds, Inc.)
Java 8 Update 31 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418031F0}) (Version: 8.0.310 - Oracle Corporation)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Killing Floor - Toy Master (HKLM-x32\...\Steam App 326960) (Version:  - David Hensley)
Killing Floor (HKLM-x32\...\Steam App 1250) (Version:  - Tripwire Interactive)
Logitech Gaming Software 8.57 (HKLM\...\Logitech Gaming Software) (Version: 8.57.145 - Logitech Inc.)
Lost Planet: Extreme Condition (HKLM-x32\...\Steam App 6510) (Version:  - CAPCOM Co., Ltd.)
Magicite (HKLM-x32\...\Steam App 268750) (Version:  - SmashGames)
MechWarrior Online (HKLM-x32\...\{9f17023b-d04f-432b-b08a-3bb4c3a7ed3c}) (Version: 1.6.0.0 - Piranha Games Inc.)
MechWarrior Online (x32 Version: 1.6.1.0 - Piranha Games Inc.) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.60310.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 35.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 35.0 (x86 en-US)) (Version: 35.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.2.0 - Mozilla)
Mozilla Thunderbird 31.4.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 31.4.0 (x86 en-US)) (Version: 31.4.0 - Mozilla)
MPC-HC 1.7.7 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.7 - MPC-HC Team)
NVIDIA Graphics Driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.12.1031 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.1031 - NVIDIA Corporation)
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
Rust (HKLM-x32\...\Steam App 252490) (Version:  - Facepunch Studios)
Search Module Plus (HKLM-x32\...\Search Module Plus) (Version:  - Goobzo)
Skype™ 6.22 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.22.105 - Skype Technologies S.A.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Sunrider: Mask of Arcadius (HKLM-x32\...\Steam App 313730) (Version:  - Love in Space)
Team Fortress 2 (HKLM-x32\...\Steam App 440) (Version:  - Valve)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
TeamTalk 4 (HKLM\...\TeamTalk4_is1) (Version:  - BearWare.dk)
TeraCopy 2.3 (HKLM\...\TeraCopy_is1) (Version:  - Code Sector)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WinRAR 5.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)
XSplit Broadcaster (HKLM-x32\...\{6BC12A2C-6B3D-4158-ACCE-C3602F7C6CF3}) (Version: 2.0.1411.1039 - SplitmediaLabs)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

ATTENTION: System Restore is disabled.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2015-01-25 19:44 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)


==================== Loaded Modules (whitelisted) =============

2014-11-18 10:11 - 2013-01-31 01:25 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-09-17 23:23 - 2014-09-17 23:23 - 00866584 _____ () C:\Program Files\Logitech Gaming Software\libGLESv2.dll
2014-10-14 10:51 - 2014-10-14 10:51 - 01050904 _____ () C:\Program Files\Logitech Gaming Software\platforms\qwindows.dll
2014-09-17 23:23 - 2014-09-17 23:23 - 00059160 _____ () C:\Program Files\Logitech Gaming Software\libEGL.dll
2014-10-14 10:51 - 2014-10-14 10:51 - 00242456 _____ () C:\Program Files\Logitech Gaming Software\imageformats\qjpeg.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: BEService => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\Services: WindowsVNT_R3 => 2
MSCONFIG\Services: YouTubeDownload_P4 => 2
MSCONFIG\startupfolder: C:^Users^Clockwork^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^intr.lnk => C:\Windows\pss\intr.lnk.Startup
MSCONFIG\startupreg: autoauto => 39414105.bat
MSCONFIG\startupreg: cutoauto => C:\a\wincheckfe.exe
MSCONFIG\startupreg: dutoauto => C:\a\wincheckfe.exe
MSCONFIG\startupreg: interpee => C:\a\internetport3.exe
MSCONFIG\startupreg: rutoauto => 39414105.bat
MSCONFIG\startupreg: smoother => C:\Users\Clockwork\AppData\Roaming\Booster-Web\Booster-Web-Installer.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-1414089619-1553986795-2700891581-500 - Administrator - Disabled)
Clockwork (S-1-5-21-1414089619-1553986795-2700891581-1000 - Administrator - Enabled) => C:\Users\Clockwork
Guest (S-1-5-21-1414089619-1553986795-2700891581-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1414089619-1553986795-2700891581-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2015-01-25 19:44:36.534
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-01-25 19:44:36.534
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+
Percentage of memory in use: 12%
Total physical RAM: 8190.55 MB
Available physical RAM: 7189.98 MB
Total Pagefile: 16379.26 MB
Available Pagefile: 15046.98 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:500 GB) (Free:328.77 GB) NTFS
Drive g: (New Volume) (Fixed) (Total:431.41 GB) (Free:431.3 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 368DFBD2)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=500 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=431.4 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

OTL (w/new code):

OTL.txt:

OTL logfile created on: 1/26/2015 10:02:56 AM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Clockwork\Desktop
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
8.00 Gb Total Physical Memory | 7.07 Gb Available Physical Memory | 88.37% Memory free
16.00 Gb Paging File | 14.77 Gb Available in Paging File | 92.37% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 500.00 Gb Total Space | 328.77 Gb Free Space | 65.75% Space Free | Partition Type: NTFS
Drive G: | 431.41 Gb Total Space | 431.30 Gb Free Space | 99.97% Space Free | Partition Type: NTFS
 
Computer Name: CLOCKWORK-PC | User Name: Clockwork | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2015/01/25 14:44:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Clockwork\Desktop\OTL.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2011/06/09 13:01:00 | 000,555,392 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe -- (EpsonCustomerParticipation)
SRV:64bit: - [2009/07/13 17:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 17:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2015/01/23 14:33:44 | 000,834,752 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2015/01/21 12:30:28 | 000,802,688 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\BattlEye\BEService.exe -- (BEService)
SRV - [2015/01/13 11:43:11 | 000,114,800 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2015/01/01 17:16:11 | 000,174,112 | ---- | M] (EasyAntiCheat Ltd) [On_Demand | Stopped] -- C:\Windows\SysWOW64\EasyAntiCheat.exe -- (EasyAntiCheat)
SRV - [2014/04/03 19:21:48 | 000,315,008 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 13:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2015/01/25 13:11:51 | 000,386,680 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2014/07/02 20:49:08 | 000,026,200 | ---- | M] (SplitmediaLabs Limited) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xspltspk.sys -- (XSplit_Dummy)
DRV:64bit: - [2013/05/30 08:16:40 | 000,064,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGSHidFilt.Sys -- (LGSHidFilt)
DRV:64bit: - [2013/04/15 10:51:58 | 000,102,808 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfGSRamd64.sys -- (LADF_RenderOnly)
DRV:64bit: - [2013/04/15 10:51:52 | 000,410,008 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfGSCamd64.sys -- (LADF_CaptureOnly)
DRV:64bit: - [2009/11/23 16:38:00 | 000,016,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGVirHid.sys -- (LGVirHid)
DRV:64bit: - [2009/11/23 16:37:50 | 000,022,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGBusEnum.sys -- (LGBusEnum)
DRV:64bit: - [2009/07/13 17:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 17:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 17:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 17:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 17:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 17:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/13 17:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 12:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 12:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 12:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 12:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 12:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2006/11/28 21:46:20 | 000,043,328 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PCAMp50a64.sys -- (PCAMp50a64)
DRV:64bit: - [2006/11/28 21:46:20 | 000,041,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PCASp50a64.sys -- (PCASp50a64)
DRV - [2009/07/13 17:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 F5 7B ED F4 02 D0 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{068D1032-D786-41AD-AB67-E90C796355B4}: "URL" = http://www.google.co...utputEncoding?}
IE - HKCU\..\SearchScopes\{28074A22-926F-43D0-8258-DA9A47782D73}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "DuckDuckGo"
FF - prefs.js..browser.search.highlightCount: 1
FF - prefs.js..browser.search.isUS: true
FF - prefs.js..browser.search.useDBForOrder: ""
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:35.0
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.31.2: C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.31.2: C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.31.2: C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.31.2: C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.3: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 31.4.0\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 31.4.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
 
[2014/11/18 08:38:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Extensions
[2015/01/25 15:54:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Clockwork\AppData\Roaming\Mozilla\Firefox\Profiles\u3jstsw3.default\extensions
[2015/01/25 14:12:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2015/01/13 11:43:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2015/01/13 11:43:12 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2015/01/25 19:44:54 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2:64bit: - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe (Logitech Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0857202D-2F31-4C23-BAB6-16122231A610}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{13A298C0-0DB3-487E-B605-E22642D83CD1}: DhcpNameServer = 192.168.1.1 68.238.64.12
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
 
MsConfig:64bit - StartUpFolder: C:^Users^Clockwork^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^intr.lnk -  - File not found
MsConfig:64bit - StartUpReg: autoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: cutoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: dutoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: interpee - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: rutoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: smoother - hkey= - key= -  File not found
MsConfig:64bit - State: "services" - Reg Error: Key error.
MsConfig:64bit - State: "startup" - Reg Error: Key error.
 
SafeBootMin:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: vmms - Service
SafeBootMin:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
SafeBootNet:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SafeBootNet:64bit: Base - Driver Group
SafeBootNet:64bit: Boot Bus Extender - Driver Group
SafeBootNet:64bit: Boot file system - Driver Group
SafeBootNet:64bit: File system - Driver Group
SafeBootNet:64bit: Filter - Driver Group
SafeBootNet:64bit: HelpSvc - Service
SafeBootNet:64bit: Messenger - Service
SafeBootNet:64bit: NDIS Wrapper - Driver Group
SafeBootNet:64bit: NetBIOSGroup - Driver Group
SafeBootNet:64bit: NetDDEGroup - Driver Group
SafeBootNet:64bit: Network - Driver Group
SafeBootNet:64bit: NetworkProvider - Driver Group
SafeBootNet:64bit: PCI Configuration - Driver Group
SafeBootNet:64bit: PNP Filter - Driver Group
SafeBootNet:64bit: PNP_TDI - Driver Group
SafeBootNet:64bit: Primary disk - Driver Group
SafeBootNet:64bit: rdsessmgr - Service
SafeBootNet:64bit: sacsvr - Service
SafeBootNet:64bit: SCSI Class - Driver Group
SafeBootNet:64bit: Streams Drivers - Driver Group
SafeBootNet:64bit: System Bus Extender - Driver Group
SafeBootNet:64bit: TDI - Driver Group
SafeBootNet:64bit: vmms - Service
SafeBootNet:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet:64bit: WudfUsbccidDriver - Driver
SafeBootNet:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet:64bit: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet:64bit: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet:64bit: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet:64bit: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet:64bit: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2015/01/26 09:55:59 | 002,480,312 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Clockwork\Desktop\procexp.exe
[2015/01/25 22:09:19 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\NVIDIA
[2015/01/25 22:09:16 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\RenPy
[2015/01/25 21:32:55 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2015/01/25 21:32:53 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2015/01/25 19:40:30 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2015/01/25 19:40:30 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2015/01/25 19:40:30 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2015/01/25 19:40:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2015/01/25 19:40:19 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2015/01/25 19:13:09 | 005,609,462 | R--- | C] (Swearware) -- C:\Users\Clockwork\Desktop\ComboFix.exe
[2015/01/25 19:12:08 | 005,200,384 | ---- | C] (AVAST Software) -- C:\Users\Clockwork\Desktop\aswmbr.exe
[2015/01/25 16:57:56 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\OpenOffice
[2015/01/25 16:57:02 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice 4.1.1
[2015/01/25 16:56:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenOffice 4
[2015/01/25 16:56:26 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\Desktop\OpenOffice 4.1.1 (en-US) Installation Files
[2015/01/25 16:22:05 | 000,000,000 | ---D | C] -- C:\FRST
[2015/01/25 16:16:49 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2015/01/25 16:11:11 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2015/01/25 16:05:01 | 002,129,920 | ---- | C] (Farbar) -- C:\Users\Clockwork\Desktop\FRST64.exe
[2015/01/25 15:54:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2015/01/25 14:44:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Clockwork\Desktop\OTL.exe
[2015/01/25 14:29:34 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2015/01/25 14:22:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2015/01/25 14:22:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2015/01/25 13:56:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2015/01/25 13:55:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VideoLAN
[2015/01/25 13:11:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
[2015/01/25 13:11:51 | 000,386,680 | ---- | C] (Duplex Secure Ltd.) -- C:\Windows\SysNative\drivers\sptd.sys
[2015/01/25 13:11:51 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\DAEMON Tools Lite
[2015/01/25 13:11:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DAEMON Tools Lite
[2015/01/25 13:10:43 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2015/01/21 09:26:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2015/01/17 03:51:38 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\PhotoScape
[2015/01/13 21:50:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird
[2015/01/13 11:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2015/01/13 01:47:00 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Roaming\Yahoo!
[2015/01/13 01:45:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Yahoo!
[2015/01/01 17:46:57 | 000,174,112 | ---- | C] (EasyAntiCheat Ltd) -- C:\Windows\SysWow64\EasyAntiCheat.exe
[2015/01/01 12:16:49 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\AppData\Local\capcom
[2014/12/30 10:13:16 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2014/12/29 21:09:23 | 000,000,000 | ---D | C] -- C:\Users\Clockwork\Documents\Larian Studios
[2014/12/29 21:09:17 | 000,518,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XAudio2_7.dll
[2014/12/29 21:09:17 | 000,077,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XAPOFX1_5.dll
[2014/12/29 21:09:16 | 002,526,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_43.dll
[2014/12/29 21:09:16 | 001,907,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dcsx_43.dll
[2014/12/29 21:09:16 | 000,511,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_43.dll
[2014/12/29 21:09:16 | 000,470,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_43.dll
[2014/12/29 21:09:16 | 000,276,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx11_43.dll
[2014/12/29 21:09:16 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx11_43.dll
[2014/12/29 21:09:16 | 000,176,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine3_7.dll
[2014/12/29 21:09:15 | 002,401,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DX9_43.dll
 
========== Files - Modified Within 30 Days ==========
 
[2015/01/26 09:56:01 | 002,480,312 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Clockwork\Desktop\procexp.exe
[2015/01/26 08:14:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/01/25 21:49:18 | 000,061,440 | ---- | M] ( ) -- C:\Users\Clockwork\Desktop\VEW.exe
[2015/01/25 21:49:11 | 000,050,073 | ---- | M] () -- C:\Users\Clockwork\Desktop\sfc scan.jpg
[2015/01/25 21:43:47 | 000,778,150 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/01/25 21:43:47 | 000,659,580 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/01/25 21:43:47 | 000,120,508 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/01/25 21:42:51 | 000,014,192 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/01/25 21:42:51 | 000,014,192 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/01/25 21:37:41 | 000,293,176 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2015/01/25 21:37:32 | 2146,344,959 | -HS- | M] () -- C:\hiberfil.sys
[2015/01/25 19:44:54 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2015/01/25 19:39:01 | 000,000,512 | ---- | M] () -- C:\Users\Clockwork\Desktop\MBR.dat
[2015/01/25 19:14:03 | 005,609,462 | R--- | M] (Swearware) -- C:\Users\Clockwork\Desktop\ComboFix.exe
[2015/01/25 19:12:11 | 005,200,384 | ---- | M] (AVAST Software) -- C:\Users\Clockwork\Desktop\aswmbr.exe
[2015/01/25 16:57:02 | 000,001,112 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice 4.1.1.lnk
[2015/01/25 16:05:12 | 002,129,920 | ---- | M] (Farbar) -- C:\Users\Clockwork\Desktop\FRST64.exe
[2015/01/25 14:58:11 | 000,094,631 | ---- | M] () -- C:\Users\Clockwork\Desktop\suspicious startup.jpg
[2015/01/25 14:56:46 | 000,100,312 | ---- | M] () -- C:\Users\Clockwork\Desktop\suspicious services.jpg
[2015/01/25 14:44:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Clockwork\Desktop\OTL.exe
[2015/01/25 13:56:01 | 000,001,070 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2015/01/25 13:12:01 | 000,001,954 | ---- | M] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2015/01/25 13:11:51 | 000,386,680 | ---- | M] (Duplex Secure Ltd.) -- C:\Windows\SysNative\drivers\sptd.sys
[2015/01/23 12:56:25 | 000,026,109 | ---- | M] () -- C:\Users\Clockwork\Desktop\Untitled attachment 00046.jpg
[2015/01/21 09:25:59 | 000,111,016 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
[2015/01/21 09:25:38 | 000,098,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2015/01/18 01:46:53 | 000,002,114 | ---- | M] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2015/01/17 21:07:32 | 000,701,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2015/01/17 21:07:32 | 000,071,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2015/01/17 17:39:59 | 488,662,232 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2015/01/17 03:52:26 | 000,030,720 | -H-- | M] () -- C:\Users\Clockwork\Desktop\photothumb.db
[2015/01/01 17:16:11 | 000,174,112 | ---- | M] (EasyAntiCheat Ltd) -- C:\Windows\SysWow64\EasyAntiCheat.exe
[2014/12/29 11:48:26 | 000,000,222 | ---- | M] () -- C:\Users\Clockwork\Desktop\Divinity Original Sin.url
[2014/12/27 21:13:02 | 000,000,859 | ---- | M] () -- C:\Users\Clockwork\Desktop\µTorrent.lnk
[2014/12/27 21:13:02 | 000,000,839 | ---- | M] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
 
========== Files Created - No Company Name ==========
 
[2015/01/25 21:49:15 | 000,061,440 | ---- | C] ( ) -- C:\Users\Clockwork\Desktop\VEW.exe
[2015/01/25 21:49:11 | 000,050,073 | ---- | C] () -- C:\Users\Clockwork\Desktop\sfc scan.jpg
[2015/01/25 19:40:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2015/01/25 19:40:30 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2015/01/25 19:40:30 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2015/01/25 19:40:30 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2015/01/25 19:40:30 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2015/01/25 19:39:01 | 000,000,512 | ---- | C] () -- C:\Users\Clockwork\Desktop\MBR.dat
[2015/01/25 16:57:02 | 000,001,112 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice 4.1.1.lnk
[2015/01/25 14:58:11 | 000,094,631 | ---- | C] () -- C:\Users\Clockwork\Desktop\suspicious startup.jpg
[2015/01/25 14:56:46 | 000,100,312 | ---- | C] () -- C:\Users\Clockwork\Desktop\suspicious services.jpg
[2015/01/25 13:56:01 | 000,001,070 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2015/01/25 13:12:01 | 000,001,954 | ---- | C] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2015/01/23 12:56:24 | 000,026,109 | ---- | C] () -- C:\Users\Clockwork\Desktop\Untitled attachment 00046.jpg
[2015/01/17 03:52:03 | 000,030,720 | -H-- | C] () -- C:\Users\Clockwork\Desktop\photothumb.db
[2014/12/30 10:13:09 | 488,662,232 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2014/12/29 11:48:26 | 000,000,222 | ---- | C] () -- C:\Users\Clockwork\Desktop\Divinity Original Sin.url
[2014/12/27 21:13:02 | 000,000,859 | ---- | C] () -- C:\Users\Clockwork\Desktop\µTorrent.lnk
[2014/12/27 21:13:02 | 000,000,839 | ---- | C] () -- C:\Users\Clockwork\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2014/11/26 08:30:56 | 000,000,079 | ---- | C] () -- C:\Windows\ENX230.ini
[2014/11/21 23:19:09 | 000,771,962 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/11/18 11:51:46 | 000,000,430 | RHS- | C] () -- C:\Users\Clockwork\ntuser.pol
 
========== ZeroAccess Check ==========
 
[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2009/07/13 17:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009/07/13 17:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 17:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== Custom Scans ==========
 
========== Drive Information ==========
 
Physical Drives
---------------
 
Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: Hitachi HDS721010CLA330 ATA Device
Partitions: 3
Status: OK
Status Info: 0
 
Partitions
---------------
 
DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 100.00MB
Starting Offset: 1048576
Hidden sectors: 0
 
 
DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 500.00GB
Starting Offset: 105906176
Hidden sectors: 0
 
 
DeviceID: Disk #0, Partition #2
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 431.00GB
Starting Offset: 536976818176
Hidden sectors: 0
 
 
< %SYSTEMDRIVE%\*.exe >
 
< %systemroot%\assembly\GAC_32\*.ini >
 
< %systemroot%\assembly\GAC_64\*.ini >
 
< %SYSTEMDRIVE%\*.exe >
 
< %ALLUSERSPROFILE%\Application Data\*.exe >
 
< %APPDATA%\*. >
[2014/11/17 22:35:14 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Adobe
[2014/11/30 22:36:41 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\BearWare.dk
[2015/01/25 13:50:56 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\DAEMON Tools Lite
[2014/12/16 10:14:37 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Epson
[2014/11/17 17:34:09 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Identities
[2014/11/26 08:31:52 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\InstallShield
[2014/11/26 08:32:45 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Leadertech
[2014/11/18 14:49:40 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Logishrd
[2014/11/18 14:49:40 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Logitech
[2014/11/17 22:35:14 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Macromedia
[2009/07/13 23:45:14 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Media Center Programs
[2014/11/28 16:13:35 | 000,000,000 | --SD | M] -- C:\Users\Clockwork\AppData\Roaming\Microsoft
[2014/11/18 08:38:37 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Mozilla
[2014/11/28 16:04:04 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\MPC-HC
[2015/01/25 22:09:19 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\NVIDIA
[2015/01/25 16:57:56 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\OpenOffice
[2015/01/17 03:51:40 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\PhotoScape
[2015/01/25 22:09:17 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\RenPy
[2015/01/26 09:56:38 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Skype
[2014/11/28 15:34:59 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\SplitmediaLabs
[2014/11/17 21:31:07 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\TeraCopy
[2013/07/11 20:10:44 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Thunderbird
[2015/01/24 17:37:00 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\TS3Client
[2015/01/25 13:13:49 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\uTorrent
[2014/11/18 14:53:21 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Ventrilo
[2014/11/18 17:24:51 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\WinRAR
[2015/01/13 01:47:00 | 000,000,000 | ---D | M] -- C:\Users\Clockwork\AppData\Roaming\Yahoo!
 
< MD5 for: ATAPI.SYS  >
[2009/07/13 17:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\erdnt\cache64\atapi.sys
[2009/07/13 17:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
[2009/07/13 17:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/13 17:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
 
< MD5 for: CSRSS.EXE  >
[2009/07/13 17:39:02 | 000,007,680 | ---- | M] (Microsoft Corporation) MD5=60C2862B4BF0FD9F582EF344C2B1EC72 -- C:\Windows\SysNative\csrss.exe
[2009/07/13 17:39:02 | 000,007,680 | ---- | M] (Microsoft Corporation) MD5=60C2862B4BF0FD9F582EF344C2B1EC72 -- C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe
 
< MD5 for: EXPLORER.EXE  >
[2009/07/13 17:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\SysWOW64\explorer.exe
[2009/07/13 17:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe
[2009/07/13 17:39:10 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=C235A51CB740E45FFA0EBFB9BAFCDA64 -- C:\Windows\erdnt\cache86\explorer.exe
[2009/07/13 17:39:10 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=C235A51CB740E45FFA0EBFB9BAFCDA64 -- C:\Windows\explorer.exe
[2009/07/13 17:39:10 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=C235A51CB740E45FFA0EBFB9BAFCDA64 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
 
< MD5 for: MSWSOCK.DLL  >
[2009/07/13 17:15:51 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=11A41F17527ED75D6B758FDD7F4FD00D -- C:\Windows\erdnt\cache86\mswsock.dll
[2009/07/13 17:15:51 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=11A41F17527ED75D6B758FDD7F4FD00D -- C:\Windows\SysWOW64\mswsock.dll
[2009/07/13 17:15:51 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=11A41F17527ED75D6B758FDD7F4FD00D -- C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7600.16385_none_b829ad298e9f53ff\mswsock.dll
[2009/07/13 17:41:34 | 000,320,000 | ---- | M] (Microsoft Corporation) MD5=FC76FE3C1E1FDB761244D4F74EF560FD -- C:\Windows\erdnt\cache64\mswsock.dll
[2009/07/13 17:41:34 | 000,320,000 | ---- | M] (Microsoft Corporation) MD5=FC76FE3C1E1FDB761244D4F74EF560FD -- C:\Windows\SysNative\mswsock.dll
[2009/07/13 17:41:34 | 000,320,000 | ---- | M] (Microsoft Corporation) MD5=FC76FE3C1E1FDB761244D4F74EF560FD -- C:\Windows\winsxs\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7600.16385_none_144848ad46fcc535\mswsock.dll
 
< MD5 for: NAPINSP.DLL  >
[2009/07/13 17:16:02 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0B7E85364CB878E2AD531DB7B601A9E5 -- C:\Windows\SysWOW64\NapiNSP.dll
[2009/07/13 17:16:02 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0B7E85364CB878E2AD531DB7B601A9E5 -- C:\Windows\winsxs\x86_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.1.7600.16385_none_abf396ebf0847c31\NapiNSP.dll
[2009/07/13 17:41:52 | 000,068,096 | ---- | M] (Microsoft Corporation) MD5=58A0CDABEA255616827B1C22C9994466 -- C:\Windows\SysNative\NapiNSP.dll
[2009/07/13 17:41:52 | 000,068,096 | ---- | M] (Microsoft Corporation) MD5=58A0CDABEA255616827B1C22C9994466 -- C:\Windows\winsxs\amd64_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.1.7600.16385_none_0812326fa8e1ed67\NapiNSP.dll
 
< MD5 for: NLAAPI.DLL  >
[2009/07/13 17:16:03 | 000,051,712 | ---- | M] (Microsoft Corporation) MD5=045DB4EAB4FBD23210E85ECC3F464A2E -- C:\Windows\SysWOW64\nlaapi.dll
[2009/07/13 17:16:03 | 000,051,712 | ---- | M] (Microsoft Corporation) MD5=045DB4EAB4FBD23210E85ECC3F464A2E -- C:\Windows\winsxs\wow64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7600.16385_none_cdcf91c058fc0e07\nlaapi.dll
[2009/07/13 17:41:52 | 000,070,144 | ---- | M] (Microsoft Corporation) MD5=86E3822A34D454032D8E88C72AE8CF2D -- C:\Windows\SysNative\nlaapi.dll
[2009/07/13 17:41:52 | 000,070,144 | ---- | M] (Microsoft Corporation) MD5=86E3822A34D454032D8E88C72AE8CF2D -- C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7600.16385_none_c37ae76e249b4c0c\nlaapi.dll
 
< MD5 for: PNRPNSP.DLL  >
[2009/07/13 17:16:12 | 000,065,024 | ---- | M] (Microsoft Corporation) MD5=5CF640EDDB1E40A5AB1BB743BCDEC610 -- C:\Windows\SysWOW64\pnrpnsp.dll
[2009/07/13 17:16:12 | 000,065,024 | ---- | M] (Microsoft Corporation) MD5=5CF640EDDB1E40A5AB1BB743BCDEC610 -- C:\Windows\winsxs\wow64_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.1.7600.16385_none_d7c8b1ac70865dab\pnrpnsp.dll
[2009/07/13 17:41:53 | 000,086,016 | ---- | M] (Microsoft Corporation) MD5=613C8CE10A5FDE582BA5FA64C4D56AAA -- C:\Windows\SysNative\pnrpnsp.dll
[2009/07/13 17:41:53 | 000,086,016 | ---- | M] (Microsoft Corporation) MD5=613C8CE10A5FDE582BA5FA64C4D56AAA -- C:\Windows\winsxs\amd64_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.1.7600.16385_none_cd74075a3c259bb0\pnrpnsp.dll
 
< MD5 for: PRINTISOLATIONHOST.EXE  >
[2009/07/13 17:39:27 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=22F020C76E339EB2B2187BA73A7E4173 -- C:\Windows\SysNative\PrintIsolationHost.exe
[2009/07/13 17:39:27 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=22F020C76E339EB2B2187BA73A7E4173 -- C:\Windows\winsxs\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_6.1.7600.16385_none_f8a40495785334a9\PrintIsolationHost.exe
 
< MD5 for: SERVICES.EXE  >
[2009/07/13 17:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\erdnt\cache64\services.exe
[2009/07/13 17:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysNative\services.exe
[2009/07/13 17:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
 
< MD5 for: SVCHOST.EXE  >
[2009/07/13 17:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\erdnt\cache86\svchost.exe
[2009/07/13 17:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
[2009/07/13 17:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009/07/13 17:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\erdnt\cache64\svchost.exe
[2009/07/13 17:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\SysNative\svchost.exe
[2009/07/13 17:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
 
< MD5 for: USER32.DLL  >
[2009/07/13 17:41:56 | 001,008,640 | ---- | M] (Microsoft Corporation) MD5=72D7B3EA16946E8F0CF7458150031CC6 -- C:\Windows\erdnt\cache64\user32.dll
[2009/07/13 17:41:56 | 001,008,640 | ---- | M] (Microsoft Corporation) MD5=72D7B3EA16946E8F0CF7458150031CC6 -- C:\Windows\SysNative\user32.dll
[2009/07/13 17:41:56 | 001,008,640 | ---- | M] (Microsoft Corporation) MD5=72D7B3EA16946E8F0CF7458150031CC6 -- C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[2009/07/13 17:11:24 | 000,833,024 | ---- | M] (Microsoft Corporation) MD5=E8B0FFC209E504CB7E79FC24E6C085F0 -- C:\Windows\erdnt\cache86\user32.dll
[2009/07/13 17:11:24 | 000,833,024 | ---- | M] (Microsoft Corporation) MD5=E8B0FFC209E504CB7E79FC24E6C085F0 -- C:\Windows\SysWOW64\user32.dll
[2009/07/13 17:11:24 | 000,833,024 | ---- | M] (Microsoft Corporation) MD5=E8B0FFC209E504CB7E79FC24E6C085F0 -- C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
 
< MD5 for: USERINIT.EXE  >
[2009/07/13 17:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\erdnt\cache86\userinit.exe
[2009/07/13 17:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\SysWOW64\userinit.exe
[2009/07/13 17:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
[2009/07/13 17:39:48 | 000,030,208 | ---- | M] (Microsoft Corporation) MD5=6F8F1376A13114CC10C0E69274F5A4DE -- C:\Windows\erdnt\cache64\userinit.exe
[2009/07/13 17:39:48 | 000,030,208 | ---- | M] (Microsoft Corporation) MD5=6F8F1376A13114CC10C0E69274F5A4DE -- C:\Windows\SysNative\userinit.exe
[2009/07/13 17:39:48 | 000,030,208 | ---- | M] (Microsoft Corporation) MD5=6F8F1376A13114CC10C0E69274F5A4DE -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_381dabbceb60feb2\userinit.exe
 
< MD5 for: WINLOGON.EXE  >
[2009/07/13 17:39:52 | 000,389,120 | ---- | M] (Microsoft Corporation) MD5=132328DF455B0028F13BF0ABEE51A63A -- C:\Windows\erdnt\cache64\winlogon.exe
[2009/07/13 17:39:52 | 000,389,120 | ---- | M] (Microsoft Corporation) MD5=132328DF455B0028F13BF0ABEE51A63A -- C:\Windows\SysNative\winlogon.exe
[2009/07/13 17:39:52 | 000,389,120 | ---- | M] (Microsoft Corporation) MD5=132328DF455B0028F13BF0ABEE51A63A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
 
< MD5 for: WINRNR.DLL  >
[2009/07/13 17:41:56 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=2E2072EB48238FCA8FBB7A9F5FABAC45 -- C:\Windows\SysNative\winrnr.dll
[2009/07/13 17:41:56 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=2E2072EB48238FCA8FBB7A9F5FABAC45 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.1.7600.16385_none_b543449669c73e11\winrnr.dll
[2009/07/13 17:16:19 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=5DF5D8CFD9B9573FA3B2C89D9061A240 -- C:\Windows\SysWOW64\winrnr.dll
[2009/07/13 17:16:19 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=5DF5D8CFD9B9573FA3B2C89D9061A240 -- C:\Windows\winsxs\x86_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.1.7600.16385_none_5924a912b169ccdb\winrnr.dll
 
< MD5 for: WSHELPER.DLL  >
[2009/07/13 17:16:20 | 000,015,360 | ---- | M] (Microsoft Corporation) MD5=5B90BB3171504C9DAF3C5CB44B203CA7 -- C:\Windows\SysWOW64\wshelper.dll
[2009/07/13 17:16:20 | 000,015,360 | ---- | M] (Microsoft Corporation) MD5=5B90BB3171504C9DAF3C5CB44B203CA7 -- C:\Windows\winsxs\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6ace9e67456cc40b\wshelper.dll
[2009/07/13 17:41:58 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=D314DA4B0B8DCD023D547FC568E34FB6 -- C:\Windows\SysNative\wshelper.dll
[2009/07/13 17:41:58 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=D314DA4B0B8DCD023D547FC568E34FB6 -- C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\wshelper.dll
 
< C:\Windows\assembly\tmp\U\*.* /s >
 
< %systemroot%\*. /mp /s >
 
< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2015/01/13 11:43:11 | 000,915,376 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2015/01/13 11:43:11 | 000,915,376 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2015/01/13 11:43:11 | 000,915,376 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" [2015/01/13 11:43:11 | 000,338,032 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -preferences [2015/01/13 11:43:11 | 000,338,032 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode [2015/01/13 11:43:11 | 000,338,032 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2009/07/13 17:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2009/07/13 17:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2009/07/13 17:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2009/07/13 17:17:29 | 000,673,048 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" [2009/07/13 17:17:29 | 000,673,048 | ---- | M] (Microsoft Corporation)
 
< hklm\software\clients\startmenuinternet|command /64 /rs >
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE" /HIDESHORTCUTS [2015/01/13 11:43:11 | 000,915,376 | ---- | M] (Mozilla Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE" /SHOWSHORTCUTS [2015/01/13 11:43:11 | 000,915,376 | ---- | M] (Mozilla Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE" /SETASDEFAULTAPPGLOBAL [2015/01/13 11:43:11 | 000,915,376 | ---- | M] (Mozilla Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE" [2015/01/13 11:43:11 | 000,338,032 | ---- | M] (Mozilla Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE" -PREFERENCES [2015/01/13 11:43:11 | 000,338,032 | ---- | M] (Mozilla Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE" -SAFE-MODE [2015/01/13 11:43:11 | 000,338,032 | ---- | M] (Mozilla Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2009/07/13 17:39:12 | 000,073,728 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2009/07/13 17:39:12 | 000,073,728 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2009/07/13 17:39:12 | 000,073,728 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2009/07/13 17:17:29 | 000,673,048 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" [2009/07/13 17:17:29 | 000,673,048 | ---- | M] (Microsoft Corporation)
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %ProgramFiles%\WINDOWS NT\*.* /s >
[2009/07/13 17:14:49 | 004,243,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\WINDOWS NT\Accessories\wordpad.exe
[2009/07/13 17:16:20 | 000,194,560 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\WINDOWS NT\Accessories\WordpadFilter.dll
[2009/07/13 18:06:02 | 000,051,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\WINDOWS NT\Accessories\en-US\wordpad.exe.mui
[2009/07/13 17:16:15 | 000,325,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextService.dll
[2009/06/10 13:43:18 | 000,016,212 | ---- | M] () -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextServiceAmharic.txt
[2009/06/10 13:43:18 | 001,272,822 | ---- | M] () -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextServiceArray.txt
[2009/06/10 13:43:18 | 000,980,102 | ---- | M] () -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextServiceDaYi.txt
[2009/06/10 13:43:19 | 001,665,878 | ---- | M] () -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt
[2009/06/10 13:43:19 | 001,445,430 | ---- | M] () -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt
[2009/06/10 13:43:19 | 001,810,352 | ---- | M] () -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt
[2009/06/10 13:43:19 | 000,044,968 | ---- | M] () -- C:\Program Files (x86)\WINDOWS NT\TableTextService\TableTextServiceYi.txt
[2009/07/13 18:05:26 | 000,008,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\WINDOWS NT\TableTextService\en-US\TableTextService.dll.mui
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >

< End of report >
 

Extras.txt

OTL Extras logfile created on: 1/26/2015 10:02:56 AM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Clockwork\Desktop
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
8.00 Gb Total Physical Memory | 7.07 Gb Available Physical Memory | 88.37% Memory free
16.00 Gb Paging File | 14.77 Gb Available in Paging File | 92.37% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 500.00 Gb Total Space | 328.77 Gb Free Space | 65.75% Space Free | Partition Type: NTFS
Drive G: | 431.41 Gb Total Space | 431.30 Gb Free Space | 99.97% Space Free | Partition Type: NTFS
 
Computer Name: CLOCKWORK-PC | User Name: Clockwork | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (All) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm[@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl[@ = cplfile] -- C:\Windows\SysNative\control.exe (Microsoft Corporation)
.hlp[@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta[@ = htafile] -- C:\Windows\SysWOW64\mshta.exe (Microsoft Corporation)
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf[@ = inffile] -- C:\Windows\SysNative\NOTEPAD.EXE (Microsoft Corporation)
.ini[@ = inifile] -- C:\Windows\SysNative\NOTEPAD.EXE (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
.js[@ = JSFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.jse[@ = JSEFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.reg[@ = regfile] -- C:\Windows\regedit.exe (Microsoft Corporation)
.txt[@ = txtfile] -- C:\Windows\SysNative\NOTEPAD.EXE (Microsoft Corporation)
.vbe[@ = VBEFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.vbs[@ = VBSFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.wsf[@ = WSFFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.wsh[@ = WSHFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\Windows\SysWOW64\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Windows\SysWow64\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\Windows\SysWow64\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\SysWOW64\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\SysWOW64\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0136A680-4ADD-4800-A51F-4B1DEEDA79C2}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{0356E175-ADBB-448E-B878-8B8E57FBC494}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{081547A8-448B-4427-942C-5EF6FACDDDBC}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{095E783E-A9AA-494C-8469-5B6365F9BD2C}" = lport=137 | protocol=17 | dir=in | app=system |
"{0FA2EC44-EB6F-47D2-880D-0D0FD5E850E9}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{22DC784A-3B9B-48B9-8B55-E386F8756559}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{29F10764-A904-4CAC-9EE0-32B2B69BA2C2}" = rport=139 | protocol=6 | dir=out | app=system |
"{53AD596C-4065-4190-A361-A7B554A3FEE0}" = lport=445 | protocol=6 | dir=in | app=system |
"{57A9FFE8-CE28-40E8-95A5-F8D56A15BF10}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5E710AFD-7185-4C21-A91B-C8C09769C2AD}" = lport=138 | protocol=17 | dir=in | app=system |
"{767B5FE0-578D-47EF-A8DF-4FB1D09882FD}" = rport=10243 | protocol=6 | dir=out | app=system |
"{7B2327F5-78CB-4EBB-8DBC-89F4E3D81EE2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9AE9BC36-39C1-491A-9E9A-47F63713838C}" = lport=10243 | protocol=6 | dir=in | app=system |
"{A2C8C8E0-42B6-43BC-A12E-530E6F86F962}" = rport=138 | protocol=17 | dir=out | app=system |
"{ABF8C614-6458-4AA9-93B0-1E64FB6AF18D}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{B728DA59-9E4B-4CD4-B020-3172EF828E4B}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B9F6CA70-0379-4105-B2DA-78E22C9E92F5}" = lport=54045 | protocol=17 | dir=in | app=c:\program files\logitech gaming software\lcore.exe |
"{C6071D34-7085-4504-AF91-18CE1A8B4ADA}" = rport=445 | protocol=6 | dir=out | app=system |
"{D2534D3A-E915-4F78-87E5-F8437BCD79C6}" = rport=137 | protocol=17 | dir=out | app=system |
"{D4B04ADB-0609-4D8C-B688-F8EEEC2EE920}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{ED91B028-AE1C-41DE-B996-3520B22F1E2B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{FE5AF1DD-B7BB-41EF-95B8-5483EBD5F3D9}" = lport=139 | protocol=6 | dir=in | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{050B7076-4FA8-4048-86C4-602BDEC065E3}" = dir=in | app=c:\a\winonit.exe |
"{0633C1F0-AAC5-413A-95AA-9E501BCA1E2A}" = dir=out | app=c:\a\getcap.exe |
"{083A9378-C9AB-4A8B-829A-F3A5DFEA58C4}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{0B17ED34-8D98-47CE-AD70-631372515631}" = protocol=17 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
"{11F11995-D294-414C-B1F3-B56D54BE9575}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\bin\steamwebhelper.exe |
"{12E8C027-D00E-4C0F-8E4C-AF43A3728BAC}" = dir=in | app=c:\a\internetport3.exe |
"{14BE0496-C127-46AC-9935-22F649DFB503}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{154D8D88-F58A-4008-843B-1A3D79C124C2}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\sunrider\sunridermaskofarcadius-steam.exe |
"{1B2CC766-C8E0-499E-A5C6-AEA6E32B79E8}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{2422EBB5-B08B-4A0C-A2FE-4C7BF8D7761A}" = dir=in | app=c:\a\wincheckfe.exe |
"{25EACD4B-13B6-4344-AC86-9D969D8D413D}" = protocol=6 | dir=out | app=system |
"{2836D890-FD9F-4386-AA28-50A5CB30554F}" = protocol=6 | dir=in | app=c:\users\clockwork\appdata\local\temp\wzse0.tmp\common\epsonnet setup\eneasyapp.exe |
"{2BAF4D70-7219-4D29-88AD-7D2B4CB58FB2}" = dir=out | app=c:\a\wcheckf.exe |
"{2EF44E22-524E-4AB4-A7F9-4EB61C2DE660}" = protocol=6 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
"{36B3F6D7-A7D1-4B9A-8EF4-4AE542B1B99C}" = protocol=6 | dir=in | app=c:\program files\teamtalk4\teamtalk4.exe |
"{3E30E17F-3946-4125-BB86-D68FF37BB8FB}" = protocol=1 | dir=in | [email protected],-28543 |
"{46DCF8A8-D207-4CAE-8BC5-B675121C4C15}" = protocol=17 | dir=in | app=c:\program files (x86)\yahoo!\messenger\yahoomessenger.exe |
"{47159CD5-FAA6-4B74-8B3C-840C0709E916}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\sunrider\sunridermaskofarcadius-steam.exe |
"{481F7666-0B54-449F-8825-CAEB2BFD234F}" = protocol=17 | dir=in | app=c:\users\clockwork\downloads\utorrent_1.7.1.exe |
"{4B8C8638-1325-4A53-A159-B5C8BB731606}" = dir=out | app=c:\a\kcik4zs0priyuprf52jg.exe |
"{4C9CC927-2F25-482B-90D0-215CBDFBB65A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{55E36625-8BBE-4055-BC9B-10226A39BEF9}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\killingfloor\system\killingfloor.exe |
"{567201E8-5966-441F-A0C4-BC80BBB9741B}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\rust\rust.exe |
"{56FDD773-888B-4EA6-B3C9-081EF4039D43}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{58513D2A-E759-41F6-925D-DA1DA53F172A}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\divinity - original sin\shipping\eocapp.exe |
"{5939242F-1CE1-4D57-B823-31EC8F3DAEC4}" = dir=in | app=c:\a\kcik4zs0priyuprf52jg.exe |
"{6D3C2C17-92A3-4F66-94D8-C33B66799E76}" = protocol=6 | dir=in | app=c:\users\clockwork\downloads\utorrent_1.7.1.exe |
"{6DD82040-C976-4C38-A34A-099B61E1E146}" = protocol=17 | dir=in | app=c:\program files\teamtalk4\teamtalk4.exe |
"{71770999-9BDC-4422-9A9F-7B5DAFEA1E31}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\magicite\magicite.exe |
"{73DAECEE-2767-4AA1-A5A7-61C8BB176CCD}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{7B1CB94B-BBD5-4863-BCBA-17161EDFFA11}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\rust\legacy\rust.exe |
"{7C29ADEE-F6AE-438C-AD6F-DA5FC2BC9C20}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\bin\steamwebhelper.exe |
"{7C953350-CD56-4849-B6DD-4097186D9116}" = dir=in | app=c:\a\vchk.exe |
"{7DA8E34B-33A5-48A0-A7D6-9AF2D9A1CC27}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe |
"{7F75225F-5AAD-4676-B2FB-1D91C0CC67CF}" = protocol=58 | dir=out | [email protected],-28546 |
"{80DBB924-D7BE-4ADD-982D-3852C149F6E3}" = dir=in | app=c:\a\getcap.exe |
"{81E5C8EE-C89F-4609-B31E-FD85D00C2514}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{829593A7-8D4C-4278-804C-4ED2710AE5B0}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{84EB52C2-80A2-46E7-959F-A0FE77A2F368}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\arma2oa_be.exe |
"{8759E119-7CE3-476E-B5D9-87B25E43E03B}" = dir=in | app=c:\program files (x86)\youtube downloader services\p4\youtubeserv.exe |
"{8D4421EA-44D2-4771-8AC2-D7E85A8A7843}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\rust\legacy\rust.exe |
"{8D88E694-D112-4A72-9B07-3D874F58E324}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\rust\rust.exe |
"{8F271D33-A7CF-4998-BE5F-65DACC554A00}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\magicite\magicite.exe |
"{9077ED2E-1EEB-4194-A472-9F4BED500B38}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\lost planet extreme condition\lostplanetdx9.exe |
"{92F8F3D0-DA67-4776-BF28-22A9F63D2FE7}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\lost planet extreme condition\lostplanetdx10.exe |
"{98150D19-3EB3-4088-A07D-BA05C3D70E68}" = protocol=17 | dir=in | app=c:\users\clockwork\appdata\roaming\utorrent\utorrent.exe |
"{9995470F-9690-40DC-BB5B-46FCAA43D18C}" = dir=in | app=c:\a\wcheckf.exe |
"{9B4ADE7C-7876-4060-8AE0-F21696913FC8}" = protocol=58 | dir=in | [email protected],-28545 |
"{9E73AA35-4CA6-4594-888F-7778F4CE294A}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{A2D0EB8F-5219-4558-BEFB-524346D540D3}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A3F08B85-5A0E-42F7-BECC-097DDDAFB972}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\arma 2\arma2.exe |
"{A9D7E61E-9F46-4C15-AC3C-13DBFE3C8E9E}" = protocol=6 | dir=in | app=c:\program files (x86)\yahoo!\messenger\yahoomessenger.exe |
"{ADCF38F0-EE00-4EC1-A7AB-AA26AA79A113}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\team fortress 2\hl2.exe |
"{AE3837A2-8774-4156-A1A7-57723A95E86B}" = dir=out | app=c:\a\wincheckfe.exe |
"{AFDC2908-A39E-41B8-8D88-05EE8FFAA902}" = dir=out | app=c:\a\winonit.exe |
"{B680218A-5939-4EAD-8ED1-3D6AC790163B}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe |
"{B7AD6E26-02D3-4351-8D74-F467EBA62F4F}" = dir=in | app=c:\program files (x86)\youtube downloader services\p4\powermgr.exe |
"{BADC9165-465A-4ABE-B86A-C628AD05EA0C}" = protocol=6 | dir=in | app=c:\users\clockwork\appdata\roaming\utorrent\utorrent.exe |
"{BB635EBC-0612-48A7-BA3D-55D296811571}" = protocol=17 | dir=in | app=c:\users\clockwork\appdata\local\temp\wzse0.tmp\common\epsonnet setup\eneasyapp.exe |
"{CA677B50-3F7E-47F7-A668-DC394BA58A9E}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{CB6A0092-2D2B-4ABD-924E-A0A726A7FEF8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D3817A57-8252-46A2-8014-CE4DB5E6F37A}" = protocol=6 | dir=in | app=c:\program files\logitech gaming software\lcore.exe |
"{D5E15A0B-FFC7-4422-9B6E-A1720CF83F5A}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\arma2oa_be.exe |
"{DCC41809-9D65-4C40-A106-EA01833959B0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{E0BB5F33-C8CA-4264-8500-F91F2D48DA84}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\lost planet extreme condition\lostplanetdx10.exe |
"{E1A534A5-79CD-4089-AF61-1789ACBCDD29}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E4BA6CD2-8E72-4E3C-B038-14378BA0B2C3}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\team fortress 2\hl2.exe |
"{E6307FA6-EA11-4DFF-AE75-5787306E29CC}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\killingfloor\system\killingfloor.exe |
"{EBBB5719-E31F-4F78-A1FA-489BBE46AAE7}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\lost planet extreme condition\lostplanetdx9.exe |
"{ED5ED7CC-17E0-4383-9B23-B67141F9FFC8}" = protocol=1 | dir=out | [email protected],-28544 |
"{F13F39A8-BF9B-4E5E-81C6-676ED3A951D0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F3ABDD12-472D-47B8-A7C6-F43E676B9BE4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F7E24EA1-9D76-46C2-B9D0-A9190A7A44E4}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\arma 2\arma2.exe |
"{FB89EA43-1459-4EC0-BB8D-A23F8E3FAE66}" = dir=out | app=c:\a\internetport3.exe |
"{FB8B2414-2AF7-437D-9BF7-5C09131238D7}" = dir=out | app=c:\a\vchk.exe |
"{FECBD353-F2DC-4982-B454-C65C6D6E2BB9}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{FFB1A327-6F48-499F-9B6A-AB618314AEA9}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\divinity - original sin\shipping\eocapp.exe |
"TCP Query User{92671EFB-702D-4C47-98C7-33AA7A14F003}C:\users\clockwork\appdata\local\akamai\netsession_win.exe" = protocol=6 | dir=in | app=c:\users\clockwork\appdata\local\akamai\netsession_win.exe |
"TCP Query User{D7F9635C-3205-4E11-8901-C7918FEF3F3F}C:\program files (x86)\steam\steamapps\common\lord of the rings online\lotroclient.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\lord of the rings online\lotroclient.exe |
"TCP Query User{E19291C8-03FA-4BFA-A84D-F0EAC381FBD8}C:\users\clockwork\appdata\local\akamai\netsession_win.exe" = protocol=6 | dir=in | app=c:\users\clockwork\appdata\local\akamai\netsession_win.exe |
"UDP Query User{C63F3A25-D07D-4246-8FA1-C7918C20D7FB}C:\users\clockwork\appdata\local\akamai\netsession_win.exe" = protocol=17 | dir=in | app=c:\users\clockwork\appdata\local\akamai\netsession_win.exe |
"UDP Query User{D250DB07-0F9B-4A5E-8A4B-B31718924F2E}C:\program files (x86)\steam\steamapps\common\lord of the rings online\lotroclient.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\lord of the rings online\lotroclient.exe |
"UDP Query User{EF0205D2-ECF6-4AB6-9487-592B6DCFC94F}C:\users\clockwork\appdata\local\akamai\netsession_win.exe" = protocol=17 | dir=in | app=c:\users\clockwork\appdata\local\akamai\netsession_win.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F86418031F0}" = Java 8 Update 31 (64-bit)
"{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1" = MPC-HC 1.7.7 (64-bit)
"{37B8F9C7-03FB-3253-8781-2517C99D7C00}" = Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{690285C2-2481-44FB-8402-162EA970A6DD}" = Logitech Gaming Software
"{814FA673-A085-403C-9545-747FC1495069}" = Epson Customer Participation
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8C775E70-A791-4DA8-BCC3-6AB7136F4484}" = Visual Studio 2012 x64 Redistributables
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.1031
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" = Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CCleaner" = CCleaner
"EPSON NX230 Series" = EPSON NX230 Series Printer Uninstall
"Logitech Gaming Software" = Logitech Gaming Software 8.57
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TeamTalk4_is1" = TeamTalk 4
"TeraCopy_is1" = TeraCopy 2.3
"WinRAR archiver" = WinRAR 5.11 (64-bit)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1A14AC87-9585-4AC5-BA5D-0A3A4C6AF7D4}" = MechWarrior Online
"{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}" = Skype™ 6.22
"{26A24AE4-039D-4CA4-87B4-2F83218031F0}" = Java 8 Update 31
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6BC12A2C-6B3D-4158-ACCE-C3602F7C6CF3}" = XSplit Broadcaster
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}" = NVIDIA PhysX
"{8ED43F7E-A8F6-4898-AF11-B6158F2EDF94}" = Epson Event Manager
"{9395F41D-0F80-432E-9A59-B8E477E7E163}" = OpenOffice 4.1.1
"{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}" = Visual Studio 2012 x86 Redistributables
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9f17023b-d04f-432b-b08a-3bb4c3a7ed3c}" = MechWarrior Online
"{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" = Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"Adobe Flash Player ActiveX" = Adobe Flash Player 15 ActiveX
"Adobe Flash Player NPAPI" = Adobe Flash Player 16 NPAPI
"BattlEye for A2" = BattlEye Uninstall
"BattlEye for OA" = BattlEye for OA Uninstall
"DAEMON Tools Lite" = DAEMON Tools Lite
"divxh264_is1" = DivX H.264 decoder 8.2.0.26
"EPSON Scanner" = EPSON Scan
"Glyph" = Glyph
"Glyph Archeage" = Archeage
"Mozilla Firefox 35.0 (x86 en-US)" = Mozilla Firefox 35.0 (x86 en-US)
"Mozilla Thunderbird 31.4.0 (x86 en-US)" = Mozilla Thunderbird 31.4.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Search Module Plus" = Search Module Plus
"Steam" = Steam
"Steam App 1250" = Killing Floor
"Steam App 230230" = Divinity: Original Sin
"Steam App 252490" = Rust
"Steam App 268750" = Magicite
"Steam App 313730" = Sunrider: Mask of Arcadius
"Steam App 326960" = Killing Floor - Toy Master
"Steam App 33900" = Arma 2
"Steam App 33930" = Arma 2: Operation Arrowhead
"Steam App 440" = Team Fortress 2
"Steam App 6510" = Lost Planet: Extreme Condition
"VLC media player" = VLC media player 2.1.3
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent
 
< End of report >
 

Process explorer:

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    Verified Signer
System Idle Process    97.30    0 K    24 K    0            
procexp64.exe    2.17    22,668 K    41,644 K    4444    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Sysinternals
dwm.exe    0.12    39,632 K    31,836 K    2368    Desktop Window Manager    Microsoft Corporation    (Verified) Microsoft Windows
System    0.12    112 K    324 K    4            
Interrupts    0.07    0 K    0 K    n/a    Hardware Interrupts and DPCs        
svchost.exe    0.07    191,880 K    177,652 K    868    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
csrss.exe    0.04    2,448 K    12,836 K    424    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows
explorer.exe    0.03    35,940 K    33,884 K    2396    Windows Explorer    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    0.02    10,376 K    10,320 K    2640    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    0.02    7,560 K    8,372 K    2964    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    0.01    4,492 K    5,096 K    724    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
taskhost.exe    0.01    2,692 K    1,552 K    2404    Host Process for Windows Tasks    Microsoft Corporation    (Verified) Microsoft Windows
SearchIndexer.exe    0.01    36,668 K    25,152 K    2764    Microsoft Windows Search Indexer    Microsoft Corporation    (Verified) Microsoft Windows
lsass.exe    < 0.01    4,720 K    6,832 K    488    Local Security Authority Process    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    < 0.01    21,976 K    24,812 K    904    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
wmpnetwk.exe    < 0.01    10,604 K    13,560 K    2904    Windows Media Player Network Sharing Service    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    < 0.01    8,976 K    11,008 K    280    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    < 0.01    28,740 K    29,124 K    1192    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
csrss.exe    < 0.01    2,140 K    2,376 K    320    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows
nvvsvc.exe    < 0.01    5,296 K    3,540 K    492    NVIDIA Driver Helper Service, Version 307.83    NVIDIA Corporation    (Verified) NVIDIA Corporation
WmiPrvSE.exe        2,392 K    5,840 K    1708    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
winlogon.exe        2,884 K    1,996 K    536    Windows Logon Application    Microsoft Corporation    (Verified) Microsoft Windows
wininit.exe        1,436 K    300 K    388    Windows Start-Up Application    Microsoft Corporation    (Verified) Microsoft Windows
taskhost.exe        3,564 K    804 K    2760    Host Process for Windows Tasks    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe        10,596 K    7,456 K    1368    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe        4,228 K    4,584 K    628    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe        20,924 K    14,036 K    776    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe        1,876 K    2,432 K    1916    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe        2,152 K    2,452 K    1604    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
spoolsv.exe        6,624 K    4,336 K    1336    Spooler SubSystem App    Microsoft Corporation    (Verified) Microsoft Windows
smss.exe        424 K    272 K    236    Windows Session Manager    Microsoft Corporation    (Verified) Microsoft Windows
services.exe        4,796 K    5,004 K    456    Services and Controller app    Microsoft Corporation    (Verified) Microsoft Windows
procexp.exe        2,184 K    6,864 K    2672    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
nvxdsync.exe        7,824 K    9,376 K    292    NVIDIA User Experience Driver Component    NVIDIA Corporation    (Verified) NVIDIA Corporation
nvvsvc.exe        2,372 K    2,792 K    684    NVIDIA Driver Helper Service, Version 307.83    NVIDIA Corporation    (Verified) NVIDIA Corporation
lsm.exe        2,588 K    2,224 K    496    Local Session Manager Service    Microsoft Corporation    (Verified) Microsoft Windows
EPCP.exe        4,520 K    6,428 K    1468    Epson Customer Participation    SEIKO EPSON CORPORATION    (Verified) SEIKO EPSON Corporation
dllhost.exe        2,004 K    5,536 K    2952    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
audiodg.exe        15,584 K    15,140 K    4348    Windows Audio Device Graph Isolation     Microsoft Corporation    (Verified) Microsoft Windows
 



  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP

We are about done.  I want to clean up the msconfig entries that are no longer with us.

 

Copy the text in the code box by highlighting and Ctrl + c
 
:OTL
MsConfig:64bit - StartUpFolder: C:^Users^Clockwork^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^intr.lnk -  - File not found
MsConfig:64bit - StartUpReg: autoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: cutoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: dutoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: interpee - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: rutoauto - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: smoother - hkey= - key= -  File not found
MsConfig:64bit - State: "services" - Reg Error: Key error.
MsConfig:64bit - State: "startup" - Reg Error: Key error.
 
 
then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply. 
It appears that Old Timer is now hiding the log in c:\_OTL\MovedFiles\01262015-some number.log so look there if you don't see
 
FRST said that System Restore wasn't working but OTL claims it made a restore point so I don't know which to believe.  Unless you have deliberately turned it off:
 
Type:  rstrui.exe
 
in the Search box.  When it finds it double click on it.  Then hit Next.  It should show you a list of restore points.  There should be at least one (from OTL) if it is working.  Hit Cancel.
 
 
FRST also says your sound is not working.  Might be normal if you have another sound card.  Does your sound work?
 
 
 
I don't see any sign of your infection now.  How is it running?

  • 1



#11
smooman

smooman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

It seems to be running okay, and there are no obvious signs of infection at all. The sound is working, and there are multiple sound devices (two different usb headsets as well as a software device for X-split) so I think it's okay.

 

The restore point seems to have been created:

 

bckt1dg4mdjrq8kzg.jpg

 

However, I ran that fix through OTL and there still seem to be entries in MSCONFIG from the offending programs:

 

eoubzl19wjfw1zezg.jpg

 

OTL LOG:

 

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\autoauto\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\cutoauto\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\dutoauto\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\interpee\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\rutoauto\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\smoother\ not found.
 
OTL by OldTimer - Version 3.2.69.0 log created on 01262015_114434
 


  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Guess we have to do it the hard way:
 
Copy the next 6 lines:
 
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\autoauto
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\cutoauto
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\dutoauto
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\interpee
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\rutoauto
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\smoother

Start, Programs, Accessories, then right-click on Command Prompt and Run As admin.  Right-click and Paste or Edit then Paste and the copied lines should appear.  Hit Enter.  If it doesn't give you an error that should take care of them.

 

 


  • 1

#13
smooman

smooman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

They're stubborn little entries, aren't they... just don't want to leave.

 

258q47zhlxc16bvzg.jpg


  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP

My fault.  There is a space in the path so we need to have quotes around it:

 

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\autoauto"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\cutoauto"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\dutoauto"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\interpee"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\rutoauto"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\smoother"

 

Try it now.


  • 1
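The entries being deleted by hand above are the disabled-startup records that msconfig keeps under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig (StartUpReg for registry Run entries, StartUpFolder for Startup-folder shortcuts such as the intr.lnk one in the OTL fix). The script below is an added example, not RKinner's instructions or OTL's own code: it lists those records, flags the ones whose target no longer exists (the "File not found" entries), and only deletes them when run with -Remove. It assumes the Windows 7 layout of those keys and the value names 'command' and 'path' that msconfig writes under each subkey.

```powershell
# Added example: report (and optionally remove) orphaned msconfig startup records.
# Run from an elevated PowerShell prompt; without -Remove it only reports.
param([switch]$Remove)

$base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'

function Get-OrphanedMsconfigEntry {
    foreach ($section in 'StartUpReg', 'StartUpFolder') {
        $root = Join-Path $base $section
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            # Assumed value names: StartUpReg records the program's command line,
            # StartUpFolder records the original .lnk path.
            $target = if ($section -eq 'StartUpReg') { $props.command } else { $props.path }
            if ($target) {
                # Best effort: drop surrounding quotes and any trailing switches
                # so that only the executable/shortcut path is tested.
                $exe = ($target -replace '^"([^"]+)".*$', '$1') -replace '\s+/.*$', ''
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                $orphaned = -not (Test-Path -LiteralPath $exe)
            } else {
                # No command/path recorded at all, which is what OTL showed
                # as "hkey= - key= - File not found".
                $orphaned = $true
            }
            [pscustomobject]@{
                Section  = $section
                Name     = $key.PSChildName
                Target   = $target
                Orphaned = $orphaned
                Key      = $key.PSPath
            }
        }
    }
}

$entries = Get-OrphanedMsconfigEntry
$entries | Format-Table Section, Name, Orphaned, Target -AutoSize

if ($Remove) {
    foreach ($entry in $entries | Where-Object Orphaned) {
        # -LiteralPath matters here: StartUpFolder key names contain spaces and
        # '^' characters, the same reason the unquoted reg delete lines failed.
        Remove-Item -LiteralPath $entry.Key -Recurse -Confirm:$false
        Write-Host "Removed $($entry.Section)\$($entry.Name)"
    }
}
```

If you prefer to stay in cmd.exe, `reg delete` asks for a yes/no confirmation on every key unless you add the `/f` switch to the command.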

#15
smooman

smooman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

OK, that got almost all of them (I had to copy and paste them individually, because the command prompt wanted me to confirm each deletion with 'yes/no') but there's still one more bugger that hasn't disappeared.

 

b7mb19x29197rtczg.jpg

 

The location is a long one:

C:\Users\Clockwork\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

 

It wouldn't fit in my msconfig window :(

 

The manufacturer is 'unknown' so I'm pretty sure it was one of the offending programs.


  • 0





