
Hello,

My PC has managed to become infected with a very troublesome virus. Malwarebytes will not run at all. I get permission denied errors when I try to run it, and even Chameleon doesn't work (even when I get Malwarebytes to start, it crashes before running). Exactly when this started occurring, Firefox started hanging upon any attempt to download. I followed a walkthrough for common fixes for that issue and was unable to resolve it. I mention this because it might be a related symptom that could help you.

In safe mode with networking, Malwarebytes gives "runtime error 13 type mismatch". I looked this error up and found people referencing a fix involving changing my region/language settings via Control Panel. I am not sure how, but only my date and time show up under my Control Panel, so I cannot try that fix. Could this also be related to this infection?

I was unable to get SUPERAntiSpyware to run in normal mode, but it ran in safe mode and found 1 infection and cleaned it up. I then rebooted into normal Windows and the same problems persist, now including SUPERAntiSpyware getting killed upon bootup.

I am sorry to beg for help, but I am unable to fix this alone and would appreciate any assistance anyone can offer. Please let me know of anything else I can add to help you help me.

Here are the dds.txt and attach.txt:

DDS.txt

--------------------------------------------------------------------

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 8.0.7600.16800  BrowserJavaVersion: 10.25.2
Run by Dook at 8:03:34 on 2014-02-21
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4094.3258 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

uWindows: Load = C:\{$5812-5333-4513-5757-7153$}\nacl64.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Adobe Updater] C:\Program Files (x86)\Adobe\Updater.exe
uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe] C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Recent.vbe
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Windows Configuration] C:\{$5812-5333-4513-5757-7153$}\nacl64.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
StartupFolder: C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.ini.url
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1D659983-B13C-4FF5-B4E2-90E1048147AE} : DHCPNameServer = 192.168.1.1
IFEO: avcenter.exe - euaie.exe
IFEO: avguard.exe - euaie.exe
IFEO: avp.exe - euaie.exe
IFEO: bdagent.exe - euaie.exe
IFEO: ccuac.exe - euaie.exe
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-IFEO: avcenter.exe - euaie.exe
x64-IFEO: avguard.exe - euaie.exe
x64-IFEO: avp.exe - euaie.exe
x64-IFEO: bdagent.exe - euaie.exe
x64-IFEO: ccuac.exe - euaie.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 analytics.microsoft.com
Hosts: 127.0.0.1 metrics.bitdefender.com
Hosts: 127.0.0.1 metrics.mcafee.com
Hosts: 127.0.0.1  om.symantec.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\

FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Dook\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-12-5 346144]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-29 382272]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2014-2-21 36680]
S3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;C:\Windows\System32\drivers\9kdUSB64.sys [2011-1-5 30720]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-5 1255736]
SUnknown alskvflw;alskvflw; [x]
SUnknown chtzttgh;chtzttgh; [x]
SUnknown pxzsvitd;pxzsvitd; [x]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [userChoice]
.
=============== Created Last 30 ================
.
2014-02-21 12:55:12    421704    ----a-w-    C:\Windows\System32\drivers\pxzsvitd.sys
2014-02-21 12:54:15    421704    ----a-w-    C:\Windows\System32\drivers\alskvflw.sys
2014-02-21 12:52:25    421704    ----a-w-    C:\Windows\System32\drivers\lrkxzijc.sys
2014-02-21 12:41:24    421704    ----a-w-    C:\Windows\System32\drivers\ggkphcrz.sys
2014-02-21 12:32:01    421704    ----a-w-    C:\Windows\System32\drivers\zmavmbuo.sys
2014-02-21 11:48:57    --------    d-----w-    C:\Users\Dook\AppData\Roaming\SUPERAntiSpyware.com
2014-02-21 11:48:27    --------    d-----w-    C:\ProgramData\SUPERAntiSpyware.com
2014-02-21 11:48:27    --------    d-----w-    C:\Program Files\SUPERAntiSpyware
2014-02-21 11:41:46    36680    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-02-21 01:58:28    --------    d-----w-    C:\Users\Dook\AppData\Roaming\QuickScan
2014-02-21 01:08:12    943777    ----a-w-    C:\Windows\SysWow64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin
2014-02-21 01:04:03    --------    d-----w-    C:\Users\Dook\AppData\Local\Microsoft Corporation
2014-02-21 00:29:10    --------    d-s---w-    C:\Windows\SysWow64\Microsoft
2014-02-20 11:42:59    --------    d-----w-    C:\Users\Dook\AppData\Roaming\Basilisk Games
2014-02-20 11:13:44    --------    d--h--w-    C:\{$5812-5333-4513-5757-7153$}
2014-02-19 18:58:25    1199104    --sha-r-    C:\ProgramData\737923934.exe
2014-02-04 01:43:09    --------    d-----w-    C:\Users\Dook\AppData\Local\Octodad Dadliest Catch
2014-02-04 01:43:09    --------    d-----w-    C:\ProgramData\CODEX
.
==================== Find3M  ====================
.
.
============= FINISH:  8:05:20.22 ===============

 

attach.txt

-------------------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/5/2010 12:49:05 AM
System Uptime: 2/21/2014 7:53:01 AM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | M4A88T-M
Processor: AMD Athlon II X4 640 Processor | AM3 | 3013/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 5.884 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: sptd
Device ID: ROOT\LEGACY_SPTD\0000
Manufacturer:
Name: sptd
PNP Device ID: ROOT\LEGACY_SPTD\0000
Service: sptd
.
==== System Restore Points ===================
.
RP419: 2/20/2014 7:28:24 PM - avast! Free Antivirus Setup
RP420: 2/20/2014 8:05:13 PM - Windows Modules Installer
RP421: 2/20/2014 8:29:56 PM - avast! antivirus system restore point
RP422: 2/20/2014 8:36:29 PM - avast! antivirus system restore point
RP423: 2/20/2014 8:48:45 PM - avast! antivirus system restore point
RP424: 2/20/2014 9:36:31 PM - Restore Operation
.
==== Image File Execution Options =============
.
IFEO: avcenter.exe - euaie.exe
IFEO: avguard.exe - euaie.exe
IFEO: avp.exe - euaie.exe
IFEO: bdagent.exe - euaie.exe
IFEO: ccuac.exe - euaie.exe
IFEO: ComboFix.exe - euaie.exe
IFEO: egui.exe - euaie.exe
IFEO: hijackthis.exe - euaie.exe
IFEO: keyscrambler.exe - euaie.exe
IFEO: mbam.exe - euaie.exe
IFEO: MpCmdRun.exe - euaie.exe
IFEO: MSASCui.exe - euaie.exe
IFEO: MsMpEng.exe - euaie.exe
IFEO: msseces.exe - euaie.exe
IFEO: spybotsd.exe - euaie.exe
IFEO: SUPERAntiSpyware.exe - euaie.exe
IFEO: wireshark.exe - euaie.exe
IFEO: zlclient.exe - euaie.exe
x64-IFEO: avcenter.exe - euaie.exe
x64-IFEO: avguard.exe - euaie.exe
x64-IFEO: avp.exe - euaie.exe
x64-IFEO: bdagent.exe - euaie.exe
x64-IFEO: ccuac.exe - euaie.exe
x64-IFEO: ComboFix.exe - euaie.exe
x64-IFEO: egui.exe - euaie.exe
x64-IFEO: hijackthis.exe - euaie.exe
x64-IFEO: keyscrambler.exe - euaie.exe
x64-IFEO: mbam.exe - euaie.exe
x64-IFEO: MpCmdRun.exe - euaie.exe
x64-IFEO: MSASCui.exe - euaie.exe
x64-IFEO: MsMpEng.exe - euaie.exe
x64-IFEO: msseces.exe - euaie.exe
x64-IFEO: spybotsd.exe - euaie.exe
x64-IFEO: SUPERAntiSpyware.exe - euaie.exe
x64-IFEO: wireshark.exe - euaie.exe
x64-IFEO: zlclient.exe - euaie.exe
.
==== Hosts File Hijack ======================
.
Hosts: 127.0.0.1  ads.mcafee.com
Hosts: 127.0.0.1  analytics.microsoft.com
Hosts: 127.0.0.1  metrics.bitdefender.com
Hosts: 127.0.0.1  metrics.mcafee.com
Hosts: 127.0.0.1  om.symantec.com
Hosts: 127.0.0.1  ads.bleepingcomputer.com
Hosts: 127.0.0.1  wdcs.trendmicro.com
.
==== Installed Programs ======================
.
"How To Survive"
"XCOM - Enemy Within"
12 Labours of Hercules
7-Zip 9.20 (x64 edition)
Adobe AIR
Adobe Flash Player 11 ActiveX 64-bit
Adobe Flash Player 11 Plugin
Adobe Reader X
Age of Mythology
Age of Mythology - The Titans Expansion
Age of Wonders
Age of Wonders II
Alarm Clock v1.0
All My Gods
Anomaly 2 © 11 bit studios version 1
ASUS nVidia Driver
Avernum
AviSynth 2.5
AVStoDVD 2.6.0
Baldur's Gate II: Enhanced Edition
Batman Arkham Origins version 1.0.3
Batman.Arkham Origins + 1 DLC
Battle for Wesnoth 1.8.5
BitTorrent
Bully Scholarship Edition
CCleaner
Circle of Eight Modpack version 7.6.0 NC
ComicRack v0.9.149
Dead Space™ 2
Deadfall Adventures
DEMISE
DROD: Journey to Rooted Hold 2.0.12
Droid Assault / by NSIS
Dual-Core Optimizer
Duke Nukem Forever
Dungeons & Dragons Online ®:  Eberron Unlimited ™ v01.13.00.802
Eador - Masters of The Broken World
Fable III
Fallout 3
Fallout: New Vegas
Far Cry 2 with Fortunes Pack
ffdshow v1.2.4422 [2012-04-09]
Fieldrunners 2 1.0
Flashback
Folk Tale
From Dust
FTL version 1.01
Glare
Grand Theft Auto IV
Grand Theft Auto: Episodes from Liberty City
Grimm
Haali Media Splitter
Hellgate: London
Horizon
Hydrophobia Prophecy
I Am Alive
ImgBurn
Java 7 Update 25
Java Auto Updater
Java 7 Update 5 (64-bit)
King's Bounty. The Legend (Remove Only)
Kingdoms of Amalur Reckoning
Legend of Grimrock
Magic Carpet 2
Magic The Gathering - Duels of the Planeswalkers 2013
Majesty 2 Collection
Mark of the Ninja Special Edition
Master Of Magic
MediaInfo
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Compatibility Toolkit 5.6
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Reader
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Might and Magic X Legacy
Mozilla Firefox 19.0.2 (x86 en-US)
Mozilla Maintenance Service
MSXML4 Parser
My Game Long Name
Neverwinter
Newsbin Pro
Northern Tale 2 1.0
NVIDIA 3D Vision Driver 296.10
NVIDIA Control Panel 296.10
NVIDIA Graphics Driver 296.10
NVIDIA HD Audio Driver 1.3.12.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Octodad Dadliest Catch
OpenAL
OpenOffice.org 3.3
Pando Media Booster
Panzer Corps
Panzer Corps version 1.0
Papers, Please
Plants vs. Zombies
Pool of Radiance: RoMD
Populous - The Beginning
POR
QuickPar 0.9
Rage
Realtek Ethernet Controller Driver For Windows 7
Rise of Venice
Risen 2: Dark Waters
Rockstar Games Social Club
Rogue Legacy version 0.0.0.9
Sacrifice
Saints Row IV Update 5 Incl. DLC
Sanctum 2 © CoffeeStainStudios version 1
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Shadow Warrior
Shadowrun Returns
SmartGlobe Deluxe V3.12
Solar 2 version 1.01
Stanza
StarTopia
State of Decay - Breakdown
Steam
Stonekeep
SUPERAntiSpyware
Temple of Elemental Evil
Tetrobot and Co
The Cave 1.1.0
Titan Attacks
Torchlight II © Runic Games version 1
Ubisoft Game Launcher
Ultima 4 - Quest of the Avatar
Ultratron / by NSIS
Unity Web Player
Unreal Development Kit: 2012-07
Uplay
Viscera Cleanup Detail - ALPHA
Viscera Cleanup Detail: Santa's Rampage
Viscera Cleanup Detail: Santas Rampage
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2008 x64 Redistributables
VLC media player 1.1.5
Warlock - Master of the Arcane © Paradox Interactive version 1
Weird Worlds: Return To Infinite Space v1.30
WinRAR archiver
Zeno Clash 2
Zip Motion Block Video codec (Remove Only)
.
==== Event Viewer Messages From Past Week ========
.
2/21/2014 7:53:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
2/21/2014 7:53:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
2/21/2014 7:53:41 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/21/2014 7:53:41 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/21/2014 7:53:35 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/21/2014 7:53:29 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/21/2014 7:53:24 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache SASDIFSV SASKUTIL spldr sptd Wanarpv6
2/21/2014 7:53:24 AM, Error: Service Control Manager [7003]  - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
2/21/2014 7:53:24 AM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
2/21/2014 7:53:24 AM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
2/21/2014 7:53:05 AM, Error: sptd [4]  - Driver detected an internal error in its data structures for .
2/21/2014 7:47:08 AM, Error: Service Control Manager [7031]  - The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
2/21/2014 7:46:49 AM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
2/21/2014 7:39:22 AM, Error: Service Control Manager [7023]  - The Server service terminated with the following error:  The service has not been started.
2/21/2014 7:39:22 AM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  A system shutdown is in progress.
2/21/2014 7:39:21 AM, Error: Microsoft-Windows-Directory-Services-SAM [12291]  - SAM failed to start the TCP/IP or SPX/IPX listening thread
2/21/2014 7:00:12 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  aswRdr aswRvrt aswSnx aswSP aswVmm discache SASDIFSV SASKUTIL spldr sptd Wanarpv6
2/21/2014 6:55:30 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  aswRdr aswRvrt aswSnx aswSP aswVmm
2/21/2014 6:55:28 AM, Error: Service Control Manager [7001]  - The avast! Antivirus service depends on the aswMonFlt service which failed to start because of the following error:  The system cannot find the file specified.
2/21/2014 6:55:26 AM, Error: Service Control Manager [7000]  - The aswMonFlt service failed to start due to the following error:  The system cannot find the file specified.
2/21/2014 6:47:43 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  aswRdr aswRvrt aswSnx aswSP aswVmm discache spldr sptd Wanarpv6
2/21/2014 6:25:32 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/21/2014 5:41:06 AM, Error: VDS Basic Provider [1]  - Unexpected failure. Error code: 490@01010004
2/20/2014 9:39:10 PM, Error: Service Control Manager [7022]  - The Windows Search service hung on starting.
2/20/2014 9:36:20 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 3 time(s).
2/20/2014 9:36:20 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-2147217025.
2/20/2014 9:35:37 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/20/2014 9:34:55 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/20/2014 9:33:20 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 15 time(s).
2/20/2014 9:32:23 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 14 time(s).
2/20/2014 9:32:23 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-1073473536.
2/20/2014 9:29:23 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 13 time(s).
2/20/2014 9:29:15 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 12 time(s).
2/20/2014 9:26:34 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 11 time(s).
2/20/2014 9:25:29 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 10 time(s).
2/20/2014 9:19:10 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 9 time(s).
2/20/2014 9:18:49 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 8 time(s).
2/20/2014 9:18:34 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 7 time(s).
2/20/2014 9:17:07 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 6 time(s).
2/20/2014 9:12:11 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 5 time(s).
2/20/2014 9:10:56 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 4 time(s).
2/20/2014 8:49:53 PM, Error: Service Control Manager [7000]  - The avast! VM Monitor service failed to start due to the following error:  The system cannot find the file specified.
2/20/2014 8:49:53 PM, Error: Service Control Manager [7000]  - The aswSnx service failed to start due to the following error:  The system cannot find the file specified.
2/20/2014 8:49:53 PM, Error: Service Control Manager [7000]  - The aswRdr service failed to start due to the following error:  The system cannot find the file specified.
2/20/2014 8:45:26 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
2/20/2014 8:45:00 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}
2/20/2014 8:44:23 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
2/20/2014 8:44:23 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
2/20/2014 8:44:08 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD aswRdr aswRvrt aswSnx aswSP aswVmm DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf ws2ifsl
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
2/20/2014 8:42:03 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 21 time(s).
2/20/2014 8:37:00 PM, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for Type with the following error:  Access is denied.
2/20/2014 8:36:57 PM, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for ServiceSidType with the following error:  Access is denied.
2/20/2014 8:36:56 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 20 time(s).
2/20/2014 8:36:33 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 19 time(s).
2/20/2014 8:36:17 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 18 time(s).
2/20/2014 8:36:02 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 17 time(s).
2/20/2014 8:35:48 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 16 time(s).
2/20/2014 8:05:53 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 31 time(s).
2/20/2014 8:05:47 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 30 time(s).
2/20/2014 8:04:01 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 29 time(s).
2/20/2014 8:03:46 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 28 time(s).
2/20/2014 8:03:30 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 27 time(s).
2/20/2014 8:02:58 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 26 time(s).
2/20/2014 8:02:56 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 25 time(s).
2/20/2014 8:02:43 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 24 time(s).
2/20/2014 8:00:49 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 23 time(s).
2/20/2014 8:00:27 PM, Error: Service Control Manager [7034]  - The Windows Search service terminated unexpectedly.  It has done this 22 time(s).
2/20/2014 7:34:09 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:  An instance of the service is already running.
2/20/2014 7:32:11 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-1073473535.
2/19/2014 2:15:51 AM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
.
==== End Of File ===========================


 

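The DDS report above shows the usual anti-AV tricks in one place: IFEO Debugger redirects that send every security-tool executable to euaie.exe (which is why Malwarebytes and SUPERAntiSpyware die on launch), UAC policies set to 0, vendor domains sinkholed in the hosts file, and a cluster of identically sized random-named drivers. The Python below is an added triage example (not from the poster, DDS or Malwarebytes) that flags those patterns in such log lines; the sample lines are copied from the log above, with two benign ones added as negatives.

```python
"""
Triage helper for DDS-style "Pseudo HJT Report" and "Created Last 30" lines.
Added example: not part of the original post and not code from DDS or
Malwarebytes. It flags the defence-evasion and persistence patterns visible in
the log above.
"""
import re
from collections import Counter

# Security-tool executables that should never carry an IFEO Debugger redirect.
# Names are the ones listed in the log above; extend for your environment.
SECURITY_TOOLS = {
    "avcenter.exe", "avguard.exe", "avp.exe", "bdagent.exe", "ccuac.exe",
    "combofix.exe", "egui.exe", "hijackthis.exe", "mbam.exe", "mpcmdrun.exe",
    "msascui.exe", "msmpeng.exe", "msseces.exe", "spybotsd.exe",
    "superantispyware.exe", "wireshark.exe", "zlclient.exe",
}
# UAC-related policy values that disable or silence UAC when set to 0.
UAC_POLICIES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
# Vendor domains whose sinkholing in the hosts file blocks AV updates/telemetry.
VENDOR_SUFFIXES = ("mcafee.com", "symantec.com", "bitdefender.com",
                   "trendmicro.com", "microsoft.com", "bleepingcomputer.com")

IFEO_RE = re.compile(r"^(?:x64-)?IFEO:\s+(\S+)\s+-\s+(\S+)$")
POLICY_RE = re.compile(r"^mPolicies-System:\s+(\w+)\s+=\s+dword:(\d+)$")
HIDE_SC_RE = re.compile(r"^mPolicies-Explorer:\s+HideSCAHealth\s+=\s+dword:1$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?:127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)$")
RUN_RE = re.compile(r"^(?:uRun|mRun|uWindows):\s+(?:\[[^\]]*\]|Load =)\s*(.+)$")
SVC_RE = re.compile(r"^SUnknown\s+([^;]+);[^;]*;\s*\[x\]$")
# Driver created recently whose name is eight random letters (8-letter names
# are what this log shows; adjust the length for other samples).
DRIVER_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\d+)\s+\S+\s+"
    r"C:\\Windows\\System32\\drivers\\([a-z]{8})\.sys$", re.IGNORECASE)
# A {$....$} directory under the drive root, or a script launched from AppData.
ODD_PATH_RE = re.compile(r"C:\\\{\$[^}]*\$\}|\\AppData\\.*\.(?:vbe|vbs|js)\b",
                         re.IGNORECASE)


def triage(lines):
    """Return a list of (category, detail) findings for the given log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := IFEO_RE.match(line):
            if m.group(1).lower() in SECURITY_TOOLS:
                findings.append(("ifeo-hijack", f"{m.group(1)} -> {m.group(2)}"))
        elif m := POLICY_RE.match(line):
            if m.group(1) in UAC_POLICIES and m.group(2) == "0":
                findings.append(("uac-disabled", m.group(1)))
        elif HIDE_SC_RE.match(line):
            findings.append(("security-center-hidden", "HideSCAHealth=1"))
        elif m := HOSTS_RE.match(line):
            if m.group(1).lower().endswith(VENDOR_SUFFIXES):
                findings.append(("hosts-sinkhole", m.group(1)))
        elif m := RUN_RE.match(line):
            if ODD_PATH_RE.search(m.group(1)):
                findings.append(("suspicious-autorun", m.group(1)))
        elif m := SVC_RE.match(line):
            findings.append(("service-missing-binary", m.group(1)))
        elif m := DRIVER_RE.match(line):
            findings.append(("random-named-driver",
                             f"{m.group(2)}.sys size={m.group(1)}"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'ifeo-hijack': 3, ...}."""
    return dict(Counter(cat for cat, _ in findings))


# Constructed sample: lines copied from the log in the post above, plus two
# benign ones (Adobe autorun, ConsentPromptBehaviorUser=3) that must not fire.
SAMPLE_LOG = r"""
uWindows: Load = C:\{$5812-5333-4513-5757-7153$}\nacl64.exe
uRun: [Adobe Updater] C:\Program Files (x86)\Adobe\Updater.exe
mRun: [Adobe] C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Recent.vbe
mRun: [Windows Configuration] C:\{$5812-5333-4513-5757-7153$}\nacl64.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IFEO: avp.exe - euaie.exe
IFEO: mbam.exe - euaie.exe
x64-IFEO: SUPERAntiSpyware.exe - euaie.exe
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1  om.symantec.com
SUnknown alskvflw;alskvflw; [x]
SUnknown pxzsvitd;pxzsvitd; [x]
2014-02-21 12:55:12    421704    ----a-w-    C:\Windows\System32\drivers\pxzsvitd.sys
2014-02-21 12:54:15    421704    ----a-w-    C:\Windows\System32\drivers\alskvflw.sys
2014-02-21 11:41:46    36680    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
""".strip().splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it the whole pasted DDS.txt and attach.txt (one line per list element) to get the same categories over the full report; anything it flags still needs a human to confirm before removal.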

  • Staff

Hello Poorsoul

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo

First of all, thank you very much for your time, I honestly appreciate it.

I am still in safe mode with networking. I hope it is ok for me to follow these instructions while logged in this way.

FRST.txt log:

-------------------------


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-02-2014
Ran by Dook (administrator) on DOOK-PC on 21-02-2014 09:33:54
Running from C:\Users\Dook\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [amd_dc_opt] - C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe] - C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Recent.vbe [15550 2013-01-20] ()
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [Windows Configuration] - C:\{$5812-5333-4513-5757-7153$}\nacl64.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKLM-x32\...\RunOnce: [1] - C:\Temp\mbam-chameleon.exe /r /p [218184 2012-08-15] ()
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\Run: [Adobe Updater] - C:\Program Files (x86)\Adobe\Updater.exe [735232 2013-05-17] ()
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\Run: [sUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6563608 2014-01-06] (SUPERAntiSpyware)
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\CurrentVersion\Windows: [Load] C:\{$5812-5333-4513-5757-7153$}\nacl64.exe <===== ATTENTION
IFEO\avcenter.exe: [Debugger] euaie.exe
IFEO\avguard.exe: [Debugger] euaie.exe
IFEO\avp.exe: [Debugger] euaie.exe
IFEO\bdagent.exe: [Debugger] euaie.exe
IFEO\ccuac.exe: [Debugger] euaie.exe
IFEO\ComboFix.exe: [Debugger] euaie.exe
IFEO\egui.exe: [Debugger] euaie.exe
IFEO\hijackthis.exe: [Debugger] euaie.exe
IFEO\keyscrambler.exe: [Debugger] euaie.exe
IFEO\MpCmdRun.exe: [Debugger] euaie.exe
IFEO\MSASCui.exe: [Debugger] euaie.exe
IFEO\MsMpEng.exe: [Debugger] euaie.exe
IFEO\msseces.exe: [Debugger] euaie.exe
IFEO\spybotsd.exe: [Debugger] euaie.exe
IFEO\SUPERAntiSpyware.exe: [Debugger] euaie.exe
IFEO\wireshark.exe: [Debugger] euaie.exe
IFEO\zlclient.exe: [Debugger] euaie.exe
Startup: C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.ini.url ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ixquick.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD655AE1080FECB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM {615A1925-0E5B-4767-A65E-3165AEAC32A3} http://quickscan.bitdefender.com/qsax/qsax64.cab
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 04 %SystemRoot%\System32\nwprovau.dll File Not found ()
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 25 mswsock.dll File Not found ()
Winsock: Catalog9 26 mswsock.dll File Not found ()
Winsock: Catalog9 27 mswsock.dll File Not found ()
Winsock: Catalog9 28 mswsock.dll File Not found ()
Winsock: Catalog9 29 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default
FF Homepage: https://www.ixquick.com/
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin: @java.com/DTPlugin,version=10.5.0 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.5.0 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin-x32: @videolan.org/vlc,version=1.1.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Dook\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: baNdit - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{51114877-d928-5d13-4e22-53a228937a5c} [2011-02-27]
FF Extension: Ghostery - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\firefox@ghostery.com.xpi [2013-08-02]
FF Extension: NoScript - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2011-04-01]
FF Extension: Adblock Plus - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011-03-26]
FF Extension: BetterPrivacy - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2011-08-20]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [pmcmflmkceipgecmhoddphflfndnfbbe] - C:\Users\Dook\AppData\Local\Temp\tbch.crx []

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [144152 2013-10-10] (SUPERAntiSpyware.com)
S3 PSEXESVC; C:\Windows\PSEXESVC.EXE [181064 2014-02-21] (Sysinternals)

==================== Drivers (Whitelisted) ====================

S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2010-12-05] ()
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2010-12-05] ()
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SNL320XP; C:\Windows\System32\DRIVERS\9kdUSB64.sys [30720 2007-07-03] (Sonix Technology Co., Ltd.)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-12-12] (Duplex Secure Ltd.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-21 09:33 - 2014-02-21 09:34 - 00011561 _____ () C:\Users\Dook\Desktop\FRST.txt
2014-02-21 09:33 - 2014-02-21 09:33 - 02153984 _____ (Farbar) C:\Users\Dook\Desktop\FRST64.exe
2014-02-21 09:33 - 2014-02-21 09:33 - 00000000 ____D () C:\FRST
2014-02-21 09:32 - 2014-02-21 09:32 - 00000000 _____ () C:\Users\Dook\Desktop\VIRUS.txt
2014-02-21 08:05 - 2014-02-21 08:40 - 00022495 _____ () C:\Users\Dook\Desktop\attach.txt
2014-02-21 08:05 - 2014-02-21 08:05 - 00007966 _____ () C:\Users\Dook\Desktop\dds.txt
2014-02-21 08:03 - 2014-02-21 08:03 - 00688992 ____R (Swearware) C:\Users\Dook\Desktop\dds.scr
2014-02-21 07:56 - 2014-02-21 07:56 - 04697744 _____ (AVAST Software) C:\Users\Dook\Desktop\avast_free_antivirus_setup_online.exe
2014-02-21 07:55 - 2014-02-21 07:55 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\pxzsvitd.sys
2014-02-21 07:54 - 2014-02-21 07:54 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\alskvflw.sys
2014-02-21 07:52 - 2014-02-21 07:52 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\lrkxzijc.sys
2014-02-21 07:52 - 2014-02-21 07:52 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2014-02-21 07:41 - 2014-02-21 07:41 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\ggkphcrz.sys
2014-02-21 07:32 - 2014-02-21 07:32 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\zmavmbuo.sys
2014-02-21 06:48 - 2014-02-21 07:01 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-02-21 06:48 - 2014-02-21 06:48 - 00001808 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-02-21 06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\SUPERAntiSpyware.com
2014-02-21 06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-02-20 21:32 - 2014-02-20 21:32 - 00080456 _____ (Malwarebytes Corporation) C:\Users\Dook\Desktop\mbam-clean-1.60.2.0003.exe
2014-02-20 21:25 - 2014-02-20 21:28 - 00000794 _____ () C:\Users\Dook\Desktop\unhide.txt
2014-02-20 21:25 - 2014-02-20 21:25 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\Dook\Desktop\unhide.exe
2014-02-20 21:17 - 2014-02-20 21:17 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Dook\Desktop\mbam-setup-1.75.0.1300.exe
2014-02-20 20:58 - 2014-02-20 20:59 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\QuickScan
2014-02-20 20:08 - 2014-02-20 20:08 - 00943777 _____ () C:\Windows\SysWOW64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin
2014-02-20 20:07 - 2014-02-20 20:07 - 00001443 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-20 20:07 - 2014-02-20 20:07 - 00001409 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\Users\Dook\AppData\Local\Microsoft Corporation
2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\ProgramData\Microsoft Corporation
2014-02-20 19:54 - 2014-02-20 20:27 - 90578216 _____ (AVAST Software) C:\Users\Dook\Downloads\avast_free_antivirus_setup.exe
2014-02-20 06:42 - 2014-02-20 06:42 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Basilisk Games
2014-02-20 06:13 - 2014-02-21 06:42 - 00000000 ___HD () C:\{$5812-5333-4513-5757-7153$}
2014-02-20 05:57 - 2014-02-20 06:11 - 00000000 ____D () C:\Users\Dook\Downloads\Eschalon.Book.III
2014-02-19 13:58 - 2014-02-19 13:58 - 01199104 __RSH ( ) C:\ProgramData\737923934.exe
2014-02-19 04:36 - 2014-02-19 04:36 - 00001164 _____ () C:\Users\Dook\Desktop\Banished.exe - Shortcut.lnk
2014-02-18 11:21 - 2014-02-18 11:21 - 00000000 ____D () C:\Users\Dook\Documents\Banished
2014-02-18 10:45 - 2014-02-18 10:45 - 00000000 ____D () C:\Users\Dook\Downloads\Banished
2014-02-14 13:15 - 2014-02-14 13:15 - 00002039 _____ () C:\Users\Public\Desktop\Ultima 4 - Quest of the Avatar.lnk
2014-02-14 13:00 - 2014-02-14 13:02 - 26824360 _____ (GOG.com ) C:\Users\Dook\Downloads\setup_ultima4_2.0.0.19.exe
2014-02-14 11:22 - 2014-02-14 11:22 - 00001911 _____ () C:\Users\Public\Desktop\Magic Carpet 2.lnk
2014-02-14 10:51 - 2014-02-14 11:00 - 00000000 ____D () C:\Users\Dook\Downloads\Magic Carpet 2 GOG
2014-02-13 07:53 - 2014-02-13 08:04 - 09004360 _____ (Perfect World Entertainment) C:\Users\Dook\Downloads\ArcInstall_v20140121a.exe
2014-02-13 07:41 - 2014-02-13 07:41 - 00000222 _____ () C:\Users\Dook\Desktop\Neverwinter.url
2014-02-10 04:27 - 2014-02-10 04:42 - 00000000 ____D () C:\Users\Dook\Documents\Horizon Game
2014-02-10 03:16 - 2014-02-10 03:16 - 00001543 _____ () C:\Users\Public\Desktop\Horizon.lnk
2014-02-09 07:48 - 2014-02-09 12:03 - 00000000 ____D () C:\Users\Dook\Downloads\Horizon
2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\Users\Dook\AppData\Local\Octodad Dadliest Catch
2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\ProgramData\CODEX
2014-02-03 20:39 - 2014-02-03 20:39 - 00000870 _____ () C:\Users\Dook\Desktop\Octodad Dadliest Catch.lnk
2014-01-31 13:57 - 2014-01-31 13:57 - 00000222 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail Santa's Rampage.url
2014-01-29 22:06 - 2014-01-29 22:06 - 00001825 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail - Alpha.lnk
2014-01-29 22:06 - 2014-01-29 22:06 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisceraCleanupDetail-Alpha
2014-01-28 21:01 - 2014-01-29 00:53 - 1215219712 _____ () C:\Users\Dook\Downloads\rld-bragea1.iso
2014-01-25 15:38 - 2014-01-25 15:38 - 00000000 _____ () C:\Users\Dook\Desktop\New Text Document (3).txt
2014-01-24 15:13 - 2014-01-27 12:37 - 00000000 ____D () C:\Users\Dook\Documents\MightAndMagicXLegacy
2014-01-24 15:06 - 2014-01-24 15:06 - 00000731 _____ () C:\Users\Public\Desktop\Might and Magic X Legacy.lnk
2014-01-24 14:38 - 2014-01-24 14:38 - 00001588 _____ () C:\Users\Dook\Desktop\Eador-Mechanics.doc - Shortcut.lnk
2014-01-24 14:37 - 2014-01-24 14:37 - 00001565 _____ () C:\Users\Dook\Desktop\MTG.lnk
2014-01-23 20:56 - 2014-01-23 20:56 - 00000946 _____ () C:\Users\Dook\Desktop\Zeno Clash 2.lnk

==================== One Month Modified Files and Folders =======

2014-02-21 09:34 - 2014-02-21 09:33 - 00011561 _____ () C:\Users\Dook\Desktop\FRST.txt
2014-02-21 09:33 - 2014-02-21 09:33 - 02153984 _____ (Farbar) C:\Users\Dook\Desktop\FRST64.exe
2014-02-21 09:33 - 2014-02-21 09:33 - 00000000 ____D () C:\FRST
2014-02-21 09:32 - 2014-02-21 09:32 - 00000000 _____ () C:\Users\Dook\Desktop\VIRUS.txt
2014-02-21 08:40 - 2014-02-21 08:05 - 00022495 _____ () C:\Users\Dook\Desktop\attach.txt
2014-02-21 08:05 - 2014-02-21 08:05 - 00007966 _____ () C:\Users\Dook\Desktop\dds.txt
2014-02-21 08:03 - 2014-02-21 08:03 - 00688992 ____R (Swearware) C:\Users\Dook\Desktop\dds.scr
2014-02-21 07:57 - 2009-07-14 00:13 - 00791944 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-21 07:56 - 2014-02-21 07:56 - 04697744 _____ (AVAST Software) C:\Users\Dook\Desktop\avast_free_antivirus_setup_online.exe
2014-02-21 07:55 - 2014-02-21 07:55 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\pxzsvitd.sys
2014-02-21 07:54 - 2014-02-21 07:54 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\alskvflw.sys
2014-02-21 07:52 - 2014-02-21 07:52 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\lrkxzijc.sys
2014-02-21 07:52 - 2014-02-21 07:52 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2014-02-21 07:50 - 2010-12-05 16:52 - 01066982 _____ () C:\Windows\WindowsUpdate.log
2014-02-21 07:50 - 2009-07-13 23:45 - 00015008 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-21 07:50 - 2009-07-13 23:45 - 00015008 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-21 07:46 - 2013-07-14 00:00 - 00004037 _____ () C:\Windows\setupact.log
2014-02-21 07:46 - 2010-12-05 00:59 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-02-21 07:41 - 2014-02-21 07:41 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\ggkphcrz.sys
2014-02-21 07:36 - 2013-03-12 13:57 - 00000000 ____D () C:\Program Files\AVAST Software
2014-02-21 07:36 - 2012-05-16 20:25 - 00000000 _____ () C:\Windows\SysWOW64\config.nt
2014-02-21 07:32 - 2014-02-21 07:32 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\zmavmbuo.sys
2014-02-21 07:01 - 2014-02-21 06:48 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-02-21 06:48 - 2014-02-21 06:48 - 00001808 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-02-21 06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\SUPERAntiSpyware.com
2014-02-21 06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-02-21 06:45 - 2012-06-14 11:20 - 00000000 ____D () C:\Users\Dook\AppData\Local\CrashDumps
2014-02-21 06:42 - 2014-02-20 06:13 - 00000000 ___HD () C:\{$5812-5333-4513-5757-7153$}
2014-02-21 06:39 - 2013-03-12 13:27 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-02-20 21:32 - 2014-02-20 21:32 - 00080456 _____ (Malwarebytes Corporation) C:\Users\Dook\Desktop\mbam-clean-1.60.2.0003.exe
2014-02-20 21:28 - 2014-02-20 21:25 - 00000794 _____ () C:\Users\Dook\Desktop\unhide.txt
2014-02-20 21:25 - 2014-02-20 21:25 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\Dook\Desktop\unhide.exe
2014-02-20 21:17 - 2014-02-20 21:17 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Dook\Desktop\mbam-setup-1.75.0.1300.exe
2014-02-20 21:15 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-02-20 20:59 - 2014-02-20 20:58 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\QuickScan
2014-02-20 20:27 - 2014-02-20 19:54 - 90578216 _____ (AVAST Software) C:\Users\Dook\Downloads\avast_free_antivirus_setup.exe
2014-02-20 20:08 - 2014-02-20 20:08 - 00943777 _____ () C:\Windows\SysWOW64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin
2014-02-20 20:07 - 2014-02-20 20:07 - 00001443 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-20 20:07 - 2014-02-20 20:07 - 00001409 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-02-20 20:07 - 2010-12-05 16:44 - 00000000 ____D () C:\Windows\Panther
2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\Users\Dook\AppData\Local\Microsoft Corporation
2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\ProgramData\Microsoft Corporation
2014-02-20 19:31 - 2013-03-12 13:18 - 00017634 _____ () C:\Windows\PFRO.log
2014-02-20 10:55 - 2010-12-05 12:47 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-02-20 09:19 - 2010-12-06 20:59 - 00003918 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{C71DB46F-2FB1-4F78-A79A-B9FCEBD9CAB7}
2014-02-20 06:42 - 2014-02-20 06:42 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Basilisk Games
2014-02-20 06:14 - 2012-08-05 01:20 - 00000000 ____D () C:\Games
2014-02-20 06:13 - 2010-12-05 00:49 - 00000000 ___RD () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-20 06:11 - 2014-02-20 05:57 - 00000000 ____D () C:\Users\Dook\Downloads\Eschalon.Book.III
2014-02-19 13:58 - 2014-02-19 13:58 - 01199104 __RSH ( ) C:\ProgramData\737923934.exe
2014-02-19 04:36 - 2014-02-19 04:36 - 00001164 _____ () C:\Users\Dook\Desktop\Banished.exe - Shortcut.lnk
2014-02-18 11:21 - 2014-02-18 11:21 - 00000000 ____D () C:\Users\Dook\Documents\Banished
2014-02-18 10:45 - 2014-02-18 10:45 - 00000000 ____D () C:\Users\Dook\Downloads\Banished
2014-02-14 13:15 - 2014-02-14 13:15 - 00002039 _____ () C:\Users\Public\Desktop\Ultima 4 - Quest of the Avatar.lnk
2014-02-14 13:02 - 2014-02-14 13:00 - 26824360 _____ (GOG.com ) C:\Users\Dook\Downloads\setup_ultima4_2.0.0.19.exe
2014-02-14 11:22 - 2014-02-14 11:22 - 00001911 _____ () C:\Users\Public\Desktop\Magic Carpet 2.lnk
2014-02-14 11:04 - 2011-01-12 09:26 - 00009159 _____ () C:\Users\Dook\Desktop\New Text Document.txt
2014-02-14 11:00 - 2014-02-14 10:51 - 00000000 ____D () C:\Users\Dook\Downloads\Magic Carpet 2 GOG
2014-02-13 13:16 - 2013-06-19 18:36 - 00141538 _____ () C:\Windows\DirectX.log
2014-02-13 08:04 - 2014-02-13 07:53 - 09004360 _____ (Perfect World Entertainment) C:\Users\Dook\Downloads\ArcInstall_v20140121a.exe
2014-02-13 07:41 - 2014-02-13 07:41 - 00000222 _____ () C:\Users\Dook\Desktop\Neverwinter.url
2014-02-10 04:42 - 2014-02-10 04:27 - 00000000 ____D () C:\Users\Dook\Documents\Horizon Game
2014-02-10 03:16 - 2014-02-10 03:16 - 00001543 _____ () C:\Users\Public\Desktop\Horizon.lnk
2014-02-09 12:03 - 2014-02-09 07:48 - 00000000 ____D () C:\Users\Dook\Downloads\Horizon
2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\Users\Dook\AppData\Local\Octodad Dadliest Catch
2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\ProgramData\CODEX
2014-02-03 20:39 - 2014-02-03 20:39 - 00000870 _____ () C:\Users\Dook\Desktop\Octodad Dadliest Catch.lnk
2014-02-03 10:34 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-01-31 13:57 - 2014-01-31 13:57 - 00000222 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail Santa's Rampage.url
2014-01-29 22:06 - 2014-01-29 22:06 - 00001825 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail - Alpha.lnk
2014-01-29 22:06 - 2014-01-29 22:06 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisceraCleanupDetail-Alpha
2014-01-29 00:53 - 2014-01-28 21:01 - 1215219712 _____ () C:\Users\Dook\Downloads\rld-bragea1.iso
2014-01-27 20:00 - 2014-01-09 20:52 - 00001803 _____ () C:\Users\Dook\Desktop\VCD Santa's Rampage.lnk
2014-01-27 19:59 - 2014-01-10 12:09 - 00002049 _____ () C:\Users\Public\Desktop\VCD Shadow Warrior.lnk
2014-01-27 12:37 - 2014-01-24 15:13 - 00000000 ____D () C:\Users\Dook\Documents\MightAndMagicXLegacy
2014-01-25 15:38 - 2014-01-25 15:38 - 00000000 _____ () C:\Users\Dook\Desktop\New Text Document (3).txt
2014-01-24 15:14 - 2013-10-22 17:53 - 00000000 ____D () C:\ProgramData\Orbit
2014-01-24 15:06 - 2014-01-24 15:06 - 00000731 _____ () C:\Users\Public\Desktop\Might and Magic X Legacy.lnk
2014-01-24 14:47 - 2012-03-09 05:47 - 00000000 ____D () C:\Users\Dook\Downloads\Comics
2014-01-24 14:38 - 2014-01-24 14:38 - 00001588 _____ () C:\Users\Dook\Desktop\Eador-Mechanics.doc - Shortcut.lnk
2014-01-24 14:37 - 2014-01-24 14:37 - 00001565 _____ () C:\Users\Dook\Desktop\MTG.lnk
2014-01-23 20:56 - 2014-01-23 20:56 - 00000946 _____ () C:\Users\Dook\Desktop\Zeno Clash 2.lnk

ZeroAccess:
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}\@

Files to move or delete:
====================
C:\ProgramData\737923934.exe


Some content of TEMP:
====================
C:\Users\Dook\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Dook\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Dook\AppData\Local\Temp\libusb-1.0.dll
C:\Users\Dook\AppData\Local\Temp\setup.exe
C:\Users\Dook\AppData\Local\Temp\ShellLink.dll
C:\Users\Dook\AppData\Local\Temp\steam1r.exe
C:\Users\Dook\AppData\Local\Temp\swt-win32-3448.dll
C:\Users\Dook\AppData\Local\Temp\ubi3B87.tmp.exe
C:\Users\Dook\AppData\Local\Temp\ubi5A4E.tmp.exe
C:\Users\Dook\AppData\Local\Temp\Uninstall.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-02-18 00:45

==================== End Of Log ============================

ADDITION.txt log

------------------------------

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-02-2014
Ran by Dook at 2014-02-21 09:34:25
Running from C:\Users\Dook\Desktop
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Security Center ========================

AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

"How To Survive" (x32 Version: 1.0.0.0 - )
"XCOM - Enemy Within" (x32 Version: 1.0.0.926 - )
12 Labours of Hercules (x32 Version: 1.1)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0 - Igor Pavlov)
Adobe AIR (x32 Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe AIR (x32 Version: 2.5.1.17730 - Adobe Systems Inc.) Hidden
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.2.202.235 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (x32 Version: 11.8.800.94 - Adobe Systems Incorporated)
Adobe Reader X (x32 Version: 10.0.0 - Adobe Systems Incorporated)
Age of Mythology - The Titans Expansion (x32 Version:  - )
Age of Mythology (x32 Version:  - )
Age of Wonders (x32 Version:  - )
Age of Wonders II (x32 Version:  - )
Alarm Clock v1.0 (x32 Version:  - Moore Design Lmt.)
All My Gods (x32 Version: 1.0)
Anomaly 2 © 11 bit studios version 1 (x32 Version: 1 - )
ASUS nVidia Driver (x32 Version: 1.00.0000 - ASUSTek) Hidden
Avernum (x32 Version: 1.0.1 - Spiderweb Software)
AviSynth 2.5 (x32 Version:  - )
AVStoDVD 2.6.0 (x32 Version: 2.6.0 - MrC)
Baldur's Gate II: Enhanced Edition (x32 Version: 1 - )
Batman Arkham Origins version 1.0.3 (x32 Version: 1.0.3 - Joker_RETURNS, WB. Entertainment)
Batman.Arkham Origins + 1 DLC (x32 Version: Batman.Arkham Origins + 1 DLC (25.10.2013))
Battle for Wesnoth 1.8.5 (x32 Version: 1.8.5 - )
Bully Scholarship Edition (x32 Version: 1.00.0200 - Rockstar Games)
Bully Scholarship Edition (x32 Version: 1.00.0200 - Rockstar Games) Hidden
CCleaner (Version: 3.26 - Piriform)
Circle of Eight Modpack version 7.6.0 NC (x32 Version: 7.6.0 NC - Circle of Eight)
ComicRack v0.9.149 (Version: v0.9.149 - cYo Soft)
Dead Space™ 2 (x32 Version: 1.0.941.0 - Electronic Arts)
Deadfall Adventures (x32 Version: 1 - )
DEMISE (x32 Version:  - )
DROD: Journey to Rooted Hold 2.0.12 (x32 Version: 2.0.12 - Caravel Games)
Droid Assault / by NSIS (x32 Version:  - Puppy Games)
Dual-Core Optimizer (x32 Version: 1.1.4.0169 - AMD)
Duke Nukem Forever (x32 Version:  - )
Dungeons & Dragons Online ®:  Eberron Unlimited ™ v01.13.00.802 (x32 Version: 01.13.00.8029 - Atari, Inc.)
Eador - Masters of The Broken World (x32 Version:  - )
Fable III (x32 Version: 1.0.0001.131 - Microsoft Game Studios) Hidden
Fallout 3 (HKCU Version: 1.00.0000 - Bethesda Softworks)
Fallout: New Vegas (x32 Version:  - Bethesda Softworks)
Far Cry 2 with Fortunes Pack (x32 Version:  - GOG.com)
ffdshow v1.2.4422 [2012-04-09] (x32 Version: 1.2.4422.0 - )
Fieldrunners 2 1.0 (x32 Version: 1.0 - Cat-A-Cat)
Flashback (x32 Version: 1 - )
Folk Tale (x32 Version:  - )
From Dust (x32 Version: 1.0.0 - Ubisoft)
FTL version 1.01 (x32 Version: 1.01 - Subset Games)
Glare (x32 Version: 1 - )
Grand Theft Auto IV (x32 Version: 1.00.0000 - Rockstar Games)
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0002.135 - Rockstar Games Inc.) Hidden
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0003.135 - Rockstar Games Inc.) Hidden
Grand Theft Auto: Episodes From Liberty City (x32 Version: 1.1.0.0 - Rockstar Games)
Grimm (x32 Version:  - Spicyhorse Games)
Haali Media Splitter (x32 Version:  - )
Hellgate: London (Version: 1.10.180.3416 - Flagship Studios)
Horizon (x32 Version:  - Iceberg Interactive)
Hydrophobia Prophecy (x32 Version: 1.0.0.1 - VEBMAX)
I Am Alive (x32 Version: 1.00.0 - Ubisoft)
I Am Alive (x32 Version: 1.00.0 - Ubisoft) Hidden
ImgBurn (x32 Version: 2.5.7.0 - LIGHTNING UK!)
Java 7 Update 25 (x32 Version: 7.0.250 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.5 - Sun Microsystems, Inc.) Hidden
Java 7 Update 5 (64-bit) (Version: 7.0.50 - Oracle)
Kingdoms of Amalur Reckoning (x32 Version:  - )
King's Bounty. The Legend (Remove Only) (Version: 1.0.0.0 - Atari)
King's Bounty. The Legend (Remove Only) (x32 Version: 1.0.0.0 - Atari)
Legend of Grimrock (x32 Version:  - GOG.com)
Magic Carpet 2 (x32 Version: 2.0.0.6 - GOG.com)
Magic The Gathering - Duels of the Planeswalkers 2013 (x32 Version:  - )
Majesty 2 Collection (x32 Version:  - Paradox Interactive)
Mark of the Ninja Special Edition (x32 Version:  - )
Master Of Magic (x32 Version:  - GOG.com)
MediaInfo (x32 Version:  - MediaInfo.SourceForge.net)
Microsoft .NET Framework 1.1 (x32 Version:  - )
Microsoft .NET Framework 1.1 (x32 Version: 1.1.4322 - Microsoft) Hidden
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Compatibility Toolkit 5.6 (x32 Version: 5.6.7324.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE (x32 Version: 3.1.186.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (x32 Version: 3.1.99.0 - Microsoft Corporation)
Microsoft Reader (x32 Version:  - )
Microsoft Silverlight (x32 Version: 4.1.10329.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (x32 Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (x32 Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft XNA Framework Redistributable 3.1 (x32 Version: 3.1.10527.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (x32 Version: 4.0.20823.0 - Microsoft Corporation)
Might and Magic X Legacy (x32 Version: 1 - )
Mozilla Firefox 19.0.2 (x86 en-US) (x32 Version: 19.0.2 - Mozilla)
Mozilla Maintenance Service (x32 Version: 19.0.2 - Mozilla)
MSXML4 Parser (x32 Version: 1.0.0 - Microsoft Game Studios)
My Game Long Name (Version:  - Epic Games, Inc.)
Neverwinter (x32 Version:  - Cryptic Studios)
Newsbin Pro (Version: 6.21 - DJI Interprises, LLC)
Northern Tale 2 1.0 (x32 Version: 1.0 - Cat-A-Cat)
NVIDIA 3D Vision Driver 296.10 (Version: 296.10 - NVIDIA Corporation)
NVIDIA Control Panel 296.10 (Version: 296.10 - NVIDIA Corporation) Hidden
NVIDIA Graphics Driver 296.10 (Version: 296.10 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.12.0 (Version: 1.3.12.0 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.62.312 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.13.0725 - NVIDIA Corporation)
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.12.9610 - NVIDIA Corporation) Hidden
Octodad Dadliest Catch (x32 Version:  )
OpenAL (x32 Version:  - )
OpenOffice.org 3.3 (x32 Version: 3.3.9567 - OpenOffice.org)
Pando Media Booster (x32 Version: 2.3.5.1 - Pando Networks Inc.)
Panzer Corps (x32 Version: 1.00 - Slitherine)
Panzer Corps version 1.0 (x32 Version: 1.0 - )
Papers, Please (x32 Version: 2.0.0.4 - GOG.com)
Plants vs. Zombies (x32 Version:  - PopCap Games)
Pool of Radiance: RoMD (x32 Version:  - )
Populous - The Beginning (x32 Version:  - GOG.com)
POR (Version:  - )
QuickPar 0.9 (x32 Version: 0.9 - Peter B. Clements)
Rage (x32 Version: )
Realtek Ethernet Controller Driver For Windows 7 (x32 Version: 7.17.304.2010 - Realtek)
Rise of Venice (x32 Version: 1 - )
Risen 2: Dark Waters (x32 Version: 1.0.1210.0 )
Rockstar Games Social Club (x32 Version: 1.00.0000 - Rockstar Games)
Rogue Legacy version 0.0.0.9 (x32 Version: 0.0.0.9 )
Sacrifice (x32 Version:  - )
Saints Row IV Update 5 Incl. DLC (x32 Version: 1 - )
Sanctum 2 © CoffeeStainStudios version 1 (x32 Version: 1 - )
Shadow Warrior (x32 Version:  - Devolver Digital)
Shadowrun Returns (x32 Version:  - Harebrained Holdings)
SmartGlobe Deluxe V3.12 (x32 Version:  - Oregon Scientific)
Solar 2 version 1.01 (x32 Version: 1.01 - )
Stanza (x32 Version:  - )
StarTopia (x32 Version:  - GOG.com)
State of Decay - Breakdown (x32 Version:  - )
Steam (x32 Version: 1.0.0.0 - Valve Corporation)
Stonekeep (x32 Version: 2.0.0.10 - GOG.com)
SUPERAntiSpyware (Version: 5.7.1018 - SUPERAntiSpyware.com)
Temple of Elemental Evil (x32 Version: 1.00.000 - )
Tetrobot and Co (x32 Version:  -)
The Cave 1.1.0 (x32 Version: 1.1.0 - Double Fine Productions)
Titan Attacks (x32 Version: 2.00.6 - Puppy Games)
Torchlight II © Runic Games version 1 (x32 Version: 1 - )
Ubisoft Game Launcher (x32 Version: 1.0.0.0 - UBISOFT)
Ultima 4 - Quest of the Avatar (x32 Version: 2.0.0.19 - GOG.com)
Ultratron / by NSIS (x32 Version:  - Puppy Games)
Unity Web Player (HKCU Version:  - Unity Technologies ApS)
Unreal Development Kit: 2012-07 (Version:  - Epic Games, Inc.)
Uplay (x32 Version: 3.0 - Ubisoft)
Viscera Cleanup Detail - ALPHA (Version:  - RuneStorm)
Viscera Cleanup Detail: Santas Rampage
Viscera Cleanup Detail: Santa's Rampage (x32 Version:  - RuneStorm)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (x32 Version: 9.0.30729.01 - Microsoft Corporation)
Visual Studio 2008 x64 Redistributables (x32 Version: 10.0.0.2 - AVG Technologies)
VLC media player 1.1.5 (x32 Version: 1.1.5 - VideoLAN)
Warlock - Master of the Arcane © Paradox Interactive version 1 (x32 Version: 1 - )
Weird Worlds: Return To Infinite Space v1.30 (x32 Version:  - Digital Eel)
WinRAR archiver (x32 Version:  - )
Zeno Clash 2 (x32 Version: )
Zip Motion Block Video codec (Remove Only) (Version:  - DOSBox Team)

==================== Restore Points  =========================

21-02-2014 00:28:24 avast! Free Antivirus Setup
21-02-2014 01:05:13 Windows Modules Installer
21-02-2014 01:29:56 avast! antivirus system restore point
21-02-2014 01:36:29 avast! antivirus system restore point
21-02-2014 01:48:45 avast! antivirus system restore point
21-02-2014 02:36:31 Restore Operation

==================== Hosts content: ==========================

2009-07-13 21:34 - 2013-03-03 05:56 - 00582353 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1  localhost

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============

Task: {2C764E98-B467-4AE0-A38D-A59CAB0510AF} - System32\Tasks\{C2B1A140-2659-4618-95FD-1397C5D1BE3D} => D:\INSTALL.EXE
Task: {6A36FA60-0603-45B8-9F2F-DBB5C1EE51B0} - System32\Tasks\{A7AC37F8-598E-4867-B2D8-2AD3276E56BB} => C:\Games\Anachronox\anox.exe
Task: {75AAAB47-6D9C-4E2E-A511-1F629D4FA482} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: {833CA20C-E7A0-4DC3-9555-DE08E51FFF1E} - System32\Tasks\{D668E880-AFB8-4AE1-91A1-BE9638C0F326} => C:\Games\kotor\launcher.exe
Task: {DBEC5176-8ACF-4B9D-945C-CAE6524B68E5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2012-12-19] (Piriform Ltd)
Task: {FFF2FFCC-182F-4475-885A-A132BCE0EC6B} - System32\Tasks\{1E476B08-8197-4055-B66B-21A97D7FA4FA} => D:\INSTALL.EXE

==================== Loaded Modules (whitelisted) =============

2011-03-22 20:50 - 2013-03-12 13:22 - 03069848 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2012-02-29 12:26 - 2012-02-29 12:26 - 00360768 _____ () C:\Program Files (x86)\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData:gs5sys
AlternateDataStreams: C:\Users\All Users:gs5sys
AlternateDataStreams: C:\Users\Dook:gs5sys
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys
AlternateDataStreams: C:\ProgramData\TEMP:38849DE5
AlternateDataStreams: C:\ProgramData\Templates:gs5sys
AlternateDataStreams: C:\Users\Dook\Application Data:gs5sys
AlternateDataStreams: C:\Users\Dook\Cookies:gs5sys
AlternateDataStreams: C:\Users\Dook\Local Settings:gs5sys
AlternateDataStreams: C:\Users\Dook\Templates:gs5sys
AlternateDataStreams: C:\Users\Dook\AppData\Local:gs5sys
AlternateDataStreams: C:\Users\Dook\AppData\Roaming:gs5sys
AlternateDataStreams: C:\Users\Dook\AppData\Local\Application Data:gs5sys
AlternateDataStreams: C:\Users\Dook\AppData\Local\History:gs5sys
AlternateDataStreams: C:\Users\Dook\Documents\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\35300461.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\47847442.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\35300461.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\47847442.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR250 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: sptd
Description: sptd
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: sptd
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/21/2014 06:42:06 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xd6c
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:49:43 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xdc8
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:48:11 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xc60
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:46:55 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xec8
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:46:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xd74
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:40:24 AM) (Source: System Restore) (User: )
Description: The restore point selected was damaged or deleted during the restore (Scheduled Checkpoint).

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service has failed to create the new search index. Internal error <4, 0x8004117f, Failed to add project: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects>.

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot open the Jet property store.


Details:
    0x%08x (0x8004117f - The content index server cannot update or access information because of a database error.  Stop and restart the search service.  If the problem persists, reset and recrawl the content index.  In some cases it may be necessary to delete and recreate the content index.  (HRESULT : 0x8004117f))

Error: (02/20/2014 09:36:20 PM) (Source: ESENT) (User: )
Description: Windows (1452) Windows: Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1032.

Error: (02/20/2014 09:36:20 PM) (Source: ESENT) (User: )
Description: Windows (1452) Windows: An attempt to move the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log" to "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log" failed with system error 5 (0x00000005): "Access is denied. ".  The move file operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (02/21/2014 09:32:18 AM) (Source: DCOM) (User: )
Description: 1084NVSvc{DCAB0989-1301-4319-BE5F-ADE89F88581C}

Error: (02/21/2014 07:53:57 AM) (Source: DCOM) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (02/21/2014 07:53:57 AM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (02/21/2014 07:53:41 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (02/21/2014 07:53:41 AM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (02/21/2014 07:53:35 AM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (02/21/2014 07:53:29 AM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (02/21/2014 07:53:24 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
discache
SASDIFSV
SASKUTIL
spldr
sptd
Wanarpv6

Error: (02/21/2014 07:53:24 AM) (Source: Service Control Manager) (User: )
Description: The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Error: (02/21/2014 07:53:24 AM) (Source: Service Control Manager) (User: )
Description: The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.


Microsoft Office Sessions:
=========================
Error: (02/21/2014 06:42:06 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cd6c01cf2ef9f0ae4cb1C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dll2fe5abb2-9aed-11e3-9835-485b39977c51

Error: (02/21/2014 05:49:43 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cdc801cf2ef2a00bcafeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dllde687bb3-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:48:11 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cc6001cf2ef26946ada5C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dlla7ace3db-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:46:55 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cec801cf2ef23c05645aC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dll7a588f8d-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:46:18 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cd7401cf2ef22530ddc7C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dll644e5df1-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:40:24 AM) (Source: System Restore)(User: )
Description: Scheduled Checkpoint

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service)(User: )
Description: 40x8004117fFailed to add project: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    0x%08x (0x8004117f - The content index server cannot update or access information because of a database error.  Stop and restart the search service.  If the problem persists, reset and recrawl the content index.  In some cases it may be necessary to delete and recreate the content index.  (HRESULT : 0x8004117f))

Error: (02/20/2014 09:36:20 PM) (Source: ESENT)(User: )
Description: Windows1452Windows: -1032

Error: (02/20/2014 09:36:20 PM) (Source: ESENT)(User: )
Description: Windows1452Windows: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.logC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log-1032 (0xfffffbf8)5 (0x00000005)Access is denied.


CodeIntegrity Errors:
===================================
  Date: 2012-05-17 18:42:44.756
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-05-17 18:42:44.726
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-05-17 18:42:44.706
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-05-17 18:42:44.686
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-05-17 17:13:14.234
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-05-17 17:13:14.219
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 4094.05 MB
Available physical RAM: 3081.54 MB
Total Pagefile: 10220.27 MB
Available Pagefile: 9288.04 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:5.79 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: D2A1CA1E)

Partition: GPT Partition Type.

==================== End Of Log ============================


  • Staff

Hello Poorsoul

I need you to download this script I have made for you --> fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Gringo


Here you go:

FIXLOG.txt

__________

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-02-2014
Ran by Dook at 2014-02-21 11:04:42 Run:1
Running from C:\Users\Dook\Desktop
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\CurrentVersion\Windows: [Load] C:\{$5812-5333-4513-5757-7153$}\nacl64.exe <===== ATTENTION
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}\@
C:\ProgramData\737923934.exe
C:\Users\Dook\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Dook\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Dook\AppData\Local\Temp\libusb-1.0.dll
C:\Users\Dook\AppData\Local\Temp\setup.exe
C:\Users\Dook\AppData\Local\Temp\ShellLink.dll
C:\Users\Dook\AppData\Local\Temp\steam1r.exe
C:\Users\Dook\AppData\Local\Temp\swt-win32-3448.dll
C:\Users\Dook\AppData\Local\Temp\ubi3B87.tmp.exe
C:\Users\Dook\AppData\Local\Temp\ubi5A4E.tmp.exe
C:\Users\Dook\AppData\Local\Temp\Uninstall.exe


*****************

HKU\S-1-5-21-2980796359-892880252-2195086714-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000002\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80} => Moved successfully.
"C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}\@" => File/Directory not found.
C:\ProgramData\737923934.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\libusb-1.0.dll => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\setup.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\ShellLink.dll => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\steam1r.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\swt-win32-3448.dll => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\ubi3B87.tmp.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\ubi5A4E.tmp.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\Uninstall.exe => Moved successfully.

==== End of Fixlog ====


  • Staff

Hello Poorsoul

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete, let me have the two reports and let me know how things are running.

Gringo


There is no improvement. I am running all of these in safe mode still. Outside of safe mode, those processes keep coming back and I still cannot even run lots of things, including Malwarebytes, unfortunately. JRT.exe will not run for some reason; it gives a "7-zip internal error code 105". I can manually extract the files but I do not know which program to run and don't want to experiment.

Here is the ADW cleaner log:

--------------------------------------

# AdwCleaner v3.019 - Report created 21/02/2014 at 13:24:55
# Updated 17/02/2014 by Xplode
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : Dook - DOOK-PC
# Running from : C:\Users\Dook\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\ProgramData\AlawarEntertainment
Folder Deleted : C:\ProgramData\AlawarWrapper
Folder Deleted : C:\Users\Dook\AppData\Local\Conduit
Folder Deleted : C:\Users\Dook\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Dook\AppData\Roaming\AlawarEntertainment
Folder Deleted : C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{51114877-d928-5d13-4e22-53a228937a5c}

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\14919ea49a8f3b4aa3cf1058d9a64cec
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2737658
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Adobe Updater]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Trymedia Systems

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16800


-\\ Mozilla Firefox v19.0.2 (en-US)

[ File : C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\Dook\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2820 octets] - [21/02/2014 13:19:12]
AdwCleaner[s0].txt - [2624 octets] - [21/02/2014 13:24:55]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2684 octets] ##########

Hello Poorsoul

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

Initially Combofix would not run at all, not even in safe mode. I got the following error when I attempted to execute the file (even as administrator):

"Windows cannot find 'c:\users\dook\desktop\combofix.exe' Make sure you typed the name correctly and try again."

I then changed the name of combofix.exe to 1combofix.exe and it launched and generated a log file.

I will reboot and see how things are and then come back; I just didn't want to lose this log file somehow.

Combofix log:

------------------------------

ComboFix 14-02-20.01 - Dook 02/21/2014  16:21:37.3.4 - x64 NETWORK
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4094.3410 [GMT -5:00]
Running from: c:\users\Dook\Desktop\1ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\737923934.exe
c:\temp\svchost.exe
c:\users\Dook\AppData\Local\Temp\jrt\chrome.bat
c:\users\Dook\AppData\Local\Temp\jrt\CHRregkey_x64.cfg
c:\users\Dook\AppData\Local\Temp\jrt\CHRregkey_x86.cfg
c:\users\Dook\AppData\Local\Temp\jrt\CLSID_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\currentmd5.txt
c:\users\Dook\AppData\Local\Temp\jrt\CUT.DAT
c:\users\Dook\AppData\Local\Temp\jrt\defaultscope.cfg
c:\users\Dook\AppData\Local\Temp\jrt\delfolders.bat
c:\users\Dook\AppData\Local\Temp\jrt\delorphans.bat
c:\users\Dook\AppData\Local\Temp\jrt\ELEVATIONPOLICY_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERDNT.E_E
c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERDNTDOS.LOC
c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERDNTWIN.LOC
c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERUNT.EXE.manifest
c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERUNT.LOC
c:\users\Dook\AppData\Local\Temp\jrt\erunt\README.TXT
c:\users\Dook\AppData\Local\Temp\jrt\ev_clear.bat
c:\users\Dook\AppData\Local\Temp\jrt\EXT.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFbrowsermngr.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFextensions.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFpluginREG.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFplugins.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFprefs.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFregkey_x64.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFregkey_x86.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFwhtlist.cfg
c:\users\Dook\AppData\Local\Temp\jrt\FFXML.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFXPI.dat
c:\users\Dook\AppData\Local\Temp\jrt\firefox.bat
c:\users\Dook\AppData\Local\Temp\jrt\FWCLSID.dat
c:\users\Dook\AppData\Local\Temp\jrt\IEwhtlst.cfg
c:\users\Dook\AppData\Local\Temp\jrt\IFEO.dat
c:\users\Dook\AppData\Local\Temp\jrt\INTERFACE_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\MENUEXT.dat
c:\users\Dook\AppData\Local\Temp\jrt\misc.bat
c:\users\Dook\AppData\Local\Temp\jrt\modules.dat
c:\users\Dook\AppData\Local\Temp\jrt\moduleservices.dat
c:\users\Dook\AppData\Local\Temp\jrt\newmd5.txt
c:\users\Dook\AppData\Local\Temp\jrt\NIRCMD.DAT
c:\users\Dook\AppData\Local\Temp\jrt\NOTIFY.dat
c:\users\Dook\AppData\Local\Temp\jrt\PREAPPROVED_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\PRODUCTS.dat
c:\users\Dook\AppData\Local\Temp\jrt\REGhcr.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_and_hklm_allow.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_and_hklm_software.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_software_appdatalow.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_software_microsoft.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhklm_software_classes.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGISTRYUSERSID.cfg
c:\users\Dook\AppData\Local\Temp\jrt\runvalues_x64.cfg
c:\users\Dook\AppData\Local\Temp\jrt\runvalues_x86.cfg
c:\users\Dook\AppData\Local\Temp\jrt\S1518COMPONENTS.dat
c:\users\Dook\AppData\Local\Temp\jrt\SED.DAT
c:\users\Dook\AppData\Local\Temp\jrt\sednewline.txt
c:\users\Dook\AppData\Local\Temp\jrt\services.dat
c:\users\Dook\AppData\Local\Temp\jrt\serviceseventlog.cfg
c:\users\Dook\AppData\Local\Temp\jrt\SETTINGS_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\SHORTCUT.DAT
c:\users\Dook\AppData\Local\Temp\jrt\STATS_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\temp\null.txt
c:\users\Dook\AppData\Local\Temp\jrt\TRACING.dat
c:\users\Dook\AppData\Local\Temp\jrt\TYPELIB_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\UNINSTALL.dat
c:\users\Dook\AppData\Local\Temp\jrt\UpgradeCodes.dat
c:\users\Dook\AppData\Local\Temp\jrt\WGET.DAT
c:\users\Dook\AppData\Local\Temp\jrt\WOW6432NODE.dat
c:\users\Dook\AppData\Local\Temp\pk52pezg.wuf\Menu_Select11.wav
c:\users\Dook\AppData\Local\Temp\SUPERSetup\languages.txt
c:\users\Dook\AppData\Local\Temp\SUPERSetup\setup.db3
c:\users\Dook\AppData\Local\Temp\SUPERSetup\setup.dll
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\772GECJO\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\9B32K8FB\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\BJUZKIIV\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\KRFKNLOU\desktop.ini
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\4.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\z3izla2e.o5q\Menu_Select11.wav
c:\users\Dook\AppData\Roaming\AB4D2F.dat
c:\users\Dook\AppData\Roaming\log.txt
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-21 to 2014-02-21  )))))))))))))))))))))))))))))))
.
.
2014-02-21 21:29 . 2014-02-21 21:29    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-02-21 21:29 . 2014-02-21 21:29    --------    d-----w-    c:\users\hedev\AppData\Local\temp
2014-02-21 21:29 . 2014-02-21 21:29    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-02-21 18:19 . 2014-02-21 18:24    --------    d-----w-    C:\AdwCleaner
2014-02-21 14:33 . 2014-02-21 17:28    --------    d-----w-    C:\FRST
2014-02-21 12:55 . 2014-02-21 12:55    421704    ----a-w-    c:\windows\system32\drivers\pxzsvitd.sys
2014-02-21 12:54 . 2014-02-21 12:54    421704    ----a-w-    c:\windows\system32\drivers\alskvflw.sys
2014-02-21 12:52 . 2014-02-21 12:52    421704    ----a-w-    c:\windows\system32\drivers\lrkxzijc.sys
2014-02-21 12:52 . 2014-02-21 12:52    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-02-21 12:41 . 2014-02-21 12:41    421704    ----a-w-    c:\windows\system32\drivers\ggkphcrz.sys
2014-02-21 12:32 . 2014-02-21 12:32    421704    ----a-w-    c:\windows\system32\drivers\zmavmbuo.sys
2014-02-21 11:48 . 2014-02-21 11:48    --------    d-----w-    c:\users\Dook\AppData\Roaming\SUPERAntiSpyware.com
2014-02-21 11:48 . 2014-02-21 17:30    --------    d-----w-    c:\program files\SUPERAntiSpyware
2014-02-21 11:48 . 2014-02-21 11:48    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2014-02-21 01:58 . 2014-02-21 01:59    --------    d-----w-    c:\users\Dook\AppData\Roaming\QuickScan
2014-02-21 01:08 . 2014-02-21 01:08    943777    ----a-w-    c:\windows\SysWow64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin
2014-02-21 01:04 . 2014-02-21 01:04    --------    d-----w-    c:\users\Dook\AppData\Local\Microsoft Corporation
2014-02-21 01:04 . 2014-02-21 01:04    --------    d-----w-    c:\programdata\Microsoft Corporation
2014-02-21 00:29 . 2014-02-21 00:29    --------    d-s---w-    c:\windows\SysWow64\Microsoft
2014-02-20 11:42 . 2014-02-20 11:42    --------    d-----w-    c:\users\Dook\AppData\Roaming\Basilisk Games
2014-02-20 11:13 . 2014-02-21 11:42    --------    d-----w-    C:\{$5812-5333-4513-5757-7153$}
2014-02-04 01:43 . 2014-02-04 01:43    --------    d-----w-    c:\users\Dook\AppData\Local\Octodad Dadliest Catch
2014-02-04 01:43 . 2014-02-04 01:43    --------    d-----w-    c:\programdata\CODEX
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-01-06 6563608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe"="c:\users\Dook\AppData\Roaming\Microsoft\Windows\Recent.vbe" [2013-01-20 15550]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Windows Configuration"="c:\{$5812-5333-4513-5757-7153$}\nacl64.exe" [2014-02-19 1199104]
.
c:\users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
msconfig.ini.url [2014-2-20 54]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys;c:\windows\SYSNATIVE\Drivers\sptd.sys [x]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE;c:\windows\PSEXESVC.EXE [x]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSB64.sys;c:\windows\SYSNATIVE\DRIVERS\9kdUSB64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://ixquick.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\

FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-35300461.sys
SafeBoot-47847442.sys
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
AddRemove-GOGPACKPAPERSPLEASE_is1 - c:\games\Papers
AddRemove-UnityWebPlayer - c:\users\Dook\AppData\Local\Unity\WebPlayer\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:7d,cf,5b,34,ec,48,56,42,4e,88,81,b0,58,70,a2,9c,53,42,fb,dd,c7,30,71,
   2b,c2,8e,5d,7b,e5,2c,20,76,49,a3,73,c8,75,c3,43,87,85,a3,71,31,ca,c2,89,09,\
"??"=hex:e2,bf,e6,2a,68,02,e7,0c,52,ce,22,c1,42,12,59,53
.
[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\License information*]
"datasecu"=hex:3c,a9,11,c3,79,9f,72,00,7d,67,71,ff,bc,ee,af,78,a2,74,45,58,80,
   1a,0e,82,c7,b5,b9,b9,1e,c7,28,41,16,66,87,aa,ca,e5,71,03,93,5c,e5,b9,af,0d,\
"rkeysecu"=hex:20,5c,10,af,cd,f4,aa,f1,13,38,db,b1,20,73,47,4f
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-21  16:31:43
ComboFix-quarantined-files.txt  2014-02-21 21:31
.
Pre-Run: 6,396,448,768 bytes free
Post-Run: 7,458,119,680 bytes free
.
- - End Of File - - E784641523815399F56707B12A31C67A
A36C5E4F47E84449FF07ED3517B43A31

  • Staff

Hello Poorsoul

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10. Verify that your system is now functioning normally.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.

Send me the reports made from MBAR and RogueKiller and also let me know how the computer is doing at this time.

Gringo


Noticeable difference once you got MBAR running, no more popups on reboot, I can d/l with firefox now and it looks like I might have permissions restored as well. Thanks!

Here are some log files:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.013000 GHz
Memory total: 4292923392, free: 2510106624

Downloaded database version: v2014.02.22.01
Downloaded database version: v2014.02.20.01
=======================================
Initializing...
------------ Kernel report ------------
     02/21/2014 21:40:20
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\spoa.sys
\SystemRoot\System32\Drivers\WMILIB.SYS
\SystemRoot\System32\Drivers\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\ACPI.sys
\SystemRoot\system32\DRIVERS\msisadrv.sys
\SystemRoot\system32\DRIVERS\vdrvroot.sys
\SystemRoot\system32\DRIVERS\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\atapi.sys
\SystemRoot\system32\DRIVERS\ataport.SYS
\SystemRoot\system32\DRIVERS\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\ASACPI.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\System32\Drivers\a3y6iww9.SYS
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\atksgt.sys
\SystemRoot\system32\DRIVERS\lirsgt.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\shell32.dll
\Windows\System32\imm32.dll
\Windows\System32\msctf.dll
\Windows\System32\lpk.dll
\Windows\System32\urlmon.dll
\Windows\System32\Wldap32.dll
\Windows\System32\nsi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\user32.dll
\Windows\System32\psapi.dll
\Windows\System32\setupapi.dll
\Windows\System32\gdi32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\oleaut32.dll
\Windows\System32\iertutil.dll
\Windows\System32\difxapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\ole32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\kernel32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\wininet.dll
\Windows\System32\imagehlp.dll
\Windows\System32\advapi32.dll
\Windows\System32\usp10.dll
\Windows\System32\normaliz.dll
\Windows\System32\comdlg32.dll
\Windows\System32\sechost.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\wintrust.dll
\Windows\System32\devobj.dll
\Windows\System32\comctl32.dll
\Windows\System32\crypt32.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004acb060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa800484f060
Lower Device Driver Name: \Driver\atapi\
IRP handler 0 of \Driver\atapi points to an unknown module
Unhooking enabled.
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004acb060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa800484f060
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004acb060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004acbb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004acb060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800484d520, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa800484f060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a009e504e0, 0xfffffa8004acb060, 0xfffffa8005057790
Lower DeviceData: 0xfffff8a003a07300, 0xfffffa800484f060, 0xfffffa8004db8430
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D2A1CA1E

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 976564224

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Infected: C:\ProgramData\737923934.exe --> [Trojan.Agent]
Infected: C:\Users\Dook\AppData\Local\Temp\phatk121016.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\scrypt130511.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\diablo130302.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\poclbm130302.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\diakgcn121016.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.ini.url --> [Trojan.Agent]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERAntiSpyware.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BDAGENT.EXE|Debugger --> [security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERAntiSpyware.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BDAGENT.EXE|Debugger --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger --> [security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Configuration --> [Trojan.Agent]
Infected: C:\{$5812-5333-4513-5757-7153$} --> [Trojan.Agent.BCM]
Infected: C:\{$5812-5333-4513-5757-7153$}\737923934 --> [Trojan.Agent.BCM]
Infected: C:\{$5812-5333-4513-5757-7153$}\nacl64.exe --> [Trojan.Agent.BCM]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NACL64.EXE --> [Trojan.Agent.BCM]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NACL64.EXE --> [Trojan.Agent.BCM]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load --> [Trojan.Agent.BCM]
Infected: C:\{$5812-5333-4513-5757-7153$}\nacl64.exe --> [Trojan.Agent.BCM]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.013000 GHz
Memory total: 4292923392, free: 2946220032

=======================================
Initializing...
------------ Kernel report ------------
     02/21/2014 22:09:31
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\drivers\imofugc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\spkw.sys
\SystemRoot\System32\Drivers\WMILIB.SYS
\SystemRoot\System32\Drivers\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\ACPI.sys
\SystemRoot\system32\DRIVERS\msisadrv.sys
\SystemRoot\system32\DRIVERS\vdrvroot.sys
\SystemRoot\system32\DRIVERS\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\atapi.sys
\SystemRoot\system32\DRIVERS\ataport.SYS
\SystemRoot\system32\DRIVERS\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\ASACPI.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\System32\Drivers\akpvt71p.SYS
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\atksgt.sys
\SystemRoot\system32\DRIVERS\lirsgt.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\setupapi.dll
\Windows\System32\ole32.dll
\Windows\System32\gdi32.dll
\Windows\System32\iertutil.dll
\Windows\System32\msctf.dll
\Windows\System32\clbcatq.dll
\Windows\System32\imm32.dll
\Windows\System32\nsi.dll
\Windows\System32\urlmon.dll
\Windows\System32\psapi.dll
\Windows\System32\user32.dll
\Windows\System32\normaliz.dll
\Windows\System32\wininet.dll
\Windows\System32\advapi32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\sechost.dll
\Windows\System32\shlwapi.dll
\Windows\System32\lpk.dll
\Windows\System32\imagehlp.dll
\Windows\System32\kernel32.dll
\Windows\System32\usp10.dll
\Windows\System32\shell32.dll
\Windows\System32\difxapi.dll
\Windows\System32\msvcrt.dll
\Windows\System32\Wldap32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\crypt32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\comctl32.dll
\Windows\System32\wintrust.dll
\Windows\System32\devobj.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004abe060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa8004841060
Lower Device Driver Name: \Driver\atapi\
IRP handler 0 of \Driver\atapi points to an unknown module
Unhooking enabled.
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004abe060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa8004841060
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004abe060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80049468c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004abe060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004858520, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8004841060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a00bd27590, 0xfffffa8004abe060, 0xfffffa80045d0790
Lower DeviceData: 0xfffff8a00bce57f0, 0xfffffa8004841060, 0xfffffa800452de40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D2A1CA1E

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 976564224

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Infected: C:\Users\Dook\AppData\Local\Temp\svchost.exe --> [Trojan.BitCoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\phatk121016.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\scrypt130511.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\diablo130302.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\poclbm130302.cl --> [Trojan.BitcoinMiner]
Infected: C:\Users\Dook\AppData\Local\Temp\diakgcn121016.cl --> [Trojan.BitcoinMiner]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

 

RKreport did not generate an "RKreport(2).txt" file, but here is a file it generated

 

RogueKiller V8.8.8 _x64_ [Feb 19 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Dook [Admin rights]
Mode : Scan -- Date : 02/21/2014 22:29:07
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721050CLA362 ATA Device +++++
--- User ---
[MBR] 79afe5bcbfc5f257e57928f6acf34914
[bSP] 1f84320b928eeee4fd2e6532c395516f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02212014_222907.txt >>
RKreport[0]_D_02212014_220541.txt;RKreport[0]_S_02212014_220257.txt


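
The `[security.Hijack]` lines in the MBAR log above are Image File Execution Options (IFEO) entries: when a subkey named after an executable carries a `Debugger` value, Windows launches that "debugger" instead of the requested program, which is why mbam.exe, MsMpEng.exe, SUPERAntiSpyware.exe and the other tools listed either crashed or never started. The following PowerShell is an added example written for this page, not code from the thread, from Malwarebytes or from RogueKiller. It enumerates IFEO `Debugger` values in both the native and WOW6432Node views (the log shows the same hijacks planted under each) and reads the per-user `Windows\Load` autorun that was also flagged. The watch list of tool names is an assumption taken from the log and should be extended to whatever security software runs on the host.

```powershell
# Added example: list IFEO "Debugger" hijacks and the HKCU Windows\Load autorun
# on a live Windows host. Run from an elevated PowerShell prompt.

function Get-IfeoDebuggerEntries {
    # Both registry views are checked; the log above shows the same keys under each.
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($base in $bases) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $base) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger `
                        -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # The value may be quoted and may carry arguments; keep only the program path.
            $exe = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { $dbg.Split(' ')[0] }
            [pscustomobject]@{
                View     = if ($base -like '*WOW6432Node*') { 'WOW6432Node' } else { 'Native' }
                Image    = $key.PSChildName
                Debugger = $dbg
                Exists   = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            }
        }
    }
}

function Get-UserLoadValue {
    # HKCU\...\Windows\Load is a legacy autorun that is almost never used legitimately.
    $path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    (Get-ItemProperty -LiteralPath $path -Name Load -ErrorAction SilentlyContinue).Load
}

# Assumed watch list, taken from the image names the MBAR log shows being redirected.
$watch = 'mbam.exe','MsMpEng.exe','MSASCui.exe','msseces.exe','MpCmdRun.exe','ComboFix.exe',
         'hijackthis.exe','SUPERAntiSpyware.exe','spybotsd.exe','avcenter.exe','avguard.exe',
         'AVP.EXE','BDAGENT.EXE','EGUI.EXE','zlclient.exe','wireshark.exe','keyscrambler.exe',
         'ccuac.exe'

foreach ($e in Get-IfeoDebuggerEntries) {
    # -contains compares strings case-insensitively, matching the mixed case in the log.
    $flag = if ($watch -contains $e.Image) { 'SECURITY TOOL REDIRECTED' }
            elseif (-not $e.Exists)       { 'debugger path missing: launch is blocked' }
            else                           { 'review' }
    '{0,-12} {1,-24} -> {2}  [{3}]' -f $e.View, $e.Image, $e.Debugger, $flag
}

$load = Get-UserLoadValue
if ($load) { "HKCU Windows\Load = $load  [unexpected autorun, inspect the target]" }
```

A `Debugger` value is not proof of infection on its own: Visual Studio's just-in-time debugger and some application-compatibility setups register one deliberately, and other IFEO values such as `GlobalFlag` are benign. Treat any entry whose target is a security tool, or whose debugger path points at a non-existent file or into a user's Temp directory, as a hijack, and remove it only after confirming what it points at.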

  • Staff

Hello Poorsoul

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.

Gringo


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
