asd123321

  1. I don't use anti virus because it is a constant nuisance. I updated Windows 7 for the first time, if that helps stop this sort of thing.

     Caption=RtHDVCpl
     Command=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
     Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

     Caption=Classic Start Menu
     Command=C:\Classic Shell\ClassicStartMenu.exe
     Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

     The C:\Windows\pss\HELP_YOUR_FILES.PNG.Startup appeared the first time, when it actually destroyed documents, and C:\Windows\pss\INSTRUCTIONS_A37F5173.png.Startup showed up this time, when not much happened. Yes, I disabled them.
  2. It put up the same 3 pictures on the desktop to show up at start as the first time, which claimed I have joined the Cryptowall community. That is why I am wondering whether the firewall stopped it from doing more or whether it was a botched attack. Can it put 3 pictures on the desktop to show up at start but not run a program? I turned off Flash for IE for my regular use and would run Mozilla if something needs it. Would that help?
  3. Would you answer my original question? DrWeb Cure is too big for your forum; the summary is shown.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Malwarebytes
     Version: 8.0.2 (01.06.2016)
     Operating System: Windows 7 Home Premium x64
     Ran by Dave (Administrator) on Tue 02/02/2016 at 10:54:39.23
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     File System: 20

     Successfully deleted: C:\Users\Dave\AppData\Local\{E44C7947-123C-4ADC-8238-25DC54827385} (Empty Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\bdb49bc6be0eab049e86c2a65af0618e (File)
     Successfully deleted: C:\Users\Dave\AppData\Local\crashrpt (Folder)
     Successfully deleted: C:\Users\Dave\Desktop\uninstall.lnk (Shortcut)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0528617Z (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0EZH29HT (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3R52IOLT (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\809T1FSF (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AIFIQ8C (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\92XCKTOX (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DHBLL3IT (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IG9W06Z6 (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHUPLJ0A (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MAQ1X81V (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MD90N4EU (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4BCST75 (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O9B8VKIO (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBOILVM9 (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XGXMWM0X (Folder)
     Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YGZDHA3C (Folder)

     Registry: 3

     Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A39E563A-2D0A-4909-B52F-051C44A483CE} (Registry Value)
     Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B} (Registry Key)
     Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{A39E563A-2D0A-4909-B52F-051C44A483CE} (Registry Value)

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Tue 02/02/2016 at 10:57:49.85
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Drwebcure
     Total 5114601989 bytes in 20708 files scanned (23865 objects)
     Total 20619 files (23769 objects) are clean
     There are no infected objects detected
     Total 95 files are raised error condition

     Results of screen317's Security Check version 1.009
     Windows 7 Service Pack 1 x64 (UAC is disabled!)
     Internet Explorer 11
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Java 8 Update 66
     Java version 32-bit out of Date!
     Adobe Flash Player 18.0.0.209 Flash Player out of Date!
     Adobe Reader XI
     Mozilla Firefox (43.0.4)
     ````````Process Check: objlist.exe by Laurent````````
     windows defender MpCmdRun.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 1%
     ````````````````````End of Log``````````````````````
     Scan time is 00:07:38.607
  4. Are you going to continue on this or can someone else?
  5. I have the Windows 7 firewall. I thought anti virus was for if you downloaded an .exe and ran it, or opened a .doc type file, etc.
  6. No answer there, and I was hoping to get some different opinions, which he doesn't do much of, not just a fix for the particular problem.
  7. After getting the firewall working, Cryptowall came back but did about nothing, and Malwarebytes and Hitmanpro did not find a rootkit this time. Did the firewall stop it from doing more, or, since it put 3 pictures on the desktop to show up at start, could it have done anything? Would having Malwarebytes Anti-Malware Premium stop this from getting in? In this topic: Cryptowall came back. I didn't get an answer, but I have since updated Windows 7 for the first time. Would that be enough, or is some antivirus needed even if I am not downloading something and running it, just looking at internet pages?
  8. I was wondering if in the previous event the Cryptowall was actually identified in something removed, and if anything here is.

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 1/26/2016
     Scan Time: 5:19 PM
     Logfile: Maleware log.txt
     Administrator: Yes

     Version: 2.2.0.1024
     Malware Database: v2016.01.26.07
     Rootkit Database: v2016.01.20.01
     License: Free
     Malware Protection: Disabled
     Malicious Website Protection: Disabled
     Self-protection: Disabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Dave

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 393587
     Time Elapsed: 38 min, 16 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Disabled
     Rootkits: Enabled
     Heuristics: Disabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)

     # AdwCleaner v5.031 - Logfile created 26/01/2016 at 21:18:48
     # Updated 25/01/2016 by Xplode
     # Database : 2016-01-25.3 [server]
     # Operating system : Windows 7 Home Premium Service Pack 1 (x64)
     # Username : Dave - DAVE-PC
     # Running from : I:\New stuff\adwcleaner_5.031.exe
     # Option : Cleaning
     # Support : http://toolslib.net/forum

     ***** [ Services ] *****

     ***** [ Folders ] *****

     ***** [ Files ] *****

     ***** [ DLLs ] *****

     ***** [ Shortcuts ] *****

     ***** [ Scheduled tasks ] *****

     ***** [ Registry ] *****

     [-] Key Deleted : HKCU\Software\Headlight
     [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
     [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com
     [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\driverupdate.net
     [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\en.softonic.com
     ***** [ Web browsers ] *****

     *************************

     :: "Tracing" keys removed
     :: Winsock settings cleared

     ########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1052 bytes] ##########

     Additional scan result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
     Ran by Dave (2016-01-26 18:19:52)
     Running from I:\New stuff\zip 01-16
     Windows 7 Home Premium Service Pack 1 (X64) (2012-08-23 22:43:09)
     Boot Mode: Normal
     ==========================================================

     ==================== Accounts: =============================

     Administrator (S-1-5-21-3023370978-3506523679-905622001-500 - Administrator - Disabled)
     ASPNET (S-1-5-21-3023370978-3506523679-905622001-1005 - Limited - Enabled)
     Dave (S-1-5-21-3023370978-3506523679-905622001-1001 - Administrator - Enabled) => C:\Users\Dave
     Guest (S-1-5-21-3023370978-3506523679-905622001-501 - Limited - Disabled)
     HomeGroupUser$ (S-1-5-21-3023370978-3506523679-905622001-1003 - Limited - Enabled)

     ==================== Security Center ========================

     (If an entry is included in the fixlist, it will be removed.)

     AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

     ==================== Installed Programs ======================

     (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
CodeIntegrity: =================================== Date: 2014-11-07 23:26:23.219 Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\sfvfs02.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. Date: 2014-11-07 23:26:23.199 Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\sfvfs02.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. ==================== Memory info =========================== Processor: AMD FX-4100 Quad-Core Processor Percentage of memory in use: 30% Total physical RAM: 8190.46 MB Available physical RAM: 5699.57 MB Total Virtual: 16379.11 MB Available Virtual: 13419.53 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:465.66 GB) (Free:240.84 GB) NTFS Drive e: (DRV3_VOL1) (Fixed) (Total:111.76 GB) (Free:40.81 GB) FAT32 Drive f: (New Volume) (Fixed) (Total:272.85 GB) (Free:272.75 GB) NTFS Drive i: (New Volume) (Fixed) (Total:292.97 GB) (Free:166.14 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACC8B171) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (Size: 931.5 GB) (Disk ID: 486B9E5B) Partition 1: (Active) - (Size=111.8 GB) - (Type=0C) Partition 2: (Not Active) - (Size=272.8 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=293 GB) - (Type=07 NTFS) 
==================== End of Addition.txt ============================ Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01 Ran by Dave (administrator) on DAVE-PC (26-01-2016 18:19:21) Running from I:\New stuff\zip 01-16
  9. It returned after getting the firewall working and software updated under this topic: Cryptowall effects noted, 1 thing won't work. It put up the same notices, but now called Instructions. I only see 2 messed-up files with Instructions in C: so far, not the doc in Documents. In either case I did not download or run anything but was looking at some business sites. I ran Malwarebytes looking for rootkits only and found none. Did the firewall stop it from doing more, or, since it put 3 pictures on the desktop to show up at start, could it have done anything?
  10. The Windows firewall is now active. Would it have stopped the Cryptowall from getting in? The basic issue of the Brettspielwelt exe not working, mentioned at the top, is still there, which is the most important thing.
  11. I do not have an anti-virus. The log from Dr.Web CureIt causes the page to blow up when I add it. It found 31 items that Malwarebytes didn't get. It had adware and Trojans like CLick.21347 Vittalia.71. Thanks for your effort, Dave Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01 Ran by Dave (2016-01-12 19:01:39) Run:1 Running from I:\New stuff
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B6F0F35D-3A1E-4408-BE7D-E0CC66CD6FEC} => key not found. C:\Windows\System32\Tasks\Check Updates => not found. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Check Updates => key not found. "C:\Program Files (x86)\user extensions" => not found. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{BBE5C1BA-53F3-468E-804B-DF40B42D56EF}" => key removed successfully "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BBE5C1BA-53F3-468E-804B-DF40B42D56EF}" => key removed successfully C:\Windows\System32\Tasks\Anwrerrot => moved successfully "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Anwrerrot" => key removed successfully "C:\ProgramData\Anwrerrot" => not found. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F3B9AFD2-5E2E-4151-81D6-C935981482C4}" => key removed successfully "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F3B9AFD2-5E2E-4151-81D6-C935981482C4}" => key removed successfully HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Start => key not found. EmptyTemp: => 14.2 GB temporary data Removed. The system needed a reboot. ==== End of Fixlog 19:06:58 ====
  12. Did this occur because the Windows 7 firewall has never worked? I thought Crypto wiped out documents, pictures, audio and video, but I don't see it changed.

      Additional scan result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
      Ran by Dave (2016-01-12 15:24:24)
      Running from I:\New stuff
      Windows 7 Home Premium Service Pack 1 (X64) (2012-08-23 22:43:09)
      Boot Mode: Normal
==================== Memory info =========================== Processor: AMD FX-4100 Quad-Core Processor Percentage of memory in use: 58% Total physical RAM: 8190.46 MB Available physical RAM: 3360.52 MB Total Virtual: 16379.11 MB Available Virtual: 11129.4 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:465.66 GB) (Free:231.27 GB) NTFS Drive e: (DRV3_VOL1) (Fixed) (Total:111.76 GB) (Free:25.13 GB) FAT32 Drive f: (New Volume) (Fixed) (Total:272.85 GB) (Free:272.75 GB) NTFS Drive i: (New Volume) (Fixed) (Total:292.97 GB) (Free:166.41 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACC8B171) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (Size: 931.5 GB) (Disk ID: 486B9E5B) Partition 1: (Active) - (Size=111.8 GB) - (Type=0C) Partition 2: (Not Active) - (Size=272.8 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=293 GB) - (Type=07 NTFS) ==================== End of Addition.txt ============================ Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 1/12/2016 Scan Time: 2:34 PM Logfile: malware remove 2.txt Administrator: Yes Version: 2.2.0.1024 Malware Database: v2016.01.12.06 Rootkit Database: v2016.01.09.01 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: Dave Scan Type: Threat Scan Result: Completed Objects Scanned: 381461 Time Elapsed: 37 min, 58 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Disabled Rootkits: Enabled Heuristics: Disabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) 
Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 1 Trojan.0Access, c:\Program Files (x86)\Google\Desktop\Install\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}, Delete-on-Reboot, [facce94fb9e093a37e2023dfec146f91], Files: 0 (No malicious items detected) Physical Sectors: 0 (No malicious items detected) (end) Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01 Ran by Dave (administrator) on DAVE-PC (12-01-2016 15:23:25) Running from I:\New stuff Loaded Profiles: Dave (Available Profiles: Dave) Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States) Internet Explorer Version 11 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (AMD) C:\Windows\System32\atiesrxx.exe (AMD) C:\Windows\System32\atieclxx.exe (Microsoft Corporation) C:\Windows\System32\wlanext.exe (Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (Hi-Rez Studios) C:\Tribes Ascend\HiPatchService.exe () C:\Windows\SysWOW64\PnkBstrA.exe (Ralink Technology, Corp.) C:\ZyXEL\N220\Common\RaRegistry.exe (Ralink Technology, Corp.) C:\ZyXEL\N220\Common\RaRegistry64.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (IvoSoft) C:\Classic Shell\ClassicStartMenu.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Advanced Micro Devices Inc.) 
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE (ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe (Firegraphic.com) C:\Firegraphic 6\Firegraphic.exe (MMedia Research Corp) C:\Users\Dave\Desktop\LVIEWPRO.EXE (Microsoft Corporation) C:\Windows\splwow64.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe (Opera Software) I:\Opera\opera.exe (Oracle Corporation) C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2launcher.exe (Oracle Corporation) C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2launcher.exe (Microsoft Corporation) C:\Windows\System32\taskmgr.exe (Farbar) I:\New stuff\Farbar RST64.exe ==================== Registry (Whitelisted) =========================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11464296 2010-09-03] (Realtek Semiconductor) HKLM\...\Run: [Classic Start Menu] => C:\Classic Shell\ClassicStartMenu.exe [159744 2012-08-19] (IvoSoft) HKLM-x32\...\Run: [startCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-06-11] (Advanced Micro Devices, Inc.) 
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation) HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2015-10-05] (Malwarebytes) ShellIconOverlayIdentifiers: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Classic Shell\ClassicExplorer64.dll [2012-08-19] (IvoSoft) ShellIconOverlayIdentifiers-x32: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Classic Shell\ClassicExplorer32.dll [2012-08-19] (IvoSoft) BootExecute: autocheck autochk * bootdelete ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll" Winsock: Catalog5 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll" Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll" Winsock: Catalog5-x64 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll" Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.26 205.171.2.26 Tcpip\..\Interfaces\{35924C7C-99D3-4386-BB4E-704C64247C7A}: [DhcpNameServer] 192.168.0.1 205.171.3.26 205.171.2.26 Tcpip\..\Interfaces\{D429B006-59C4-49E1-8F91-0C08DC2AAF25}: [DhcpNameServer] 192.168.0.1 Internet Explorer: ================== HKU\S-1-5-21-3023370978-3506523679-905622001-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://en.boardgamearena.com/#!gamelobby SearchScopes: HKLM-x32 -> DefaultScope {10E6CF9A-A768-44F4-BF6E-609B97ABF1EA} URL = SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox SearchScopes: 
HKU\S-1-5-21-3023370978-3506523679-905622001-1001 -> DefaultScope {BE50A3BD-1E1F-4688-9FD0-334A74D91E79} URL = hxxp://www.google.com/search?q={searchTerms} SearchScopes: HKU\S-1-5-21-3023370978-3506523679-905622001-1001 -> {BE50A3BD-1E1F-4688-9FD0-334A74D91E79} URL = hxxp://www.google.com/search?q={searchTerms} BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Classic Shell\ClassicExplorer64.dll [2012-08-19] (IvoSoft) BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.) BHO: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Classic Shell\ClassicIE9DLL_64.dll [2012-08-19] (IvoSoft) BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated) BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Classic Shell\ClassicExplorer32.dll [2012-08-19] (IvoSoft) BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2016-01-12] (Oracle Corporation) BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.) 
BHO-x32: No Name -> {A5366673-E8CA-11D3-9CD9-0090271D075B} -> No File BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2016-01-12] (Oracle Corporation) BHO-x32: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Classic Shell\ClassicIE9DLL_32.dll [2012-08-19] (IvoSoft) Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Classic Shell\ClassicExplorer64.dll [2012-08-19] (IvoSoft) Toolbar: HKLM - FindWide Toolbar - {A39E563A-2D0A-4909-B52F-051C44A483CE} - C:\Program Files (x86)\TNT2\Profiles\11083\passport64.dll No File Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Classic Shell\ClassicExplorer32.dll [2012-08-19] (IvoSoft) Toolbar: HKLM-x32 - FindWide Toolbar - {A39E563A-2D0A-4909-B52F-051C44A483CE} - C:\Program Files (x86)\TNT2\Profiles\11083\passport.dll No File Toolbar: HKU\S-1-5-21-3023370978-3506523679-905622001-1001 -> FindWide Toolbar - {A39E563A-2D0A-4909-B52F-051C44A483CE} - C:\Program Files (x86)\TNT2\Profiles\11083\passport64.dll No File DPF: HKLM-x32 {56505FCF-9DB3-49B4-BA5F-BE3AAE44CF2E} hxxps://cityprojects.talgov.net/projectdox/Resources/BravaClient/en/BravaClientXWrapper.cab DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab FireFox: ======== FF ProfilePath: C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\11gg3lcq.default FF DefaultSearchEngine.US: Google FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-08-05] () FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-08-05] () FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2016-01-12] (Oracle Corporation) FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program 
Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2016-01-12] (Oracle Corporation) FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation) FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [2013-09-05] (Nexon) FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 -> C:\Real Alternative\browser\plugins\nppl3260.dll [2010-02-15] (RealNetworks, Inc.) FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-15] (RealNetworks, Inc.) FF Extension: The Addon Bar (restored) - C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\11gg3lcq.default\Extensions\the-addon-bar@GeekInTraining-GiT.xpi [2015-06-14] FF Extension: Video DownloadHelper - C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\11gg3lcq.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-11-09] Opera: ======= StartMenuInternet: (HKLM) Opera - G:\Opera\Opera.exe ==================== Services (Whitelisted) ======================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-06-11] (Advanced Micro Devices, Inc.) 
[File not signed] S3 GalaxyService; C:\Program Files (x86)\GalaxyClient\GalaxyService.exe [2191648 2014-09-18] (GOG.com) U2 HiPatchService; C:\Tribes Ascend\HiPatchService.exe [9216 2014-02-28] (Hi-Rez Studios) [File not signed] S2 MBAMService; C:\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes) R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-05-18] () R2 RalinkRegistryWriter; C:\ZyXEL\N220\Common\RaRegistry.exe [185632 2009-07-14] (Ralink Technology, Corp.) R2 RalinkRegistryWriter64; C:\ZyXEL\N220\Common\RaRegistry64.exe [211232 2009-07-14] (Ralink Technology, Corp.) R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation) S3 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [X] ===================== Drivers (Whitelisted) ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices) S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation) U0 hsencgo; C:\Windows\System32\drivers\jfnotnwi.sys [79064 2016-01-12] (Malwarebytes) S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes) S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation) S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2016-01-12 15:21 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll 2016-01-12 15:21 - 2014-05-14 11:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll 2016-01-12 15:21 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll 2016-01-12 15:21 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe 2016-01-12 15:21 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll 2016-01-12 15:21 - 2014-05-14 11:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll 2016-01-12 15:21 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll 2016-01-12 15:21 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll 2016-01-12 15:21 - 2014-05-14 11:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll 2016-01-12 15:21 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll 2016-01-12 15:21 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll 2016-01-12 15:21 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll 2016-01-12 15:21 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe 2016-01-12 15:21 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe 2016-01-12 15:19 - 2016-01-12 15:19 - 00079064 _____ (Malwarebytes) C:\Windows\system32\Drivers\jfnotnwi.sys 2016-01-12 15:00 - 2016-01-12 15:23 - 00000000 ____D C:\FRST 2016-01-12 14:59 - 2016-01-12 14:59 - 00000000 ____D C:\AdwCleaner 2016-01-12 12:22 - 2016-01-12 12:22 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Sun 2016-01-12 12:22 - 2016-01-12 12:22 - 00000000 ____D C:\Users\Dave\.oracle_jre_usage 2016-01-12 12:22 - 2016-01-12 12:22 - 00000000 ____D 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2016-01-12 12:21 - 2016-01-12 12:21 - 00000000 ____D C:\Program Files (x86)\Java 2016-01-12 12:20 - 2016-01-12 12:20 - 00000000 ____D C:\Users\Dave\AppData\LocalLow\Oracle 2016-01-12 12:00 - 2016-01-12 12:00 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Brettspielwelt 2016-01-12 12:00 - 2016-01-12 12:00 - 00000000 ____D C:\BSW 2016-01-11 17:42 - 2016-01-11 22:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2016-01-10 21:44 - 2016-01-10 21:44 - 00000000 ____D C:\Users\Dave\AppData\Local\Chromium 2015-12-30 23:58 - 2015-12-30 23:58 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Guitar Pro 6 2015-12-30 23:58 - 2015-12-30 23:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Guitar Pro 6 2015-12-30 23:58 - 2015-12-30 23:58 - 00000000 ____D C:\ProgramData\Guitar Pro 6 2015-12-30 23:56 - 2015-12-30 23:57 - 00000000 ____D C:\Guitar Pro 6 2015-12-18 10:03 - 2015-12-18 10:03 - 00001147 _____ C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Mozilla Firefox.lnk 2015-12-18 10:03 - 2015-12-18 10:03 - 00001031 _____ C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Firegraphic.lnk ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2016-01-12 15:23 - 2009-07-13 23:45 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2016-01-12 15:23 - 2009-07-13 23:45 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2016-01-12 15:20 - 2015-01-17 19:32 - 00000000 ____D C:\Malwarebytes Anti-Malware 2016-01-12 15:19 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SchCache 2016-01-12 15:00 - 2009-07-13 22:20 - 00000000 ____D C:\Windows 2016-01-12 14:33 - 2015-01-17 19:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2016-01-12 14:29 - 2015-06-14 11:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2016-01-12 14:14 - 2013-07-03 14:46 - 00000000 ____D C:\Users\Dave\Documents\Firegraphic 2016-01-12 14:13 - 2013-08-22 10:38 - 00000000 ____D C:\ProgramData\Zoom Player 2016-01-12 12:23 - 2013-10-29 21:23 - 00000000 ____D C:\ProgramData\Oracle 2016-01-12 12:22 - 2013-10-29 21:23 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll 2016-01-12 12:22 - 2012-08-23 17:43 - 00000000 ____D C:\Users\Dave 2016-01-12 12:01 - 2013-07-02 09:15 - 00000000 ____D C:\Users\Dave\AppData\Roaming\BSW 2016-01-12 11:36 - 2013-07-05 08:59 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{A4797549-CAB1-4E29-B9E1-E6B9D2F32C13} 2016-01-12 11:05 - 2009-07-14 00:13 - 00740482 _____ C:\Windows\system32\PerfStringBackup.INI 2016-01-12 11:05 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf 2016-01-12 11:01 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2016-01-12 00:25 - 2015-06-14 17:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 2016-01-11 16:44 - 2013-10-29 10:43 - 00000000 ____D C:\Windows\pss 2016-01-11 11:32 - 2013-07-02 22:06 - 00000000 ____D C:\4x4 Evolution 2016-01-10 14:06 - 2013-07-04 11:10 - 00000000 ____D C:\Capture 2016-01-09 00:37 - 
2014-02-26 13:41 - 00000000 ____D C:\Steam 2016-01-08 16:34 - 2014-07-02 23:30 - 00000000 ____D C:\Users\Dave\Desktop\Tzolkin 2015-12-30 19:14 - 2013-07-03 15:19 - 00008440 _____ C:\Windows\lviewpro.ini 2015-12-29 10:20 - 2009-07-14 00:08 - 00032566 _____ C:\Windows\Tasks\SCHEDLGU.TXT 2015-12-21 20:54 - 2012-08-29 19:27 - 00000000 ____D C:\New Stuff ==================== Files in the root of some directories ======= 2015-06-14 09:53 - 2015-06-14 09:53 - 0000064 _____ () C:\Users\Dave\AppData\Local\bdb49bc6be0eab049e86c2a65af0618e 2013-07-04 20:53 - 2013-07-05 15:41 - 0009728 _____ () C:\Users\Dave\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2013-07-03 15:02 - 2013-07-03 15:02 - 0000092 _____ () C:\Users\Dave\AppData\Local\fusioncache.dat 2015-09-29 19:42 - 2015-09-29 19:42 - 0000017 _____ () C:\Users\Dave\AppData\Local\resmon.resmoncfg ZeroAccess: C:\Program Files (x86)\Google\Desktop\Install Files to move or delete: ==================== C:\Users\Dave\LVIEWPRO.EXE Some files in TEMP: ==================== C:\Users\Dave\AppData\Local\Temp\bridj.dll5392563786024506545.dll C:\Users\Dave\AppData\Local\Temp\bridj.dll7326302336878197017.dll C:\Users\Dave\AppData\Local\Temp\bridj.dll7683881512564236683.dll C:\Users\Dave\AppData\Local\Temp\bridj.dll8349419641673059256.dll C:\Users\Dave\AppData\Local\Temp\bridj.dll8880528859784355924.dll C:\Users\Dave\AppData\Local\Temp\drm_dyndata_7330017.dll C:\Users\Dave\AppData\Local\Temp\GenericUninstall.exe C:\Users\Dave\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe C:\Users\Dave\AppData\Local\Temp\HiRezLauncherControls.dll C:\Users\Dave\AppData\Local\Temp\NGMDll.dll C:\Users\Dave\AppData\Local\Temp\NGMResource.dll C:\Users\Dave\AppData\Local\Temp\nsjCE8B.exe C:\Users\Dave\AppData\Local\Temp\nsoAEA9.exe C:\Users\Dave\AppData\Local\Temp\nss322B.exe C:\Users\Dave\AppData\Local\Temp\oi_{6773B301-AE48-4A44-AD9F-D04B8650E2B4}.exe C:\Users\Dave\AppData\Local\Temp\SCC.dll C:\Users\Dave\AppData\Local\Temp\Setup.exe 
C:\Users\Dave\AppData\Local\Temp\sqlite3.dll C:\Users\Dave\AppData\Local\Temp\unicows.dll C:\Users\Dave\AppData\Local\Temp\UNINSTALL.EXE C:\Users\Dave\AppData\Local\Temp\uninstaller.exe C:\Users\Dave\AppData\Local\Temp\zp930free.exe C:\Users\Dave\AppData\Local\Temp\_is7213.exe C:\Users\Dave\AppData\Local\Temp\{D69D74D2-425A-4C42-B458-306075415304}.exe ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\system32\winlogon.exe => File is digitally signed C:\Windows\system32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\system32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\system32\services.exe => File is digitally signed C:\Windows\system32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\system32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\system32\rpcss.dll => File is digitally signed C:\Windows\system32\dnsapi.dll => File is digitally signed C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2016-01-10 21:04 ==================== End of FRST.txt ============================ the only logs that showed up
  13. 3 help your files notice popped up and were on desktop to run at start. I shut off computer. I ran Malwarebytes which found 13 things that looked like adware. 10 odd named things popped up in Documents. The other thing I see bad is Help your files notice showed up in a folder Brettspielwelt and the exe for this game site won't start. I downloaded a new one and installed but it now loses connection whenever I log on. Do you have ideas as to what is happening and what to fix? What was found:
Registry Keys: 5 PUP.Optional.GeniusBox, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GeniusBox, Delete-on-Reboot, [20413503e6b3261011cdd0e6ed16659b], PUP.Optional.ProPCCleaner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ProPCCleaner_Popup, Delete-on-Reboot, [c39ee45472275ed8f275f8d4a75c33cd], PUP.Optional.ProPCCleaner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ProPCCleaner_Start, Delete-on-Reboot, [600123158a0fad89afb8e0ecc241748c], PUP.Optional.UpdateAdmin, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\UpdateAdmin, Delete-on-Reboot, [84ddc573aeeb61d55287419ad132718f], PUP.Optional.GeniusBox, HKU\S-1-5-21-3023370978-3506523679-905622001-1001\SOFTWARE\geniusboxinstalled, Quarantined, [2a37de5a930695a1f1e8feb8d42ff709], Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 4 PUP.Optional.PullUpdate, C:\CrimeWatch, Quarantined, [f46dde5a41588aacbedcd4ec9e64768a], PUP.Optional.ASK.Gen, C:\Users\Dave\AppData\Local\Temp\APN-Stub, Quarantined, [1b4678c0277284b20cfdc00205fd35cb], PUP.Optional.ASK.Gen, C:\Users\Dave\AppData\Local\Temp\APN-Stub\ARS3-SAT, Quarantined, [1b4678c0277284b20cfdc00205fd35cb], PUP.Optional.ASK.Gen, C:\Users\Dave\AppData\Local\Temp\APN-Stub\ARS3-V7, Quarantined, [1b4678c0277284b20cfdc00205fd35cb], Files: 4 PUP.Optional.ASK.Gen, 
C:\Users\Dave\AppData\Local\Temp\APN-Stub\ARS3-SAT\Msi64840c0a-35eb-4b84-abdc-b10b460089f4.log, Quarantined, [1b4678c0277284b20cfdc00205fd35cb], PUP.Optional.ASK.Gen, C:\Users\Dave\AppData\Local\Temp\APN-Stub\ARS3-SAT\Stb64840c0a-35eb-4b84-abdc-b10b460089f4.log, Quarantined, [1b4678c0277284b20cfdc00205fd35cb], PUP.Optional.ASK.Gen, C:\Users\Dave\AppData\Local\Temp\APN-Stub\ARS3-V7\Msid712df06-1228-4fc9-91fb-11b892b2a366.log, Quarantined, [1b4678c0277284b20cfdc00205fd35cb], PUP.Optional.ASK.Gen, C:\Users\Dave\AppData\Local\Temp\APN-Stub\ARS3-V7\Stbd712df06-1228-4fc9-91fb-11b892b2a366.log, Quarantined, [1b4678c0277284b20cfdc00205fd35cb],