Jump to content

rundll32.exe - too many susbisious connections and ram usage


Odeon
 Share

Recommended Posts

Hello,

 

I am a gamer and yesterday my ping was too high when i was playing online games. then i looked at the programs running behind and saw 2 rundll32 exes (  rundll32 *32 from directory C:\Windows\SysWOW64 and rundll32 from directory C:\Windows\System32)

and they were using too much resource from ram. then i checked what is using my internet and saw rundll32 is trying to connect too many ip'es. i had only avira antivirus program and it didnt give me any reports about this problem. later i installed mbam and it began to block some of this ip'es but not all of them.

 

here are some of this ip'es and frst.txt + addition.txt in attc.

 

p  192.168.1.2:55218     54.77.207.254:80      rundll32.exe   HTTP_C      976  1074     0     0   2m 29s high    

tcp  192.168.1.2:55227     54.77.207.254:443     rundll32.exe   Unknown    1560  4875     0     0   2m 29s default

tcp  192.168.1.2:55308     54.171.53.252:80      rundll32.exe   HTTP_C     1100  1244     0     0   1m 11s high    

tcp  192.168.1.2:55250     185.29.133.242:9170   rundll32.exe   HTTP_C    12324  3323     0     0   1m 28s high    

tcp  192.168.1.2:55248     173.193.255.240:80    rundll32.exe   HTTP_C     4083  6104     0     0   1m 28s high    

tcp  192.168.1.2:55252     216.58.210.194:80     rundll32.exe   HTTP_C     6851  4094     0     0   1m 28s high    

tcp  192.168.1.2:55284     216.58.210.194:80     rundll32.exe   HTTP_C      680   769     0     0   1m 20s         

tcp  192.168.1.2:55198     216.58.210.193:443    chrome.exe     Unknown    1229  4608     0     0   3m 34s default

tcp  192.168.1.2:55278     54.76.84.191:80       rundll32.exe   HTTP_C      724   929     0     0   1m 20s high    

tcp  192.168.1.2:55288     54.76.84.191:443      rundll32.exe   Unknown    1400  4779     0     0   1m 19s default

tcp  192.168.1.2:52548     64.233.167.188:5228   chrome.exe     Unknown    3093  8156     0     0  32m 51s default

tcp  192.168.1.2:55310     184.72.38.185:80      rundll32.exe   HTTP_C     1490  1053     0     0    1m 8s high    

tcp  192.168.1.2:55271     23.50.148.174:80      rundll32.exe   HTTP_C_BU  6353 50942     0     0   1m 21s low     

tcp  192.168.1.2:55273     23.50.148.174:80      rundll32.exe   HTTP_C     3346 26263     0     0   1m 21s high    

tcp  192.168.1.2:55286     23.50.148.174:80      rundll32.exe   HTTP_C     2983   296     0     0   1m 20s high    

tcp  192.168.1.2:55326     23.50.148.174:80      rundll32.exe   HTTP_C_BU 25373  152K     0     0  29.031s low     

tcp  192.168.1.2:55327     23.50.148.174:80      rundll32.exe   HTTP_C    16835  117K     0     0  28.704s high    

tcp  192.168.1.2:55329     23.50.148.174:80      rundll32.exe   HTTP_C    10126   744     0     0  27.565s high    

tcp  192.168.1.2:55337     23.221.199.168:80     chrome.exe     HTTP_C      620   396     0     0  20.982s         

tcp  192.168.1.2:55188     195.22.200.163:80     rundll32.exe   HTTP_C    54826  108K  1789   571   4m 28s high    

tcp  192.168.1.2:55321     195.22.200.163:80     rundll32.exe   HTTP_C    54852 46458     0     0  57.548s high    

tcp  192.168.1.2:55266     195.22.200.155:80     rundll32.exe   HTTP_C_BU 14280  125K     0     0   1m 24s low     

tcp  192.168.1.2:55267     195.22.200.155:80     rundll32.exe   HTTP_C_BU 19107  242K     0     0   1m 24s low     

tcp  192.168.1.2:55282     195.22.200.155:80     rundll32.exe   HTTP_C     1557  1689     0     0   1m 20s high    

tcp  192.168.1.2:55249     23.21.75.138:80       rundll32.exe   HTTP_C    28356  3852     0     0   1m 28s high    

tcp  192.168.1.2:55192     216.58.219.131:443    chrome.exe     Unknown    1261  4970     0     0   3m 54s default

tcp  192.168.1.2:55285     54.174.193.128:80     rundll32.exe   HTTP_C     1165  1346     0     0   1m 20s high    

tcp  192.168.1.2:55233     23.50.146.116:80      rundll32.exe   HTTP_C      786   703     0     0   2m 26s         

tcp  192.168.1.2:55235     23.50.146.116:80      rundll32.exe   HTTP_C      581   775     0     0   2m 26s         

tcp  192.168.1.2:55357     37.252.170.113:80     rundll32.exe   HTTP_C_BU  6321  6361  3954  3979   0.858s low     

tcp  192.168.1.2:55325     37.252.170.110:80     rundll32.exe   HTTP_C_BU  5245  3896     0     0  29.531s low     

tcp  192.168.1.2:55220     23.50.149.109:80      rundll32.exe   HTTP_C     5151  6738     0     0   2m 29s high    

tcp  192.168.1.2:55234     23.50.149.109:80      rundll32.exe   HTTP_C     1192  1035     0     0   2m 26s         

tcp  192.168.1.2:55279     23.50.149.109:80      rundll32.exe   HTTP_C     3768  5888     0     0   1m 20s high    

tcp  192.168.1.2:55295     23.50.149.109:80      rundll32.exe   HTTP_C     2882  2488     0     0   1m 17s high    

tcp  192.168.1.2:55221     23.50.148.101:443     rundll32.exe   Unknown    2202 32011     0     0   2m 29s default

tcp  192.168.1.2:55280     23.50.148.101:443     rundll32.exe   Unknown    2250 33923     0     0   1m 20s default

tcp  192.168.1.2:55294     159.8.32.101:80       rundll32.exe   HTTP_C      783   913     0     0   1m 17s high    

tcp  192.168.1.2:55251     159.8.37.100:80       rundll32.exe   HTTP_C     1264   670     0     0   1m 28s high    

tcp  192.168.1.2:55247     162.13.61.90:80       rundll32.exe   HTTP_C     5962 21884     0     0   1m 28s high    

tcp  192.168.1.2:55296     185.29.134.87:80      rundll32.exe   HTTP_C      830   667     0     0   1m 17s         

tcp  192.168.1.2:55330     144.76.59.84:80       chrome.exe     HTTP_C      864  1312     0     0  21.013s         

tcp  192.168.1.2:55246     54.76.70.81:80        rundll32.exe   HTTP_C     5145 13250     0     0   1m 28s high    

 

 

 

 

 

 

Addition.txt

FRST.txt

Link to post
Share on other sites

Greetings and Welcome :D

My nickname is Ruggie and I will be assisting you in cleaning your computer.

  • Malware removal can be a long process and will at times get complicated with multiple steps to perform to ensure that your system is no longer infected.
  • When we start the process, the list of instructions must be followed closely, it may seem difficult at times but it is important that you stay with me until your computer is declared clean.
  • If you are receiving help elsewhere, please let me know so we can close this thread and help someone else.
stop32.png Before going any further, I recommend that you print out (or save to a file) these guidelines and also the instructions when I post them, as part of the repair process may involve going into safe mode and therefore you will not have internet access.

 

----------------------------We will not assist users that are obviously using illegal software----------------------------

If any such evidence is found you will be given the benefit of the doubt and the opportunity to completely uninstall and delete any such data from your system.

During the scanning process if any further evidence shows up your topic will be closed and no further assistance will be provided.

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If your topic was closed and you wish to remove the pirated software or hack please do so and send a PM to an Administrator to have your topic reopened.

 

--------------------------------------

The following guidelines are important but the ones highlighted in RED are of the highest importance and must not be skipped.

right-grn.pngPlease save all tools to the desktop,. Our tools are updated very regularly, sometimes several times per day so always download the latest version from the links I provide.

right-grn.pngPlease be aware, the fixes we perform are specific to this machine, at this moment in time. They must not be used on another computer or unsupervised at another time. This can render your computer unbootable.

right-grn.pngIf at all possible, Make backups of all your important files, whilst we will do our best to ensure that no files are lost or damaged, sometimes things can go wrong.

right-grn.png Refrain from using any tool that hasn't been instructed as it could alter the process that we are working through and cause further problems. Also only use the tools I instruct in the manner provided as they are very powerful and if not used properly can cause even more problems. It is best if you can avoid using the computer at all, apart from to perform the cleaning steps to ensure that any infections aren't spread.

right-grn.png Only paste the contents of log files into your reply, DO NOT attach any log files unless requested to do so.

right-grn.png If you have any questions or get stuck, stop and ask....I am here to help you make this go as smoothly as possible.

right-grn.png If you do not reply within 3 days, your topic will be closed. It can be reopened if you ask. But if you plan on being gone for a longer period, just let me know and I will hold it open for you.

51a46ae42d560-malwarebytes_anti_malware. Scan with Malwarebytes' Anti-Malware

Please download and install Malwarebytes Anti-Malware, or re-run it if you already have it installed.

  • First of all select update.
  • Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
  • Click the Scan tab, choose Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

 

I will be currently looking through the logs you have already provided

Link to post
Share on other sites

Here is the scan log.

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 16.01.2015

Scan Time: 20:22:37

Logfile: scan.txt

Administrator: Yes

 

Version: 2.00.4.1028

Malware Database: v2015.01.16.09

Rootkit Database: v2015.01.14.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: Odeon

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 327453

Time Elapsed: 5 min, 58 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 1

Trojan.MSIL.ED, C:\Users\Odeon\AppData\Local\Temp\repfix.exe, Quarantined, [f45d12e53059a98d66217c8fac566799], 

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

Link to post
Share on other sites

btw when i was scanning mbam blocked some of those ip's .

 

here is the protection log. maybe it helps.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Protection, 16.01.2015 20:20:52, SYSTEM, ODEON-PC, Protection, Malware Protection, Starting, 
Protection, 16.01.2015 20:20:52, SYSTEM, ODEON-PC, Protection, Malware Protection, Started, 
Protection, 16.01.2015 20:20:52, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.01.2015 20:20:53, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Started, 
Update, 16.01.2015 20:21:11, SYSTEM, ODEON-PC, Scheduler, Malware Database, 2015.1.15.11, 2015.1.16.9, 
Protection, 16.01.2015 20:21:11, SYSTEM, ODEON-PC, Protection, Refresh, Starting, 
Protection, 16.01.2015 20:21:11, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 16.01.2015 20:21:11, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 16.01.2015 20:21:14, SYSTEM, ODEON-PC, Protection, Refresh, Success, 
Protection, 16.01.2015 20:21:14, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.01.2015 20:21:14, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Started, 
Scan, 16.01.2015 20:22:20, SYSTEM, ODEON-PC, Manual, Start:16.01.2015 20:21:11, Duration:1 min 8 sec, Threat Scan, Cancelled, 0 Malware Detections, 0 Non-Malware Detections, 
Detection, 16.01.2015 20:25:14, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, IP, 5.149.250.194, 51180, Outbound, C:\Windows\SysWOW64\rundll32.exe, 
Detection, 16.01.2015 20:25:14, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, IP, 5.149.250.194, 51180, Outbound, C:\Windows\SysWOW64\rundll32.exe, 
Detection, 16.01.2015 20:25:22, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, IP, 5.149.250.194, 51297, Outbound, C:\Windows\SysWOW64\rundll32.exe, 
Detection, 16.01.2015 20:25:25, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, IP, 66.45.56.109, redirect.ad-feeds.net, 51318, Outbound, C:\Windows\SysWOW64\rundll32.exe, 
Detection, 16.01.2015 20:25:25, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, IP, 66.45.56.109, redirect.ad-feeds.net, 51318, Outbound, C:\Windows\SysWOW64\rundll32.exe, 
Scan, 16.01.2015 20:29:06, SYSTEM, ODEON-PC, Manual, Start:16.01.2015 20:22:37, Duration:5 min 58 sec, Threat Scan, Completed, 1 Malware Detection, 0 Non-Malware Detections, 
Protection, 16.01.2015 20:30:57, SYSTEM, ODEON-PC, Protection, Malware Protection, Starting, 
Protection, 16.01.2015 20:30:57, SYSTEM, ODEON-PC, Protection, Malware Protection, Started, 
Protection, 16.01.2015 20:30:57, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.01.2015 20:30:58, SYSTEM, ODEON-PC, Protection, Malicious Website Protection, Started, 
 
(end)
Link to post
Share on other sites

Thanks. I think I have found the spefic cause of the main problem you are having, but we wil soon see :D

 

It appears you have another streaming service running - commonly installed without the owners knowledge - Octoplay. This should get rid of it.

 

Step 1

 

We need to uninstall some programs.

Open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.

Select the following programs from the list below, one at a time and click Uninstall.
 

  • Octoshape Streaming Services

 

 

Step 2

 

 jrt.pngJunkware Removal Tool
Please download Junkware Removal Tool to your desktop. << Important
Ensure that any security software is temporarily disabled for the duration of the scan. Don't forget to re-enable it afterwards.
 

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by right-clicking jrt.png and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Step 3

 

adwcleaner.pngAdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the adwcleaner.pngAdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove. Please Do Not delete anything at this time.
  • Click the Report button to get the log.
  • Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[R0].txt.
  • Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
 

 

Items I need to see in your next post:
 

  • How did the uninstall go?
  • FRST fixlog
  • JRT Log
  • ADWcleaner scan log
  • How is it behaving now?

 

 

 

Link to post
Share on other sites

i uninstalled the octopus witouth any problem.

 

here is the jrt log.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Ultimate x64
Ran by Odeon on 16.01.2015 at 21:32:35,85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 16.01.2015 at 21:34:10,42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
and  adwcleaner log : (its in turkish but no problem for you i guess :) )
 
# AdwCleaner v4.107 - Rapor olusturuldu 16/01/2015 tarihinde 21:36:11
# Guncellendi 07/01/2015 tarafindan Xplode
# Database : 2015-01-13.2 [Live]
# Isletim sistemi : Windows 7 Ultimate Service Pack 1 (64 bits)
# Kullanici adi : Odeon - ODEON-PC
# Adwcleaner konumu : C:\Users\Odeon\Desktop\AdwCleaner.exe
# Tarama turu : Tara
 
***** [ Servisler ] *****
 
 
***** [ Dosyalar / Klasorler ] *****
 
 
***** [ Görevler ] *****
 
 
***** [ Kisayollar ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Tarayicilar ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v39.0.2171.95
 
 
*************************
 
AdwCleaner[R0].txt - [1656 octets] - [15/01/2015 20:48:49]
AdwCleaner[R1].txt - [728 octets] - [16/01/2015 21:36:11]
AdwCleaner[s0].txt - [1719 octets] - [15/01/2015 20:52:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [847 octets] ##########
 
and frst log
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2015 01
Ran by Odeon (administrator) on ODEON-PC on 16-01-2015 21:40:42
Running from C:\Users\Odeon\Desktop
Loaded Profiles: Odeon (Available profiles: Odeon)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Türkçe (Türkiye)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
() C:\Windows\SysWOW64\ASGT.exe
(cFos Software GmbH) C:\Program Files\ASRock\XFast LAN\spd.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\System32\PnkBstrA.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(cFos Software GmbH) C:\Program Files\ASRock\XFast LAN\cfosspeed.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Wondershare) C:\Program Files (x86)\Wondershare\MobileGo\MobileGoService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(FNet Co., Ltd.) C:\Program Files (x86)\XFastUSB\XFastUsb.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13513288 2013-03-29] (Realtek Semiconductor)
HKLM\...\Run: [iAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [286704 2013-04-30] (Intel Corporation)
HKLM\...\Run: [XFast LAN] => C:\Program Files\ASRock\XFast LAN\cFosSpeed.exe [1441152 2011-10-19] (cFos Software GmbH)
HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [shadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2531472 2014-12-13] (NVIDIA Corporation)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [10396440 2014-04-15] (Logitech Inc.)
HKLM-x32\...\Run: [uSB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-11] (Intel Corporation)
HKLM-x32\...\Run: [XFastUSB] => C:\Program Files (x86)\XFastUSB\XFastUsb.exe [5021448 2013-11-23] (FNet Co., Ltd.)
HKLM-x32\...\Run: [googletalk] => C:\Program Files (x86)\Google\Google Talk\googletalk.exe [3739648 2007-01-01] (Google)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-11-24] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-2136585609-3857142508-2264692070-1000\...\Run: [ASRock A-Tuning] => [X]
HKU\S-1-5-21-2136585609-3857142508-2264692070-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7394584 2014-12-12] (Piriform Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MobileGo Service.lnk
ShortcutTarget: MobileGo Service.lnk -> C:\Program Files (x86)\Wondershare\MobileGo\MobileGoService.exe (Wondershare)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2136585609-3857142508-2264692070-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://battlelog.battlefield.com/bf4
HKU\S-1-5-21-2136585609-3857142508-2264692070-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://tr.msn.com/
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelogx64.dll (EA Digital Illusions CE AB)
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll (EA Digital Illusions CE AB)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\Odeon\AppData\Roaming\rcru\plugins\nprcplugin.dll (Raidcall)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (BetterTTV) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2014-06-05]
CHR Extension: (Awesome Screenshot: Capture & Annotate) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce [2014-05-01]
CHR Extension: (Google Drive) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-23]
CHR Extension: (imgur Extension by Metronomik) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehoopddfhgaehhmphfcooacjdpmbjlao [2014-05-31]
CHR Extension: (Lounge Assistant) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\enjonnlehciedbcidabdglnnihcncbml [2014-09-26]
CHR Extension: (AdBlock) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2013-11-23]
CHR Extension: (Lazarus: Form Recovery) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\loljledaigphbcpfhfmgopdkppkifgno [2013-11-23]
CHR Extension: (Google Cüzdan) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-23]
CHR Extension: (Gmail) - C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-11-23]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-11-24] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-11-24] (Avira Operations GmbH & Co. KG)
R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] () [File not signed]
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
R2 cFosSpeedS; C:\Program Files\ASRock\XFast LAN\spd.exe [395136 2011-10-19] (cFos Software GmbH)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [93016 2014-04-21] (EasyAntiCheat Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2014-12-13] (NVIDIA Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15344 2013-04-30] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-03-12] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [174368 2014-02-28] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-03-12] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1701520 2014-12-13] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19823248 2014-12-13] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1900400 2014-11-30] (Electronic Arts)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2014-09-01] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-05-09] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [239176 2013-02-19] (Realtek Semiconductor)
R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [741640 2014-06-16] (DEVGURU Co., LTD.)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-11-18] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 AsrRamDisk; C:\Windows\System32\DRIVERS\AsrRamDisk.sys [34640 2012-08-09] (ASRock Inc.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-11-24] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-11-24] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-11-24] (Avira Operations GmbH & Co. KG)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [496400 2013-02-26] (Intel Corporation)
S3 FNETTBOH_305; C:\Windows\System32\drivers\FNETTBOH_305.SYS [32320 2014-12-26] (FNet Co., Ltd.)
R1 FNETURPX; C:\Windows\System32\drivers\FNETURPX.SYS [16648 2013-11-23] (FNet Co., Ltd.)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28656 2013-04-30] (Intel Corporation)
R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [64280 2013-05-30] (Logitech Inc.)
R3 LGSUsbFilt; C:\Windows\System32\DRIVERS\LGSUsbFilt.Sys [41752 2013-05-30] (Logitech Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-16] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2014-12-13] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]
S3 ESEADriver2; \??\C:\Users\Odeon\AppData\Local\Temp\ESEADriver2.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-16 21:34 - 2015-01-16 21:35 - 01242621 _____ (Thisisu) C:\Users\Odeon\Desktop\JRT (1).exe
2015-01-16 21:34 - 2015-01-16 21:34 - 00000621 _____ () C:\Users\Odeon\Desktop\JRT.txt
2015-01-16 21:32 - 2015-01-16 21:32 - 00000000 ____D () C:\Windows\ERUNT
2015-01-16 21:29 - 2015-01-16 21:32 - 01707939 _____ (Thisisu) C:\Users\Odeon\Desktop\JRT.exe
2015-01-16 20:34 - 2015-01-16 20:34 - 00002762 _____ () C:\Users\Odeon\Desktop\protection.txt
2015-01-16 20:32 - 2015-01-16 20:32 - 00001135 _____ () C:\Users\Odeon\Desktop\scan.txt
2015-01-15 21:07 - 2015-01-16 21:40 - 00017876 _____ () C:\Users\Odeon\Desktop\FRST.txt
2015-01-15 21:07 - 2015-01-15 21:07 - 00030386 _____ () C:\Users\Odeon\Desktop\Addition.txt
2015-01-15 21:06 - 2015-01-16 21:40 - 00000000 ____D () C:\FRST
2015-01-15 21:01 - 2015-01-15 21:02 - 02125312 _____ (Farbar) C:\Users\Odeon\Desktop\FRST64.exe
2015-01-15 20:48 - 2015-01-16 21:36 - 00000000 ____D () C:\AdwCleaner
2015-01-15 20:43 - 2015-01-15 20:43 - 00000000 ____D () C:\Users\Odeon\Desktop\tdsskiller
2015-01-15 20:10 - 2015-01-15 20:10 - 00000000 ____D () C:\_OTL
2015-01-15 20:08 - 2015-01-15 20:08 - 02191360 _____ () C:\Users\Odeon\Desktop\AdwCleaner.exe
2015-01-15 20:08 - 2015-01-15 20:08 - 00602112 _____ (OldTimer Tools) C:\Users\Odeon\Desktop\OTL.exe
2015-01-15 01:52 - 2015-01-15 01:52 - 00002772 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-01-15 01:52 - 2015-01-15 01:52 - 00000825 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-01-15 01:52 - 2015-01-15 01:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-01-15 01:52 - 2015-01-15 01:52 - 00000000 ____D () C:\Program Files\CCleaner
2015-01-15 01:28 - 2015-01-15 01:28 - 00000000 _____ () C:\Users\Odeon\Desktop\Yeni Metin Belgesi.txt
2015-01-15 01:16 - 2015-01-15 01:28 - 00000000 ____D () C:\Users\Odeon\Desktop\Yeni klasör
2015-01-15 00:27 - 2015-01-16 21:40 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-15 00:27 - 2015-01-15 00:27 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-15 00:27 - 2015-01-15 00:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-15 00:27 - 2015-01-15 00:27 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-15 00:27 - 2015-01-15 00:27 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-15 00:27 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-15 00:27 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-15 00:27 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-14 23:59 - 2015-01-14 23:59 - 00007624 _____ () C:\Users\Odeon\AppData\Local\Resmon.ResmonCfg
2014-12-30 15:53 - 2015-01-02 18:21 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\TS3Client
2014-12-30 15:53 - 2014-12-30 15:53 - 00001169 _____ () C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
2014-12-30 15:53 - 2014-12-30 15:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
2014-12-30 15:53 - 2014-12-30 15:53 - 00000000 ____D () C:\Program Files (x86)\TeamSpeak 3 Client
2014-12-28 16:13 - 2014-12-13 11:08 - 32099472 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 25460552 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 24764232 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 20465808 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 17264312 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 13288360 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 13202520 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 10770120 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 10710160 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 10345280 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2014-12-28 16:13 - 2014-12-13 11:08 - 03610440 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 03248968 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 01895056 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6434709.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 01556624 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6434709.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00994384 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00968336 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00942400 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00928072 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00906560 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00876976 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00496272 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00399688 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00391488 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00353224 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00346944 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00306328 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00178632 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2014-12-28 16:13 - 2014-12-13 11:08 - 00165760 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2014-12-28 16:13 - 2014-12-13 01:47 - 00620176 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2014-12-28 16:13 - 2014-10-09 18:02 - 00195728 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2014-12-28 16:13 - 2014-10-09 18:02 - 00030536 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2014-12-28 16:13 - 2014-10-09 08:17 - 01540240 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco64.dll
2014-12-28 16:11 - 2014-11-22 11:46 - 00038032 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2014-12-28 16:11 - 2014-11-22 11:46 - 00032400 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2014-12-26 19:54 - 2014-12-26 19:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ISO to USB
2014-12-26 19:54 - 2014-12-26 19:54 - 00000000 ____D () C:\Program Files (x86)\ISO to USB
2014-12-26 17:18 - 2014-12-26 20:07 - 00000000 ____D () C:\Program Files (x86)\Easy Image
2014-12-26 17:18 - 2014-12-26 17:18 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Easy Image
2014-12-26 17:18 - 2014-12-26 17:18 - 00000000 ____D () C:\Program Files (x86)\AwenGers44
2014-12-24 14:19 - 2014-12-24 14:15 - 00043064 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-12-24 14:16 - 2014-12-24 14:16 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\Avira
2014-12-24 14:14 - 2014-11-24 10:23 - 00131608 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-12-24 14:14 - 2014-11-24 10:23 - 00119272 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-12-24 14:14 - 2014-11-24 10:23 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-12-24 13:57 - 2014-12-24 14:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-12-21 23:00 - 2014-12-21 23:00 - 00000000 ____D () C:\ProgramData\Licenses
2014-12-21 22:43 - 2015-01-16 21:32 - 00000306 _____ () C:\Windows\Tasks\XHKTUV.job
2014-12-21 22:43 - 2014-12-21 22:43 - 00147456 __RSH () C:\Windows\SysWOW64\KBDINBE23.dll
2014-12-21 22:43 - 2014-12-21 22:43 - 00002586 _____ () C:\Windows\System32\Tasks\XHKTUV
2014-12-21 15:45 - 2014-12-21 15:45 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_WinUsb_01007.Wdf
2014-12-21 15:43 - 2014-12-21 15:43 - 00000000 ____D () C:\Program Files\SAMSUNG
2014-12-21 15:43 - 2014-06-16 07:01 - 01490656 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01007.dll
2014-12-21 15:43 - 2014-06-16 07:01 - 00708168 _____ (Microsoft Corporation) C:\Windows\system32\WinUSBCoInstaller.dll
2014-12-21 15:43 - 2014-06-16 07:01 - 00206080 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudmdm.sys
2014-12-21 15:42 - 2014-12-21 15:42 - 00000000 ____D () C:\ProgramData\Samsung
2014-12-21 13:56 - 2014-12-21 13:56 - 00000000 ____D () C:\Users\Odeon\Documents\Wondershare
2014-12-21 13:55 - 2014-12-21 13:55 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\HMYGSetting
2014-12-21 02:54 - 2014-12-21 23:03 - 00000000 ____D () C:\ProgramData\TEMP
2014-12-20 17:59 - 2014-12-20 17:59 - 01002728 _____ (Microsoft Corporation) C:\Windows\system32\WinUSBCoInstaller2.dll
2014-12-20 17:59 - 2014-12-20 17:59 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_WinUsb_01009.Wdf
2014-12-20 17:59 - 2014-06-16 07:01 - 00110336 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudbus.sys
2014-12-20 17:52 - 2014-12-21 13:54 - 00000000 ____D () C:\ProgramData\Wondershare
2014-12-20 17:51 - 2014-12-23 23:43 - 00000000 ___HD () C:\Program Files (x86)\DrFoneAndroid_Temp
2014-12-20 17:51 - 2014-12-23 23:43 - 00000000 ____D () C:\Users\Odeon\.android
2014-12-20 17:51 - 2014-12-23 23:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
2014-12-20 17:51 - 2014-12-23 23:43 - 00000000 ____D () C:\Program Files (x86)\Wondershare
2014-12-20 17:51 - 2014-12-21 16:12 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\Wondershare
2014-12-20 17:51 - 2014-12-20 17:51 - 00000000 ____D () C:\Users\Odeon\AppData\Local\Wondershare
2014-12-20 17:50 - 2014-12-21 13:54 - 00000000 ____D () C:\Users\Public\Documents\Wondershare
2014-12-19 09:14 - 2015-01-14 22:10 - 00001408 _____ () C:\Users\Odeon\AppData\Roaming\BreakingPoint_Options.ini
2014-12-19 09:13 - 2015-01-14 20:36 - 00000293 _____ () C:\Users\Odeon\AppData\Roaming\BreakingPoint_Login.ini
2014-12-19 09:11 - 2015-01-10 18:09 - 00000000 ____D () C:\Users\Odeon\AppData\Local\Arma 3
2014-12-19 09:11 - 2014-12-19 09:13 - 00000000 ____D () C:\Users\Odeon\Documents\Arma 3
2014-12-19 09:11 - 2014-12-19 09:11 - 00000000 ____D () C:\ProgramData\Bohemia Interactive
2014-12-19 09:04 - 2014-12-19 09:04 - 00000706 _____ () C:\Users\Odeon\Desktop\Breaking Point.lnk
2014-12-19 09:03 - 2015-01-10 17:51 - 00000000 ____D () C:\Breaking Point
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-16 21:29 - 2014-04-06 12:42 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\Octoshape
2015-01-16 21:26 - 2013-11-23 22:31 - 00001020 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-16 21:15 - 2013-11-23 22:37 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-16 20:37 - 2009-07-14 05:45 - 00026768 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-16 20:37 - 2009-07-14 05:45 - 00026768 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-16 20:35 - 2011-04-12 15:56 - 00657000 _____ () C:\Windows\system32\perfh01F.dat
2015-01-16 20:35 - 2011-04-12 15:56 - 00139926 _____ () C:\Windows\system32\perfc01F.dat
2015-01-16 20:35 - 2009-07-14 06:13 - 01572100 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-16 20:33 - 2013-11-23 20:26 - 01901168 _____ () C:\Windows\WindowsUpdate.log
2015-01-16 20:30 - 2013-11-23 22:31 - 00001016 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-16 20:30 - 2013-11-23 21:00 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-16 20:30 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-16 20:30 - 2009-07-14 05:51 - 00161381 _____ () C:\Windows\setupact.log
2015-01-16 20:29 - 2010-11-21 04:47 - 00254954 _____ () C:\Windows\PFRO.log
2015-01-15 21:52 - 2013-11-23 23:19 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\Mumble
2015-01-15 01:18 - 2014-02-22 23:24 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\uTorrent
2015-01-15 00:36 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Branding
2015-01-13 22:10 - 2014-02-22 23:12 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-13 22:10 - 2014-02-22 23:12 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-11 13:14 - 2014-06-20 20:55 - 00000000 ____D () C:\Users\Odeon\Documents\Euro Truck Simulator 2
2015-01-01 11:40 - 2014-08-06 20:41 - 00000000 ____D () C:\Users\Odeon\AppData\Local\Adobe
2014-12-28 16:14 - 2013-11-23 21:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2014-12-26 19:55 - 2013-11-23 22:01 - 00032320 _____ (FNet Co., Ltd.) C:\Windows\system32\Drivers\FNETTBOH_305.SYS
2014-12-24 14:14 - 2013-11-23 23:14 - 00000000 ____D () C:\ProgramData\Avira
2014-12-24 14:14 - 2013-11-23 23:14 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-12-24 13:57 - 2013-11-24 11:10 - 00000000 ____D () C:\ProgramData\Package Cache
2014-12-20 17:54 - 2014-12-14 12:04 - 00000000 ___RD () C:\Users\Odeon\Dropbox
2014-12-20 17:53 - 2014-12-14 12:02 - 00000000 ____D () C:\Users\Odeon\AppData\Roaming\Dropbox
2014-12-20 17:51 - 2013-11-23 20:31 - 00000000 ____D () C:\Users\Odeon
 
Some content of TEMP:
====================
C:\Users\Odeon\AppData\Local\Temp\avgnt.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-14 20:09
 
==================== End Of Log ============================
 
Link to post
Share on other sites

My apologies I omitted a section from the instructions:

 

FRST Fix

If FRST.exe/FRST64.exe is not on your desktop, please download Farbar Recovery Scan Tool and save it to your desktop.
 

  • Download the attached fixlist.txt and save it to your desktop <<< very important - it must be in the same location as FRST.exe/FRST64.exe
  • Right click frst.png and run as administrator. When the tool opens click Yes to the disclaimer.
  • Press the Fix button.
  • It will produce a log called fixlog.txt on your Desktop.
  • Please copy and paste the contents of that log back here.

    NOTICE: This script was written specifically for this user, for use on that particular machine, at this point in time. Running this on another machine may cause damage to your operating system.

 

 

Link to post
Share on other sites

in my first attempt frst.exe stopped working. i tried again and had no problems.

 

here is the result.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2015 01

Ran by Odeon at 2015-01-16 22:01:42 Run:2

Running from C:\Users\Odeon\Desktop

Loaded Profiles: Odeon (Available profiles: Odeon)

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

start

createrestorepoint:

Task: C:\Windows\Tasks\XHKTUV.job => C:\Windows\SysWOW64\KBDINBE23.dll

C:\Windows\SysWOW64\KBDINBE23.dll

Task: {1FD695DC-DFE2-4060-AB18-FA29C3C5EDEF} - System32\Tasks\{E3E36F76-38C9-4279-9256-F9DAF244559C} => pcalua.exe -a C:\Users\Odeon\Desktop\pbsetup\pbsetup.exe -d C:\Users\Odeon\Desktop\pbsetup

AlternateDataStreams: C:\ProgramData\TEMP:C76EDAC3

AlternateDataStreams: C:\ProgramData\TEMP:F0D7EE30

HKU\S-1-5-21-2136585609-3857142508-2264692070-1000\...\Run: [Octoshape Streaming Services] => C:\Users\Odeon\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe [107800 2011-03-24] (Octoshape ApS)

ShortcutTarget: MobileGo Service.lnk -> C:\Program Files (x86)\Wondershare\MobileGo\MobileGoService.exe (Wondershare)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MobileGo Service.lnk

FF Plugin HKU\S-1-5-21-2136585609-3857142508-2264692070-1000: @octoshape.com/Octoshape Streaming Services,version=1.0 -> C:\Users\Odeon\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1312180-0-npoctoshape.dll (Octoshape ApS)

FF Plugin ProgramFiles/Appdata: C:\Users\Odeon\AppData\Roaming\mozilla\plugins\npoctoshape.dll (Octoshape ApS)

cmd: ipconfig /release

cmd: ipconfig /renew

cmd: ipconfig /flushdns

cmd: netsh winsock reset all

cmd: netsh int ip reset all

cmd: netsh advfirewall reset

cmd: netsh advfirewall set allprofiles state on

emptytemp:

end

*****************

 

Restore point was successfully created.

C:\Windows\Tasks\XHKTUV.job not found.

"C:\Windows\SysWOW64\KBDINBE23.dll" => File/Directory not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FD695DC-DFE2-4060-AB18-FA29C3C5EDEF} => Key not found. 

C:\Windows\System32\Tasks\{E3E36F76-38C9-4279-9256-F9DAF244559C} not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{E3E36F76-38C9-4279-9256-F9DAF244559C} => Key not found. 

"C:\ProgramData\TEMP" => ":C76EDAC3" ADS not found.

"C:\ProgramData\TEMP" => ":F0D7EE30" ADS not found.

HKU\S-1-5-21-2136585609-3857142508-2264692070-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Octoshape Streaming Services => Value not found.

C:\Program Files (x86)\Wondershare\MobileGo\MobileGoService.exe not found.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MobileGo Service.lnk not found.

HKU\S-1-5-21-2136585609-3857142508-2264692070-1000\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0 => Key not found. 

C:\Users\Odeon\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1312180-0-npoctoshape.dll not found.

"C:\Users\Odeon\AppData\Roaming\mozilla\plugins\npoctoshape.dll" => not found.

 

=========  ipconfig /release =========

 

 

Windows IP Yap�land�rmas�

 

 

Ethernet ba�da�t�r�c� Yerel A� Ba�lant�s�:

 

   Ba�lant�ya �zg� DNS Soneki .  . . : 

   Ba�lant� Yerel IPv6 Adresi . . . . . : fe80::dcbc:b972:4d4a:182d%11

   Varsay�lan A� Ge�idi. . . . . . . : 

 

Tunnel ba�da�t�r�c� isatap.homenet.telecomitalia.it:

 

   Medya Durumu  . . . . . . . . . . : Medya Ba�lant�s� kesildi

   Ba�lant�ya �zg� DNS Soneki .  . . : 

 

Tunnel ba�da�t�r�c� Teredo Tunneling Pseudo-Interface:

 

   Medya Durumu  . . . . . . . . . . : Medya Ba�lant�s� kesildi

   Ba�lant�ya �zg� DNS Soneki .  . . : 

 

========= End of CMD: =========

 

 

=========  ipconfig /renew =========

 

 

Windows IP Yap�land�rmas�

 

 

Ethernet ba�da�t�r�c� Yerel A� Ba�lant�s�:

 

   Ba�lant�ya �zg� DNS Soneki .  . . : homenet.telecomitalia.it

   Ba�lant� Yerel IPv6 Adresi . . . . . : fe80::dcbc:b972:4d4a:182d%11

   IPv4 Adresi. . . . . . . . . . . : 192.168.1.2

   Alt A� Maskesi. . . . . . . . . . : 255.255.255.0

   Varsay�lan A� Ge�idi. . . . . . . : 192.168.1.1

 

Tunnel ba�da�t�r�c� isatap.homenet.telecomitalia.it:

 

   Medya Durumu  . . . . . . . . . . : Medya Ba�lant�s� kesildi

   Ba�lant�ya �zg� DNS Soneki .  . . : homenet.telecomitalia.it

 

Tunnel ba�da�t�r�c� Teredo Tunneling Pseudo-Interface:

 

   Ba�lant�ya �zg� DNS Soneki .  . . : 

   IPv6 Adresi. . . . . . . . . . . : 2001:0:9d38:90d7:3850:31ff:3f57:fefd

   Ba�lant� Yerel IPv6 Adresi . . . . . : fe80::3850:31ff:3f57:fefd%12

   Varsay�lan A� Ge�idi. . . . . . . : ::

 

========= End of CMD: =========

 

 

=========  ipconfig /flushdns =========

 

 

Windows IP Yap�land�rmas�

 

DNS ��z�c� �nbelle�i ba�ar�yla temizlendi.

 

========= End of CMD: =========

 

 

=========  netsh winsock reset all =========

 

 

Winsock Katalo�u ba�ar�yla s�f�rland�.

S�f�rlamay� tamamlamak i�in bilgisayar� yeniden ba�latmal�s�n�z.

 

 

========= End of CMD: =========

 

 

=========  netsh int ip reset all =========

 

Arabirim s�f�rlan�yor, Tamam!

Bu eylemi tamamlamak i�in sistemi yeniden ba�lat�n.

 

 

========= End of CMD: =========

 

 

=========  netsh advfirewall reset =========

 

Tamam.

 

 

========= End of CMD: =========

 

 

=========  netsh advfirewall set allprofiles state on =========

 

Tamam.

 

 

========= End of CMD: =========

 

EmptyTemp: => Removed 436.4 MB temporary data.

 

 

The system needed a reboot. 

 

==== End of Fixlog 22:02:03 ====

Link to post
Share on other sites

Let's do a redidual scan while you keep an eye on it. First make sure your Avira is still disabled (it was when you did the FRST scan - showing out of date too)
 
Anti-Virus Scan
Please run a free online scan with the ESET Online Scanner

<< Please disable any existing anti virus product before performing the following. >>

  • Click Run Eset Online Scanner

Note: You will need to use Internet Explorer or Firefox (You will be prompted to install a helper program if you use firefox)for this scan.
Important: Please disable your existing AV software for the duration of the scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start[
  • Make sure that the option Enable detection of potentially unwanted applications is checked
  • Next click on Advanced Settings and select:
  • Make sure that the option Remove found threats is NOT checked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Click Start, the virus database will update, this may take a while depending on your internet connection.
  • Once updated, the online scan will begin. (This scan can take several hours, so please be patient)
  • Once the scan is completed, click Finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
Link to post
Share on other sites

hmm it seems it found also something in my cell backup. maybe my overheating and batery problem on my s4 is because of this :D

 

 

 

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# product=EOS

# version=8

# IEXPLORE.EXE=11.00.9600.16428 (winblue_gdr.131013-1700)

# OnlineScanner.ocx=1.0.0.7623

# api_version=3.0.2

# EOSSerial=b99887b9228b764b81815ac91ff2c49b

# engine=22007

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2015-01-16 10:15:07

# local_time=2015-01-16 11:15:07 )

# country="Turkey"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode_1='Avira Desktop'

# compatibility_mode=1810 16777213 100 99 14958 4629107 0 0

# compatibility_mode_1=''

# compatibility_mode=5893 16776574 100 94 36135073 173076357 0 0

# scanned=176861

# found=4

# cleaned=0

# scan_time=2882

sh=65F7B04AA8130E65F6D9619F4A90C3B07A0A7CC2 ft=1 fh=95cb83a560a107ed vn="Win32/AdWare.1ClickDownload.AT application" ac=I fn="C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000000"

sh=B81F800AC9A5A600EE49B46EBA7661A8526950C9 ft=1 fh=fc75046d2cb7575b vn="Win32/AdWare.1ClickDownload.AW application" ac=I fn="C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\00\00000000"

sh=B81F800AC9A5A600EE49B46EBA7661A8526950C9 ft=1 fh=fc75046d2cb7575b vn="Win32/AdWare.1ClickDownload.AW application" ac=I fn="C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\00\00000001"

sh=5DD069D14CC713AECF65AF5761203027D8F62D51 ft=0 fh=0000000000000000 vn="Win32/Exploit.MS04-028 trojan" ac=I fn="E:\telefon bekap\Samsung GT-I9505_20141222_222756.bak"
Link to post
Share on other sites

OK. Well I won't delete that file in the next script as it is a backup file.
 
Any problems so far?
 
FRST Fix

If FRST.exe/FRST64.exe is not on your desktop, please download Farbar Recovery Scan Tool and save it to your desktop.

  • Download the attached fixlist.txt and save it to your desktop <<< very important - it must be in the same location as FRST.exe/FRST64.exe
  • Right click frst.png and run as administrator. When the tool opens click Yes to the disclaimer.
  • Press the Fix button.
  • It will produce a log called fixlog.txt on your Desktop.
  • Please copy and paste the contents of that log back here.

    NOTICE: This script was written specifically for this user, for use on that particular machine, at this point in time. Running this on another machine may cause damage to your operating system.
Link to post
Share on other sites

i dont know what was that but i think you fixed it ruggie. no more rundll32 and strange connections :)

 

i am going to sleep now . if i need to do smthing more please write it. i will do it tomorrow.

 

and send me a paypal link please :)

 

thank you very much for everything. see you later .

 

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-01-2015

Ran by Odeon at 2015-01-17 01:23:40 Run:3

Running from C:\Users\Odeon\Desktop

Loaded Profiles: Odeon (Available profiles: Odeon)

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

start

C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000000

C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\00\00000000

C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\00\00000001

end

*****************

 

C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000000 => Moved successfully.

C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\00\00000000 => Moved successfully.

C:\Users\Odeon\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\00\00000001 => Moved successfully.

 

==== End of Fixlog 01:23:40 ====
Link to post
Share on other sites

Good news, it looks like your system is now clean. A good workman cleans up after himself so let's now attend to that :D

Tool Removal

We need to remove the tools we've used during cleaning your machine

  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Activate UAC
    • Create registry backup
    • Purge system restore
    • Reset System Settings
    delfix-select.png
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

    We need to uninstall a program
    Open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.
    Select the following programs from the list below, one at a time and click Uninstall.
    • ESET Online Scanner
    Delete the following Files and Folders (If Present):
    C:\Program Files (x86)\ESET
    Delete any other .bat, .log, .reg, .txt, and any other files created during this process, and left on the desktop and empty the Recycle Bin.



    Keep your machine updated

    Due to the ever-present tide of malware, it is important to ensure your computer is kept up-to-date to minimize the risk of future infection. An important step is to ensure that automatic updates are enabled.


    To enable automatic updates:

    Windows 7
    To turn on Automatic Updates yourself, follow these steps:
    • Click Start, type Windows update in the search box, and then click Windows Update in the Programs list.
    • In the left pane, click Change settings.
    • Select the option that you want.
    • Under Recommended updates, select the Give me recommended updates the same way I receive important updates or Include recommended updates when downloading, installing, or notifying me about updates check box, and then click OK.
    It is recommended to install an anti-malware to help prevent reinfection.
    Below are some free ones that can help keep you clean.

    Malwarebytes AntiMalware

    As you have installed Malwarebytes, I recommend that you keep this program and use it to help you stay clean.

    The free version will scan your computer and fix the problems it finds but will not provide real-time protection. You must scan regularly to find any threats.
    Consider purchasing the full version for active monitoring of threats.

    JAVA Advice
    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
    See this article and this article.
    I would recommend that you completely uninstall Java unless you need it to run an important software or need it to play games on-line.
    In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:
    • For Firefox, install the NoScript add-on.
    • For Chrome, install the ScriptSafe add-on.
      -->IMPORTANT<--: After installing the add-ons you will need to tell them that the site you are visiting is allowed to run Javascript. If you don't, the sites won't work properly. Or not at all. You can go to the NoScript home page here to learn how to use the add-on.
    • Disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser or How to unplug Java from the browser)
    If you still want to update your Java, follow the instructions below:

    A.
    Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:
    • Download the latest version of the Java Runtime Environment (JRE) Version from Here and save it to your desktop.
    • Look for "Java Platform, Standard Edition". You will see the current Java version and update number under listed under the heading. Example: The newest update is Java SE 8u25
    • Click the "Download button under "JRE".
    • On the Java SE Runtime Environment page, click the button to "Accept License Agreement".
    • Under the Java SE Runtime Environment 8u25 heading:
      To install the version for your system:
      • For Windows 64bit systems, look for Windows x64 - 88.37MB, click the jre-8u25-windows-64.exe file and save it to your desktop. Do Not run it from the Java site.
    • Close any programs you may have running - especially your web browser.
    B.
    Uninstall all versions of Java
    • Click Start > Control Panel > Add/Remove Programs. The list of installed programs will populate.
    • Click the Start Orb, then Control Panel. Under the Programs or Programs and Features section click Uninstall a program. The list of installed programs will populate.
    • Remove all older versions of Java. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE or J2SE
      The versions I see on the computer are:
      • Java 7 Update
      • Java 8 (64-bit)
      • Java SE Development Kit 8
    • Right click each program and click Uninstall and follow the on screen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    C.
    Install the latest JAVA

    Back on your desktop:
    • Right click the  jre-8u25-windows-x64.exe file, click Run as Administrator and OK the UAC prompt to install the newest version.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    [Note:] The Java Quick Starter (JQS.exe) adds a service to improve the initial start up time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > You will have to be in Classic View to see Java(It looks like a coffee cup). Double-click on Java click the Advanced Tab click Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.


    Update Adobe Flash Player

    NOTE: Depending on your settings, you may have to temporarily disable your antivirus software and firewall.
    • Please click here to go to the FlashPlayer Installation page.
    • In the first column, Adobe Flash Player, make sure the system version (64bit) and the browser are correct.
      • Note: If you use IE and other browsers you will need to install both Flash Player for IE and Flash Player for Other Browsers.
    • In the middle column, Optional offer:, UNCHECK the box next to Yes, install free McAfee Security Scan Plus
    • Click the Install now button. A download window for the install_flashplayer15x64_mssd_aaa_aih.exe file will open. Save it to the desktop.
    • Close the browser and all open windows.
    • Back on the desktop, right click the install_flashplayer15x64_mssd_aaa_aih.exe file and click Run as Administrator to install Flash Player.
    Cryptolocker Warning
    Go here for information about CryptoLocker Ransomeware.
    The main thing with this infection is ~ Backup.
    If you're using an external hard drive, keep it unplugged from the computer when you're not backing up files or using it. This will prevent the infection from getting to your backed up files if you ever do come across it.

    Recommended Programs
    Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.
    [url=https://www.foolishit.com/vb6-projects/cryptoprevent/

is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system.
Web Of Trust is a browser add-on designed to alert the user before interacting with a potentially malicious website. It will highlight green if a site is known to be safe.

Adblock is a firefox browser add-on that blocks annoying banners, pop-ups and video ads.

General Advice

  • When browsing the internet, look closely at the links you click on. Some aren't always what they seem
  • Avoid Peer to Peer file sharing utilities, these are a minefield of malware infections.
  • Don't open email attachments unless you are expecting them. Even an email from your best friend can be infected, they might not have sent it.
  • Pay attention when installing a program to your computer, particularly to any check boxes that may appear during installation, it is common for unwanted software to be installed in this way.
Link to post
Share on other sites

here is the delfix report.

 

nice work man. thank you very much again. 

 

 

# DelFix v10.8 - Logfile created 17/01/2015 at 17:30:10

# Updated 29/07/2014 by Xplode

# Username : Odeon - ODEON-PC

# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)

 

~ Activating UAC ... OK

 

~ Removing disinfection tools ...

 

Deleted : C:\_OTL

Deleted : C:\FRST

Deleted : C:\AdwCleaner

Deleted : C:\Users\Odeon\Desktop\FRST-OlderVersion

Deleted : C:\TDSSKiller.3.0.0.42_15.01.2015_20.43.42_log.txt

Deleted : C:\Users\Odeon\Desktop\Addition.txt

Deleted : C:\Users\Odeon\Desktop\AdwCleaner.exe

Deleted : C:\Users\Odeon\Desktop\Fixlog.txt

Deleted : C:\Users\Odeon\Desktop\FRST.txt

Deleted : C:\Users\Odeon\Desktop\FRST64.exe

Deleted : C:\Users\Odeon\Desktop\JRT.exe

Deleted : C:\Users\Odeon\Desktop\JRT.txt

Deleted : C:\Users\Odeon\Desktop\OTL.exe

Deleted : C:\Users\Odeon\Desktop\scan.txt

Deleted : HKLM\SOFTWARE\OldTimer Tools

Deleted : HKLM\SOFTWARE\AdwCleaner

 

~ Creating registry backup ... OK

 

~ Cleaning system restore ...

 

Deleted : RP #73 [OTL Restore Point - 15.01.2015 20:10:14 | 01/15/2015 19:10:14]

Deleted : RP #75 [Restore Point Created by FRST | 01/16/2015 21:00:41]

Deleted : RP #77 [Restore Point Created by FRST | 01/16/2015 21:01:42]

 

New restore point created !

 

~ Resetting system settings ... OK

 

########## - EOF - ##########
Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.