
Cryptowall came back



It returned after getting the firewall working and software updated under this topic:
Cryptowall effects noted, 1 thing won't work

 

It put the same notices, but now called Instructions.
I only see 2 messed-up files with Instructions in C: so far, not doc in documents.
In either case I did not download or run anything but was looking at some
business sites. I ran Malwarebytes looking for rootkits only and found none.
Did the firewall stop it from doing more, or since it put 3 pictures on the desktop
to show up at start, could it have done anything?


Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". <---- Very Important
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
      Text file (*.txt)  - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
      XML file (*.xml)   - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...



Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt). Please attach those logs to your reply.



Let me see those logs in your next reply...

Thank you,

Kevin...

I was wondering if in the previous event the Cryptowall was actually identified in something removed, and if anything here is.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/26/2016
Scan Time: 5:19 PM
Logfile: Maleware log.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.26.07
Rootkit Database: v2016.01.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Dave

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 393587
Time Elapsed: 38 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Disabled
Rootkits: Enabled
Heuristics: Disabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

# AdwCleaner v5.031 - Logfile created 26/01/2016 at 21:18:48
# Updated 25/01/2016 by Xplode
# Database : 2016-01-25.3 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Dave - DAVE-PC
# Running from : I:\New stuff\adwcleaner_5.031.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Headlight
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\driverupdate.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\en.softonic.com

***** [ Web browsers ] *****

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1052 bytes] ##########

Additional scan result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
Ran by Dave (2016-01-26 18:19:52)
Running from I:\New stuff\zip 01-16
Windows 7 Home Premium Service Pack 1 (X64) (2012-08-23 22:43:09)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3023370978-3506523679-905622001-500 - Administrator - Disabled)
ASPNET (S-1-5-21-3023370978-3506523679-905622001-1005 - Limited - Enabled)
Dave (S-1-5-21-3023370978-3506523679-905622001-1001 - Administrator - Enabled) => C:\Users\Dave
Guest (S-1-5-21-3023370978-3506523679-905622001-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3023370978-3506523679-905622001-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
AC3Filter 2.6.0b (HKLM-x32\...\AC3Filter_is1) (Version: 2.6.0b - Alexander Vigovsky)
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player 20 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 20.0.0.270 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.14) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.14 - Adobe Systems Incorporated)
AirHockey 3D 1.81 (HKLM-x32\...\AirHockey 3D) (Version: 1.81 - Avalanche Team)
Aliens vs Predator Classic 2000 (HKLM-x32\...\1207665883_is1) (Version: 2.0.0.21 - GOG.com)
AMD Catalyst Install Manager (HKLM\...\{0CB2E2BC-A312-5821-C5C7-A295A1BEFD08}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
America's Army 3 (HKLM-x32\...\Steam App 13140) (Version:  - U.S. Army)
Bass Audio Decoder (remove only) (HKLM-x32\...\Bass Audio Decoder) (Version:  - )
BrettspielWelt (HKLM-x32\...\BrettspielWelt) (Version: 1.0 - BrettspielWelt GmbH)
CD Audio Reader Filter (remove only) (HKLM-x32\...\CD Audio Reader Filter) (Version:  - )
Cisco EAP-FAST Module (HKLM-x32\...\{415B2719-AD3A-4944-B404-C472DB6085B3}) (Version: 2.1.6 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{83770D14-21B9-44B3-8689-F7B523F94560}) (Version: 1.0.12 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}) (Version: 1.0.13 - Cisco Systems, Inc.)
Classic Shell (HKLM\...\{DC45D291-769A-4608-A688-77E6DBC03498}) (Version: 3.6.1 - IvoSoft)
Combat Arms (HKLM-x32\...\Combat Arms) (Version:  - )
ConvertHelper 2.2 (HKLM-x32\...\{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1) (Version:  - DownloadHelper)
Cool Timer 5.2.3.0 (HKLM-x32\...\Cool Timer_is1) (Version:  - Harmony Hollow Software)
Crysis® SP Demo (HKLM-x32\...\{92AF2F5A-4407-4A03-A80A-5A2582264746}) (Version: 1.00.0000 - Electronic Arts)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - CutePDF.com)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DCoder Image Source (remove only) (HKLM-x32\...\DCoder Image Source) (Version:  - )
DirectVobSub (remove only) (HKLM-x32\...\DirectVobSub) (Version:  - )
DScaler 5 Mpeg Decoders (HKLM-x32\...\DScaler 5 Mpeg Decoders_is1) (Version:  - )
ffdshow v1.3.4533 [2014-09-29] (HKLM-x32\...\ffdshow_is1) (Version: 1.3.4533.0 - )
FFMPEG Core Files (remove only) (HKLM-x32\...\FFMPEG Core Files) (Version:  - )
Gabest MPEG Splitter (remove only) (HKLM-x32\...\Gabest MPEG Splitter) (Version:  - )
Galaxy Client (HKLM-x32\...\{D6D1DA54-531F-4FA0-B683-CE66ACE3543F}_is1) (Version: 0.1.0.456 - GOG.com)
GEM+/iGOR & Lee's GPL Setup Manager 2.5.0.32 (HKLM-x32\...\GEM+/iGOR & Lee's GPL Setup Manager_is1) (Version:  - GPLSecrets Group)
Guitar Pro 6 Demo (HKLM-x32\...\{14A487F2-1259-4E6C-AE3C-3C888DDBCB60}_is1) (Version:  - Arobas Music)
HAWKEN (HKLM-x32\...\Steam App 271290) (Version:  - Adhesive Games)
Hi-Rez Studios Authenticate and Update Service (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}) (Version: 3.0.0.0 - Hi-Rez Studios)
InstaCodecs (HKLM-x32\...\InstaCodecs_is1) (Version: 1.0 - )
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
Jericho Demo (HKLM-x32\...\{1CB55F41-7607-4225-B717-387B3C53FDAD}) (Version: 0.10.0000 - Codemasters)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LAV Filters 0.64 (HKLM-x32\...\lavfilters_is1) (Version: 0.64 - Hendrik Leppkes)
MadVR (remove only) (HKLM-x32\...\MadVR) (Version:  - )
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 1.1 (HKLM-x32\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Games for Windows - LIVE (HKLM-x32\...\{B45FABE7-D101-4D99-A671-E16DA40AF7F0}) (Version: 3.0.86.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{B578C85A-A84C-4230-A177-C5B2AF565B8C}) (Version: 3.0.17.0 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 43.0.4 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
Nexon Game Manager (HKLM-x32\...\{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}) (Version:  - )
NirSoft VideoCacheView (HKLM-x32\...\NirSoft VideoCacheView) (Version:  - )
NVIDIA PhysX (HKLM-x32\...\{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}) (Version: 9.09.0814 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
OpenSource AVI Splitter (remove only) (HKLM-x32\...\OpenSource AVI Splitter) (Version:  - )
OpenSource DTS/AC3/DD+ Source Filter (remove only) (HKLM-x32\...\OpenSource DTS/AC3/DD+ Source Filter) (Version:  - )
Opera 12.16 (HKLM-x32\...\Opera 12.16.1860) (Version: 12.16.1860 - Opera Software ASA)
Power Tab Editor 1.7 (HKLM-x32\...\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}) (Version: 1.7.0 - Power Tab Software)
Pro Evolution Soccer 5 DEMO(no voice) (HKLM-x32\...\InstallShield_{AEB74EBC-884B-4D76-98BC-4D88FE6F2E7F}) (Version: 1.00.0000 - KONAMI)
Pro Evolution Soccer 5 DEMO(no voice) (x32 Version: 1.00.0000 - KONAMI) Hidden
PT Boats: Knights of The Sea (HKLM-x32\...\PT Boats: Knights of The Sea_is1) (Version: Demo - Akella)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.989 - Even Balance, Inc.)
Real Alternative 2.0.2 (HKLM-x32\...\RealAlt_is1) (Version: 2.0.2 - )
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6194 - Realtek Semiconductor Corp.)
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
Team Fortress 2 (HKLM-x32\...\Steam App 440) (Version:  - Valve)
TimeShift Demo (HKLM-x32\...\{C319F101-4221-4C5A-A9DE-36A6718F8215}) (Version: 1.00.000 - Sierra)
Tribes Ascend (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF010}) (Version: 1.0.1268.1 - Hi-Rez Studios)
Windows 7 Codec Pack 4.0.7 (HKLM-x32\...\Windows 7 - Codec Pack) (Version: 4.0.7 - Windows 7 Codec Pack)
Windows Essentials Media Codec Pack 4.0 [64-Bit] (HKLM-x32\...\Windows Essentials Media Codec Pack) (Version: 4.0 - Media Codec)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinFF 1.2 (HKLM-x32\...\WinFF_is1) (Version:  - WinFF.org)
WinRAR 5.00 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)
Wireless N-lite USB Adapter Utility (HKLM-x32\...\{71AB49D0-9B47-4624-904C-D44B9B996656}) (Version: 1.5.4.0 - ZyXEL)
Xvid 1.1.3 final uninstall (HKLM-x32\...\Xvid_is1) (Version: 1.1 - Xvid team (Koepi))
Zoom Player (remove only) (HKLM-x32\...\ZoomPlayer) (Version: 10.0.0 - Inmatrix LTD)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {09EB13AC-9899-476C-A438-CBAF94CEF380} - System32\Tasks\{D2B18D4C-E05A-48E6-96E8-597C25889123} => C:\Aliens versus Predator Demo\AvP_Marine_Demo.exe [1998-11-25] ()
Task: {1349E205-A8F8-4405-8AF5-65DFBC7673C2} - System32\Tasks\{04172568-0C0C-4734-AABA-7AB1EE014C42} => C:\NFL Fever 2000 Trial\NFLFEVER.exe [1999-07-27] (MSFT)
Task: {14CB41F0-0735-495E-A7C4-BBBD6CD17BB8} - System32\Tasks\{F20FAA84-E9D2-4C51-975F-44121E8D5C06} => C:\COMET\COMET.EXE [1996-01-17] ()
Task: {233F6ECB-3A5D-440F-86B9-662522E1612C} - System32\Tasks\{EBEED6CC-BB5C-4D93-8CED-7DD9E88CB025} => G:\Quake3\quake3.exe
Task: {282EE9D0-7945-461F-B443-F94B1C237080} - System32\Tasks\{B294D644-12E0-4391-9854-FF8052825471} => C:\Aliens versus Predator Demo\AvP_Marine_Demo.exe [1998-11-25] ()
Task: {347A040B-F4F8-46C8-A642-95AF9ACA4DCE} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-13] (Adobe Systems Incorporated)
Task: {36BA5AF7-D8E7-4A4D-BFA5-8E48D9436B2A} - System32\Tasks\{8E87EF91-E491-4581-960C-6133E34DC5A7} => pcalua.exe -a "G:\Zip files\Software\retrospection_2.1_setup.exe"
Task: {38C55743-B717-4C6B-9B24-2AB39CA3D644} - System32\Tasks\{01D93840-F7FE-4D49-9F30-7CBE6BE4AE0B} => G:\Quake3\quake3.exe
Task: {3A34C632-1B55-4005-9A8F-046C2579460E} - System32\Tasks\{5AED553E-157B-40D2-96BB-7C297884F230} => C:\NHL 2001 Demo\nhl2001demo.exe [2000-09-12] ()
Task: {3C82F805-4F09-48CD-B99D-7191084409C4} - System32\Tasks\{267D3A3C-F1B0-45F2-8404-F9696821CB54} => G:\New stuff\Retrospection\RetrospectionFront.exe
Task: {3ECFE579-31FE-4EC0-85B8-AD789310C5DE} - System32\Tasks\{A96939CF-C34C-4131-80C2-DB3819A5F53B} => C:\Aliens versus Predator Demo\AvP_Marine_Demo.exe [1998-11-25] ()
Task: {5075EA60-34D8-4625-91FF-47F92B787EB4} - System32\Tasks\{D5E7A254-7C82-40CD-A8DE-2B03927B7B88} => C:\NFL Fever 2000 Trial\NFLFEVER.exe [1999-07-27] (MSFT)
Task: {512F5EE8-B32F-47CA-8995-6C42838ECC4A} - System32\Tasks\{AF900DF5-3DD9-4494-8CE6-C654CFE0295D} => C:\adciv\Ac.exe [2001-08-09] ()
Task: {58691C6F-786D-4827-BFA1-E0D113A1F32C} - System32\Tasks\{2FABA12A-E3D8-4AB1-B18B-80D6FAAFB990} => C:\Geardemo\Gear.exe [1996-02-16] ()
Task: {5A40E926-9E86-4B89-9CFD-B12311724371} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {6BB9CE94-443D-4B62-94D9-D1D391E2830A} - System32\Tasks\Windows Codec Update Service => C:\Program Files (x86)\Essentials Codec Pack\WECPUpdate.exe [2012-02-03] (MediaCodec.Org)
Task: {6F5CB4A0-2160-4E7F-A92B-1B08FC10191E} - System32\Tasks\{D0F0DB4E-54AF-4EAF-8A0A-748EAE9B7E32} => C:\NFL Fever 2000 Trial\NFLFEVER.exe [1999-07-27] (MSFT)
Task: {6FB1B1B1-0983-47D8-B165-5F22423A975B} - System32\Tasks\{32A15600-D985-4995-A0AD-7889FE7F6A28} => G:\Quake3\quake3.exe
Task: {72E2301D-1D4D-4BC4-8ACE-40F607CB01E7} - System32\Tasks\{9CBDDAFA-7DCB-48A8-B2C8-A221F7C359EE} => C:\adciv\Ac.exe [2001-08-09] ()
Task: {A2D8E75A-73DE-46EC-B307-F792E663C171} - System32\Tasks\{9526E09E-FE95-4B49-81D6-68B8B736B789} => C:\COMET\COMET.EXE [1996-01-17] ()
Task: {B515CB5D-A6C2-4212-90F4-BC9F42768890} - System32\Tasks\{C482FAAA-B35D-405B-B632-305AD9DCDCE6} => C:\Geardemo\Gear.exe [1996-02-16] ()
Task: {B9547313-2419-4495-9AD4-1AA3662ECE2E} - System32\Tasks\{4BAEC7CA-C40C-47D0-8697-691320BD81DE} => G:\New stuff\Retrospection\RetrospectionFront.exe
Task: {D71DAA71-215D-440C-AD50-AC04C62F14DD} - System32\Tasks\{C5D858F8-B98B-4105-B1C7-B39C47513457} => C:\adciv\Ac.exe [2001-08-09] ()
Task: {DD9F510C-95F4-499A-90C8-BAC5BC372FF4} - System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask => start sppsvc
Task: {E4E3DB73-E7EA-41C3-8C15-933D85818729} - System32\Tasks\{6F59A0A7-8343-4A55-AC88-C3ABC5CF6B21} => pcalua.exe -a C:\Users\Dave\AppData\Local\Temp\Temp1_MotoGP08_PC_demo.zip\setup.exe
Task: {F357EC66-21B3-49B5-BB17-C7818DE7C9AD} - System32\Tasks\{EFC0BF62-DA74-43E3-902C-807466C4942E} => C:\COMET\COMET.EXE [1996-01-17] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2013-08-13 10:51 - 2012-10-04 18:49 - 00087152 _____ () C:\Windows\System32\cpwmon64.dll
2012-06-11 15:12 - 2012-06-11 15:12 - 00212480 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.PerformanceTuning.dll
2012-03-05 18:03 - 2012-03-05 18:03 - 00677376 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll
2012-02-16 16:53 - 2012-02-16 16:53 - 03642880 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Platform.dll
2012-06-11 15:12 - 2012-06-11 15:12 - 00073728 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2013-09-19 10:13 - 2014-05-18 16:48 - 00076888 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2012-06-11 15:12 - 2012-06-11 15:12 - 00103424 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2012-06-11 14:45 - 2012-06-11 14:45 - 00369152 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\87696299.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\87696299.sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-3023370978-3506523679-905622001-1001\...\mail3x.com -> hxxp://ads.mail3x.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3023370978-3506523679-905622001-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1 - 205.171.3.26
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: IBUpdaterService => 2
MSCONFIG\Services: Updater By SweetPacks => 2
MSCONFIG\Services: vToolbarUpdater15.4.0 => 2
MSCONFIG\Services: ‮etadpug => 2
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^19DBAD56F.lnk => C:\Windows\pss\19DBAD56F.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^HELP_YOUR_FILES.HTML => C:\Windows\pss\HELP_YOUR_FILES.HTML.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^HELP_YOUR_FILES.PNG => C:\Windows\pss\HELP_YOUR_FILES.PNG.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^HELP_YOUR_FILES.TXT => C:\Windows\pss\HELP_YOUR_FILES.TXT.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.html => C:\Windows\pss\INSTRUCTIONS_A37F5173.html.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.png => C:\Windows\pss\INSTRUCTIONS_A37F5173.png.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.txt => C:\Windows\pss\INSTRUCTIONS_A37F5173.txt.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: AMD AVT => Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
MSCONFIG\startupreg: ISUSPM => "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
MSCONFIG\startupreg: Itibiti.exe => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
MSCONFIG\startupreg: SearchProtectAll => C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: vProt => "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{A4DDB47B-F444-4AE9-9464-1C719DF1E300}E:\quake3\quake3.exe] => (Allow) E:\quake3\quake3.exe
FirewallRules: [uDP Query User{CADF614C-04EF-44A3-AF55-A059EB4D5530}E:\quake3\quake3.exe] => (Allow) E:\quake3\quake3.exe
FirewallRules: [TCP Query User{558236CC-709A-45B0-BE6E-D3AEC9ED4A19}I:\quake3\quake3.exe] => (Allow) I:\quake3\quake3.exe
FirewallRules: [uDP Query User{7753C1F4-5AD0-41AE-9035-06AEA53BE3D3}I:\quake3\quake3.exe] => (Allow) I:\quake3\quake3.exe
FirewallRules: [{EB62D7D7-6BDC-40AC-A983-0D8993DFB765}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{0FA51F02-A8FC-4D24-8822-735A28F7738E}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{20B28F8F-587C-4DAB-9BF5-44F6C127CFB0}] => (Allow) C:\Steam\SteamApps\common\Team Fortress 2\hl2.exe
FirewallRules: [{366F0FA4-1D82-4750-92D7-FBDE5D3D5031}] => (Allow) C:\Steam\SteamApps\common\Team Fortress 2\hl2.exe
FirewallRules: [TCP Query User{213CCD6F-7F80-47C1-8488-13936C8A4505}C:\trackmania nations forever\tmforever.exe] => (Allow) C:\trackmania nations forever\tmforever.exe
FirewallRules: [uDP Query User{EEF47740-F71F-42EA-BC20-7B5557812165}C:\trackmania nations forever\tmforever.exe] => (Allow) C:\trackmania nations forever\tmforever.exe

==================== Restore Points =========================

12-01-2016 15:20:50 Windows Update
12-01-2016 19:01:44 Restore Point Created by FRST
12-01-2016 22:19:46 Windows Update
13-01-2016 11:18:12 Removed Java 7 Update 45
24-01-2016 18:14:16 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/26/2016 03:35:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/26/2016 01:06:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x4fd626ed
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x6d0
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3

Error: (01/26/2016 10:42:52 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/26/2016 01:06:35 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x4fd626ed
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x7ac
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3

Error: (01/25/2016 11:55:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/25/2016 08:02:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x4fd626ed
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x710
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3

Error: (01/25/2016 06:56:41 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/25/2016 04:36:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x4fd626ed
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x7a4
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3

Error: (01/25/2016 11:31:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/24/2016 11:37:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x4fd626ed
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x770
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3

System errors:
=============
Error: (01/26/2016 01:06:10 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD FUEL Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/26/2016 01:06:35 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD FUEL Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/25/2016 08:02:11 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD FUEL Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/25/2016 04:36:09 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD FUEL Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/25/2016 11:50:45 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/25/2016 11:50:38 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/25/2016 11:50:33 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/25/2016 11:50:24 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/25/2016 11:50:24 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/25/2016 11:50:24 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

CodeIntegrity:
===================================
  Date: 2014-11-07 23:26:23.219
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\sfvfs02.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-11-07 23:26:23.199
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\sfvfs02.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: AMD FX-4100 Quad-Core Processor
Percentage of memory in use: 30%
Total physical RAM: 8190.46 MB
Available physical RAM: 5699.57 MB
Total Virtual: 16379.11 MB
Available Virtual: 13419.53 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:240.84 GB) NTFS
Drive e: (DRV3_VOL1) (Fixed) (Total:111.76 GB) (Free:40.81 GB) FAT32
Drive f: (New Volume) (Fixed) (Total:272.85 GB) (Free:272.75 GB) NTFS
Drive i: (New Volume) (Fixed) (Total:292.97 GB) (Free:166.14 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACC8B171)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 486B9E5B)
Partition 1: (Active) - (Size=111.8 GB) - (Type=0C)
Partition 2: (Not Active) - (Size=272.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=293 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01
Ran by Dave (administrator) on DAVE-PC (26-01-2016 18:19:21)
Running from I:\New stuff\zip 01-16
Loaded Profiles: Dave (Available Profiles: Dave)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Hi-Rez Studios) C:\Tribes Ascend\HiPatchService.exe
(IvoSoft) C:\Classic Shell\ClassicStartMenu.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Ralink Technology, Corp.) C:\ZyXEL\N220\Common\RaRegistry.exe
(Ralink Technology, Corp.) C:\ZyXEL\N220\Common\RaRegistry64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Firegraphic.com) C:\Firegraphic 6\Firegraphic.exe
(BrettspielWelt GmbH) C:\BSW\BrettspielWelt.exe
(MMedia Research Corp) C:\Users\Dave\Desktop\LVIEWPRO.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Farbar) I:\New stuff\zip 01-16\Farbar RST64.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11464296 2010-09-03] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Classic Shell\ClassicStartMenu.exe [159744 2012-08-19] (IvoSoft)
HKLM-x32\...\Run: [startCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-06-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation)
ShellIconOverlayIdentifiers: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Classic Shell\ClassicExplorer64.dll [2012-08-19] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Classic Shell\ClassicExplorer32.dll [2012-08-19] (IvoSoft)
BootExecute: autocheck autochk * bootdelete

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.26 205.171.2.26
Tcpip\..\Interfaces\{35924C7C-99D3-4386-BB4E-704C64247C7A}: [DhcpNameServer] 192.168.0.1 205.171.3.26 205.171.2.26
Tcpip\..\Interfaces\{D429B006-59C4-49E1-8F91-0C08DC2AAF25}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKU\S-1-5-21-3023370978-3506523679-905622001-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://en.boardgamearena.com/#!gamelobby
SearchScopes: HKLM-x32 -> DefaultScope {10E6CF9A-A768-44F4-BF6E-609B97ABF1EA} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3023370978-3506523679-905622001-1001 -> DefaultScope {BE50A3BD-1E1F-4688-9FD0-334A74D91E79} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3023370978-3506523679-905622001-1001 -> {BE50A3BD-1E1F-4688-9FD0-334A74D91E79} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Classic Shell\ClassicExplorer64.dll [2012-08-19] (IvoSoft)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Classic Shell\ClassicIE9DLL_64.dll [2012-08-19] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Classic Shell\ClassicExplorer32.dll [2012-08-19] (IvoSoft)
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2016-01-12] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: No Name -> {A5366673-E8CA-11D3-9CD9-0090271D075B} -> No File
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2016-01-12] (Oracle Corporation)
BHO-x32: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Classic Shell\ClassicIE9DLL_32.dll [2012-08-19] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Classic Shell\ClassicExplorer64.dll [2012-08-19] (IvoSoft)
Toolbar: HKLM - No Name - {A39E563A-2D0A-4909-B52F-051C44A483CE} -  No File
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Classic Shell\ClassicExplorer32.dll [2012-08-19] (IvoSoft)
Toolbar: HKLM-x32 - FindWide Toolbar - {A39E563A-2D0A-4909-B52F-051C44A483CE} - C:\Program Files (x86)\TNT2\Profiles\11083\passport.dll No File
Toolbar: HKU\S-1-5-21-3023370978-3506523679-905622001-1001 -> No Name - {A39E563A-2D0A-4909-B52F-051C44A483CE} -  No File
DPF: HKLM-x32 {56505FCF-9DB3-49B4-BA5F-BE3AAE44CF2E} hxxps://cityprojects.talgov.net/projectdox/Resources/BravaClient/en/BravaClientXWrapper.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

FireFox:
========
FF ProfilePath: C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\11gg3lcq.default
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-08-05] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-08-05] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2016-01-12] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2016-01-12] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [2013-09-05] (Nexon)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 -> C:\Real Alternative\browser\plugins\nppl3260.dll [2010-02-15] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-15] (RealNetworks, Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-12-17] (Adobe Systems Inc.)
FF Extension: The Addon Bar (restored) - C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\11gg3lcq.default\Extensions\the-addon-bar@GeekInTraining-GiT.xpi [2015-06-14]
FF Extension: Video DownloadHelper - C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\11gg3lcq.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-11-09]

Opera:
=======
StartMenuInternet: (HKLM) Opera - G:\Opera\Opera.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-06-11] (Advanced Micro Devices, Inc.) [File not signed]
S3 GalaxyService; C:\Program Files (x86)\GalaxyClient\GalaxyService.exe [2191648 2014-09-18] (GOG.com)
U2 HiPatchService; C:\Tribes Ascend\HiPatchService.exe [9216 2014-02-28] (Hi-Rez Studios) [File not signed]
S2 MBAMService; C:\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-05-18] ()
R2 RalinkRegistryWriter; C:\ZyXEL\N220\Common\RaRegistry.exe [185632 2009-07-14] (Ralink Technology, Corp.)
R2 RalinkRegistryWriter64; C:\ZyXEL\N220\Common\RaRegistry64.exe [211232 2009-07-14] (Ralink Technology, Corp.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S3 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-14 12:41 - 2016-01-14 12:41 - 00001471 _____ C:\Users\Dave\Desktop\Brettspielwelt.lnk
2016-01-14 12:01 - 2016-01-14 12:01 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-01-14 11:40 - 2016-01-22 16:02 - 00000000 ____D C:\Users\Dave\AppData\Roaming\BSW
2016-01-14 11:40 - 2016-01-14 12:41 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Brettspielwelt
2016-01-14 11:34 - 2016-01-14 12:01 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2016-01-13 23:02 - 2016-01-13 23:02 - 00014590 _____ C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Brettspielwelt  old - Shortcut.lnk
2016-01-13 11:01 - 2016-01-13 11:01 - 00000000 ____D C:\BSW
2016-01-12 18:27 - 2016-01-12 18:35 - 00000000 ____D C:\Users\Dave\Doctor Web
2016-01-12 15:36 - 2016-01-12 15:36 - 00000000 __SHD C:\Users\Dave\AppData\LocalLow\EmieUserList
2016-01-12 15:36 - 2016-01-12 15:36 - 00000000 __SHD C:\Users\Dave\AppData\LocalLow\EmieSiteList
2016-01-12 15:21 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-01-12 15:21 - 2014-05-14 11:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-01-12 15:21 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-01-12 15:21 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-01-12 15:21 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2016-01-12 15:21 - 2014-05-14 11:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2016-01-12 15:21 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2016-01-12 15:21 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-01-12 15:21 - 2014-05-14 11:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2016-01-12 15:21 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2016-01-12 15:21 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2016-01-12 15:21 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2016-01-12 15:21 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2016-01-12 15:21 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2016-01-12 15:00 - 2016-01-26 18:19 - 00000000 ____D C:\FRST
2016-01-12 14:59 - 2016-01-12 15:30 - 00000000 ____D C:\AdwCleaner
2016-01-12 12:22 - 2016-01-13 11:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-01-12 12:22 - 2016-01-12 12:22 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Sun
2016-01-12 12:22 - 2016-01-12 12:22 - 00000000 ____D C:\Users\Dave\.oracle_jre_usage
2016-01-12 12:21 - 2016-01-12 12:21 - 00000000 ____D C:\Program Files (x86)\Java
2016-01-12 12:20 - 2016-01-12 12:20 - 00000000 ____D C:\Users\Dave\AppData\LocalLow\Oracle
2016-01-12 12:00 - 2016-01-12 12:00 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Brettspielwelt  old
2016-01-11 17:42 - 2016-01-11 22:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-01-10 21:44 - 2016-01-10 21:44 - 00000000 ____D C:\Users\Dave\AppData\Local\Chromium
2015-12-30 23:58 - 2015-12-30 23:58 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Guitar Pro 6
2015-12-30 23:58 - 2015-12-30 23:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Guitar Pro 6
2015-12-30 23:58 - 2015-12-30 23:58 - 00000000 ____D C:\ProgramData\Guitar Pro 6
2015-12-30 23:56 - 2015-12-30 23:57 - 00000000 ____D C:\Guitar Pro 6

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-26 17:19 - 2015-01-17 19:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-26 16:48 - 2013-07-05 08:59 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{A4797549-CAB1-4E29-B9E1-E6B9D2F32C13}
2016-01-26 16:44 - 2013-07-03 14:46 - 00000000 ____D C:\Users\Dave\Documents\Firegraphic
2016-01-26 15:42 - 2009-07-13 23:45 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-26 15:42 - 2009-07-13 23:45 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-26 15:39 - 2009-07-14 00:13 - 00740482 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-26 15:39 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-01-26 15:35 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-26 13:01 - 2013-10-29 10:43 - 00000000 ____D C:\Windows\pss
2016-01-26 01:06 - 2014-02-26 13:41 - 00000000 ____D C:\Steam
2016-01-25 16:20 - 2013-07-04 11:10 - 00000000 ____D C:\Capture
2016-01-24 00:39 - 2013-11-10 22:29 - 00000000 ____D C:\Users\Dave\Documents\TrackMania
2016-01-23 11:04 - 2013-08-22 10:38 - 00000000 ____D C:\ProgramData\Zoom Player
2016-01-18 15:19 - 2013-07-03 15:19 - 00008440 _____ C:\Windows\lviewpro.ini
2016-01-15 18:33 - 2012-08-23 23:19 - 00000000 ____D C:\Users\Dave\AppData\Local\ElevatedDiagnostics
2016-01-15 18:33 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2016-01-14 17:59 - 2013-07-02 09:15 - 00000000 ____D C:\Users\Dave\AppData\Roaming\BSW  old
2016-01-14 11:58 - 2013-01-12 20:55 - 00000000 ____D C:\ProgramData\Adobe
2016-01-14 11:45 - 2014-06-16 18:27 - 00000000 ____D C:\Users\Dave\AppData\Local\Adobe
2016-01-14 11:38 - 2013-01-12 20:57 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Adobe
2016-01-14 11:34 - 2013-01-13 21:04 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-01-14 11:29 - 2013-07-01 23:31 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-14 11:29 - 2013-07-01 23:31 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-13 12:25 - 2012-08-23 17:43 - 00000000 ____D C:\Users\Dave\AppData\Local\VirtualStore
2016-01-13 11:20 - 2013-07-01 23:56 - 00000000 ____D C:\Java
2016-01-12 19:36 - 2012-08-23 17:43 - 00000000 ____D C:\Users\Dave
2016-01-12 19:02 - 2013-08-13 10:08 - 00000000 ____D C:\Users\Dave\AppData\LocalLow\Temp
2016-01-12 16:48 - 2014-07-02 23:30 - 00000000 ____D C:\Users\Dave\Desktop\Tzolkin
2016-01-12 15:31 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SchCache
2016-01-12 15:24 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2016-01-12 15:20 - 2015-01-17 19:32 - 00000000 ____D C:\Malwarebytes Anti-Malware
2016-01-12 14:29 - 2015-06-14 11:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-12 12:23 - 2013-10-29 21:23 - 00000000 ____D C:\ProgramData\Oracle
2016-01-12 12:22 - 2013-10-29 21:23 - 00278624 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2016-01-12 12:22 - 2013-10-29 21:23 - 00191584 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2016-01-12 12:22 - 2013-10-29 21:23 - 00191072 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2016-01-12 12:22 - 2013-10-29 21:23 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-01-12 00:25 - 2015-06-14 17:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-01-11 11:32 - 2013-07-02 22:06 - 00000000 ____D C:\4x4 Evolution
2015-12-29 10:20 - 2009-07-14 00:08 - 00032566 _____ C:\Windows\Tasks\SCHEDLGU.TXT

==================== Files in the root of some directories =======

2015-06-14 09:53 - 2015-06-14 09:53 - 0000064 _____ () C:\Users\Dave\AppData\Local\bdb49bc6be0eab049e86c2a65af0618e
2013-07-04 20:53 - 2013-07-05 15:41 - 0009728 _____ () C:\Users\Dave\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-03 15:02 - 2013-07-03 15:02 - 0000092 _____ () C:\Users\Dave\AppData\Local\fusioncache.dat
2015-09-29 19:42 - 2015-09-29 19:42 - 0000017 _____ () C:\Users\Dave\AppData\Local\resmon.resmoncfg

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-01-21 17:27

==================== End of FRST.txt ============================

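For readers working through the FRST output above: most of it is noise, and the lines that matter fall into a handful of patterns. The script below is an added example for this page, not a Farbar or Malwarebytes tool and not something posted in the thread. It pulls those patterns out of any FRST.txt / Addition.txt: service and driver binaries FRST marks as unsigned, autostart or browser entries whose target file is gone ("No File"), repeated Event ID 1000 crashes, and CodeIntegrity verification failures. The text it scans is excerpted from the log above; the meaning of the R/S/U letter and the start-type digit given in the comments follows FRST's own convention and the Windows service start types.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Added example for this thread; it is not a Malwarebytes or Farbar tool. It reads the
plain-text FRST.txt / Addition.txt output and buckets the lines a responder reads
first. SAMPLE_LOG is excerpted from the log posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# FRST service/driver line, e.g.
#   R2 AMD FUEL Service; C:\...\Fuel.Service.exe [361984 2012-06-11] (Advanced Micro Devices, Inc.) [File not signed]
# Leading letter is the state (R = running, S = stopped, U = unknown; FRST's convention),
# the digit is the Windows start type (2 = automatic, 3 = manual, 4 = disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<vendor>[^)]*)\)(?P<tail>.*)$"
)
CRASH_RE = re.compile(r"^Description: Faulting application name:\s*(?P<exe>[^,]+),")
CODE_INTEGRITY_RE = re.compile(r"unable to verify the image integrity of the file (?P<path>\S+) because")


@dataclass
class ServiceEntry:
    state: str
    start_type: int
    name: str
    path: str
    vendor: str
    signed: bool  # False when FRST appended "[File not signed]"


def parse_service(line: str):
    """Parse one FRST service/driver line; return None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    return ServiceEntry(
        state=m["state"], start_type=int(m["start"]), name=m["name"].strip(),
        path=m["path"], vendor=m["vendor"].strip(),
        signed="[File not signed]" not in m["tail"],
    )


def triage(text: str) -> dict:
    """Walk the log once and bucket the noteworthy lines."""
    unsigned, no_vendor, orphans, code_integrity = [], [], [], []
    crashes = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc is not None:
            if not svc.signed:
                unsigned.append(svc)          # binary carries no valid Authenticode signature
            elif not svc.vendor:
                no_vendor.append(svc)         # no company in the version resource: review by hand
            continue
        if line.endswith("No File"):
            orphans.append(line)              # registry points at a file that no longer exists
            continue
        m = CRASH_RE.match(line)
        if m:
            crashes[m["exe"].strip()] += 1    # Event ID 1000 crash entries, counted per executable
            continue
        m = CODE_INTEGRITY_RE.search(line)
        if m:
            code_integrity.append(m["path"])  # kernel refused to verify a driver image
    return {"unsigned": unsigned, "no_vendor": no_vendor, "orphans": orphans,
            "crashes": dict(crashes), "code_integrity": code_integrity}


# Excerpt of the FRST log posted above (services, toolbar/BHO, event log, CodeIntegrity).
SAMPLE_LOG = r"""
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-06-11] (Advanced Micro Devices, Inc.) [File not signed]
S3 GalaxyService; C:\Program Files (x86)\GalaxyClient\GalaxyService.exe [2191648 2014-09-18] (GOG.com)
U2 HiPatchService; C:\Tribes Ascend\HiPatchService.exe [9216 2014-02-28] (Hi-Rez Studios) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-05-18] ()
BHO-x32: No Name -> {A5366673-E8CA-11D3-9CD9-0090271D075B} -> No File
Toolbar: HKLM - No Name - {A39E563A-2D0A-4909-B52F-051C44A483CE} -  No File
Toolbar: HKLM-x32 - FindWide Toolbar - {A39E563A-2D0A-4909-B52F-051C44A483CE} - C:\Program Files (x86)\TNT2\Profiles\11083\passport.dll No File
Error: (01/26/2016 01:06:35 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x4fd626ed
Error: (01/25/2016 08:02:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x4fd626ed
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\sfvfs02.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}:")
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Run against this log it surfaces what a responder would read first: the two unsigned service binaries (AMD FUEL Service and HiPatchService), the orphaned FindWide Toolbar and BHO registry entries that the JRT run further down removes, and the recurring Fuel.Service.exe crash in Device.dll that accounts for the Service Control Manager 7034 events at the same timestamps. None of those is a Cryptowall indicator. The CodeIntegrity entries for sfvfs02.sys date from 2014 and belong to the Microsoft Application Virtualization client that the process list also shows (sftvsa.exe, sftlist.exe), so they want checking rather than deleting.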

Apologies, I did not see your reply. Continue as follows:

Download TFC to your desktop from either of the following links:

http://oldtimer.geekstogo.com/TFC.exe

http://itxassociates.com/OT-Tools/TFC.exe

Save any open work. TFC will close all open application windows.

Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.

If prompted, click "Yes" to reboot.

TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may reboot your system; if not, reboot it yourself to complete the cleaning process. <---- Very Important

 

Next,

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Next,

 

Download Dr Web CureIt from here http://www.freedrweb.com/cureit and save it to your desktop. (Scroll to the bottom of the page.)

  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://www.computerhope.com/issues/chsafe.htm
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning


    drwebselect.JPG

  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats
  • Press start scan
  • The scan will now commence
  • Once the scan has finished, click open report <<<--- Do not miss this step
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive. Please attach it to your next reply.
 

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs.)
Double-click SecurityCheck.exe (Vista or Windows 7/8 users right-click and select "Run as Administrator") and follow the onscreen instructions inside the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, reboot your PC, then try again.
 

 

Let me see those logs; also give an update on any remaining issues or concerns.

 

Thank you,

 

Kevin...


Would you answer my original question? 

DrWeb CureIt is too big for your forum. Summary is shown.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 7 Home Premium x64
Ran by Dave (Administrator) on Tue 02/02/2016 at 10:54:39.23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 20

Successfully deleted: C:\Users\Dave\AppData\Local\{E44C7947-123C-4ADC-8238-25DC54827385} (Empty Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\bdb49bc6be0eab049e86c2a65af0618e (File)
Successfully deleted: C:\Users\Dave\AppData\Local\crashrpt (Folder)
Successfully deleted: C:\Users\Dave\Desktop\uninstall.lnk (Shortcut)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0528617Z (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0EZH29HT (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3R52IOLT (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\809T1FSF (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AIFIQ8C (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\92XCKTOX (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DHBLL3IT (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IG9W06Z6 (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHUPLJ0A (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MAQ1X81V (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MD90N4EU (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4BCST75 (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O9B8VKIO (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBOILVM9 (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XGXMWM0X (Folder)
Successfully deleted: C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YGZDHA3C (Folder)

 

Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A39E563A-2D0A-4909-B52F-051C44A483CE} (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{A39E563A-2D0A-4909-B52F-051C44A483CE} (Registry Value)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/02/2016 at 10:57:49.85
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Drwebcure
Total 5114601989 bytes in 20708 files scanned (23865 objects)
Total 20619 files (23769 objects) are clean
There are no infected objects detected
Total 95 files are raised error condition

 Results of screen317's Security Check version 1.009 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 66 
 Java version 32-bit out of Date!
  Adobe Flash Player 18.0.0.209 Flash Player out of Date! 
 Adobe Reader XI 
 Mozilla Firefox (43.0.4)
````````Process Check: objlist.exe by Laurent```````` 
 windows defender MpCmdRun.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

Scan time is 00:07:38.607


Do you refer to Cryptowall? If so, then no, I did not see any evidence to suggest it was on your system.....

 

Why do you not have an Anti-virus program installed? Also UAC is disabled, any specific reason why?

 

Go here http://www.adobe.com/shockwave/welcome/ and have Adobe Flash Player checked. Accept the new version if required.

There may be an offer of Google Chrome etc, untick those options if offered...

 

Next,

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of Java components and upgrade the application.

 

Upgrading Java:

 

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

 

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them. <<-- Very Important


What is the current status of your system, do you have any remaining issues or concerns?

 

Thank you,

 

Kevin


It put up the same 3 pictures on desktop to show up at start as the first time, which claimed I have joined

the Cryptowall community.  That is why I am wondering: did the firewall stop it from doing more, or was it a botched attack?

Can it put 3 pictures on desktop to show up at start but not run a program?

 

I turned off Flash for IE for my regular use and would run Mozilla if something needs it.

Would that help?


Windows Firewall will not stop any version of Cryptowall, I did not see any evidence to suggest your system was or had ever been infected with any version of Cryptowall...

 

Why do you not have an Anti-virus program installed? I also asked that question in your previous thread.

 

Let's have a look at start up entries on your system....

 

Close all windows, Select > start icon > all programs > accessories > Right click on "command prompt" > select > Run as administrator > ok any alerts > at the command prompt type or copy and paste the following:

wmic startup get Caption, Location, Command /format:list > 0 & notepad 0

Select "Enter". Notepad will open with the results, let me see those contents in your reply...

Thank you,

Kevin..

 

****Edit****

 

Can you clarify if the following entries are related to the 3 images you mention as being on your Desktop

 

MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^19DBAD56F.lnk => C:\Windows\pss\19DBAD56F.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^HELP_YOUR_FILES.HTML => C:\Windows\pss\HELP_YOUR_FILES.HTML.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^HELP_YOUR_FILES.PNG => C:\Windows\pss\HELP_YOUR_FILES.PNG.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^HELP_YOUR_FILES.TXT => C:\Windows\pss\HELP_YOUR_FILES.TXT.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.html => C:\Windows\pss\INSTRUCTIONS_A37F5173.html.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.png => C:\Windows\pss\INSTRUCTIONS_A37F5173.png.Startup
MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.txt => C:\Windows\pss\INSTRUCTIONS_A37F5173.txt.Startup

 

Those entries are currently disabled, I assume you did that yourself?

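The two listings in this thread use different layouts: the `wmic startup ... /format:list` output is blocks of `Key=Value` lines, while the FRST `MSCONFIG\startupfolder:` lines record items msconfig has disabled, with `\` written as `^` and the file moved to `C:\Windows\pss`. The following is an added example, not code from the thread or from any of the tools mentioned; it parses both formats and flags captions that match the ransom-note file names seen above, using sample input constructed from the entries posted here.

```python
import re

# Ransom-note names seen in this thread: HELP_YOUR_FILES.* and INSTRUCTIONS_<hex>.* (html/png/txt)
RANSOM_NOTE = re.compile(r"^(HELP_YOUR_FILES|INSTRUCTIONS_[0-9A-F]+)\.(html|png|txt)$", re.I)

def parse_wmic_list(text: str) -> list[dict[str, str]]:
    """Parse 'wmic ... /format:list' output: Key=Value lines, a blank line closes each entry."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:  # last entry may not be followed by a blank line
        entries.append(current)
    return entries

def parse_msconfig_startupfolder(line: str) -> dict[str, str]:
    """Decode an FRST 'MSCONFIG\\startupfolder:' line; msconfig writes '\\' as '^' in the key name."""
    m = re.match(r"MSCONFIG\\startupfolder:\s*(.+?)\s*=>\s*(.+?)\s*$", line)
    if not m:
        raise ValueError(f"not an MSCONFIG startupfolder line: {line!r}")
    folder, _, name = m.group(1).replace("^", "\\").rpartition("\\")
    # Command is the backup copy in C:\Windows\pss that msconfig made when the item was disabled
    return {"Caption": name, "Command": m.group(2), "Location": folder}

def find_ransom_note_artifacts(entries: list[dict[str, str]]) -> list[str]:
    """Captions that match the ransom-note naming pattern, in listing order."""
    return [e["Caption"] for e in entries if RANSOM_NOTE.match(e["Caption"])]

# Constructed samples, copied from the listings posted in this thread
WMIC_SAMPLE = r"""Caption=RtHDVCpl
Command=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Caption=Classic Start Menu
Command=C:\Classic Shell\ClassicStartMenu.exe
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""
FRST_SAMPLE = [
    r"MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^19DBAD56F.lnk => C:\Windows\pss\19DBAD56F.lnk.Startup",
    r"MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.html => C:\Windows\pss\INSTRUCTIONS_A37F5173.html.Startup",
    r"MSCONFIG\startupfolder: C:^Users^Dave^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Accessories^Startup^INSTRUCTIONS_A37F5173.png => C:\Windows\pss\INSTRUCTIONS_A37F5173.png.Startup",
]
if __name__ == "__main__":
    print(find_ransom_note_artifacts(parse_wmic_list(WMIC_SAMPLE) + [parse_msconfig_startupfolder(l) for l in FRST_SAMPLE]))
```

Note that the live `wmic startup` listing only shows enabled entries, so the disabled ransom-note files surface only through the msconfig records FRST reports.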

I don't use anti-virus because it is a constant nuisance.

I updated Windows 7 for the first time, if that helps stop this sort of thing.

 

Caption=RtHDVCpl
Command=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Caption=Classic Start Menu
Command=C:\Classic Shell\ClassicStartMenu.exe
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

The  C:\Windows\pss\HELP_YOUR_FILES.PNG.Startup

appeared the first time when it actually destroyed documents

and C:\Windows\pss\INSTRUCTIONS_A37F5173.png.Startup

showed up this time when not much happened. 

 

Yes, I disabled them.

 

 


Thanks for the update, run the following:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs....
 

Let me see those logs...

 

 

I don't use anti virus because it is a constant nuisance.

There is a very big risk of infection when you have no anti-virus program....

 

Fixlist.txt


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
