Possible WGA malware infection



Hi,

 

My PC recently has been acting up, with explore.exe taking up 2GB or more of memory and 40% or more CPU usage. I think that I may have been infected with malware, as I have rebooted several times and the symptoms still persist.

 

I would like to request assistance on how to clean this malware and not have to reformat my PC if possible :(

 

Thanks in advance for any help given!


Hello NoIEever, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
General P2P/Piracy Notice:
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • If you are unable to copy/paste your logs directly into your post, please attach the file.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the Follow button at the top of the page.

======================================================
 
STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply.

STEP 2
Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

STEP 3
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the file in your next reply.

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM scan log
  • FRST.txt
  • Addition.txt
  • TDSSKiller log (attached!)

Hi Adam,

 

Thank you so much for your help!

 

I would like to note a few things before posting the logs. Here are some of the changes that happened after I had posted my initial request for help:

1) My Antivirus scanner completed its scan and quarantined this file

    C:\ProgramData\Windows Genuine Advantage\{C24D71A9-0E03-4114-8598-F3B6099F337E}\api-ms-win-system-neth-l1-1-0.dll

2) MBAM also quarantined this file

    C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll

 

After a reboot, explore.exe no longer seems to run funny and take up huge amounts of CPU and memory. However, I am not entirely sure if the malware/problem is still there, so here are the logs requested:

 

MBAM scan log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/1/2014
Scan Time: 10:16:10 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.12.01.02
Rootkit Database: v2014.11.30.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: kwchoo

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320241
Time Elapsed: 9 min, 40 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-12-2014
Ran by kwchoo (administrator) on LIANLI-PC on 01-12-2014 22:51:22
Running from C:\Users\kwchoo\Desktop
Loaded Profile: kwchoo (Available profiles: kwchoo)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(北京悠然天地科技有限公司) C:\Program Files (x86)\kuaiyong\DRM\KYDeviceServer.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Windows\SysWOW64\NMSAccessU.exe
(Splashtop Inc.) C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
(Splashtop Inc.) C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
(CyberGhost S.R.L) C:\Program Files\CyberGhost 5\Service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
() C:\Users\kwchoo\Desktop\PortableApps\NetMeter v1.1.41\NetMeter.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13196432 2012-09-26] (Realtek Semiconductor)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [4090824 2012-11-16] (ESET)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2419512 2012-11-05] (Logitech, Inc.)
HKLM-x32\...\Run: [startCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642728 2012-09-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe [43632 2010-01-19] ()
HKLM-x32\...\Run: [RUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-20] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3673728 2012-11-06] (DT Soft Ltd)
HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\Run: [NetMeter] => C:\Users\kwchoo\Desktop\PortableApps\NetMeter v1.1.41\NetMeter.exe [293888 2011-02-05] ()
HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\MountPoints2: {46d02078-dfda-11e3-ae83-4061860c485d} - G:\Windows\CHECK\DriveNavigator.exe
ShellIconOverlayIdentifiers: [iDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll (Tonec Inc.)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3521432705-3805891651-312030912-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://malaysia.msn.com/?rd=1&ucc=MY&dcc=MY&opt=0&ocid=iehp&tc=4
HKU\S-1-5-21-3521432705-3805891651-312030912-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA83ABB57C5DACD01
HKU\S-1-5-21-3521432705-3805891651-312030912-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll (Internet Download Manager, Tonec Inc.)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll (Logitech, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_168.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_168.dll ()
FF Plugin-x32: @kuaiyong.yrtd.com,version=1.0.1.1 -> C:\Program Files (x86)\kuaiyong\np_kyplugin.dll (YRTD)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll (Nullsoft, Inc.)
FF Extension: Flashblock - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2013-04-18]
FF Extension: Alldebrid - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\alldebrid@alldebrid.com.xpi [2014-04-07]
FF Extension: AutoCopy 2 - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\autocopy2@teo.pl.xpi [2014-03-06]
FF Extension: Element Hiding Helper for Adblock Plus - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\elemhidehelper@adblockplus.org.xpi [2014-02-21]
FF Extension: FireGestures - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\firegestures@xuldev.org.xpi [2012-12-16]
FF Extension: Session Manager - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-08-12]
FF Extension: FlashGot - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2012-12-16]
FF Extension: LittleFox - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{29852C08-1E91-4889-A6BF-C77F91D6A8F3}.xpi [2012-12-16]
FF Extension: ScrapBook - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}.xpi [2012-12-16]
FF Extension: Adblock Plus - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-12-16]
FF Extension: Tab Mix Plus - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2012-12-16]
FF Extension: Greasemonkey - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2014-02-21]
FF Extension: Always on Top - C:\Users\kwchoo\AppData\Roaming\Mozilla\Firefox\Profiles\kgrm01k3.default\Extensions\{E6C93316-271E-4b3d-8D7E-FE11B4350AEB}.xpi [2014-08-13]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2012-12-21]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012-12-16]
FF HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\kwchoo\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\kwchoo\AppData\Roaming\IDM\idmmzcc5 [2014-08-12]
FF HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\kwchoo\AppData\Roaming\IDM\idmmzcc5

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [edaibbiobngpbmeonadpbfafbkimjbdd] - C:\ProgramData\Logitech\LogiSmoothChromeExt.crx [2012-12-21]
CHR HKLM-x32\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2014-08-11]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 CGVPNCliService; C:\Program Files\CyberGhost 5\Service.exe [64624 2014-06-12] (CyberGhost S.R.L)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2443960 2014-10-30] (Microsoft Corporation)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [913184 2012-11-16] (ESET)
R2 KYDeviceServer; C:\Program Files (x86)\kuaiyong\DRM\KYDeviceServer.exe [140096 2013-11-11] (北京悠然天地科技有限公司)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 NMSAccess; C:\Windows\SysWOW64\NMSAccessU.exe [71096 2009-01-12] ()
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [37176 2013-08-23] (The OpenVPN Project)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 arusb_win7x; C:\Windows\System32\DRIVERS\arusb_win7x.sys [769024 2010-06-01] (Atheros Communications, Inc.)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [209808 2012-11-16] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [148528 2012-03-28] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [137144 2012-03-28] (ESET)
R2 IntelHaxm; C:\Windows\System32\DRIVERS\IntelHaxm.sys [85008 2012-05-22] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-01] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
R3 rusb3hub; C:\Windows\System32\DRIVERS\rusb3hub.sys [114568 2012-08-27] (Renesas Electronics Corporation)
R3 rusb3xhc; C:\Windows\System32\DRIVERS\rusb3xhc.sys [230280 2012-08-27] (Renesas Electronics Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-08-12] (Duplex Secure Ltd.)
U5 UnlockerDriver5; C:\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
U3 af5o1hce; C:\Windows\System32\Drivers\af5o1hce.sys [0 ] (Advanced Micro Devices)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 22:30 - 2014-12-01 22:51 - 00015295 _____ () C:\Users\kwchoo\Desktop\FRST.txt
2014-12-01 22:29 - 2014-12-01 22:51 - 00000000 ____D () C:\FRST
2014-12-01 22:28 - 2014-12-01 22:28 - 02117120 _____ (Farbar) C:\Users\kwchoo\Desktop\FRST64.exe
2014-12-01 21:09 - 2014-12-01 21:09 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-01 21:09 - 2014-12-01 21:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-01 21:09 - 2014-12-01 21:09 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-01 21:09 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-01 21:09 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-01 20:35 - 2014-12-01 21:16 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-01 20:35 - 2014-12-01 21:09 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-01 20:35 - 2014-12-01 20:51 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-01 20:34 - 2014-12-01 20:51 - 00000000 ____D () C:\Users\kwchoo\Desktop\mbar
2014-12-01 20:34 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-01 20:32 - 2014-12-01 20:32 - 16448208 _____ (Malwarebytes Corp.) C:\Users\kwchoo\Desktop\mbar-1.08.2.1001.exe
2014-12-01 17:50 - 2014-12-01 17:50 - 00000000 ____D () C:\Users\kwchoo\Desktop\ProcessExplorer
2014-12-01 15:37 - 2014-12-01 19:02 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-12-01 15:37 - 2014-12-01 15:37 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-02 23:26 - 2014-11-02 23:26 - 00009156 _____ () C:\Users\kwchoo\Desktop\All RO Songs.m3u

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 22:51 - 2013-02-23 00:28 - 00000000 ____D () C:\Users\kwchoo\AppData\Roaming\Skype
2014-12-01 21:27 - 2012-12-15 18:33 - 01076047 _____ () C:\Windows\WindowsUpdate.log
2014-12-01 21:19 - 2009-07-14 15:45 - 00016944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-01 21:19 - 2009-07-14 15:45 - 00016944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-01 21:12 - 2012-12-16 21:11 - 00172596 _____ () C:\Windows\PFRO.log
2014-12-01 21:12 - 2009-07-14 16:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-01 21:12 - 2009-07-14 15:51 - 00087054 _____ () C:\Windows\setupact.log
2014-12-01 21:11 - 2012-12-16 20:48 - 00000000 ____D () C:\Users\kwchoo\AppData\Roaming\DMCache
2014-12-01 19:50 - 2012-12-16 01:24 - 00000000 ____D () C:\ProgramData\TEMP
2014-12-01 18:10 - 2013-03-22 02:54 - 00007623 _____ () C:\Users\kwchoo\AppData\Local\Resmon.ResmonCfg
2014-11-22 01:25 - 2014-10-24 01:50 - 00009350 _____ () C:\Users\kwchoo\AppData\Localtransition_569b2c4b9bcb90cf036714add3a312f6.ini
2014-11-21 15:17 - 2014-03-18 17:11 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-11-20 04:40 - 2013-01-01 18:51 - 00396450 _____ () C:\Windows\system32\perfh011.dat
2014-11-20 04:40 - 2013-01-01 18:51 - 00106316 _____ () C:\Windows\system32\perfc011.dat
2014-11-20 04:40 - 2009-07-14 16:13 - 01220036 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-12 02:03 - 2014-06-18 04:35 - 00019091 _____ () C:\Users\kwchoo\Desktop\HV FS.txt
2014-11-11 02:29 - 2012-12-16 20:48 - 00000000 ____D () C:\Users\kwchoo\Downloads\Video

Some content of TEMP:
====================
C:\Users\kwchoo\AppData\Local\Temp\bassmod.dll
C:\Users\kwchoo\AppData\Local\Temp\Foxit Updater.exe
C:\Users\kwchoo\AppData\Local\Temp\install_flashplayer12x32au_mssd_aaa_aih.exe
C:\Users\kwchoo\AppData\Local\Temp\LMkRstPt.exe
C:\Users\kwchoo\AppData\Local\Temp\SkypeSetup.exe
C:\Users\kwchoo\AppData\Local\Temp\System.Data.SQLite.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-30 12:55

==================== End Of Log ============================

 

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-12-2014
Ran by kwchoo at 2014-12-01 22:51:41
Running from C:\Users\kwchoo\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET NOD32 Antivirus 5.2 (Enabled - Up to date) {77DEAFED-8149-104B-25A1-21771CA47CD1}
AS: ESET NOD32 Antivirus 5.2 (Enabled - Up to date) {CCBF4E09-A773-1FC5-1F11-1A056723366C}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.8.800.94 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.8.800.168 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{46DA7FD9-8BC1-7BA8-98D1-27F46647871B}) (Version: 8.0.891.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Appledriver_64bit 豎 11.1.1.11 (HKLM-x32\...\{7BAC362A-44D1-4B1D-A578-B898A79DA8B5}_is1) (Version: 11.1.1.11 - )
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Castle Crashers (HKLM-x32\...\Castle Crashers_is1) (Version:  - )
Combined Community Codec Pack 2013-08-01 (HKLM-x32\...\Combined Community Codec Pack_is1) (Version: 2013.08.01.0 - CCCP Project)
CyberGhost 5 (HKLM\...\CyberGhost 5_is1) (Version:  - CyberGhost S.R.L.)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.46.1.0327 - DT Soft Ltd)
Diablo III (HKLM-x32\...\Diablo III) (Version:  - Blizzard Entertainment)
eReg (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
ESET NOD32 Antivirus (HKLM\...\{8A22EA5F-5507-4DC1-BD30-43C1EB95BFBD}) (Version: 5.2.15.0 - ESET, spol. s r.o.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 5.4.4.1128 - Foxit Corporation)
Intel® Hardware Accelerated Execution Manager (HKLM\...\{7824FFE2-E5BE-4530-91AA-C1F442FD4A82}) (Version: 1.0.1 - Intel Corporation)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.00.0000 - JMicron Technology Corp.)
Logitech SetPoint 6.51 (HKLM\...\sp6) (Version: 6.51.8 - Logitech)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 15.0.4667.1002 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 31.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
NVIDIA PhysX (HKLM-x32\...\{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}) (Version: 9.12.0213 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
OpenVPN 2.3.2-I003  (HKLM\...\OpenVPN) (Version: 2.3.2-I003 - )
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6738 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.23.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 3.0.23.0 - Renesas Electronics Corporation) Hidden
Skype™ 6.14 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.14.104 - Skype Technologies S.A.)
Splashtop Software Updater (HKLM-x32\...\Splashtop Software Updater) (Version: 1.5.6.15 - Splashtop Inc.)
Splashtop Streamer (HKLM-x32\...\{B7C5EA94-B96A-41F5-BE95-25D78B486678}) (Version: 2.5.5.4 - Splashtop Inc.)
SpywareBlaster 5.0 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
SyncBackPro (HKLM-x32\...\SyncBackPro_is1) (Version: 6.2.0.15 - 2BrightSparks)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
TP-LINK Wireless Client Utility (HKLM-x32\...\{5EF44D3A-E86E-434C-8418-71E277C565DF}) (Version: 2.0 - TP-LINK)
Universal Adb Driver (HKLM-x32\...\{D9C4202E-6D51-4B06-A8F1-22316E654BCA}) (Version: 1.0.0 - ClockworkMod)
Wakfu (HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\wakfu) (Version:  - Ankama Games)
Winamp (HKLM-x32\...\Winamp) (Version: 5.63  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
・鋓摠 2.0.5.3 (HKLM-x32\...\{2E3FA0CF-AC2D-4E6F-8EF3-D75E91681441}_is1) (Version: 2.0.5.3 - ・)
・枻・豎 2.123 (HKLM-x32\...\{0B41A8C4-1FB8-4B8B-B8FE-D643A617A7DB}_is1) (Version: 2.123 - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3521432705-3805891651-312030912-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll No File

==================== Restore Points  =========================

30-11-2014 02:02:43 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 13:34 - 2009-06-11 08:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {10761916-EC10-4439-A859-43E840C46FEA} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2014-10-07] (Microsoft Corporation)
Task: {388D1844-36FB-4184-8065-0E1252F616ED} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {B4C67406-3586-4452-8FAE-9FE7B1DE71A9} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-08] (Microsoft Corporation)
Task: {BB9CDD66-C9D9-4EC6-B294-5D1091907521} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-08] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) =============

2014-03-18 17:11 - 2014-05-20 09:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2013-06-16 21:29 - 2009-01-12 11:15 - 00071096 _____ () C:\Windows\SysWOW64\NMSAccessU.exe
2012-12-17 00:39 - 2011-02-05 05:47 - 00293888 _____ () C:\Users\kwchoo\Desktop\PortableApps\NetMeter v1.1.41\NetMeter.exe
2014-11-21 15:15 - 2014-09-24 00:36 - 08897696 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2013-09-13 22:51 - 2013-09-13 22:51 - 00087952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2013-09-13 22:51 - 2013-09-13 22:51 - 01242952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-11-21 15:15 - 2014-09-23 22:43 - 08897696 _____ () C:\Program Files\Microsoft Office 15\root\Office15\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-3521432705-3805891651-312030912-500 - Administrator - Disabled)
Guest (S-1-5-21-3521432705-3805891651-312030912-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3521432705-3805891651-312030912-1003 - Limited - Enabled)
kwchoo (S-1-5-21-3521432705-3805891651-312030912-1000 - Administrator - Enabled) => C:\Users\kwchoo

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (12/01/2014 10:46:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17514, time stamp: 0x4ce7a144
Faulting module name: SHELL32.dll, version: 6.1.7601.18222, time stamp: 0x51f1ddfa
Exception code: 0xc000041d
Fault offset: 0x00000000000a0f11
Faulting process id: 0xabc
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (12/01/2014 09:48:50 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/30/2014 00:56:06 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/21/2014 03:54:29 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/19/2014 01:50:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program java.exe version 7.0.400.43 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: db4

Start Time: 01d003999f6c92c6

Termination Time: 144

Application Path: C:\Program Files (x86)\Wakfu\game\jre\win32\x86\bin\java.exe

Report Id:

Error: (11/15/2014 09:14:14 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/12/2014 03:01:14 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/10/2014 03:33:44 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/09/2014 02:38:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Skype.exe, version: 6.14.0.104, time stamp: 0x52f90e3e
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xe0fafafa
Fault offset: 0x00000000
Faulting process id: 0x14b4
Faulting application start time: 0xSkype.exe0
Faulting application path: Skype.exe1
Faulting module path: Skype.exe2
Report Id: Skype.exe3

Error: (11/08/2014 04:56:00 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Skype.exe, version: 6.14.0.104, time stamp: 0x52f90e3e
Faulting module name: Skype.exe, version: 6.14.0.104, time stamp: 0x52f90e3e
Exception code: 0x40000015
Fault offset: 0x00ab5b0e
Faulting process id: 0x394
Faulting application start time: 0xSkype.exe0
Faulting application path: Skype.exe1
Faulting module path: Skype.exe2
Report Id: Skype.exe3

System errors:
=============
Error: (11/30/2014 00:59:21 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (11/30/2014 00:24:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CyberGhost 5 Client Service service failed to start due to the following error:
%%1053

Error: (11/30/2014 00:24:01 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CyberGhost 5 Client Service service to connect.

Error: (11/19/2014 00:16:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CyberGhost 5 Client Service service failed to start due to the following error:
%%1053

Error: (11/19/2014 00:16:04 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CyberGhost 5 Client Service service to connect.

Error: (11/18/2014 02:18:30 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80070420

Error: (11/13/2014 06:12:05 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CyberGhost 5 Client Service service failed to start due to the following error:
%%1053

Error: (11/13/2014 06:12:05 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CyberGhost 5 Client Service service to connect.

Error: (11/12/2014 04:33:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CyberGhost 5 Client Service service failed to start due to the following error:
%%1053

Error: (11/12/2014 04:33:46 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CyberGhost 5 Client Service service to connect.

Microsoft Office Sessions:
=========================
Error: (12/01/2014 10:46:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Explorer.EXE6.1.7601.175144ce7a144SHELL32.dll6.1.7601.1822251f1ddfac000041d00000000000a0f11abc01d00d4f67866d56C:\Windows\Explorer.EXEC:\Windows\system32\SHELL32.dllb1bb1f29-794f-11e4-8dd1-4061860c485d

Error: (12/01/2014 09:48:50 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"c:\program files\microsoft office 15\root\office15\lync.exe.Manifestc:\program files\microsoft office 15\root\office15\UccApi.DLL1

Error: (11/30/2014 00:56:06 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"c:\program files\microsoft office 15\root\office15\lync.exe.Manifestc:\program files\microsoft office 15\root\office15\UccApi.DLL1

Error: (11/21/2014 03:54:29 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"c:\program files\microsoft office 15\root\office15\lync.exe.Manifestc:\program files\microsoft office 15\root\office15\UccApi.DLL1

Error: (11/19/2014 01:50:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: java.exe7.0.400.43db401d003999f6c92c6144C:\Program Files (x86)\Wakfu\game\jre\win32\x86\bin\java.exe

Error: (11/15/2014 09:14:14 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"c:\program files\microsoft office 15\root\office15\lync.exe.Manifestc:\program files\microsoft office 15\root\office15\UccApi.DLL1

Error: (11/12/2014 03:01:14 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"c:\program files\microsoft office 15\root\office15\lync.exe.Manifestc:\program files\microsoft office 15\root\office15\UccApi.DLL1

Error: (11/10/2014 03:33:44 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"c:\program files\microsoft office 15\root\office15\lync.exe.Manifestc:\program files\microsoft office 15\root\office15\UccApi.DLL1

Error: (11/09/2014 02:38:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Skype.exe6.14.0.10452f90e3eunknown0.0.0.000000000e0fafafa0000000014b401cffb082ca3f8aaC:\Program Files (x86)\Skype\Phone\Skype.exeunknown403a7980-675d-11e4-9453-4061860c485d

Error: (11/08/2014 04:56:00 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Skype.exe6.14.0.10452f90e3eSkype.exe6.14.0.10452f90e3e4000001500ab5b0e39401cffa89d59c9deaC:\Program Files (x86)\Skype\Phone\Skype.exeC:\Program Files (x86)\Skype\Phone\Skype.exe5476cdcc-66a7-11e4-9453-4061860c485d

CodeIntegrity Errors:
===================================
  Date: 2013-09-22 22:37:39.078
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-09-22 22:37:39.047
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-09-22 22:37:39.000
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-09-22 22:37:38.969
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Core i5 CPU 750 @ 2.67GHz
Percentage of memory in use: 14%
Total physical RAM: 16375.12 MB
Available physical RAM: 14070.34 MB
Total Pagefile: 32748.42 MB
Available Pagefile: 30015.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.9 GB) (Free:36.83 GB) NTFS
Drive d: (Data1) (Fixed) (Total:781.51 GB) (Free:150.66 GB) NTFS
Drive e: (Data2) (Fixed) (Total:2794.39 GB) (Free:131.89 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: E3878E99)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=781.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================

TDSSKiller.3.0.0.41_01.12.2014_22.57.26_log.txt


Hello, 
 
Sorry for the delay. 
 

I would like to note a few things before posting the logs.

Thank you for letting me know. 
 
 
Do you recognise the following programmes?

  • ソ・テニサケ鋓摠ヨ 2.0.5.3 
  • ソ・テラハヤエケワタ枻・ー豎セ 2.123
  • kuaiyong
     

Please do the following. 
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    start
    HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\MountPoints2: {46d02078-dfda-11e3-ae83-4061860c485d} - G:\Windows\CHECK\DriveNavigator.exe
    U3 af5o1hce; C:\Windows\System32\Drivers\af5o1hce.sys [0 ] (Advanced Micro Devices)
    S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    2014-12-01 15:37 - 2014-12-01 19:02 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
    2014-12-01 15:37 - 2014-12-01 15:37 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
    C:\Users\kwchoo\AppData\Local\Temp\bassmod.dll
    C:\Users\kwchoo\AppData\Local\Temp\Foxit Updater.exe
    C:\Users\kwchoo\AppData\Local\Temp\install_flashplayer12x32au_mssd_aaa_aih.exe
    C:\Users\kwchoo\AppData\Local\Temp\LMkRstPt.exe
    C:\Users\kwchoo\AppData\Local\Temp\SkypeSetup.exe
    C:\Users\kwchoo\AppData\Local\Temp\System.Data.SQLite.dll
    CustomCLSID: HKU\S-1-5-21-3521432705-3805891651-312030912-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll No File
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end

  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
RogueKiller

  • Please download RogueKiller (x64) and save the file to your Desktop.
  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click jpgUwzp.png. Upon completion, click phPvmc6.png.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Do you recognise the programmes?
  • Fixlog.txt
  • RKreport.txt

Do you recognise the programmes?

Yeah, I do. They are a Chinese language type of program installed. I did not change my Unicode settings, hence the weird symbols.

 

Here are the logs:

 

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-12-2014
Ran by kwchoo at 2014-12-02 21:14:00 Run:1
Running from C:\Users\kwchoo\Desktop
Loaded Profile: kwchoo (Available profiles: kwchoo)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKU\S-1-5-21-3521432705-3805891651-312030912-1000\...\MountPoints2: {46d02078-dfda-11e3-ae83-4061860c485d} - G:\Windows\CHECK\DriveNavigator.exe
U3 af5o1hce; C:\Windows\System32\Drivers\af5o1hce.sys [0 ] (Advanced Micro Devices)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2014-12-01 15:37 - 2014-12-01 19:02 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-12-01 15:37 - 2014-12-01 15:37 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
C:\Users\kwchoo\AppData\Local\Temp\bassmod.dll
C:\Users\kwchoo\AppData\Local\Temp\Foxit Updater.exe
C:\Users\kwchoo\AppData\Local\Temp\install_flashplayer12x32au_mssd_aaa_aih.exe
C:\Users\kwchoo\AppData\Local\Temp\LMkRstPt.exe
C:\Users\kwchoo\AppData\Local\Temp\SkypeSetup.exe
C:\Users\kwchoo\AppData\Local\Temp\System.Data.SQLite.dll
CustomCLSID: HKU\S-1-5-21-3521432705-3805891651-312030912-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll No File
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************

"HKU\S-1-5-21-3521432705-3805891651-312030912-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46d02078-dfda-11e3-ae83-4061860c485d}" => Key deleted successfully.
"HKCR\CLSID\{46d02078-dfda-11e3-ae83-4061860c485d}" => Key not found.
af5o1hce => Service not found.
EagleX64 => Service deleted successfully.
Synth3dVsc => Service deleted successfully.
tsusbhub => Service deleted successfully.
VGPU => Service deleted successfully.
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} => Moved successfully.
C:\ProgramData\Windows Genuine Advantage => Moved successfully.
C:\Users\kwchoo\AppData\Local\Temp\bassmod.dll => Moved successfully.
C:\Users\kwchoo\AppData\Local\Temp\Foxit Updater.exe => Moved successfully.
C:\Users\kwchoo\AppData\Local\Temp\install_flashplayer12x32au_mssd_aaa_aih.exe => Moved successfully.
C:\Users\kwchoo\AppData\Local\Temp\LMkRstPt.exe => Moved successfully.
C:\Users\kwchoo\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\kwchoo\AppData\Local\Temp\System.Data.SQLite.dll => Moved successfully.
"HKU\S-1-5-21-3521432705-3805891651-312030912-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}" => Key deleted successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh winsock reset all =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Subinterface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

=========  netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

EmptyTemp: => Removed 2.4 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====

 

RKreport.txt

RogueKiller V10.0.8.0 (x64) [Nov 20 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : kwchoo [Administrator]
Mode : Scan -- Date : 12/02/2014  21:28:30

¤¤¤ Processes : 1 ¤¤¤
[suspicious.Path] NetMeter.exe -- C:\Users\kwchoo\Desktop\PortableApps\NetMeter v1.1.41\NetMeter.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 11 ¤¤¤
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3521432705-3805891651-312030912-1000\Software\Microsoft\Windows\CurrentVersion\Run | NetMeter : C:\Users\kwchoo\Desktop\PortableApps\NetMeter v1.1.41\NetMeter.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3521432705-3805891651-312030912-1000\Software\Microsoft\Windows\CurrentVersion\Run | NetMeter : C:\Users\kwchoo\Desktop\PortableApps\NetMeter v1.1.41\NetMeter.exe  -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnlockerDriver5 (\??\C:\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys) -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UnlockerDriver5 (\??\C:\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys) -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UnlockerDriver5 (\??\C:\Users\kwchoo\Desktop\PortableApps\Unlocker Portable v1.90\UnlockerDriver5.sys) -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3521432705-3805891651-312030912-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3521432705-3805891651-312030912-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤
[iRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_CREATE[0] : Unknown @ 0xcb232c0
[iRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_CLOSE[2] : Unknown @ 0xcb232c0
[iRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0xcb232c0
[iRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0xcb232c0
[iRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_POWER[22] : Unknown @ 0xcb232c0
[iRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0xcb232c0
[iRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_PNP[27] : Unknown @ 0xcb232c0

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kgrm01k3.default : user_pref("browser.startup.homepage", "www.google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1001FALS-00J7B1 ATA Device +++++
--- User ---
[MBR] 3f8b2132d3cd23c9b28341b05287f3bc
[bSP] 53537f0fa4806b1e4a8c5c8e85824460 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 153500 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 314574848 | Size: 800267 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD30EFRX-68AX9N0 ATA Device +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[bSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK


Hello, 
 
Thank you for the information. 
Please provide an update on your computer after completing the steps below. 
 
STEP 1
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for anything removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

 
STEP 2
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
  • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to [image] and click [image].
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM Scan log
  • ESET Online Scan log
  • Update on computer

MBAM Scan log (I suppose you meant AdwCleaner[S0].txt log)

# AdwCleaner v4.103 - Report created 02/12/2014 at 21:52:42
# Updated 01/12/2014 by Xplode
# Database : 2014-12-01.2 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : kwchoo - LIANLI-PC
# Running from : C:\Users\kwchoo\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

[x] Not Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\kuaiyong
[x] Not Deleted : C:\Program Files (x86)\kuaiyong
[x] Not Deleted : C:\Users\kwchoo\AppData\Roaming\kuaiyong

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKLM\SOFTWARE\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16540

-\\ Mozilla Firefox v31.0 (x86 en-US)

*************************

AdwCleaner[R0].txt - [1038 octets] - [02/12/2014 21:45:31]
AdwCleaner[S0].txt - [933 octets] - [02/12/2014 21:52:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [992 octets] ##########

 

ESET Online Scan log

No threats were found

 

Update on computer

My computer seems to be running normally with no high CPU and Memory usage when there are no applications running.


Hello, 
 

MBAM Scan log (I suppose you meant AdwCleaner[S0].txt log)

Yes, that's correct. Sorry about that.
 

My computer seems to be running normally with no high CPU and Memory usage when there are no applications running.

Very good. 
 
Let's update your vulnerable software to reduce the risk of reinfection. 
 
STEP 1
Update Outdated Software

Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

  • Adobe Flash Player (uncheck the "Optional Offer")
  • Mozilla Firefox
  • Follow these instructions to check for and download the latest Windows Updates.
  • I recommend installing the latest version of Internet Explorer for added security. The latest version of IE can be installed via Windows Update.
     

STEP 2
Security Check

  • Please download SecurityCheck and save the file to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your Desktop.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • checkup.txt
  • How is your computer performing? Are there any outstanding issues?

Here is the log. Note that I did not update Firefox because it breaks my add-ons far too often when I upgrade. Thanks again for your help.

 

checkup.txt 

Results of screen317's Security Check version 0.99.91 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
ESET NOD32 Antivirus 5.2  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 Malwarebytes Anti-Malware version 2.0.3.1025 
 Adobe Flash Player 15.0.0.239 
 Mozilla Firefox 31.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 ESET NOD32 Antivirus egui.exe 
 ESET NOD32 Antivirus ekrn.exe 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 

How is your computer performing? Are there any outstanding issues?

My computer is performing fine with no outstanding issues.


Hello, 
 

My computer is performing fine with no outstanding issues.

Excellent. 
 

----------------

Now for the good news. 
 
All Clean!
Congratulations, your computer appears clean!  :)
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
 
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware. 
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing. :)  
Adam


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.