# I have a Trojan. Can you help please?



## Satidraox (Nov 2, 2014)

So I guess I'll start off by posting the system information that is required:

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Ultimate, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i3-2330M CPU @ 2.20GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 4
RAM: 4009 Mb
Graphics Card: Intel(R) HD Graphics 3000, 1812 Mb
Hard Drives: C: Total - 88498 MB, Free - 5599 MB; D: Total - 149973 MB, Free - 35796 MB;
Motherboard: SAMSUNG ELECTRONICS CO., LTD., 300E4A/300E5A/300E7A/3430EA/3530EA
Antivirus: None

So now I'll begin describing my problem, which is very difficult actually since this will be abstract, anyway...
So I was playing League of Legends with my friend today whilst on Skype when suddenly the computer restarted; it shut down instantaneously and restarted, so I thought it had just overheated. When I came back on again I found that whenever I opened Skype, it would turn to "not responding", therefore I tried to uninstall and reinstall. As I went onto the Skype download page suddenly it would say this: See Exhibit A

Now I was extremely confused as to what kind of error this was. As I was pondering, I tried to log back onto my League of Legends account (thought this bit may not be helpful if you don't play League; if you don't, just skip this). After it checked the login queue it then just said "can't connect to server", which was weird since I thought I'd already connected to the server.

Finally, I think I found out what caused it. One of the ads from Rockettab and Stormwatch, which I had no clue were running at the time (I think my dad accidentally downloaded them; I have since gone and uninstalled them), sent me a pop-up earlier that day which I thought was an update from Skype. Normally I just skip these, but today I decided to just update it. After that it kinda just went "not responding" for a while before it came back; I thought nothing was wrong till later on, of course.

I should point out that I had been having difficulties connecting to the internet prior to this that I think were unnatural on startup. After I started up, it would tell me something about a proxy server that it wasn't able to connect to. Being the idiot I am, I ignored this since it went back to normal after a couple of minutes.

Now, I am not saying that the Skype fake update was the trojan, I'm just saying it is the most likely explanation, and yes, I have no antivirus. I guess I reap what I sow for that.

I have a slight theory about how it works: anything that has the word "Download" on it seems to be denied, like download.cnet.com, which is blocked.
I also cannot open Google Chrome, which I started using two days ago, though I had it installed before that. I used Maxthon and I am continuing to do so in light of the recent events, even though I uninstalled with Revo Uninstaller and then reinstalled. IE and Firefox do not have any problems, it seems. Just thought it was something interesting that I noticed.

Lastly, I have not downloaded anything in the past weeks if you were wondering. Sorry for the wall of text and I hope you can help; if not, then thank you for reading regardless.


----------



## Satidraox (Nov 2, 2014)

Oh, just a quick note: almost everything else doesn't get blocked, like Facebook, YouTube, Twitter and Tumblr etc.


----------



## Satidraox (Nov 2, 2014)

Something new that I've found is that I can download things, but I either have to be torrenting or I have to be extremely quick about clicking everything, otherwise it then blocks it off for me, so... I guess some little behaviour that I noticed, not sure if helpful.


----------



## askey127 (Dec 22, 2006)

Hi Satidraox,
Your machine won't survive long without an antivirus.

You also do not have enough free space on your hard drive.
Anything you can remove would help, and then follow by emptying the Recycle bin.
------------------------------------------------------------------
*Create and Run a Windows Defender Boot Disk*
You will need a blank, writeable CD-R, DVD+R or DVD-R for this.
Download the correct version of the Disk Creator for the infected machine (64 bit), and start the installer to create the boot disk. 
You may need to use a clean, uninfected machine to download and create the disk.
Detailed Instruction for Downloading, Creating, and Using the *Windows Defender Boot Disk* is here:
https://blogs.technet.com/b/securit...windows-defender-offline.aspx?Redirected=true

The location for the 64 bit Disk Creator is here:
http://go.microsoft.com/fwlink/?LinkID=234124

Download the correct file *for the infected machine* and save it somewhere you can find it.
(You can use either a 32-bit or 64-bit machine to create the CD)
Double click the downloaded file to burn the Windows Defender Boot Disk.

Insert the Disk you created into the infected machine, and reboot.
After the CD initializes, it will start running a Quick Scan.
Click the button to *Cancel Scan*.
Then choose the *Full Scan* under Scan Options, and *Start Scan*.
This could take an hour or more.

When the scan completes, you will see a summary of malware items found.
Click *Clean PC*.

When the cleaning is finished, remove the disk and reboot the machine.

Let me know how it goes, and we will proceed from there.
askey127


----------



## Satidraox (Nov 2, 2014)

I'll need to wait till tomorrow as I do not have another clean computer at home, therefore I'll just do it at school, since it, predictably, does not allow me to download it.


----------



## askey127 (Dec 22, 2006)

While you are home, see what you can do to remove unnecessary programs, files, etc. and empty the Recycle bin.
You should try for 15% free space on the C: drive.


----------



## Satidraox (Nov 2, 2014)

I'm afraid you'll have to wait another day, sorry >.< I had a math exam today which went over half our lunch break, meaning that I didn't have enough time to download the 250 MB of installation files needed.
I did however make progress on removing unnecessary stuff; I now have 24ish GB of free space on my C: drive, so I guess it's some sort of progress.
And I did try just taking the installation file home and downloading the 250 MB of stuff; that obviously did not work though, but worth a shot I guess.


----------



## Satidraox (Nov 2, 2014)

Well, I've run Windows Defender Offline with the Full Scan option and it's come up clean. So I don't actually know what to make of it...


----------



## askey127 (Dec 22, 2006)

Satidraox,
Since Windows Defender didn't find anything, it's most likely you have some malicious adware that is screwing up the system.
We can usually find and fix these, if we have the tools available, and if your system files have not been corrupted.
Don't know enough yet to have an opinion.

Please follow each task, in the order given.
-----------------------------------------------------------
*Download the Microsoft Security Essentials Installer*
The download is here: http://www.microsoft.com/security_essentials/
*Choose "Save As" and save it to your desktop.*
Double Click the icon for the Microsoft Security Essentials installer.
Let it install, update itself, run a scan and delete anything it finds.
=================================================================
If for some reason you have trouble getting *MSE* to install, you can use *Avast*, also free.
*Just make sure you don't install both of them !!*
*Avast*: http://www.avast.com/index
Install it, let it run a full scan, and delete anything it wants.

=====================================================================
*Tools That May Be Required To Fix This*
I will give you a list of tools I am going to want you to have available.
They are all standalone executable programs; none of them need to be "installed".
You just save them to your desktop only as needed, and run them.

If you cannot download them, use a flash drive or CD to save them after downloading them using another PC.
Then copy them to your desktop, one at a time, as needed. None of them are very large.


*64-bit version of FRST* : http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
*CKScanner*: http://downloads.malwareremoval.com/CKScanner.exe
*OTL*: http://oldtimer.geekstogo.com/OTL.exe
*TDSSKiller*: http://www.bleepingcomputer.com/download/tdsskiller/
*Rkill*: http://download.bleepingcomputer.com/grinler/rkill.exe
*Rkill with IExplore name*: http://download.bleepingcomputer.com/grinler/iExplore.exe
*MiniToolbox*: http://download.bleepingcomputer.com/farbar/MiniToolBox.exe
*AdwCleaner*: http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
*MGADiag*: http://go.microsoft.com/fwlink/?linkid=56062
*64 bit version of SystemLook*: http://downloads.malwareremoval.com/SystemLook/SystemLook_x64.exe
*ComboFix*: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
*Junkware removal Tool*: http://www.bleepingcomputer.com/download/junkware-removal-tool/

Let me know how it goes
askey127


----------



## Satidraox (Nov 2, 2014)

Okay, I got MSE to half work, I guess, since it basically installed, but the trojan interrupted it as it updated, so it couldn't access the internet. I'm doing a full scan regardless of this though.

At this moment in time i have the following of the programs you wanted me to have:
Junkware removal tool
SystemLook
TDSSKiller
OTL
CKScanner
AdwCleaner

The others are on BleepingComputer, which it seems the trojan has a hatred for. Though it did let some through, surprisingly. Either I was quick or it might be that it didn't recognise them.

I've made a list of the ones that I require and will have them by tomorrow, probably, even though I'll be doing the calculator part of my math exam, since they shouldn't take long.

Edit: Also, just in case, I haven't run any of the programs, just to let you know... I may be paranoid about this...


----------



## askey127 (Dec 22, 2006)

While you are trying to get everything available, let's try to open things up a bit with what we have:
-------------------------------------------------------------
*AdwCleaner Run*
Close your browser and double click on this icon on your desktop:

You will then see the screen below. Click on the *Scan* button (as indicated), accept any prompts that appear and allow it to run. 
It may take several minutes to complete. 
When it is done, click on the *Clean* button, accept any prompts that appear and allow the system to *Reboot*. 
You will then be presented with the report. Copy & Paste it into a reply here.

If you lose track of the log, it is saved in this folder C:\AdwCleaner\
The filename will be adwcleaner[xx].txt where [xx] will be S1, or S2, etc. whichever filename is newest.
-------------------------------------------------------------
*Run Junkware Removal Tool*

Shut down/disable your antivirus now to avoid potential conflicts. Usually you can do this by right-clicking the antivirus icon in the System Tray (lower right corner of screen).

*DISABLE MICROSOFT SECURITY ESSENTIALS*
Right click the green MS Security Essentials "schoolhouse" icon in the lower right System tray, and click "Open".
Click the "Settings" tab and in the left pane, then Click "Real Time Protection"
In The Main Window UNCHECK the box for "Turn on real time protection(Recommended)"
Then click "Save Changes".

Run the tool by double-clicking it. If you are using Win7, right-click *JRT.exe* and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient, as this can take a while to complete, depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next reply.

Don't forget to re-enable Microsoft Security Essentials.
Let me know. You are doing the right things.
askey127


----------



## Satidraox (Nov 2, 2014)

Okay, so a couple of things. Here's the log, though it's pretty obvious that JRT found nothing:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.6 (11.05.2014:1)
OS: Windows 7 Ultimate x64
Ran by Andrew on 07/11/2014 at 15:26:19.05
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07/11/2014 at 15:42:44.89
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

But something else is that I had this pop-up last night:
http://gyazo.com/705fe2a0377ebee559adce1e3821e119
I screenshotted it, but I just closed the text box and continued. Any ideas? Though I already know it's something infecting the system, or at least that's what I think.

It turns out that "Bleepingcomputer" for some stupid reason is blocked and i had to find other ways to download some of the applications i was missing:
I have added
FRST
IExplore
ComboFix
The rest were only on BleepingComputer, meaning I couldn't obtain them, though I can get MGADiag.exe; it seems that if I just search for that it doesn't come up with anything, so I'll have to copy down the URL for next week at school.

Finally, I was turning on Microsoft Essentials after the JRT scan thingy and it found this [screenshot], so I cleaned it (obviously). Just thought you should know.


----------



## Satidraox (Nov 2, 2014)

Wait a minute, could it be it's working?


----------



## Satidraox (Nov 2, 2014)

oookay
So let me tell you the story of what happened just now. You'll see that it was indeed working: I could play League of Legends, I was Skyping with my friends, and just about 10 minutes ago my internet screwed up, so I restarted the router and computer. And now I'm faced with the same problem again.

Haha. I'm really angry now... I'm not sure what caused it still. I did get an error message as I restarted and came back on, just before I found out that I was screwed. Don't remember what it said, unfortunately.


----------



## Satidraox (Nov 2, 2014)

Now here's something interesting. Microsoft Security Essentials is now blocked by group policy. I'm assuming that this thing is either adapting or a person is hacking in real time?


----------



## Satidraox (Nov 2, 2014)

Slowly turning to the possibility of buying a 4th replacement, damn, haha.... but yeah...


----------



## Satidraox (Nov 2, 2014)

However, I will note something: the internet went to hell. Do you think the router might be infected? Or is that not possible?


----------



## askey127 (Dec 22, 2006)

Satidraox,
------------------------------------------------
*Download and Run Rkill*
Run the tool named Rkill, which may help in allowing other programs to run.
There are different versions with different names. If one of them won't run, then download and try to run one of the other ones.
After the download, Vista and Win7 users will need to right click the icon and choose Run as Administrator. 
You only need to get *ONE* of these to run, not all of them. You may get warnings from your antivirus about any of these tools. Either ignore the warnings or shutdown your antivirus.

Double-click on the iExplore or Rkill desktop icon to run the tool. (If using Vista or Windows 7, right-click on it and choose Run As Administrator.)
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If you get a Warning Message when you try to run it, run it again while the Warning Message is still displayed.
If it doesn't run on the first try, please try to run it another two or three times.
If it still does not run, delete the desktop entry. Then try the other filename.
Attempt to use one of them until the tool runs.
Do not reboot until instructed.
If the tool does not run as either of the filenames provided after trying each a few times, please let me know.
-------------------------------------------------------------
*Run a Scan With the Farbar Scan Tool*

Double click *FRST64.exe* on your desktop to launch it.
When the tool opens click *Yes* to disclaimer.
Press the *Scan* button.
When finished scanning, 2 logs will open on your Desktop, *FRST.txt* and *Addition.txt*
Please post them in your next reply.
Feel free to use separate replies if it's more convenient.

Let me know what you see.
askey127
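FRST.txt and Addition.txt are plain-text reports, and the registry, startup and driver lines in them follow a fixed layout, so a helper can pre-screen a posted log before a human reads it. The script below is an added example, not code from this thread and not part of FRST or any of the tools it links; it reads lines in the FRST format and flags the patterns that matter most in a case like this one: a Winlogon Userinit value carrying an extra executable (everything listed there runs at every logon), a Group Policy software restriction pointed at a security product's folder, Run entries that start from user-writable folders with no version info or via regsvr32, a bare executable dropped in the Startup folder, and a driver with no ImagePath. The sample lines are constructed to mirror the FRST layout; the rule names, the `Finding` class and the `triage` function are this example's own and make no claim about how FRST itself decides what to mark.

```python
import re
from dataclasses import dataclass

# Constructed sample in the FRST "Registry (Whitelisted)" / "Drivers" layout.
# It is not a real report; the paths are the kind of indicator FRST prints.
SAMPLE_FRST = r"""
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13260944 2012-11-19] (Realtek Semiconductor)
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client <====== ATTENTION
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe
HKCU\...\Run: [Gyazo] - C:\Program Files (x86)\Gyazo\GyStation.exe [2990304 2013-10-30] (Nota Inc.)
HKCU\...\Run: [FfwKoulh] - C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [142336 2014-11-02] ()
HKCU\...\Run: [ModrAsad] - regsvr32.exe "C:\ProgramData\ModrAsad\ModrAsad.dat"
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffwkoulh.exe ()
U3 mfeavfk01; No ImagePath
"""


@dataclass
class Finding:
    rule: str    # hypothetical rule name used by this example
    detail: str  # the path or command that triggered the rule
    line: str    # the original report line, for the reply


USERINIT_RE = re.compile(r"Winlogon: \[Userinit\] (?P<value>.+)$")
GPO_RE = re.compile(r"Group Policy restriction on software: (?P<path>.+?)(?: <=+ ATTENTION)?$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] - (?P<cmd>.+?)(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \((?P<pub>[^)]*)\))?$")
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?)(?: \((?P<pub>[^)]*)\))?$")
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Local|Roaming|LocalLow)|ProgramData|Temp)\\", re.I)
LOLBIN_RE = re.compile(r"^(regsvr32|rundll32|mshta|wscript|cscript)(\.exe)?\b", re.I)


def _unsigned(pub):
    """FRST prints the file's company name in parentheses; '()' or nothing means no version info."""
    return pub is None or pub.strip() == ""


def triage(report: str):
    """Return a list of Finding objects for the suspicious lines in an FRST-format report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.search(line)
        if m:
            # Userinit should be exactly userinit.exe; every extra path runs at every logon.
            value = re.sub(r" \[x\]$", "", m.group("value"))
            parts = [p.strip() for p in value.split(",") if p.strip()]
            for p in parts:
                if not p.lower().endswith("userinit.exe"):
                    findings.append(Finding("winlogon-userinit", p, line))
            continue
        m = GPO_RE.search(line)
        if m:
            # A software restriction policy aimed at a security product's folder is defence tampering.
            findings.append(Finding("gpo-software-restriction", m.group("path"), line))
            continue
        m = RUN_RE.search(line)
        if m:
            cmd, pub = m.group("cmd"), m.group("pub")
            if LOLBIN_RE.match(cmd):
                # A Run value that goes through regsvr32/rundll32 etc. hides the real payload file.
                findings.append(Finding("run-lolbin", cmd, line))
            elif USER_WRITABLE_RE.search(cmd) and _unsigned(pub):
                # Autostart from a user-writable folder with no version info: classic dropper persistence.
                findings.append(Finding("run-unsigned-userwritable", cmd, line))
            continue
        m = STARTUP_RE.search(line)
        if m and not m.group("path").lower().endswith(".lnk") and _unsigned(m.group("pub")):
            # Legitimate Startup entries are shortcuts; a loose .exe with no publisher is not.
            findings.append(Finding("startup-folder-exe", m.group("path"), line))
            continue
        if "No ImagePath" in line:
            # A registered driver with no file behind it is a leftover worth cleaning up.
            findings.append(Finding("driver-no-imagepath", line.split(";")[0], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"[{f.rule}] {f.detail}")
```

Run it with `python frst_triage.py` (any filename works) to print the flagged entries from the embedded sample; to screen a real log, read the file and pass its text to `triage`. The rules deliberately skip well-formed entries that carry a publisher and live under Program Files, which is why the Realtek and Gyazo lines in the sample produce nothing, and they treat FRST's own `<====== ATTENTION` marker as optional so the group-policy rule also fires on older report formats that did not print it.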


----------



## Satidraox (Nov 2, 2014)

Okay, before posting the FRST logs I just want to say that Rkill is not possible for me to download, I think; almost every link is BleepingComputer, which is of course blocked, so... I'll see if I can find a mirror, but don't hold your breath :/


----------



## Satidraox (Nov 2, 2014)

Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
( ) C:\Windows\System32\lxeacoms.exe
(McAfee, Inc.) D:\Mcafee\VsTskMgr.exe
(McAfee, Inc.) D:\Mcafee\mfeann.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Nota Inc.) C:\Program Files (x86)\Gyazo\GyStation.exe
(eden.fm) C:\Program Files (x86)\Mal Updater 2\MalUpdater.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) D:\iTunes\iTunesHelper.exe
(McAfee, Inc.) D:\Common Framework\UdaterUI.exe
() D:\Rainmeter\Rainmeter.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(McAfee, Inc.) D:\Common Framework\McTray.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(McAfee, Inc.) D:\Mcafee\shstat.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(Maxthon International ltd.) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) \\?\C:\Windows\system32\wbem\WMIADAP.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13260944 2012-11-19] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Runonce: [{43164AFD-681B-4F9C-9413-B8972EED6D81}] - cmd.exe /C start /D "C:\Users\Andrew\AppData\Local\Temp" /B {43164AFD-681B-4F9C-9413-B8972EED6D81}.exe -accepteula -accepteulaksn -postboot [x]
HKLM Group Policy restriction on software: C:\Program Files (x86)\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [x]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKCU\...\Run: [Gyazo] - C:\Program Files (x86)\Gyazo\GyStation.exe [2990304 2013-10-30] (Nota Inc.)
HKCU\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3675352 2013-10-28] (Disc Soft Ltd)
HKCU\...\Run: [Mal Updater 2] - C:\Program Files (x86)\Mal Updater 2\MalUpdater.exe [2299392 2014-11-07] (eden.fm)
HKCU\...\Run: [FfwKoulh] - C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [142336 2014-11-02] ()
HKCU\...\Run: [ModrAsad] - regsvr32.exe "C:\ProgramData\ModrAsad\ModrAsad.dat"
HKCU\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
HKCU\...\Policies\Explorer: [NoControlPanel] 0
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] - D:\iTunes\iTunesHelper.exe [152392 2014-08-01] (Apple Inc.)
HKLM-x32\...\Run: [McAfeeUpdaterUI] - D:\Common Framework\UdaterUI.exe [337440 2013-06-25] (McAfee, Inc.)
HKLM-x32\...\Run: [ShStatEXE] - D:\Mcafee\shstat.exe [243560 2014-01-15] (McAfee, Inc.)
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk
ShortcutTarget: Curse.lnk -> C:\Users\Andrew\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffwkoulh.exe ()
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> D:\Rainmeter\Rainmeter.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x663E6B8F7120CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20141102205932.dll (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20141102205933.dll (McAfee, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\5imaiwo2.default
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - D:\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 - C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Andrew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Extension: HTTPS-Everywhere - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\5imaiwo2.default\Extensions\[email protected]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: McAfee ScriptScan for Firefox - C:\Program Files (x86)\Common Files\McAfee\SystemCore

Chrome: 
=======
CHR Extension: (Google Docs) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.7_0
CHR Extension: (Google Drive) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_0
CHR Extension: (YouTube) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (HTTPS Everywhere) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp\2014.9.11_0
CHR Extension: (AdBlock) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.13_0
CHR Extension: (ProxMate) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifalmiidchkjjmkkbkoaibpmoeichmki\4.0.6_0
CHR Extension: (CrxMouse) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlgkpaicikihijadgifklkbpdajbkhjo\2.7.8_0
CHR Extension: (Google Wallet) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0
CHR Extension: (Gmail) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1

==================== Services (Whitelisted) =================

R2 lxea_device; C:\Windows\system32\lxeacoms.exe [1052328 2010-04-14] ( )
S2 McAfeeFramework; D:\Common Framework\FrameworkService.exe [130080 2013-06-25] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [242448 2014-11-02] (McAfee, Inc.)
R2 McTaskManager; D:\Mcafee\VsTskMgr.exe [208416 2014-01-15] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [185280 2014-11-02] (McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

U0 52584068; C:\Windows\System32\drivers\68800282.sys [241248 2014-11-07] (Kaspersky Lab, Yury Parshin)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-02-05] (Disc Soft Ltd)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28656 2013-01-14] (Intel Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-11-02] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-11-02] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2014-11-02] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2014-11-02] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2014-11-02] (McAfee, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 rkhdrv40; C:\Windows\SysWow64\Drivers\rkhdrv40.sys [24448 2014-11-03] ()
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
R3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-16] (Tunngle.net)
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E}; \??\D:\VMLaunch\BuddyVM.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-11-07 19:36 - 2014-11-07 19:36 - 00000000 ____D C:\FRST
2014-11-07 19:34 - 2014-11-07 19:34 - 00241248 _____ (Kaspersky Lab, Yury Parshin) C:\Windows\system32\Drivers\68800282.sys
2014-11-07 19:17 - 2014-11-07 19:34 - 00000000 ____D C:\TDSSKiller_Quarantine
2014-11-07 19:14 - 2014-11-07 19:14 - 04184008 _____ (Kaspersky Lab ZAO) C:\Users\Andrew\Desktop\tdsskiller.exe
2014-11-07 16:36 - 2014-11-07 16:36 - 00000000 ___RD C:\Program Files (x86)\Skype
2014-11-07 16:36 - 2014-11-07 16:36 - 00000000 ____D C:\Users\Andrew\AppData\Local\Skype
2014-11-07 01:07 - 2014-11-07 01:07 - 00000000 ____D C:\Windows\Microsoft Antimalware
2014-11-07 00:40 - 2014-11-07 00:40 - 00000000 ____D C:\Windows\ERUNT
2014-11-06 22:18 - 2014-11-06 22:18 - 00001945 _____ C:\Windows\epplauncher.mif
2014-11-06 22:17 - 2014-11-06 22:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2014-11-06 22:17 - 2014-11-06 22:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2014-11-05 22:00 - 2014-11-05 22:00 - 00000000 ____D C:\Users\Andrew\Documents\My Games
2014-11-05 21:32 - 2014-11-05 21:32 - 00000734 _____ C:\Users\Andrew\Desktop\The Binding of Isaac Rebirth.lnk
2014-11-05 10:51 - 2014-11-05 10:51 - 00000000 __SHD C:\found.000
2014-11-05 00:18 - 2014-11-05 00:18 - 00000000 ____D C:\ProgramData\Mozilla
2014-11-03 21:57 - 2014-11-07 19:28 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-03 21:57 - 2014-11-07 19:02 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-03 21:57 - 2014-11-03 21:57 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-03 21:57 - 2014-11-03 21:57 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-03 20:20 - 2014-11-03 20:20 - 00024448 _____ C:\Windows\SysWOW64\Drivers\rkhdrv40.sys
2014-11-03 20:18 - 2014-11-03 20:18 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rootkit Unhooker
2014-11-03 19:30 - 2014-11-03 19:30 - 00000000 ____D C:\ProgramData\Emsisoft
2014-11-03 16:45 - 2014-11-07 19:18 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2014-11-03 16:20 - 2014-11-03 16:20 - 00000000 ____D C:\Users\Andrew\AppData\Local\VS Revo Group
2014-11-03 16:20 - 2014-11-03 16:20 - 00000000 ____D C:\ProgramData\VS Revo Group
2014-11-03 16:20 - 2014-11-03 16:20 - 00000000 ____D C:\Program Files\VS Revo Group
2014-11-03 16:20 - 2009-12-30 11:21 - 00031800 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2014-11-03 16:18 - 2014-11-07 19:07 - 00000000 ____D C:\AdwCleaner
2014-11-03 01:29 - 2014-11-06 22:35 - 1377456330 _____ C:\Users\Andrew\AppData\Local\nwsesnvg.log
2014-11-02 21:00 - 2014-11-02 21:00 - 00262144 _____ C:\Windows\system32\config\ELAM
2014-11-02 21:00 - 2014-11-02 21:00 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\McAfee
2014-11-02 20:59 - 2014-11-02 20:57 - 00782968 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00311600 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeavfk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00180272 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeapfk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00121896 _____ (McAfee, Inc.) C:\Windows\system32\MfeOtlkAddin.dll
2014-11-02 20:59 - 2014-11-02 20:57 - 00107032 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mferkdet.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00011208 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeclnk.sys
2014-11-02 20:59 - 2014-11-02 20:56 - 00094080 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MfeOtlkAddin.dll
2014-11-02 20:59 - 2014-11-02 20:56 - 00025088 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MFEOtlk.dll
2014-11-02 20:57 - 2014-11-02 20:57 - 00344176 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfewfpk.sys
2014-11-02 20:57 - 2014-11-02 20:57 - 00185280 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2014-11-02 20:57 - 2014-11-02 20:57 - 00000000 ____D C:\Program Files\Common Files\McAfee
2014-11-02 20:55 - 2014-11-02 20:57 - 00000000 ____D C:\ProgramData\McAfee
2014-11-02 20:29 - 2014-11-06 22:20 - 00040608 _____ C:\Windows\WindowsUpdate.log
2014-11-02 19:39 - 2014-11-07 19:27 - 00001344 _____ C:\Windows\setupact.log
2014-11-02 19:39 - 2014-11-07 19:18 - 00005536 _____ C:\Windows\PFRO.log
2014-11-02 19:39 - 2014-11-02 19:39 - 00000000 _____ C:\Windows\setuperr.log
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{EE981E34-161D-47F9-9931-F3EFEA7F0176}
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{CF3D76FD-86EF-420B-B41C-012B2A754575}
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{AC456956-978C-4BEF-9AE6-9479C78969AD}
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{4EC8747A-1C2B-47DA-B5E5-24AE36804F33}
2014-11-02 19:15 - 2014-11-07 00:37 - 00000000 ____D C:\Windows\system32\appmgmt
2014-11-02 18:56 - 2014-11-07 19:35 - 00000000 _____ C:\Users\Andrew\AppData\Local\wtogxvpv.log
2014-11-02 18:49 - 2014-11-07 19:01 - 00387750 _____ C:\Users\Andrew\AppData\Local\iblurqat.log
2014-11-02 18:49 - 2014-11-07 19:01 - 00007410 _____ C:\Users\Andrew\AppData\Local\giuwtoji.log
2014-11-02 18:49 - 2014-11-07 19:01 - 00000926 _____ C:\Users\Andrew\AppData\Local\iapssmna.log
2014-11-02 18:49 - 2014-11-07 19:01 - 00000217 _____ C:\Users\Andrew\AppData\Local\mpekwawr.log
2014-11-02 18:48 - 2014-11-07 19:35 - 00000028 _____ C:\Users\Andrew\AppData\Local\ycfnmyrj.log
2014-11-02 18:48 - 2014-11-07 19:30 - 00387205 _____ C:\Users\Andrew\AppData\Local\bsyqdgyw.log
2014-11-02 18:48 - 2014-11-07 19:01 - 00000054 _____ C:\Users\Andrew\AppData\Local\ycrrqubu.log
2014-11-02 18:48 - 2014-11-02 18:48 - 00595440 _____ C:\Users\Andrew\AppData\Local\asjwtwxa.log
2014-11-02 18:48 - 2014-11-02 18:48 - 00000064 _____ C:\ProgramData\mgniknvk.log
2014-11-02 18:48 - 2014-11-02 18:48 - 00000000 _____ C:\Users\Andrew\AppData\Local\ycvcptbo.log
2014-11-02 18:48 - 2014-11-02 18:48 - 00000000 _____ C:\Users\Andrew\AppData\Local\ufimxyxd.log
2014-11-02 18:47 - 2014-11-07 19:31 - 00000000 ____D C:\Users\Andrew\AppData\Local\wyixeucq
2014-11-02 18:47 - 2014-11-07 18:49 - 00000000 ____D C:\ProgramData\ModrAsad
2014-10-29 21:34 - 2014-10-29 21:34 - 00052450 _____ C:\Users\Andrew\Downloads\Shinkansen Sid Meier's Civilization Beyond Earth V1000 (1).CT
2014-10-29 21:28 - 2014-10-29 21:28 - 00150719 _____ C:\Users\Andrew\Downloads\Shinkansen Sid Meier's Civilization Beyond Earth V1004.CT
2014-10-29 21:28 - 2014-10-29 21:28 - 00052450 _____ C:\Users\Andrew\Downloads\Shinkansen Sid Meier's Civilization Beyond Earth V1000.CT
2014-10-11 22:04 - 2014-10-11 22:04 - 00000000 ____D C:\Users\Andrew\AppData\Local\Deployment
2014-10-11 22:04 - 2014-10-11 22:04 - 00000000 ____D C:\Users\Andrew\AppData\Local\Apps\2.0

==================== One Month Modified Files and Folders =======

2014-11-07 19:36 - 2014-11-07 19:36 - 00000000 ____D C:\FRST
2014-11-07 19:36 - 2009-07-14 05:13 - 00782986 _____ C:\Windows\system32\PerfStringBackup.INI
2014-11-07 19:36 - 2009-07-14 04:45 - 00014224 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-07 19:36 - 2009-07-14 04:45 - 00014224 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-07 19:35 - 2014-11-02 18:56 - 00000000 _____ C:\Users\Andrew\AppData\Local\wtogxvpv.log
2014-11-07 19:35 - 2014-11-02 18:48 - 00000028 _____ C:\Users\Andrew\AppData\Local\ycfnmyrj.log
2014-11-07 19:34 - 2014-11-07 19:34 - 00241248 _____ (Kaspersky Lab, Yury Parshin) C:\Windows\system32\Drivers\68800282.sys
2014-11-07 19:34 - 2014-11-07 19:17 - 00000000 ____D C:\TDSSKiller_Quarantine
2014-11-07 19:31 - 2014-11-02 18:47 - 00000000 ____D C:\Users\Andrew\AppData\Local\wyixeucq
2014-11-07 19:30 - 2014-11-02 18:48 - 00387205 _____ C:\Users\Andrew\AppData\Local\bsyqdgyw.log
2014-11-07 19:29 - 2014-03-16 16:04 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Mal Updater
2014-11-07 19:28 - 2014-11-03 21:57 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-07 19:28 - 2014-01-31 01:40 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-07 19:27 - 2014-11-02 19:39 - 00001344 _____ C:\Windows\setupact.log
2014-11-07 19:27 - 2009-07-14 05:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-11-07 19:18 - 2014-11-03 16:45 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2014-11-07 19:18 - 2014-11-02 19:39 - 00005536 _____ C:\Windows\PFRO.log
2014-11-07 19:14 - 2014-11-07 19:14 - 04184008 _____ (Kaspersky Lab ZAO) C:\Users\Andrew\Desktop\tdsskiller.exe
2014-11-07 19:07 - 2014-11-03 16:18 - 00000000 ____D C:\AdwCleaner
2014-11-07 19:02 - 2014-11-03 21:57 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-07 19:01 - 2014-11-02 18:49 - 00387750 _____ C:\Users\Andrew\AppData\Local\iblurqat.log
2014-11-07 19:01 - 2014-11-02 18:49 - 00007410 _____ C:\Users\Andrew\AppData\Local\giuwtoji.log
2014-11-07 19:01 - 2014-11-02 18:49 - 00000926 _____ C:\Users\Andrew\AppData\Local\iapssmna.log
2014-11-07 19:01 - 2014-11-02 18:49 - 00000217 _____ C:\Users\Andrew\AppData\Local\mpekwawr.log
2014-11-07 19:01 - 2014-11-02 18:48 - 00000054 _____ C:\Users\Andrew\AppData\Local\ycrrqubu.log
2014-11-07 18:55 - 2014-03-16 16:04 - 00000000 ____D C:\Program Files (x86)\Mal Updater 2
2014-11-07 18:53 - 2014-02-01 03:37 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Skype
2014-11-07 18:49 - 2014-11-02 18:47 - 00000000 ____D C:\ProgramData\ModrAsad
2014-11-07 16:36 - 2014-11-07 16:36 - 00000000 ___RD C:\Program Files (x86)\Skype
2014-11-07 16:36 - 2014-11-07 16:36 - 00000000 ____D C:\Users\Andrew\AppData\Local\Skype
2014-11-07 16:36 - 2014-02-01 03:37 - 00000000 ____D C:\ProgramData\Skype
2014-11-07 01:07 - 2014-11-07 01:07 - 00000000 ____D C:\Windows\Microsoft Antimalware
2014-11-07 00:40 - 2014-11-07 00:40 - 00000000 ____D C:\Windows\ERUNT
2014-11-07 00:37 - 2014-11-02 19:15 - 00000000 ____D C:\Windows\system32\appmgmt
2014-11-06 22:35 - 2014-11-03 01:29 - 1377456330 _____ C:\Users\Andrew\AppData\Local\nwsesnvg.log
2014-11-06 22:20 - 2014-11-02 20:29 - 00040608 _____ C:\Windows\WindowsUpdate.log
2014-11-06 22:18 - 2014-11-06 22:18 - 00001945 _____ C:\Windows\epplauncher.mif
2014-11-06 22:18 - 2014-11-06 22:17 - 00000000 ____D C:\Program Files\Microsoft Security Client
2014-11-06 22:17 - 2014-11-06 22:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2014-11-06 22:13 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\system32\NDF
2014-11-06 12:04 - 2014-02-01 18:59 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\uTorrent
2014-11-05 22:00 - 2014-11-05 22:00 - 00000000 ____D C:\Users\Andrew\Documents\My Games
2014-11-05 22:00 - 2014-02-16 17:20 - 00000000 ____D C:\Users\Andrew\AppData\Local\SKIDROW
2014-11-05 21:32 - 2014-11-05 21:32 - 00000734 _____ C:\Users\Andrew\Desktop\The Binding of Isaac Rebirth.lnk
2014-11-05 19:16 - 2014-09-23 15:58 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\vlc
2014-11-05 10:51 - 2014-11-05 10:51 - 00000000 __SHD C:\found.000
2014-11-05 00:27 - 2014-02-08 17:21 - 00000000 ____D C:\Program Files (x86)\Steam
2014-11-05 00:26 - 2014-02-08 17:28 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2014-11-05 00:23 - 2014-02-01 19:02 - 00000000 ____D C:\Users\Andrew\Desktop\Stuff
2014-11-05 00:18 - 2014-11-05 00:18 - 00000000 ____D C:\ProgramData\Mozilla
2014-11-05 00:18 - 2014-02-02 22:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2014-11-04 17:53 - 2014-02-01 03:41 - 00000000 ____D C:\ProgramData\Adobe
2014-11-04 17:49 - 2014-02-01 03:41 - 00000000 ____D C:\Program Files (x86)\Adobe
2014-11-04 17:49 - 2014-01-31 02:21 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Adobe
2014-11-03 21:57 - 2014-11-03 21:57 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-03 21:57 - 2014-11-03 21:57 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-03 21:57 - 2014-02-02 15:38 - 00000000 ____D C:\Program Files (x86)\Google
2014-11-03 20:20 - 2014-11-03 20:20 - 00024448 _____ C:\Windows\SysWOW64\Drivers\rkhdrv40.sys
2014-11-03 20:18 - 2014-11-03 20:18 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rootkit Unhooker
2014-11-03 19:30 - 2014-11-03 19:30 - 00000000 ____D C:\ProgramData\Emsisoft
2014-11-03 16:20 - 2014-11-03 16:20 - 00000000 ____D C:\Users\Andrew\AppData\Local\VS Revo Group
2014-11-03 16:20 - 2014-11-03 16:20 - 00000000 ____D C:\ProgramData\VS Revo Group
2014-11-03 16:20 - 2014-11-03 16:20 - 00000000 ____D C:\Program Files\VS Revo Group
2014-11-02 21:00 - 2014-11-02 21:00 - 00262144 _____ C:\Windows\system32\config\ELAM
2014-11-02 21:00 - 2014-11-02 21:00 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\McAfee
2014-11-02 20:57 - 2014-11-02 20:59 - 00782968 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2014-11-02 20:57 - 2014-11-02 20:59 - 00311600 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeavfk.sys
2014-11-02 20:57 - 2014-11-02 20:59 - 00180272 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeapfk.sys
2014-11-02 20:57 - 2014-11-02 20:59 - 00121896 _____ (McAfee, Inc.) C:\Windows\system32\MfeOtlkAddin.dll
2014-11-02 20:57 - 2014-11-02 20:59 - 00107032 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mferkdet.sys
2014-11-02 20:57 - 2014-11-02 20:59 - 00011208 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeclnk.sys
2014-11-02 20:57 - 2014-11-02 20:57 - 00344176 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfewfpk.sys
2014-11-02 20:57 - 2014-11-02 20:57 - 00185280 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2014-11-02 20:57 - 2014-11-02 20:57 - 00000000 ____D C:\Program Files\Common Files\McAfee
2014-11-02 20:57 - 2014-11-02 20:55 - 00000000 ____D C:\ProgramData\McAfee
2014-11-02 20:56 - 2014-11-02 20:59 - 00094080 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MfeOtlkAddin.dll
2014-11-02 20:56 - 2014-11-02 20:59 - 00025088 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MFEOtlk.dll
2014-11-02 19:39 - 2014-11-02 19:39 - 00000000 _____ C:\Windows\setuperr.log
2014-11-02 19:37 - 2014-02-05 22:14 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\DAEMON Tools Lite
2014-11-02 19:34 - 2014-01-29 00:15 - 00000000 ___RD C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{EE981E34-161D-47F9-9931-F3EFEA7F0176}
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{CF3D76FD-86EF-420B-B41C-012B2A754575}
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{AC456956-978C-4BEF-9AE6-9479C78969AD}
2014-11-02 19:20 - 2014-11-02 19:20 - 00002988 _____ C:\Windows\System32\Tasks\{4EC8747A-1C2B-47DA-B5E5-24AE36804F33}
2014-11-02 18:48 - 2014-11-02 18:48 - 00595440 _____ C:\Users\Andrew\AppData\Local\asjwtwxa.log
2014-11-02 18:48 - 2014-11-02 18:48 - 00000064 _____ C:\ProgramData\mgniknvk.log
2014-11-02 18:48 - 2014-11-02 18:48 - 00000000 _____ C:\Users\Andrew\AppData\Local\ycvcptbo.log
2014-11-02 18:48 - 2014-11-02 18:48 - 00000000 _____ C:\Users\Andrew\AppData\Local\ufimxyxd.log
2014-10-30 03:50 - 2014-02-01 05:30 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-29 21:34 - 2014-10-29 21:34 - 00052450 _____ C:\Users\Andrew\Downloads\Shinkansen Sid Meier's Civilization Beyond Earth V1000 (1).CT
2014-10-29 21:28 - 2014-10-29 21:28 - 00150719 _____ C:\Users\Andrew\Downloads\Shinkansen Sid Meier's Civilization Beyond Earth V1004.CT
2014-10-29 21:28 - 2014-10-29 21:28 - 00052450 _____ C:\Users\Andrew\Downloads\Shinkansen Sid Meier's Civilization Beyond Earth V1000.CT
2014-10-28 22:31 - 2014-05-20 20:52 - 00000000 ____D C:\Users\Andrew\AppData\Local\My Games
2014-10-17 01:02 - 2014-04-18 00:39 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Curse Client
2014-10-16 16:05 - 2014-02-16 15:48 - 00000000 ____D C:\ProgramData\Origin
2014-10-15 16:16 - 2014-04-27 22:48 - 00000000 ____D C:\Program Files (x86)\LOLReplay
2014-10-11 22:04 - 2014-10-11 22:04 - 00000000 ____D C:\Users\Andrew\AppData\Local\Deployment
2014-10-11 22:04 - 2014-10-11 22:04 - 00000000 ____D C:\Users\Andrew\AppData\Local\Apps\2.0

Files to move or delete:
====================
C:\Users\Andrew\jagex_cl_runescape_LIVE.dat
C:\Users\Andrew\random.dat

Some content of TEMP:
====================
C:\Users\Andrew\AppData\Local\Temp\adwcleaner_3.311.exe
C:\Users\Andrew\AppData\Local\Temp\ChromeSetup(1).exe
C:\Users\Andrew\AppData\Local\Temp\ChromeSetup.exe
C:\Users\Andrew\AppData\Local\Temp\EmsisoftAntiMalwareSetup.exe
C:\Users\Andrew\AppData\Local\Temp\mseinstall.exe
C:\Users\Andrew\AppData\Local\Temp\obopvhrk.exe
C:\Users\Andrew\AppData\Local\Temp\Quarantine.exe
C:\Users\Andrew\AppData\Local\Temp\RevoUninProSetup.exe
C:\Users\Andrew\AppData\Local\Temp\setup.exe
C:\Users\Andrew\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Andrew\AppData\Local\Temp\SoftonicDownloader_for_windows-defender-offline.exe
C:\Users\Andrew\AppData\Local\Temp\SysInfo.exe
C:\Users\Andrew\AppData\Local\Temp\vhvftcft.exe
C:\Users\Andrew\AppData\Local\Temp\{43164AFD-681B-4F9C-9413-B8972EED6D81}.exe
C:\Users\Andrew\AppData\Local\Temp\{753F2F2C-AD58-43CC-8392-12D205BB25D2}.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-11-07 16:00

==================== End Of Log ============================


----------
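
The two logs in this thread show the pattern a helper scans for by eye: eight-letter lowercase names under AppData\Local, ProgramData and Temp with no signer, a service with "No ImagePath", a GUID-named service whose driver file is missing, and GUID-named scheduled tasks that launch a bare "Chrome.exe". The script below is an added example, not part of the original post and not FRST's own code; it parses the four FRST line formats seen above (created/modified file lines, bare TEMP paths, driver/service lines and "Task:" lines) and flags those patterns. The sample input is a handful of lines copied from the posted log, and the name heuristic, folder list and reason strings are assumptions of this example rather than rules FRST applies.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example, not FRST code. Flags: random 8-letter names in user-writable
folders, services with no ImagePath or a GUID name, and GUID-named tasks or
tasks whose target is a bare executable name. All thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# "created - modified - size attrs [(signer)] path" (Created/Modified Files sections)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ [A-Z_]{5} (?:\((?P<signer>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$"
)
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")            # "Some content of TEMP" lines
SVC_RE = re.compile(r"^[RSU][0-4] (?P<name>[^;]+); (?P<rest>.*)$")   # driver/service lines
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(?P<name>.+?) => (?P<target>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumed heuristic: eight lowercase letters, optionally with a common dropper extension.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}(\.(log|exe|dll|dat))?$")
USER_WRITABLE = ("\\appdata\\local\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    reason: str


def check_file(line):
    """Unsigned, random-named file or folder in a user-writable location."""
    m = FILE_RE.match(line)
    if m:
        path, signer = m.group("path"), m.group("signer")
    elif BARE_PATH_RE.match(line):
        path, signer = line, None          # TEMP listing carries no signer column
    else:
        return None
    base = path.rsplit("\\", 1)[-1]
    in_user_dir = any(d in path.lower() for d in USER_WRITABLE)
    if not signer and in_user_dir and RANDOM_NAME_RE.match(base):
        return Finding(line, "random 8-letter name in user-writable folder, no signer")
    return None


def check_service(line):
    """Service with no ImagePath, a GUID for a name, or a driver with no vendor string."""
    m = SVC_RE.match(line)
    if not m:
        return None
    name, rest = m.group("name"), m.group("rest")
    if rest == "No ImagePath":
        return Finding(line, "service with no ImagePath")
    if GUID_RE.match(name):
        return Finding(line, "GUID-named service")
    if rest.endswith("()"):                # FRST prints "()" when the file has no company name
        return Finding(line, "driver with no embedded company name")
    return None


def check_task(line):
    """GUID-named task, or a task whose target is a bare executable name with no path."""
    m = TASK_RE.match(line)
    if not m:
        return None
    name, target = m.group("name"), m.group("target").strip()
    if GUID_RE.match(name):
        return Finding(line, "GUID-named scheduled task")
    if "\\" not in name and "\\" not in target:   # vendor tasks live under a subfolder
        return Finding(line, "task target is a bare executable name, no path")
    return None


def triage(text):
    """Run every check over each non-empty line; at most one finding per line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for check in (check_file, check_service, check_task):
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


# Sample input: lines copied from the FRST log posted above.
SAMPLE_LOG = r"""
U3 mfeavfk01; No ImagePath
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 rkhdrv40; C:\Windows\SysWow64\Drivers\rkhdrv40.sys [24448 2014-11-03] ()
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E}; \??\D:\VMLaunch\BuddyVM.sys [x]
2014-11-03 01:29 - 2014-11-06 22:35 - 1377456330 _____ C:\Users\Andrew\AppData\Local\nwsesnvg.log
2014-11-02 18:47 - 2014-11-07 19:31 - 00000000 ____D C:\Users\Andrew\AppData\Local\wyixeucq
2014-11-02 20:59 - 2014-11-02 20:57 - 00782968 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2014-11-05 21:32 - 2014-11-05 21:32 - 00000734 _____ C:\Users\Andrew\Desktop\The Binding of Isaac Rebirth.lnk
C:\Users\Andrew\AppData\Local\Temp\obopvhrk.exe
C:\Users\Andrew\AppData\Local\Temp\SkypeSetup.exe
Task: {2FA60BFC-CA1C-4BFB-A7CF-AA61F6BF6E70} - System32\Tasks\{4EC8747A-1C2B-47DA-B5E5-24AE36804F33} => Chrome.exe
Task: {34805CF4-3CEE-4546-A659-92AEBBA1A2CB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-03] (Google Inc.)
Task: {F442E30B-94DC-4F58-B2E1-0A8B2117DE71} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:58} {f.line[:72]}")
```

On the sample above the script returns seven findings and leaves MpFilter, the McAfee driver, the Skype installer and the two vendor tasks alone. The name heuristic is deliberately narrow: it catches nwsesnvg.log, wyixeucq and obopvhrk.exe but not the mixed-case C:\ProgramData\ModrAsad folder, and widening it to mixed case would also match eight-letter vendor folders such as ProgramData\Emsisoft, so review what it flags rather than deleting on its say-so. A "[x]" on a driver line only means FRST could not find the file, which is normal for the stock Synth3dVsc/tsusbhub/VGPU entries, so the script does not flag on that alone.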



## Satidraox (Nov 2, 2014)

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-11-2013
Ran by Andrew at 2014-11-07 19:37:59
Running from G:\
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

µTorrent (HKCU Version: 3.4.2.34944)
Adobe AIR (x32 Version: 4.0.0.1390)
Adobe Flash Player 15 ActiveX (x32 Version: 15.0.0.167)
Adobe Reader XI (11.0.09) (x32 Version: 11.0.09)
Apple Application Support (x32 Version: 3.0.6)
Apple Mobile Device Support (Version: 7.1.2.6)
Apple Software Update (x32 Version: 2.1.3.127)
Battle.net (x32)
Bonjour (Version: 3.0.0.10)
calibre 64bit (Version: 1.29.0)
CCleaner (Version: 4.14)
Cheat Engine 6.3 (x32)
Curse (x32 Version: 6.0.0.0)
D3DX10 (x32 Version: 15.4.2368.0902)
DAEMON Tools Lite (x32 Version: 4.48.1.0347)
Definition Update for Microsoft Office 2013 (KB2760587) 64-Bit Edition
Diablo III (x32)
Google Chrome (x32 Version: 38.0.2125.111)
Google Update Helper (x32 Version: 1.3.25.5)
Gyazo 2.0.2 (x32)
iTunes (Version: 11.3.1.2)
Java 7 Update 55 (x32 Version: 7.0.550)
Java Auto Updater (x32 Version: 2.1.9.8)
Junk Mail filter update (x32 Version: 16.4.3508.0205)
League of Legends (x32 Version: 3.0.1)
Mal Updater 2.96 (x32)
Maxthon Cloud Browser (x32 Version: 4.4.1.5000)
McAfee Agent (x32 Version: 4.8.0.887)
McAfee VirusScan Enterprise (x32 Version: 8.8.04001)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Access MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Access Setup Metadata MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft DCF MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Excel MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Groove MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft InfoPath MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Lync MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Office 32-bit Components 2013 (Version: 15.0.4420.1017)
Microsoft Office OSM MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Office OSM UX MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Office Professional Plus 2013 (Version: 15.0.4420.1017)
Microsoft Office Proofing (English) 2013 (Version: 15.0.4420.1017)
Microsoft Office Proofing Tools 2013 - English (Version: 15.0.4420.1017)
Microsoft Office Proofing Tools 2013 - Español (Version: 15.0.4420.1017)
Microsoft Office Shared 32-bit MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Office Shared MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Office Shared Setup Metadata MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft OneNote MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Outlook MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft PowerPoint MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Publisher MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft Security Client (Version: 4.6.0305.0)
Microsoft Security Essentials (Version: 4.6.305.0)
Microsoft SkyDrive (HKCU Version: 17.0.2015.0811)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
Microsoft Word MUI (English) 2013 (Version: 15.0.4420.1017)
Microsoft XNA Framework Redistributable 4.0 (x32 Version: 4.0.20823.0)
Microsoft_VC80_CRT_x86 (x32 Version: 8.0.50727.4053)
Microsoft_VC90_CRT_x86 (x32 Version: 1.00.0000)
Movie Maker (x32 Version: 16.4.3508.0205)
MSVCRT (x32 Version: 15.4.2862.0708)
MSVCRT_amd64 (x32 Version: 15.4.2862.0708)
MSVCRT110 (x32 Version: 16.4.1108.0727)
MSVCRT110_amd64 (Version: 16.4.1109.0912)
NBTExplorer (x32 Version: 2.6.1.0)
NVIDIA PhysX (x32 Version: 9.13.0725)
osu! (x32 Version: latest)
Outils de vérification linguistique 2013 de Microsoft Office*- Français (Version: 15.0.4420.1017)
Photo Common (x32 Version: 16.4.3508.0205)
Photo Gallery (x32 Version: 16.4.3508.0205)
Rainmeter (x32 Version: 3.1 r2290)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6782)
Revo Uninstaller Pro 3.1.1 (Version: 3.1.1)
RuneScape Launcher 1.2.3 (x32 Version: 1.2.3)
Skype™ 6.22 (x32 Version: 6.22.105)
Steam (x32)
System Requirements Lab CYRI (x32 Version: 6.0.15.0)
The Binding of Isaac Rebirth 1.0 (x32 Version: 1.0)
Unity Web Player (HKCU Version: )
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (x32 Version: 1)
Update for Microsoft Access 2013 (KB2768008) 64-Bit Edition
Update for Microsoft Access 2013 (KB2827233) 64-Bit Edition
Update for Microsoft InfoPath 2013 (KB2837648) 64-Bit Edition
Update for Microsoft Lync 2013 (KB2817678) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726954) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726996) 64-Bit Edition
Update for Microsoft Office 2013 (KB2738038) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760224) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760242) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760267) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760539) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760553) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760610) 64-Bit Edition
Update for Microsoft Office 2013 (KB2767845) 64-Bit Edition
Update for Microsoft Office 2013 (KB2768016) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817314) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817316) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817490) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817626) 64-Bit Edition
Update for Microsoft Office 2013 (KB2826004) 64-Bit Edition
Update for Microsoft Office 2013 (KB2827225) 64-Bit Edition
Update for Microsoft Office 2013 (KB2827227) 64-Bit Edition
Update for Microsoft Office 2013 (KB2827230) 64-Bit Edition
Update for Microsoft Office 2013 (KB2827239) 64-Bit Edition
Update for Microsoft Office 2013 (KB2837626) 64-Bit Edition
Update for Microsoft Office 2013 (KB2837637) 64-Bit Edition
Update for Microsoft Office 2013 (KB2837638) 64-Bit Edition
Update for Microsoft Office 2013 (KB2837655) 64-Bit Edition
Update for Microsoft Office 2013 (KB2850066) 64-Bit Edition
Update for Microsoft OneNote 2013 (KB2850063) 64-Bit Edition
Update for Microsoft Outlook 2013 (KB2850061) 64-Bit Edition
Update for Microsoft PowerPoint 2013 (KB2767850) 64-Bit Edition
Update for Microsoft Project 2013 (KB2727085) 64-Bit Edition
Update for Microsoft Publisher 2013 (KB2837635) 64-Bit Edition
Update for Microsoft SkyDrive Pro (KB2817495) 64-Bit Edition
Update for Microsoft SkyDrive Pro (KB2837652) 64-Bit Edition
Update for Microsoft Visio 2013 (KB2817306) 64-Bit Edition
Update for Microsoft Visio Viewer 2013 (KB2768338) 64-Bit Edition
Update for Microsoft Word 2013 (KB2837647) 64-Bit Edition
VLC media player (x32 Version: 2.1.5)
Windows Live Communications Platform (x32 Version: 16.4.3508.0205)
Windows Live Essentials (x32 Version: 16.4.3508.0205)
Windows Live Family Safety (Version: 16.4.3508.0205)
Windows Live Family Safety (x32 Version: 16.4.3508.0205)
Windows Live ID Sign-in Assistant (Version: 7.250.4311.0)
Windows Live Installer (x32 Version: 16.4.3508.0205)
Windows Live Mail (x32 Version: 16.4.3508.0205)
Windows Live Messenger (x32 Version: 16.4.3508.0205)
Windows Live MIME IFilter (Version: 16.4.3508.0205)
Windows Live Photo Common (x32 Version: 16.4.3508.0205)
Windows Live PIMT Platform (x32 Version: 16.4.3508.0205)
Windows Live SOXE (x32 Version: 16.4.3508.0205)
Windows Live SOXE Definitions (x32 Version: 16.4.3508.0205)
Windows Live UX Platform (x32 Version: 16.4.3508.0205)
Windows Live UX Platform Language Pack (x32 Version: 16.4.3508.0205)
Windows Live Writer (x32 Version: 16.4.3508.0205)
Windows Live Writer Resources (x32 Version: 16.4.3508.0205)
WinRAR 5.01 (64-bit) (Version: 5.01.0)
World of Warcraft (x32)
YTD Video Downloader 4.8.1 (x32 Version: 4.8.1)

==================== Restore Points =========================

07-11-2014 00:35:48 Removed McAfee VirusScan Enterprise.

==================== Hosts content: ==========================

2009-07-14 02:34 - 2009-06-10 21:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {2FA60BFC-CA1C-4BFB-A7CF-AA61F6BF6E70} - System32\Tasks\{4EC8747A-1C2B-47DA-B5E5-24AE36804F33} => Chrome.exe 
Task: {34805CF4-3CEE-4546-A659-92AEBBA1A2CB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-03] (Google Inc.)
Task: {39BCF2A3-3763-4FA5-B60B-47F26A2916CF} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {4F3D910A-2D4B-4634-A07D-E41FA9CDF345} - System32\Tasks\Maxthon Update => C:\Program Files (x86)\Maxthon\Bin\MxUp.exe [2014-07-31] (Maxthon International ltd.)
Task: {536A40BC-B7EA-42E2-A482-25E077B12CBB} - System32\Tasks\{EE981E34-161D-47F9-9931-F3EFEA7F0176} => Chrome.exe 
Task: {55938C7C-FD6F-42E1-876E-C4984DC9FF79} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2012-10-01] (Microsoft Corporation)
Task: {62B2A169-DBE8-4B4A-877F-EAD19A095BE3} - System32\Tasks\{CF3D76FD-86EF-420B-B41C-012B2A754575} => Chrome.exe 
Task: {62F1483A-106E-4BD2-B3FC-E86345B43BF3} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {95895D2F-B4A0-426A-BACB-18F01BCD3D81} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-05-20] (Piriform Ltd)
Task: {A1E2777B-AA84-4658-9AC8-D282390AFE13} - System32\Tasks\{AC456956-978C-4BEF-9AE6-9479C78969AD} => Chrome.exe 
Task: {A7758E18-3B5D-468C-AE2B-8FE07686C766} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-23] (Adobe Systems Incorporated)
Task: {CECE3EFD-84CB-4CAF-AA5E-3C72AB7478BA} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {ECA28893-5015-46F7-9088-C7248D1B0E0F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-03] (Google Inc.)
Task: {F442E30B-94DC-4F58-B2E1-0A8B2117DE71} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-10-17 11:25 - 2013-10-17 11:25 - 08866472 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-01-31 01:42 - 2013-03-08 11:06 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-05-25 14:18 - 2014-05-25 14:18 - 00747192 _____ () D:\Rainmeter\Rainmeter.dll
2014-02-12 19:58 - 2014-02-12 19:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 19:58 - 2014-02-12 19:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-08-30 18:10 - 2014-07-31 08:36 - 00258944 _____ () C:\Program Files (x86)\Maxthon\bin\Maxzlib.dll
2014-08-30 18:10 - 2014-07-31 08:36 - 00247096 _____ () C:\Program Files (x86)\Maxthon\Addons\Mobile\MxMobile.dll
2014-08-30 18:10 - 2014-07-31 08:36 - 00258944 _____ () C:\Program Files (x86)\Maxthon\Bin\maxzlib.dll
2014-08-30 18:10 - 2014-07-31 08:37 - 00887064 _____ () C:\Program Files (x86)\Maxthon\Core\Webkit\libglesv2.dll
2014-08-30 18:10 - 2014-07-31 08:37 - 00109336 _____ () C:\Program Files (x86)\Maxthon\Core\Webkit\libegl.dll
2014-08-30 18:10 - 2014-07-31 08:37 - 04055504 _____ () C:\Program Files (x86)\Maxthon\Core\Webkit\pdf.dll
2014-08-30 18:10 - 2014-07-31 08:37 - 17029808 _____ () C:\Program Files (x86)\Maxthon\Core\Webkit\Npplugins\NPSWF32_14_0_0_145.dll
2014-08-30 18:10 - 2014-07-31 08:37 - 02128152 _____ () C:\Program Files (x86)\Maxthon\Core\Webkit\ffmpegsumo.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\14797551.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\52584068.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\80133336.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\14797551.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\52584068.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\80133336.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/07/2014 06:56:56 PM) (Source: Application Error) (User: )
Description: Faulting application name: Skype.exe, version: 6.22.81.105, time stamp: 0xf36bac23
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002dfe4
Faulting process id: 0xe54
Faulting application start time: 0xSkype.exe0
Faulting application path: Skype.exe1
Faulting module path: Skype.exe2
Report Id: Skype.exe3

Error: (11/07/2014 06:54:43 PM) (Source: Application Error) (User: )
Description: Faulting application name: Skype.exe, version: 6.22.81.105, time stamp: 0x545b43cb
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002dfe4
Faulting process id: 0xf90
Faulting application start time: 0xSkype.exe0
Faulting application path: Skype.exe1
Faulting module path: Skype.exe2
Report Id: Skype.exe3

Error: (11/07/2014 06:53:57 PM) (Source: Application Error) (User: )
Description: Faulting application name: Skype.exe, version: 6.22.81.105, time stamp: 0x545b43cb
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002dfe4
Faulting process id: 0xc30
Faulting application start time: 0xSkype.exe0
Faulting application path: Skype.exe1
Faulting module path: Skype.exe2
Report Id: Skype.exe3

System errors:
=============
Error: (11/07/2014 07:28:26 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).

Error: (11/07/2014 07:28:22 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).

Error: (11/07/2014 07:28:20 PM) (Source: Service Control Manager) (User: )
Description: The BuddyVM service failed to start due to the following error: 
%%3

Error: (11/07/2014 07:19:22 PM) (Source: Service Control Manager) (User: )
Description: The BuddyVM service failed to start due to the following error: 
%%3

Error: (11/07/2014 06:51:02 PM) (Source: Service Control Manager) (User: )
Description: The BuddyVM service failed to start due to the following error: 
%%3

Microsoft Office Sessions:
=========================
Error: (11/07/2014 06:56:56 PM) (Source: Application Error)(User: )
Description: Skype.exe6.22.81.105f36bac23ntdll.dll6.1.7601.177254ec49b8fc00000050002dfe4e5401cffabc8c2e35ffC:\Program Files (x86)\Skype\Phone\Skype.exeC:\Windows\SysWOW64\ntdll.dlld80e8d6c-66af-11e4-be63-b803056d4583

Error: (11/07/2014 06:54:43 PM) (Source: Application Error)(User: )
Description: Skype.exe6.22.81.105545b43cbntdll.dll6.1.7601.177254ec49b8fc00000050002dfe4f9001cffabc430295a9C:\Program Files (x86)\Skype\Phone\Skype.exeC:\Windows\SysWOW64\ntdll.dll88c80a2d-66af-11e4-be63-b803056d4583

Error: (11/07/2014 06:53:57 PM) (Source: Application Error)(User: )
Description: Skype.exe6.22.81.105545b43cbntdll.dll6.1.7601.177254ec49b8fc00000050002dfe4c3001cffabbed7261d0C:\Program Files (x86)\Skype\Phone\Skype.exeC:\Windows\SysWOW64\ntdll.dll6d39f93c-66af-11e4-be63-b803056d4583

CodeIntegrity Errors:
===================================
Date: 2014-04-30 19:53:40.987
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-30 19:53:40.876
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-27 17:36:24.293
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-27 17:36:24.215
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-27 13:22:08.630
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-27 13:22:08.548
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-26 19:42:30.878
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-26 19:42:30.800
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-26 15:04:27.543
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-26 15:04:27.449
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\VMLaunch\BuddyVM.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Percentage of memory in use: 53%
Total physical RAM: 4009.55 MB
Available physical RAM: 1882.97 MB
Total Pagefile: 8017.28 MB
Available Pagefile: 5289.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.79 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:86.42 GB) (Free:22.45 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:146.46 GB) (Free:33.88 GB) NTFS
Drive g: (ICARUS) (Removable) (Total:3.75 GB) (Free:3.75 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 65489E79)
Partition 1: (Active) - (Size=86 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=146 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: DFC2873B)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================


----------



## Satidraox (Nov 2, 2014)

So that's the FRST.txt first, then the Addition.txt.


----------



## Satidraox (Nov 2, 2014)

Wait, hold on, let me try something to get RKill.


----------



## Satidraox (Nov 2, 2014)

Do you think that it could be the router that's the problem? I have been noticing that it's been turning off and really dodgy lately,
so I might use the spare one that I think I have. Though I'd like to know if it's possible that it could be the router, since I'm not altogether sure; the thought of going through so many wires based on not much evidence doesn't seem appealing, so I'd like your opinion.


----------



## Satidraox (Nov 2, 2014)

Well, I got RKill to work now, but this is what the log says:

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/07/2014 08:24:23 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000


----------



## Satidraox (Nov 2, 2014)

Last but not least, here was the error I got when I logged in; it seems to happen every time now.


----------



## askey127 (Dec 22, 2006)

------------------------------------------------
*Remove Programs Using Control Panel*
From *Start, Control Panel*, click on *Programs and Features*
Click each entry, as follows, one by one; if it exists, choose *Uninstall*, and give permission to continue:
*µTorrent*
*Java 7 Update 55*
*McAfee Agent*
*Unity Web Player*
Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
*REBOOT (RESTART) Your Machine*

--------------------------------------------------------
*Run A Fix With FRST*
Download attached *fixlist.txt* file and save it to the Desktop.
*NOTE.* It's important that both the program (either *FRST.exe* or *FRST64.exe*) and *fixlist.txt* be in the same location, or the fix will not work.
(Both on the Desktop is OK, or both in the same folder elsewhere.)

*NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to the operating system*

Run *FRST* and press the *Fix* button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

askey127


----------



## askey127 (Dec 22, 2006)

My apologies.
I'm having trouble attaching the file FixList.txt as promised.
Will try to do so in ensuing post.
You can do the Uninstall part of the instruction, though.
Hope to have the attachment for you shortly.


----------



## Satidraox (Nov 2, 2014)

Haha, no problem dude, you've actually been real nice. I don't mind waiting, just uninstalling the Java stuff.


----------



## Satidraox (Nov 2, 2014)

Also, just to let you know, I'm uninstalling both the McAfee programs, since it seems it won't allow me to uninstall the "McAfee Agent" without uninstalling the other first.


----------



## Satidraox (Nov 2, 2014)

Oh yeah, something that probably is very important, but well, in the attachment you can see there is a malware object, scanned by TDSSKiller, but the problem is that it keeps replicating. I've done this a couple of times and it's still there.


----------



## askey127 (Dec 22, 2006)

I know about that one.

You can make the FixList.txt file yourself, and save it to your desktop.
Copy and paste all the following lines from the Code block into Notepad and save as *FixList.txt* on your Desktop.
Do not include the word "code".

```
HKLM Group Policy restriction on software: C:\Program Files (x86)\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [x]
HKCU\...\Run: [Gyazo] - C:\Program Files (x86)\Gyazo\GyStation.exe [2990304 2013-10-30] (Nota Inc.)
HKCU\...\Run: [FfwKoulh] - C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [142336 2014-11-02] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [ShStatEXE] - D:\Mcafee\shstat.exe [243560 2014-01-15] (McAfee, Inc.)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20141102205933.dll (McAfee, Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20141102205932.dll (McAfee, Inc.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Extension: McAfee ScriptScan for Firefox - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Andrew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-11-02] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-11-02] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2014-11-02] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2014-11-02] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2014-11-02] (McAfee, Inc.)
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [x]
2014-11-02 20:59 - 2014-11-02 20:57 - 00782968 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00311600 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeavfk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00180272 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeapfk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00121896 _____ (McAfee, Inc.) C:\Windows\system32\MfeOtlkAddin.dll
2014-11-02 20:59 - 2014-11-02 20:57 - 00107032 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mferkdet.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00011208 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeclnk.sys
2014-11-02 20:59 - 2014-11-02 20:56 - 00094080 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MfeOtlkAddin.dll
2014-11-02 20:59 - 2014-11-02 20:56 - 00025088 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MFEOtlk.dll
2014-11-02 20:57 - 2014-11-02 20:57 - 00344176 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfewfpk.sys
2014-11-02 20:57 - 2014-11-02 20:57 - 00185280 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2014-11-02 21:00 - 2014-11-02 21:00 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\McAfee
2014-11-06 12:04 - 2014-02-01 18:59 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\uTorrent
C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe
C:\Program Files (x86)\Gyazo\GyStation.exe
C:\Windows\System32\drivers\mfeapfk.sys
C:\Windows\System32\drivers\mfeavfk.sys
C:\Windows\System32\drivers\mfehidk.sys
C:\Windows\System32\drivers\mferkdet.sys
C:\Windows\System32\drivers\mfewfpk.sys
C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys
EmptyTemp:
Cmd: ipconfig /flushdns
```
Once you have this saved as Fixlist.txt, then you can run the Fix with FRST64 per my previous instruction.
askey127
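A small triage script, added here as an example (it is not FRST's code and not part of askey127's post): it scans FRST-style log lines for the patterns the fixlist above removes (a Software Restriction Policy blocking security products, an extra executable appended to the Winlogon Userinit value, an autorun with no publisher under a user-writable directory) plus the disabled-firewall value Rkill reported. The sample lines are copied from this thread, with one constructed clean Userinit entry for contrast; the heuristics are my own assumptions and deliberately do not catch everything a human reviewer would (the Gyazo entry, for instance).

```python
import re

# Security products whose install paths a hostile Software Restriction Policy would block;
# FRST marks such "Group Policy restriction on software" lines with ATTENTION.
SECURITY_PRODUCT_HINTS = ("microsoft security client", "microsoft antimalware", "mcafee")

# Directories a standard user can write to: an autorun living here with no publisher
# (empty "()" at the end of the FRST line) deserves a look.
USER_WRITABLE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")

GPO_RE = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?)(?: <=+ ATTENTION)?$")
USERINIT_RE = re.compile(r"Winlogon: \[Userinit\] (?P<value>.+?)(?: \[x\])?$")
RUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU)(?:-x32)?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - "
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<publisher>[^)]*)\)$"
)
# Rkill printed this registry value when it reported "Windows Firewall Disabled".
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*dword:(?P<val>[0-9a-fA-F]{8})$')


def triage(lines):
    """Return a list of findings (dicts with kind, detail, line) for suspicious lines."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = GPO_RE.match(line)
        if m:
            if any(h in m["path"].lower() for h in SECURITY_PRODUCT_HINTS):
                findings.append({"kind": "srp_blocks_security_tool", "detail": m["path"], "line": line})
            continue

        m = USERINIT_RE.search(line)
        if m:
            # Userinit is a comma-separated list; Windows ships exactly one entry, userinit.exe.
            parts = [p.strip() for p in m["value"].split(",") if p.strip()]
            extra = [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extra:
                findings.append({"kind": "userinit_hijack", "detail": extra[0], "line": line})
            continue

        m = RUN_RE.match(line)
        if m:
            in_user_dir = any(d in m["path"].lower() for d in USER_WRITABLE_DIRS)
            if not m["publisher"].strip() and in_user_dir:
                findings.append({"kind": "unsigned_autorun_user_dir", "detail": m["path"], "line": line})
            continue

        m = FIREWALL_RE.match(line)
        if m and int(m["val"], 16) == 0:
            findings.append({"kind": "firewall_disabled", "detail": line, "line": line})
    return findings


# Constructed sample: lines taken from the FRST fixlist and Rkill log in this thread,
# plus one clean Userinit entry (not from the thread) so the check has a negative case.
SAMPLE_LINES = [
    r"HKLM Group Policy restriction on software: C:\Program Files (x86)\Microsoft Security Client <====== ATTENTION",
    r"HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION",
    r"HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION",
    r"HKLM-x32\...\Winlogon: [Userinit] userinit.exe,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [x]",
    r"HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,",  # constructed clean entry
    r"HKCU\...\Run: [Gyazo] - C:\Program Files (x86)\Gyazo\GyStation.exe [2990304 2013-10-30] (Nota Inc.)",
    r"HKCU\...\Run: [FfwKoulh] - C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [142336 2014-11-02] ()",
    r"HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)",
    r'"EnableFirewall" = dword:00000000',
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['kind']:<28} {f['detail']}")
```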


----------



## Satidraox (Nov 2, 2014)

Okay, done. Here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-11-2013
Ran by Andrew at 2014-11-07 21:06:20 Run:1
Running from C:\Users\Andrew\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Program Files (x86)\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [x]
HKCU\...\Run: [Gyazo] - C:\Program Files (x86)\Gyazo\GyStation.exe [2990304 2013-10-30] (Nota Inc.)
HKCU\...\Run: [FfwKoulh] - C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe [142336 2014-11-02] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [ShStatEXE] - D:\Mcafee\shstat.exe [243560 2014-01-15] (McAfee, Inc.)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20141102205933.dll (McAfee, Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20141102205932.dll (McAfee, Inc.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Extension: McAfee ScriptScan for Firefox - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Andrew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-11-02] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-11-02] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2014-11-02] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2014-11-02] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2014-11-02] (McAfee, Inc.)
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [x]
2014-11-02 20:59 - 2014-11-02 20:57 - 00782968 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00311600 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeavfk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00180272 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeapfk.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00121896 _____ (McAfee, Inc.) C:\Windows\system32\MfeOtlkAddin.dll
2014-11-02 20:59 - 2014-11-02 20:57 - 00107032 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mferkdet.sys
2014-11-02 20:59 - 2014-11-02 20:57 - 00011208 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeclnk.sys
2014-11-02 20:59 - 2014-11-02 20:56 - 00094080 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MfeOtlkAddin.dll
2014-11-02 20:59 - 2014-11-02 20:56 - 00025088 _____ (McAfee, Inc.) C:\Windows\SysWOW64\MFEOtlk.dll
2014-11-02 20:57 - 2014-11-02 20:57 - 00344176 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfewfpk.sys
2014-11-02 20:57 - 2014-11-02 20:57 - 00185280 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2014-11-02 21:00 - 2014-11-02 21:00 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\McAfee
2014-11-06 12:04 - 2014-02-01 18:59 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\uTorrent
C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe
C:\Program Files (x86)\Gyazo\GyStation.exe
C:\Windows\System32\drivers\mfeapfk.sys
C:\Windows\System32\drivers\mfeavfk.sys
C:\Windows\System32\drivers\mfehidk.sys
C:\Windows\System32\drivers\mferkdet.sys
C:\Windows\System32\drivers\mfewfpk.sys
C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys
EmptyTemp:
Cmd: ipconfig /flushdns
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Gyazo => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\FfwKoulh => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ShStatEXE => Value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231} => Key not found.
HKCR\Wow6432Node\CLSID\{7DB2D5A0-7241-4E79-B68D-6309F01C5231} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231} => Key not found.
HKCR\CLSID\{7DB2D5A0-7241-4E79-B68D-6309F01C5231} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin => Key deleted successfully.
C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll not found.
C:\Program Files (x86)\Common Files\McAfee\SystemCore not found.
HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0 => Key not found.
C:\Users\Andrew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.55.2 => Key not found.
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.55.2 => Key not found.
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll not found.
mfeapfk => Service not found.
mfeavfk => Service not found.
mfeavfk01 => Service not found.
mfehidk => Service not found.
mferkdet => Service not found.
mfewfpk => Service not found.
cleanhlp => Service deleted successfully.
"C:\Windows\system32\Drivers\mfehidk.sys" => File/Directory not found.
"C:\Windows\system32\Drivers\mfeavfk.sys" => File/Directory not found.
"C:\Windows\system32\Drivers\mfeapfk.sys" => File/Directory not found.
C:\Windows\system32\MfeOtlkAddin.dll => Moved successfully.
"C:\Windows\system32\Drivers\mferkdet.sys" => File/Directory not found.
"C:\Windows\system32\Drivers\mfeclnk.sys" => File/Directory not found.
C:\Windows\SysWOW64\MfeOtlkAddin.dll => Moved successfully.
C:\Windows\SysWOW64\MFEOtlk.dll => Moved successfully.
"C:\Windows\system32\Drivers\mfewfpk.sys" => File/Directory not found.
"C:\Windows\system32\mfevtps.exe" => File/Directory not found.
C:\Users\Andrew\AppData\Roaming\McAfee => Moved successfully.
C:\Users\Andrew\AppData\Roaming\uTorrent => Moved successfully.
Could not move "C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe" => Scheduled to move on reboot.
C:\Program Files (x86)\Gyazo\GyStation.exe => Moved successfully.
"C:\Windows\System32\drivers\mfeapfk.sys" => File/Directory not found.
"C:\Windows\System32\drivers\mfeavfk.sys" => File/Directory not found.
"C:\Windows\System32\drivers\mfehidk.sys" => File/Directory not found.
"C:\Windows\System32\drivers\mferkdet.sys" => File/Directory not found.
"C:\Windows\System32\drivers\mfewfpk.sys" => File/Directory not found.
"C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys" => File/Directory not found.

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-11-07 21:08:57)<=

C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe => Is moved successfully.

==== End of Fixlog ====


----------



## Satidraox (Nov 2, 2014)

So I'm guessing this was to enable Microsoft Security Essentials, right? It also detected the file that was causing the problem before, as in when I deleted it I think everything went back to normal. HOWEVER, as we can clearly see, it did come back, so... should I just delete it and do what?


----------



## Satidraox (Nov 2, 2014)

By the way, I got Microsoft Security Essentials to instantly start scanning for more, but I haven't deleted that file yet... though common sense would dictate I should, last time I took initiative it backfired xD


----------



## Satidraox (Nov 2, 2014)

Last thing that you should know is that only MSE is back (but I assume that's what the file was for) and that Regsvr32 error came up again after the reboot.


----------



## askey127 (Dec 22, 2006)

FRST may have killed it already, but allow MSSE to do its thing and delete what it wants.
There should no longer be Group Policy roadblocks to some of our tools or MSSE.
We may also have killed off the thing that was reinstalling it at reboot.

Let me know how it goes.


----------



## Satidraox (Nov 2, 2014)

Well, it did feel good to slap that "Remove" button on that file again, though hopefully I don't have to do it again. I assume that this full scan will take an hour and a bit, since I think that was around the time it took last time, so yeah, go relax or something xD you've helped a lot.


----------



## Satidraox (Nov 2, 2014)

Wait a second,
why is there a file called "&#14915;&#18012;&#21330;&#23636;&#30033;&#29281;&#28257;&#26996;&#25966;&#1024;" on my desktop? I googled it and it's malware?
Do I delete it? (Obvious answer would be yes, but I'm following to the letter here.)


----------



## askey127 (Dec 22, 2006)

I don't know what it is but I would delete it, then empty the Recycle bin.


----------



## Satidraox (Nov 2, 2014)

Alright, I think you can relax for an hour now XD I'll let you know when it's done, I'll probably restart and then tell you.


----------



## Satidraox (Nov 2, 2014)

It does seem it is taking a significantly larger amount of time than I predicted...


----------



## askey127 (Dec 22, 2006)

That's OK. Let it run.
It's making an index list of the good files.
We killed a lot of the junk.


----------



## Satidraox (Nov 2, 2014)

Okay, so it's finished scanning and it says it's all clean and all, but I still have the same problems, so either right after I deleted it it reinstalled itself or it's something else. So what now?


----------



## Satidraox (Nov 2, 2014)

Now I don't know about you, but I'm pretty certain this is evidence of it reinstalling 0_0


----------



## Satidraox (Nov 2, 2014)

Yup, I didn't even restart this time, I just scanned it again right after and BAM, it was still there.


----------



## Satidraox (Nov 2, 2014)

I'm assuming you're done for the day, but I'll keep posting some info that I find. So here I found where that ffwkoulh.exe thing was, and tried to delete it, and this is the message it gave me:


----------



## Satidraox (Nov 2, 2014)

Okay, just now I tried to start in Safe Mode with Networking, just to see if it would make a difference, and I noticed that scanning with TDSSKiller and MSE didn't show up anything. Even when I tried to find the file manually, it wasn't there like before.
At this moment in time I also noticed the internet went down, something that has not happened for about five hours, but chose to happen then, just like when I first had the problem where the internet went down, except it didn't forcefully restart me. I dunno, maybe it disconnects me to prevent me from cleaning it somehow??? These disconnects have only happened since I got the trojan, I'm pretty sure. It's never done this before, and if it does it's usually once every couple of months when the internet goes down, not this almost repeatedly forced shutting off. And I mean my router, like, I got to my router and now the light on "Internet" is red, and later shuts off altogether if I attempt to wait it out. I don't know what to make of it.

Regardless, I await your response, as I have given up today and will continue tomorrow (I'll probably be online all day tomorrow, got nothing better to do now but watch shows).


----------



## askey127 (Dec 22, 2006)

Sati,
We got rid of a lot in the last pass. Maybe at least some of the tools will work better.
-----------------------------------------------------------
*Run ComboFix*
*IMPORTANT NOTE:* ComboFix is a *VERY POWERFUL* tool. *DO NOT* use it without guidance.
ComboFix uses *very* forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
*You will need to disable all your antivirus software BEFORE running ComboFix.*
***Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer.***

*DISABLE AV*
Right click the green MS Security Essentials "schoolhouse" icon in the lower right System tray, and click "Open".
Click the "Settings" tab and in the left pane, then Click "Real Time Protection"
In The Main Window UNCHECK the box for "Turn on real time protection(Recommended)"
Then click "Save Changes".

Close all browsers and other open windows.
Now start ComboFix. Right click and choose "Run as administrator".
OK any disclaimers and start the Scan.
*Do not touch the computer AT ALL while ComboFix is running.*
It will run through about 50 tasks, and take a while to assemble the report. 
When finished, the report will open. Post the log in your next reply, and then *Reenable your protection software*.
A copy of the log will be located here if you need it -> *C:\ComboFix.txt*
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

Note: If Combofix detects a Rootkit/Bootkit on your system it will give a warning and ask for a reboot. Allow it to do so.
If a Combofix reboot is due to a rootkit, the screen may stay black for several minutes as it boots up. This is normal.

askey127


----------



## askey127 (Dec 22, 2006)

An extra note:
You may well have gotten at least some of this garbage from Softonic.
*Don't download anything from sites known for adware bundling.*
For any online downloads, it is best to avoid using *CNET, Download.com, BrotherSoft, or Softonic*.
They package their own "downloaders" and, without notice, deliver serious adware in addition to the desired programs.
Unfortunately, the results may be disastrous for your machine.
Filehippo and MajorGeeks have been safer.


----------



## Satidraox (Nov 2, 2014)

I apologise for my late reply, as I slept at 4 am last night and thus woke up at 4 pm today. However, I am currently getting ComboFix through the method that I used for Rkill earlier; it takes some time, so I'll update you when I'm about to start.


----------



## Satidraox (Nov 2, 2014)

Alright, I got ComboFix and have turned off the anti-virus. I'm about to close the browser; I'll see you on the other side.


----------



## Satidraox (Nov 2, 2014)

Heres the log:

ComboFix 14-11-03.01 - Andrew 08/11/2014 16:58:28.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.932.81.1033.18.4010.2744 [GMT 0:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Andrew\AppData\Local\asjwtwxa.log
c:\users\Andrew\AppData\Local\bsyqdgyw.log
c:\users\Andrew\AppData\Local\giuwtoji.log
c:\users\Andrew\AppData\Local\iapssmna.log
c:\users\Andrew\AppData\Local\iblurqat.log
c:\users\Andrew\AppData\Local\mpekwawr.log
c:\users\Andrew\AppData\Local\nwsesnvg.log
c:\users\Andrew\AppData\Local\ycfnmyrj.log
c:\users\Andrew\AppData\Local\ycrrqubu.log
.
.
((((((((((((((((((((((((( Files Created from 2014-10-08 to 2014-11-08 )))))))))))))))))))))))))))))))
.
.
2014-11-08 17:06 . 2014-11-08 17:06	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-11-07 19:36 . 2014-11-07 21:08	--------	d-----w-	C:\FRST
2014-11-07 19:17 . 2014-11-08 01:06	--------	d-----w-	C:\TDSSKiller_Quarantine
2014-11-07 16:36 . 2014-11-07 16:36	--------	d-----w-	c:\users\Andrew\AppData\Local\Skype
2014-11-07 16:36 . 2014-11-07 16:36	--------	d-----w-	c:\program files (x86)\Common Files\Skype
2014-11-07 16:36 . 2014-11-07 16:36	--------	d-----r-	c:\program files (x86)\Skype
2014-11-07 01:07 . 2014-11-07 01:07	--------	d-----w-	c:\windows\Microsoft Antimalware
2014-11-07 00:40 . 2014-11-07 00:40	--------	d-----w-	c:\windows\ERUNT
2014-11-06 22:17 . 2014-11-06 22:17	--------	d-----w-	c:\program files (x86)\Microsoft Security Client
2014-11-06 22:17 . 2014-11-06 22:18	--------	d-----w-	c:\program files\Microsoft Security Client
2014-11-05 10:51 . 2014-11-05 10:51	--------	d-----w-	C:\found.000
2014-11-03 20:20 . 2014-11-03 20:20	24448	----a-w-	c:\windows\SysWow64\drivers\rkhdrv40.sys
2014-11-03 19:30 . 2014-11-03 19:30	--------	d-----w-	c:\programdata\Emsisoft
2014-11-03 16:45 . 2014-11-07 19:18	--------	d-----w-	c:\program files (x86)\Emsisoft Anti-Malware
2014-11-03 16:20 . 2014-11-03 16:20	--------	d-----w-	c:\users\Andrew\AppData\Local\VS Revo Group
2014-11-03 16:20 . 2014-11-03 16:20	--------	d-----w-	c:\programdata\VS Revo Group
2014-11-03 16:20 . 2009-12-30 11:21	31800	----a-w-	c:\windows\system32\drivers\revoflt.sys
2014-11-03 16:20 . 2014-11-03 16:20	--------	d-----w-	c:\program files\VS Revo Group
2014-11-03 16:18 . 2014-11-07 19:07	--------	d-----w-	C:\AdwCleaner
2014-11-02 20:59 . 2014-11-02 20:56	34864	----a-w-	c:\program files (x86)\Mozilla Firefox\ScriptFF.dll
2014-11-02 20:57 . 2014-11-07 21:03	--------	d-----w-	c:\program files\Common Files\McAfee
2014-11-02 20:55 . 2014-11-07 21:00	--------	d-----w-	c:\programdata\McAfee
2014-11-02 19:15 . 2014-11-07 00:37	--------	d-----w-	c:\windows\system32\appmgmt
2014-11-02 18:47 . 2014-11-07 18:49	--------	d-----w-	c:\programdata\ModrAsad
2014-11-02 18:47 . 2014-11-08 16:08	--------	d-----w-	c:\users\Andrew\AppData\Local\wyixeucq
2014-10-29 15:35 . 2014-10-29 15:35	--------	d-----w-	C:\UseUsers
2014-10-11 22:04 . 2014-10-11 22:04	--------	d-----w-	c:\users\Andrew\AppData\Local\Apps
2014-10-11 22:04 . 2014-10-11 22:04	--------	d-----w-	c:\users\Andrew\AppData\Local\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-31 02:03 . 2014-10-28 22:32	75888	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{766F9DA3-CD24-4702-9222-AAC34100A181}\offreg.dll
2014-10-30 03:50 . 2014-02-01 05:30	275080	------w-	c:\windows\system32\MpSigStub.exe
2014-10-20 02:37 . 2014-11-08 00:06	11627712	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FE8C7E30-C2E9-42EA-90B3-E6E2F7902037}\mpengine.dll
2014-10-20 02:37 . 2014-11-07 16:22	11627712	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-09-23 20:28 . 2014-01-31 01:40	71344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-23 20:28 . 2014-01-31 01:40	701104	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-10 15:30 . 2014-11-08 00:06	1188440	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4AA796E3-7294-4C0C-A9DB-D324448C7FAE}\gapaengine.dll
2014-09-10 15:30 . 2014-11-06 22:24	1188440	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-09 02:05 . 2014-10-20 15:02	11578928	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{766F9DA3-CD24-4702-9222-AAC34100A181}\mpengine.dll
2014-08-28 22:38 . 2012-07-17 14:37	23256	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-02-01 20:31	222832	----a-w-	c:\users\Andrew\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-02-01 20:31	222832	----a-w-	c:\users\Andrew\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-02-01 20:31	222832	----a-w-	c:\users\Andrew\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-11-02 12:35	1727176	----a-w-	c:\progra~2\MICROS~3\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-11-02 12:35	1727176	----a-w-	c:\progra~2\MICROS~3\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-11-02 12:35	1727176	----a-w-	c:\progra~2\MICROS~3\Office15\GROOVEEX.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-10-28 3675352]
"Mal Updater 2"="c:\program files (x86)\Mal Updater 2\MalUpdater.exe" [2014-11-07 2299392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2014-08-01 152392]
.
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Curse.lnk - c:\users\Andrew\AppData\Roaming\Curse Client\Bin\Curse.exe /startup [2014-4-15 6064392]
ffwkoulh.exe [2014-11-2 142336]
Rainmeter.lnk - d:\rainmeter\Rainmeter.exe [2014-5-25 36536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;d:\vmlaunch\BuddyVM.sys;d:\vmlaunch\BuddyVM.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe;c:\windows\SYSNATIVE\lxeacoms.exe [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys;c:\windows\SYSNATIVE\DRIVERS\tap0901t.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-11-03 21:57	1089352	----a-w-	c:\program files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-01-31 20:28]
.
2014-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-03 21:57]
.
2014-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-03 21:57]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-02-01 20:31	261744	----a-w-	c:\users\Andrew\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-02-01 20:31	261744	----a-w-	c:\users\Andrew\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-02-01 20:31	261744	----a-w-	c:\users\Andrew\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-11-02 12:30	2331336	----a-w-	c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-11-02 12:30	2331336	----a-w-	c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-11-02 12:30	2331336	----a-w-	c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-11-19 13260944]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-03-22 172016]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-03-22 399856]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-03-22 442352]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-ModrAsad - c:\programdata\ModrAsad\ModrAsad.dat
Wow6432Node-HKCU-Run-FfwKoulh - c:\users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
SafeBoot-14797551.sys
SafeBoot-19440896.sys
SafeBoot-25438874.sys
SafeBoot-39174167.sys
SafeBoot-51584204.sys
SafeBoot-52584068.sys
SafeBoot-80133336.sys
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - c:\program files (x86)\GreenTree Applications\YTD Video Downloader\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Maxthon\Bin\MxUp.exe
.
**************************************************************************
.
Completion time: 2014-11-08 17:14:44 - machine was rebooted
ComboFix-quarantined-files.txt 2014-11-08 17:14
.
Pre-Run: 23,194,382,336 bytes free
Post-Run: 23,680,147,456 bytes free
.
- - End Of File - - 5DAF03B42AC5002203ED99C382AC03C3
A36C5E4F47E84449FF07ED3517B43A31
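
The "Reg Loading Points" section above is what the helper reads to spot the hijacked Winlogon Userinit value (the stock userinit.exe followed by ffwkoulh.exe) and the switched-off UAC and Security Center settings; the SystemLook winlogon dump later in the thread shows the same Userinit value in SystemLook's own format. As an added example that is not part of the original thread, ComboFix or SystemLook, the Python below parses both dump formats and flags those two findings; the sample dump is constructed from values in the log above, and the stock userinit.exe path assumes C: is the system drive.

```python
"""Flag Userinit persistence and switched-off protections in a ComboFix
"Reg Loading Points" section or a SystemLook "reg" dump.
Added example for this thread, not part of ComboFix, SystemLook or the
original posts; the sample dump is constructed from values in the log above."""
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# One pattern for every value spelling the two tools use:
#   "Name"="string"   "Name"= 0 (0x0)   "Name"=dword:00000001   "Name"= 0x0000000001 (1)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')

STOCK_USERINIT = r'c:\windows\system32\userinit.exe'  # assumes C: is the system drive

# (key suffix, value name, expected DWORD).  EnableLUA=0 disables UAC; the
# Security Center Override/DisableNotify flags at 1 silence the warnings the
# user would otherwise get about a missing AV or firewall.
EXPECTED = [
    (r'\policies\system', 'EnableLUA', 1),
    (r'\policies\system', 'PromptOnSecureDesktop', 1),
    (r'\security center', 'AntiVirusOverride', 0),
    (r'\security center', 'AntiVirusDisableNotify', 0),
    (r'\security center', 'FirewallOverride', 0),
    (r'\security center', 'UacDisableNotify', 0),
]

def parse_dump(text):
    """Return {key path (lower-cased): {value name: raw text after '='}}.
    Default ('@=') values and non-registry lines are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key').lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = m.group('raw')
    return keys

def as_int(raw):
    """Decode a DWORD written in any of the dump formats; None if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^(0x[0-9a-fA-F]+|\d+)', raw)
    if not m:
        return None
    tok = m.group(1)
    return int(tok, 16) if tok.lower().startswith('0x') else int(tok, 10)

def as_str(raw):
    """Unquote a REG_SZ; ComboFix may append ' [date size]' after the quotes."""
    m = re.match(r'^"([^"]*)"', raw.strip())
    return m.group(1) if m else raw.strip()

def userinit_extras(keys):
    """Winlogon launches every comma-separated entry of Userinit at logon,
    so anything besides the stock userinit.exe is a persistence entry."""
    for key, values in keys.items():
        if key.endswith(r'\winlogon') and 'Userinit' in values:
            parts = [p.strip() for p in as_str(values['Userinit']).split(',')]
            return [p for p in parts if p and p.lower() != STOCK_USERINIT]
    return []

def policy_findings(keys):
    """(value name, actual, expected) for each protection that is not at its default."""
    findings = []
    for suffix, name, expected in EXPECTED:
        for key, values in keys.items():
            if key.endswith(suffix) and name in values:
                actual = as_int(values[name])
                if actual != expected:
                    findings.append((name, actual, expected))
    return findings

# Constructed sample in ComboFix's format, using the values from the log above.
SAMPLE_DUMP = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"""

if __name__ == '__main__':
    keys = parse_dump(SAMPLE_DUMP)
    for extra in userinit_extras(keys):
        print('Userinit persistence entry:', extra)
    for name, actual, expected in policy_findings(keys):
        print(f'{name} = {actual} (expected {expected})')
```

The same parser can be pointed at a pasted SystemLook "reg" section, whose `0x0000000001 (1)` DWORD spelling as_int also accepts.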


----------



## Satidraox (Nov 2, 2014)

Things I noted were:
- Internet did not go down
- No prompt for rootkit (probably a bad thing)
- It did reboot, though it was pretty much like a normal restart.


----------



## askey127 (Dec 22, 2006)

That's OK.
-----------------------------------------------------------
*Run SystemLook*

Double-click *SystemLook_x64.exe* to run it. OK the User Account Control.
Copy the content of the following codebox into the main textfield:

```
:file
c:\users\Andrew\AppData\Local \wyixeucq\ffwkoulh.exe
:reg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon /s
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The results log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## Satidraox (Nov 2, 2014)

Here is the log:
SystemLook 04.09.10 by jpshortstuff
Log created at 21:06 on 08/11/2014 by Andrew
Administrator - Elevation successful

========== file ==========

c:\users\Andrew\AppData\Local \wyixeucq\ffwkoulh.exe - Unable to find/read file.

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"ReportBootOk"="1"
"Shell"="Explorer.exe"
"PreCreateKnownFolders"="{A520A1A4-1780-4FF6-BD18-167343C5AF16}"
"Userinit"="C:\Windows\system32\userinit.exe,,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
"VMApplet"="SystemPropertiesPerformance.exe /pagefile"
"AutoRestartShell"= 0x0000000001 (1)
"Background"="0 0 0"
"CachedLogonsCount"="10"
"DebugServerCommand"="no"
"ForceUnlockLogon"= 0x0000000000 (0)
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PasswordExpiryWarning"= 0x0000000005 (5)
"PowerdownAfterShutdown"="0"
"ShutdownWithoutLogon"="0"
"WinStationsDisabled"="0"
"DisableCAD"= 0x0000000001 (1)
"scremoveoption"="0"
"ShutdownFlags"= 0x0080000027 (-2147483609)
"LegalNotice Text"=""
"SFCDisable"= 0x0000000000 (0)
"System"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions]
(No values found)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Wireless Group Policy"
"DisplayName"="@wlgpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessWLANPolicyEx"
"GenerateGroupPolicy"="GenerateWLANPolicy"
"DllName"="wlgpclnt.dll"
"NoUserPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}]
@="Group Policy Environment"
"ProcessGroupPolicy"="ProcessGroupPolicyEnviron"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyEnviron"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExEnviron"
"EventSources"="(Group Policy Environment,Application)"
"DisplayName"="@gpprefcl.dll,-1"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}]
@="Group Policy Local Users and Groups"
"ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups"
"EventSources"="(Group Policy Local Users and Groups,Application)"
"DisplayName"="@gpprefcl.dll,-2"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}]
@="Group Policy Device Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyDevices"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDevices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices"
"EventSources"="(Group Policy Device Settings,Application)"
"DisplayName"="@gpprefcl.dll,-3"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"="fdeploy.dll"
"NoMachinePolicy"= 0x0000000001 (1)
"NoSlowLink"= 0x0000000001 (1)
"PerUserLocalSettings"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000000 (0)
"NoBackgroundPolicy"= 0x0000000000 (0)
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"="(Folder Redirection,Application)"
"DisplayName"="@fdeploy.dll,-261"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
(No values found)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"DisplayName"="@%SystemRoot%\System32\dskquota.dll,-100"
"NoMachinePolicy"= 0x0000000000 (0)
"NoUserPolicy"= 0x0000000001 (1)
"NoSlowLink"= 0x0000000001 (1)
"NoBackgroundPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)
"PerUserLocalSettings"= 0x0000000000 (0)
"RequiresSuccessfulRegistry"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000000 (0)
"DllName"="%SystemRoot%\System32\dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}]
@="Group Policy Network Options"
"ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions"
"EventSources"="(Group Policy Network Options,Application)"
"DisplayName"="@gpprefcl.dll,-4"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"DisplayName"="@gptext.dll,-201"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"="gptext.dll"
"NoUserPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"DllName"="gpscript.dll"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"NoSlowLink"= 0x0000000001 (1)
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"NoGPOListChanges"= 0x0000000001 (1)
"NotifyLinkTransition"= 0x0000000001 (1)
"DisplayName"="@gpscript.dll,-1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}]
@="Remote Desktop USB Redirection"
"DllName"="%SystemRoot%\System32\TsUsbRedirectionGroupPolicyExtension.dll"
"RequiresSuccessfulRegistry"= 0x0000000001 (1)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"NoGPOListChanges"= 0x0000000001 (1)
"NoUserPolicy"= 0x0000000001 (1)
"DisplayName"="@%SystemRoot%\System32\TsUsbRedirectionGroupPolicyExtension.dll,-100"
"NoBackgroundPolicy"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"DllName"="C:\Windows\System32\iedkcs32.dll"
"RequiresSuccessfulRegistry"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)
"DisplayName"="@C:\Windows\System32\iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}]
@="Group Policy Drive Maps"
"ProcessGroupPolicy"="ProcessGroupPolicyDrives"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDrives"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives"
"EventSources"="(Group Policy Drive Maps,Application)"
"NoMachinePolicy"= 0x0000000001 (1)
"DisplayName"="@gpprefcl.dll,-5"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)
"NoBackgroundPolicy"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}]
@="Group Policy Folders"
"ProcessGroupPolicy"="ProcessGroupPolicyFolders"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolders"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders"
"EventSources"="(Group Policy Folders,Application)"
"DisplayName"="@gpprefcl.dll,-6"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}]
@="Group Policy Network Shares"
"ProcessGroupPolicy"="ProcessGroupPolicyNetShares"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetShares"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares"
"EventSources"="(Group Policy Network Shares,Application)"
"NoUserPolicy"= 0x0000000001 (1)
"DisplayName"="@gpprefcl.dll,-7"
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}]
@="Group Policy Files"
"ProcessGroupPolicy"="ProcessGroupPolicyFiles"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFiles"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles"
"EventSources"="(Group Policy Files,Application)"
"DisplayName"="@gpprefcl.dll,-8"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}]
@="Group Policy Data Sources"
"ProcessGroupPolicy"="ProcessGroupPolicyDataSources"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDataSources"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources"
"EventSources"="(Group Policy Data Sources,Application)"
"DisplayName"="@gpprefcl.dll,-9"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}]
@="Group Policy Ini Files"
"ProcessGroupPolicy"="ProcessGroupPolicyIniFile"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyIniFile"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile"
"EventSources"="(Group Policy Ini Files,Application)"
"DisplayName"="@gpprefcl.dll,-10"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
@="Windows Search Group Policy Extension"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="%SystemRoot%\System32\srchadmin.dll"
"RequiresSuccessfulRegistry"= 0x0000000001 (1)
"NoSlowLink"= 0x0000000000 (0)
"NoGPOListChanges"= 0x0000000001 (1)
"NoUserPolicy"= 0x0000000000 (0)
"NoMachinePolicy"= 0x0000000000 (0)
"PerUserLocalSettings"= 0x0000000000 (0)
"EnableAsynchronousProcessing"= 0x0000000001 (1)
"NoBackgroundPolicy"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@="Internet Explorer User Accelerators"
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"DllName"="C:\Windows\System32\iedkcs32.dll"
"RequiresSuccessfulRegistry"= 0x0000000001 (1)
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"NoGPOListChanges"= 0x0000000001 (1)
"DisplayName"="@C:\Windows\System32\iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@="Security"
"DisplayName"="@(runtime.system32)\scecli.dll,-7650"
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"= 0x0000000001 (1)
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"= 0x0000000001 (1)
"DllName"="scecli.dll"
"NoUserPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)
"MaxNoGPOListChangesInterval"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
@="Deployed Printer Connections"
"DisplayName"="@%systemroot%\system32\gpprnext.dll,-1"
"DllName"="%systemroot%\system32\gpprnext.dll"
"EnableAsynchronousProcessing"= 0x0000000001 (1)
"ExtensionEventSource"=""
"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"
"MaxNoGPOListChangesInterval"= 0x0000000000 (0)
"NoBackgroundPolicy"= 0x0000000000 (0)
"NoGPOListChanges"= 0x0000000000 (0)
"NoMachinePolicy"= 0x0000000000 (0)
"NoSlowLink"= 0x0000000001 (1)
"NotifyLinkTransition"= 0x0000000000 (0)
"NoUserPolicy"= 0x0000000000 (0)
"PerUserLocalSettings"= 0x0000000000 (0)
"ProcessGroupPolicy"="PrinterProcessGroupPolicy"
"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"
"RequiresSuccessfulRegistry"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}]
@="Group Policy Services"
"ProcessGroupPolicy"="ProcessGroupPolicyServices"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyServices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExServices"
"EventSources"="(Group Policy Services,Application)"
"DisplayName"="@gpprefcl.dll,-11"
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@="Internet Explorer Branding"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="C:\Windows\System32\iedkcs32.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoSlowLink"= 0x0000000001 (1)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"NoGPOListChanges"= 0x0000000001 (1)
"NoMachinePolicy"= 0x0000000001 (1)
"DisplayName"="@C:\Windows\System32\iedkcs32.dll,-3014"
"NoBackgroundPolicy"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}]
@="Group Policy Folder Options"
"ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions"
"EventSources"="(Group Policy Folder Options,Application)"
"DisplayName"="@gpprefcl.dll,-12"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}]
@="Group Policy Scheduled Tasks"
"ProcessGroupPolicy"="ProcessGroupPolicySchedTasks"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicySchedTasks"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks"
"EventSources"="(Group Policy Scheduled Tasks,Application)"
"DisplayName"="@gpprefcl.dll,-13"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}]
@="Group Policy Registry"
"ProcessGroupPolicy"="ProcessGroupPolicyRegistry"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegistry"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry"
"EventSources"="(Group Policy Registry,Application)"
"DisplayName"="@gpprefcl.dll,-14"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@="802.3 Group Policy"
"DisplayName"="@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"="dot3gpclnt.dll"
"NoUserPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}]
@="Group Policy Printers"
"ProcessGroupPolicy"="ProcessGroupPolicyPrinters"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPrinters"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters"
"EventSources"="(Group Policy Printers,Application)"
"DisplayName"="@gpprefcl.dll,-16"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}]
@="Group Policy Shortcuts"
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyShortcuts"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts"
"EventSources"="(Group Policy Shortcuts,Application)"
"DisplayName"="@gpprefcl.dll,-17"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="%SystemRoot%\System32\cscobj.dll"
"RequiresSuccessfulRegistry"= 0x0000000001 (1)
"NoSlowLink"= 0x0000000000 (0)
"NoGPOListChanges"= 0x0000000000 (0)
"NoUserPolicy"= 0x0000000000 (0)
"NoMachinePolicy"= 0x0000000000 (0)
"PerUserLocalSettings"= 0x0000000000 (0)
"EnableAsynchronousProcessing"= 0x0000000001 (1)
"NoBackgroundPolicy"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"RequiresSucessfulRegistry"= 0x0000000000 (0)
"DllName"="appmgmts.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoSlowLink"= 0x0000000001 (1)
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"EventSources"="(Application Management,Application) (MsiInstaller,Application)"
"NoUserPolicy"= 0x0000000000 (0)
"DisplayName"="@appmgmts.dll,-3252"
"PerUserLocalSettings"= 0x0000000001 (1)
"NoBackgroundPolicy"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]
@="TCPIP"
"DisplayName"="@gptext.dll,-204"
"ProcessGroupPolicy"="ProcessTCPIPPolicy"
"DllName"="gptext.dll"
"NoUserPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)
"RequiresSuccessfulRegistry"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@="Internet Explorer Machine Accelerators"
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"DllName"="C:\Windows\System32\iedkcs32.dll"
"RequiresSuccessfulRegistry"= 0x0000000001 (1)
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"NoGPOListChanges"= 0x0000000001 (1)
"DisplayName"="@C:\Windows\System32\iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP Security"
"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"
"GenerateGroupPolicy"="GenerateIPSECPolicy"
"DllName"="%SystemRoot%\System32\polstore.dll"
"NoUserPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000000 (0)
"DisplayName"="@C:\Windows\system32\polstore.dll,-5012"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}]
@="Group Policy Internet Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyInternet"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyInternet"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet"
"EventSources"="(Group Policy Internet Settings,Application)"
"NoMachinePolicy"= 0x0000000001 (1)
"DisplayName"="@gpprefcl.dll,-18"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}]
@="Group Policy Start Menu Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyStartMenu"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyStartMenu"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu"
"EventSources"="(Group Policy Start Menu Settings,Application)"
"DisplayName"="@gpprefcl.dll,-19"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}]
@="Group Policy Regional Options"
"ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions"
"EventSources"="(Group Policy Regional Options,Application)"
"DisplayName"="@gpprefcl.dll,-20"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}]
@="Group Policy Power Options"
"ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions"
"EventSources"="(Group Policy Power Options,Application)"
"DisplayName"="@gpprefcl.dll,-21"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]
@="Audit Policy Configuration"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"="auditcse.dll"
"NoUserPolicy"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)
"MaxNoGPOListChangesInterval"= 0x00000003c0 (960)
"ForceRefreshFG"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}]
@="Group Policy Applications"
"ProcessGroupPolicy"="ProcessGroupPolicyApplications"
"DllName"="gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyApplications"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications"
"EventSources"="(Group Policy Applications,Application)"
"NoMachinePolicy"= 0x0000000001 (1)
"DisplayName"="@gpprefcl.dll,-15"
"PerUserLocalSettings"= 0x0000000001 (1)
"EnableAsynchronousProcessing"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]
@="Enterprise QoS"
"DisplayName"="@gptext.dll,-203"
"ProcessGroupPolicy"="ProcessEQoSPolicy"
"DllName"="gptext.dll"
"RequiresSuccessfulRegistry"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
@="CP"
"DisplayName"="@gptext.dll,-205"
"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"
"DllName"="gptext.dll"
"NoUserPolicy"= 0x0000000001 (1)
"NoGPOListChanges"= 0x0000000001 (1)
"RequiresSuccessfulRegistry"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify]
(No values found)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"= 0x0000000001 (1)
"Impersonate"= 0x0000000001 (1)
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts]
(No values found)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts\UserList]
(No values found)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\AutoLogonChecked]
(No values found)

-= EOF =-


----------



## Satidraox (Nov 2, 2014)

Sorry about the delay, was watching Doctor Who.


----------



## askey127 (Dec 22, 2006)

Let's see if that extra space is causing a problem.
---------------------------------------------
*Run SystemLook*

Double-click *SystemLook_x64.exe* to run it. OK the User Account Control.
Copy the content of the following codebox into the main textfield:

```
:file
c:\users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The results log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## Satidraox (Nov 2, 2014)

SystemLook 04.09.10 by jpshortstuff
Log created at 21:39 on 08/11/2014 by Andrew
Administrator - Elevation successful

========== file ==========

c:\users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe - File found and opened.
MD5: 0FB3D555F0BA510D6DCD4C1C1177E507
Created at 16:08 on 08/11/2014
Modified at 18:47 on 02/11/2014
Size: 142336 bytes
Attributes: --a-s--
FileDescription: 
FileVersion: 118.88.41.118
ProductVersion: 118.88.41.118
OriginalFilename: zBuyqTMXkQA.exe
InternalName: zBuyqTMXkQA.exe
LegalCopyright: (C) qTcPoQ

-= EOF =-


----------



## askey127 (Dec 22, 2006)

That's the villain all right.
----------------------------------------------
*Perform a Custom Fix with OTL*
Right click *OTL* on your desktop, and choose "Run as administrator" to open it.

In the *Custom Scans/Fixes* box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):

```
:Commands
[CREATERESTOREPOINT]

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,"

:Files
c:\users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe
c:\users\Andrew\AppData\Local\wyixeucq\zBuyqTMXkQA.exe
ipconfig /flushdns /c

:Commands
[emptyjava]
[emptyflash] 
[EMPTYTEMP]
```

Then click the *Run Fix* button at the top.
Let the program run unhindered, and click to allow the Reboot when it is done.
When the computer Reboots, and you start your usual account, a Notepad text file will appear.
That is the *FIX log* file. Copy the contents of that file and post it in your next reply. 
It will also be available and named by timestamp here: *C:\_OTL\Moved Files\mmddyyyy_hhmmss.log*

Tell me how it's running.


----------



## Satidraox (Nov 2, 2014)

Will do, 1 second.


----------



## Satidraox (Nov 2, 2014)

Okay, so here's the log:
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\\"Userinit"|"C:\Windows\system32\userinit.exe," /E : value set successfully!
========== FILES ==========
c:\users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe moved successfully.
File\Folder c:\users\Andrew\AppData\Local\wyixeucq\zBuyqTMXkQA.exe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Andrew\Desktop\cmd.bat deleted successfully.
C:\Users\Andrew\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Andrew
->Java cache emptied: 10091583 bytes

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 10.00 mb

[EMPTYFLASH]

User: All Users

User: Andrew
->Flash cache emptied: 72294 bytes

User: Default
->Flash cache emptied: 57472 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 266284466 bytes
->Temporary Internet Files folder emptied: 7508260 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2515378 bytes
->Google Chrome cache emptied: 10705827 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 46488880 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 318.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 11082014_215410

Files\Folders moved on Reboot...
C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


----------



## Satidraox (Nov 2, 2014)

But here's the catch: when I logged on I instantly went to the folder where it resides, and it wasn't there; a couple of minutes later I checked and it's there again, so... something else is a problem?


----------



## askey127 (Dec 22, 2006)

Oh, yeah.
We will have to find what is re-creating it.
I don't like that Buddy VM. Can you get rid of it?
What else did you download from Softonic or CNET before this all happened?
I will have to quit for today soon, sorry.


----------



## Satidraox (Nov 2, 2014)

1 second, I'm doing it again but not opening anything (on my phone atm)


----------



## Satidraox (Nov 2, 2014)

What's Buddy VM??? Ehmm


----------



## Satidraox (Nov 2, 2014)

Whelp, now it's there at the start regardless


----------



## askey127 (Dec 22, 2006)

It's on your D: drive. Is that from your cloud backup stuff?
---------------------------------------------
Please download *SystemLook* from the link below and save it to your Desktop.
_Download Mirror #1_ (64-bit)

Double-click *SystemLook_x64.exe* to run it. OK the User Account Control.
Copy the content of the following codebox into the main textfield:

```
:filefind
*ffwkoulh*

:folderfind
*wyixeucq*

:regfind
wyixeucq
ffwkoulh
```

Click the *Look* button to start the scan.
Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The results log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## Satidraox (Nov 2, 2014)

Okay, so right now it's scanning, but I wanna get the "Buddy VM" thing outta the way first, so this is what my D drive looks like


----------



## Satidraox (Nov 2, 2014)

Here is the scan you asked for too:
SystemLook 04.09.10 by jpshortstuff
Log created at 22:13 on 08/11/2014 by Andrew
Administrator - Elevation successful

========== filefind ==========

Searching for "*ffwkoulh*"
C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-FfwKoulh.reg.dat	--a---- 151 bytes	[17:13 08/11/2014]	[17:13 08/11/2014] C9B3ADE8E2E82FE2D4F7DCCF12D0DC4C
C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe	--a-s-- 142336 bytes	[21:59 08/11/2014]	[18:47 02/11/2014] (Unable to calculate MD5)
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffwkoulh.exe	----s-- 142336 bytes	[18:47 02/11/2014]	[18:47 02/11/2014] (Unable to calculate MD5)
C:\_OTL\MovedFiles\11082014_215410\c_users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe	--a-s-- 142336 bytes	[16:08 08/11/2014]	[18:47 02/11/2014] 0FB3D555F0BA510D6DCD4C1C1177E507

========== folderfind ==========

Searching for "*wyixeucq*"
C:\Users\Andrew\AppData\Local\wyixeucq	d------	[18:47 02/11/2014]
C:\_OTL\MovedFiles\11082014_215410\c_users\Andrew\AppData\Local\wyixeucq	d------	[21:54 08/11/2014]

========== regfind ==========

Searching for "wyixeucq"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"="C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
[HKEY_USERS\S-1-5-21-1579403671-1547770932-1621466672-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"="C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"

Searching for "ffwkoulh"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"="C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,,C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"
[HKEY_USERS\S-1-5-21-1579403671-1547770932-1621466672-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"="C:\Users\Andrew\AppData\Local\wyixeucq\ffwkoulh.exe"

-= EOF =-


----------



## Satidraox (Nov 2, 2014)

Just to add, I don't mind any of these files being deleted, since there's only one that I need, which is 103_pana, which is full of holiday photos from last summer.


----------



## askey127 (Dec 22, 2006)

Can you see this?
d:\vmlaunch\BuddyVM.sys
It's used in a Service
If you can't find it, do this first.
-----------------------------------------------
*Enable the Viewing of Hidden Files*

Close all programs so that you are at your desktop.
Click on the *Start* button. This is the small round button with the Windows flag in the lower left corner.
Click on the *Control Panel* menu option.
When the control panel opens click on the *Appearance and Personalization* link.
Under the *Folder Options* category, click on *Show Hidden Files or Folders*.
Under the *Hidden files and folders* section select the radio button labeled *Show hidden files, folders, or drives*.
Remove the checkmark from the checkbox labeled *Hide extensions for known file types*.
Remove the checkmark from the checkbox labeled *Hide protected operating system files (Recommended)*.
Press the *Apply* button and then the *OK* button.
Now Windows 7 is configured to show all hidden files.

We have to put together a collection of removals, both file and registry entries.
It will need to be tomorrow.


----------



## Satidraox (Nov 2, 2014)

no problem, thanks for today. I'll look for it while you're gone.


----------



## Satidraox (Nov 2, 2014)

Yeah, it's nowhere to be found, since I already had the folder settings you mentioned above and it hasn't appeared.

I'll just assume this is the problem then....


----------



## Satidraox (Nov 2, 2014)

I'll just add this as a note for tomorrow: I could just erase the drive, I mean nothing is really important as I can just move the photos away...


----------



## Satidraox (Nov 2, 2014)

I'd also like to confirm that I didn't download it, which means my dad might've.


----------



## askey127 (Dec 22, 2006)

Satidraox,
You can hold up on that for now. 
This infection clearly has another program watching to see if it gets deleted.
Need to remove them both at the same time, along with the Registry entries that call it/them.
..Detective work to find the guard dog. Could be very difficult.

Have you downloaded MGADIAG?

-----------------------------------------------------------------
Copy and paste the following lines into a new Notepad document.

```
dir %appdata%  >> "%userprofile%\desktop\look.txt"
dir %appdata%\*.* /L /A /B /S|Find ".exe"  >> "%userprofile%\desktop\look.txt"
dir C:\ProgramData >> "%userprofile%\desktop\look.txt"
dir C:\ProgramData\*.* /L /A /B /S|Find ".exe"  >> "%userprofile%\desktop\look.txt"
dir %userprofile%\AppData\Local >> "%userprofile%\desktop\look.txt"
dir %userprofile%\AppData\Local\*.* /L /A /B /S|Find ".exe"  >> "%userprofile%\desktop\look.txt"
dir %userprofile%\AppData\LocalLow >> "%userprofile%\desktop\look.txt"
dir %userprofile%\AppData\LocalLow\*.* /L /A /B /S|Find ".exe"  >> "%userprofile%\desktop\look.txt"
```
Save it to your desktop as file type *All Files* and Filename *TRYIT.BAT*
Double click *TRYIT.BAT* on your desktop, and post the contents of *look.txt* from your desktop

(It will likely be a few hundred lines)
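Added example, not part of the thread or of the tools askey127 used: a PowerShell script that audits the same persistence points the SystemLook regfind output above exposed (the Winlogon Userinit value in both registry views, the HKCU Run key and the per-user Startup folder) and, like the TRYIT.BAT above, flags executables living in user-writable AppData/ProgramData paths. It assumes an elevated PowerShell prompt on the Windows 7 machine; the expected Userinit value, the path pattern and the function names are my own choices, and it reports only and deletes nothing.

```powershell
# Persistence audit for the locations this infection used. Added example for
# this thread; it is not one of the helper's tools. Run elevated; read-only.

# A clean Windows 7 Userinit value is "C:\Windows\system32\userinit.exe,"
# (single entry, trailing comma). Winlogon runs every comma-separated entry
# at logon, which is how ",,...\wyixeucq\ffwkoulh.exe" got launched here.
$ExpectedUserinit = 'c:\windows\system32\userinit.exe'

# Autostart targets in user-writable locations are the pattern seen above
# (random folder + random name under AppData\Local).
$SuspiciousPathPattern = '\\(AppData|ProgramData|Temp|Users\\Public)\\'

function Get-UserinitExtras {
    # Return every Userinit entry that is not the expected userinit.exe.
    param([string]$Value)
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    return @($entries | Where-Object { $_.ToLower() -ne $ExpectedUserinit })
}

function Get-TargetInfo {
    # Reduce an autostart command to its executable path and describe it:
    # existence, user-writable location, file attributes, Authenticode status.
    param([string]$Command)
    $exe = $Command.Trim('"')
    if ($exe -match '^(.+?\.exe)') { $exe = $Matches[1] }
    $info = New-Object PSObject -Property @{
        Path                 = $exe
        Exists               = (Test-Path -LiteralPath $exe)
        UserWritableLocation = ($exe -match $SuspiciousPathPattern)
        Attributes           = $null
        Signature            = 'n/a'
    }
    if ($info.Exists) {
        # -Force so hidden/system files (the sample had --a-s--) are still read.
        $item = Get-Item -LiteralPath $exe -Force
        $info.Attributes = $item.Attributes.ToString()
        $info.Signature  = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
    }
    return $info
}

Write-Host '== Winlogon Userinit (native and Wow6432Node views) =='
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    Write-Host "$key`n  Userinit = $value"
    foreach ($extra in Get-UserinitExtras $value) {
        Write-Host "  !! extra Userinit entry: $extra"
        Get-TargetInfo $extra | Format-List Path, Exists, UserWritableLocation, Attributes, Signature
    }
}

Write-Host '== HKCU Run =='
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
    foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $t = Get-TargetInfo ([string]$p.Value)
        $flag = if ($t.UserWritableLocation -or $t.Signature -ne 'Valid') { '!!' } else { '  ' }
        Write-Host "$flag $($p.Name) = $($p.Value) [exists=$($t.Exists) sig=$($t.Signature) attrs=$($t.Attributes)]"
    }
}

Write-Host '== Per-user Startup folder =='
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $startup -Force | ForEach-Object {
    # Legitimate entries here are almost always .lnk shortcuts; a bare .exe,
    # especially one carrying the System attribute, deserves a closer look.
    $flag = if ($_.Extension -eq '.exe') { '!!' } else { '  ' }
    Write-Host "$flag $($_.FullName) [$($_.Attributes)]"
}
```

Lines marked `!!` are the ones to cross-check against the SystemLook output; the Wow6432Node Userinit value has to be fixed alongside the native one, or the entry survives as it did after the first OTL fix.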


----------



## Satidraox (Nov 2, 2014)

Volume in drive C has no label.
Volume Serial Number is C045-7974

Directory of C:\Users\Andrew\AppData\Roaming

08/11/2014 22:10 .
08/11/2014 22:10 ..
26/09/2014 14:48 .minecraft
03/09/2014 20:11 AdbDriverInstaller
04/11/2014 17:49 Adobe
12/04/2014 15:08 Apple Computer
06/02/2014 20:54 Battle.net
23/03/2014 22:23 calibre
18/04/2014 00:39 Curse
18/04/2014 00:41 Curse Advertising
17/10/2014 01:02 Curse Client
02/11/2014 19:37 DAEMON Tools Lite
04/05/2014 15:33 FarSky
06/02/2014 18:20 Gyazo
29/01/2014 00:15 Identities
01/02/2014 07:12 LolClient
31/01/2014 02:21 Macromedia
17/04/2014 00:05 Maxthon3
14/07/2009 07:45 Media Center Programs
18/06/2014 21:56 Mozilla
01/02/2014 03:50 ooVoo Details
17/02/2014 16:09 Origin
20/06/2014 20:17 Rainmeter
01/02/2014 03:44 Riot Games
07/11/2014 18:53 Skype
01/05/2014 16:06 SYSTEMAX Software Development
22/09/2014 22:52 To the Moon - Freebird Games
03/09/2014 10:44 Tunngle
11/05/2014 18:42 Unity
05/11/2014 19:16 vlc
01/02/2014 19:04 WinRAR
0 File(s) 0 bytes
31 Dir(s) 23,734,165,504 bytes free
c:\users\andrew\appdata\roaming\adbdriverinstaller\usb_driver\adbdriverinstallerx64.exe
c:\users\andrew\appdata\roaming\curse client\bin\coherentui_host.exe
c:\users\andrew\appdata\roaming\curse client\bin\curse.exe
c:\users\andrew\appdata\roaming\curse client\bin\curse.exe.config
c:\users\andrew\appdata\roaming\curse client\bin\curse.overlayhelper.exe
c:\users\andrew\appdata\roaming\curse client\bin\curse.overlayhelper.exe.config
c:\users\andrew\appdata\roaming\curse client\bin\curseclientupdater.exe
c:\users\andrew\appdata\roaming\curse client\bin\curseclientupdater.exe.config
c:\users\andrew\appdata\roaming\curse client\bin\cursesetuphelper.exe
c:\users\andrew\appdata\roaming\curse client\bin\cursesetuphelper.exe.config
c:\users\andrew\appdata\roaming\curse client\bin\dxwebsetup.exe
c:\users\andrew\appdata\roaming\curse client\bin\easyhook32svc.exe
c:\users\andrew\appdata\roaming\curse client\bin\easyhook64svc.exe
c:\users\andrew\appdata\roaming\microsoft\installer\{dee70742-f4e9-44ca-b2b9-ee95dcf37295}\curseclient.exe
c:\users\andrew\appdata\roaming\microsoft\installer\{fae99c85-0732-4c58-9c6b-10b5b12fa2e9}\launcher.exe
c:\users\andrew\appdata\roaming\microsoft\windows\start menu\programs\startup\ffwkoulh.exe
c:\users\andrew\appdata\roaming\rainmeter\rainmeter.exe
Volume in drive C has no label.
Volume Serial Number is C045-7974

Directory of C:\ProgramData

05/11/2014 00:18 .
05/11/2014 00:18 ..
16/08/2014 16:26 34BE82C4-E596-4e99-A191-52C6199EBF69
04/11/2014 17:53 Adobe
12/04/2014 15:05 Apple
12/04/2014 15:06 Apple Computer
28/06/2014 12:04 Battle.net
06/02/2014 20:54 Blizzard Entertainment
06/02/2014 21:35 DAEMON Tools Lite
03/11/2014 19:30 Emsisoft
18/06/2014 22:35 Freemake
07/04/2014 17:47 InstallMate
01/02/2014 03:52 LogMeIn
11/06/2014 18:14 1,112 lxeaJSW.log
11/06/2014 18:07 86 lxeascan.log
11/06/2014 18:14 lx_Cats
07/11/2014 21:00 McAfee
02/11/2014 18:48 64 mgniknvk.log
02/02/2014 23:17 Microsoft Help
01/02/2014 20:25 Microsoft SkyDrive
02/02/2014 14:14 Microsoft Toolkit
07/11/2014 18:49 ModrAsad
05/11/2014 00:18 Mozilla
20/05/2014 18:34 Oracle
16/10/2014 16:05 Origin
24/04/2014 18:17 regid.1986-12.com.adobe
02/02/2014 14:00 regid.1991-06.com.microsoft
18/07/2014 12:56 Riot Games
07/11/2014 16:36 Skype
08/02/2014 22:15 Steam
01/02/2014 03:49 Sun
01/05/2014 16:06 SYSTEMAX Software Development
06/02/2014 20:30 SystemRequirementsLab
03/09/2014 10:41 Tunngle
03/11/2014 16:20 VS Revo Group
3 File(s) 1,262 bytes
32 Dir(s) 23,734,161,408 bytes free
c:\programdata\34be82c4-e596-4e99-a191-52c6199ebf69\geardifx.exe
c:\programdata\34be82c4-e596-4e99-a191-52c6199ebf69\x64\difxinst64.exe
c:\programdata\adobe\setup\{ac76ba86-7ad7-1033-7b44-ab0000000001}\setup.exe
c:\programdata\apple computer\installer cache\itunes 11.3.1.2\setupadmin.exe
c:\programdata\battle.net\agent\agent.exe
c:\programdata\battle.net\agent\blizzard uninstaller.exe
c:\programdata\battle.net\agent\blizzarderror.exe
c:\programdata\battle.net\agent\agent.3427\agent.exe
c:\programdata\battle.net\agent\agent.3526\agent.exe
c:\programdata\battle.net\agent\agent.beta.2737\agent.exe
c:\programdata\battle.net\agent\agent.beta.2753\agent.exe
c:\programdata\battle.net\client\blizzard launcher.exe
c:\programdata\battle.net\client\blizzard launcher.1682\blizzard launcher.exe
c:\programdata\battle.net\client\blizzard launcher.2012\blizzard launcher.exe
c:\programdata\installmate\{1446a17d-ba8b-4860-aa8b-f2a9cfa5838b}\setup.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{09c9e5d5-0755-26c2-7112-aaee8d56e264}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{1685c040-df8b-6122-69ba-a3780da2806f}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{2ac47c8c-d10f-8824-bac9-6c9d0532b53a}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{2e888c73-4a61-8afa-def3-c9cb690c8050}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{33124799-bdab-7de3-e3fe-2e8ce1ea2dff}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{49f459b2-4e29-0e70-d8a0-61049b9928ea}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{6b021db7-e54f-b9f6-349a-7b81cfe635b4}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{6ce4dc9e-aed3-63d2-6320-cf2fa119ebee}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{7733b739-abb2-6a4f-b7b0-27fcc12cd164}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{7e59c0c3-977b-34a1-d3a1-d56c3bfc3921}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{9806c633-8ab3-9ef4-a987-7af4f50c7dfa}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{a3d4ddad-2acc-a589-f837-03283d371f9e}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{b2561d06-5669-94a3-7ffb-edd74f0aeb64}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{cac17bf1-5c47-e04d-55ef-aee680bfc3f8}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{cac4588f-c5bf-9bfd-c602-51c121e3cc58}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{e0253927-a895-413d-36c0-a3c9049fdd11}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{f55eff0e-09e4-97f7-b041-62e77a9a1144}-svchost.exe
c:\programdata\microsoft\microsoft antimalware\localcopy\{f70e67e7-4e88-0623-c7d2-390f754c7fa5}-svchost.exe
c:\programdata\microsoft\windows\wer\reportarchive\appcrash_armsvc.exe_36a36ba09e98caba5a4231ea96a39159b2be4e5_11248600
c:\programdata\microsoft\windows\wer\reportarchive\appcrash_mscorsvw.exe_fc2bbc135d71652f556a265d4cbdf36590b275_1124907c
c:\programdata\microsoft\windows\wer\reportarchive\appcrash_armsvc.exe_36a36ba09e98caba5a4231ea96a39159b2be4e5_11248600\report.wer
c:\programdata\microsoft\windows\wer\reportarchive\appcrash_mscorsvw.exe_fc2bbc135d71652f556a265d4cbdf36590b275_1124907c\report.wer
Volume in drive C has no label.
Volume Serial Number is C045-7974

Directory of C:\Users\Andrew\AppData\Local

08/11/2014 21:59 .
08/11/2014 21:59 ..
17/07/2014 19:34 Adobe
12/04/2014 15:05 Apple
12/04/2014 15:08 Apple Computer
11/10/2014 22:04 Apps
08/11/2014 17:08 595,440 asjwtwxa.log
09/11/2014 02:22 Battle.net
12/04/2014 15:00 Black_Tree_Gaming
23/07/2014 18:28 Blizzard
06/02/2014 20:54 Blizzard Entertainment
09/11/2014 14:48 371,937 bsyqdgyw.log
23/03/2014 22:19 calibre-cache
16/02/2014 17:34 Darksiders2
11/10/2014 22:04 Deployment
29/01/2014 00:27 DriverToolkit
06/11/2014 22:12 ElevatedDiagnostics
04/09/2014 10:16 111,904 GDIPFONTCACHEV1.DAT
08/11/2014 17:10 7,410 giuwtoji.log
02/02/2014 15:40 Google
08/11/2014 17:10 926 iapssmna.log
08/11/2014 17:10 387,750 iblurqat.log
01/02/2014 03:52 LogMeIn
20/04/2014 15:46 Microsoft
02/02/2014 13:57 Microsoft Help
15/04/2014 18:09 MogiOrigins
18/06/2014 21:56 Mozilla
08/11/2014 17:10 217 mpekwawr.log
28/10/2014 22:31 My Games
04/02/2014 23:02 NBTExplorer
29/01/2014 00:26 Programs
23/06/2014 07:07 Setup Integrity Check
05/11/2014 22:00 SKIDROW
07/11/2014 16:36 Skype
18/02/2014 17:23 Skyrim
08/02/2014 17:07 Skyrim_behiviour_editor
09/11/2014 14:52 Temp
02/11/2014 18:48 0 ufimxyxd.log
07/11/2014 20:49 Unity
29/01/2014 00:15 VirtualStore
03/11/2014 16:20 VS Revo Group
01/02/2014 19:53 Windows Live
09/11/2014 14:52 0 wtogxvpv.log
08/11/2014 21:59 wyixeucq
09/11/2014 14:52 28 ycfnmyrj.log
08/11/2014 17:08 54 ycrrqubu.log
02/11/2014 18:48 0 ycvcptbo.log
12 File(s) 1,475,666 bytes
35 Dir(s) 23,734,157,312 bytes free
c:\users\andrew\appdata\local\microsoft\office\oteledata-outlook.exe.txt
c:\users\andrew\appdata\local\microsoft\skydrive\skydrive.exe
c:\users\andrew\appdata\local\microsoft\skydrive\17.0.2015.0811\skydriveconfig.exe
c:\users\andrew\appdata\local\microsoft\skydrive\17.0.2015.0811\skydrivesetup.exe
c:\users\andrew\appdata\local\microsoft\skydrive\logs\skydrive.exe.err.2014-02-01-203045.115.log
c:\users\andrew\appdata\local\microsoft\skydrive\logs\skydrive.exe.reg.2014-02-01-203045.114.log
c:\users\andrew\appdata\local\microsoft\skydrive\update\skydrivesetup.exe
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_a2guard.exe_3c563259c9adb7ca0c840fcef433621bf5ec5f_124418d3
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_chrome.exe_6d62dac8e32d772c918e74147f19fbc51fb17b9_0c343bf8
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_curse.exe_bd58d574ecfdbe5160804fad5d5da7136364c7e2_288421c7
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_darksiders2.exe_3a4fc8b354e589df34bc028a3d41d116e4a8de_1438ba1a
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_explorer.exe_4adaf4e9fa718f5c145e893b61bbb626b7823a9_120b1aa1
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_fraps.exe_83f5ac8582655d1cde3cee03bb1903047a5be8a_12f7cfc6
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_0d4c8a64
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_12abe3e0
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_1316ad1b
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_14e4d3c3
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_157ae28d
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_1a5320bf
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lollauncher.exe_173e607a1cae4bb68424734db553758edefdee3_09e4734b
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lollauncher.exe_40efc97a91a0e2e97524bfdcdf18c6d8cf5e7f_03a47d88
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lollauncher.exe_e16eb1ccc65dfc1cc96fe538d8ed58d85c91724_2c0d4e77
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolpatcher.exe_49f2849a43fe47b825b12d5c2e815671c478650_edd75e37
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_maxthon.exe_8f8f25eb4a40b1fbda871dfa23ae9166d97a8f73_11a4b7ab
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_maxthon.exe_baa4f8db2986cbaeae997b33c372e098b3659c5a_18b437f1
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_maxthon.exe_be65f37c49e1d691df97fe4b559d1279a5f26_3d35b973
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_msiexec.exe_d0ea797826ffeb1412979cbda5541321cc27859_81ac8e4b
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_3ed0fac194a495e62fe4ff6cdbb4aa9e271cfc_0d532f06
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_5899c9b8fecc30d4f799204817f468f1890567f_1db3681c
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_a9a9b1d629d0ed9169a919a178f0d12f13af77f9_0397773c
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_a9a9b1d629d0ed9169a919a178f0d12f13af77f9_1d25b593
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_pixelpiracy.exe_29722258511afd3c2269e44e9e5ed3e42f606389_3599fb8e
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_0bf1d76a
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_11c85466
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_15068dbd
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_170df4aa
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_72eb9d4a47b3938fdc366f6c4bcacb02b10a424_0b649368
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_72eb9d4a47b3938fdc366f6c4bcacb02b10a424_0f8ba9c6
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_b48effeefc4921d3f4ff11d444ad2873982e39_0bf9a331
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_b48effeefc4921d3f4ff11d444ad2873982e39_11c862c8
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_04489ebe
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_05c7b376
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_0c393d6d
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_0d5a78b7
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_0ef47a3d
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_11a13552
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_1d8e3045
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_e7aa9855b2136a885b52ddfcc05eba16153867_f8ec5e5f
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_terraria.exe_7afc3a6c6a31ae251ab9ae2a43cb971e0f9a70_1aa54bb0
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_tesv.exe_6891a09fbc1d923db3512cc5399b33d5538f28_2c473713
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_tesv.exe_6891a09fbc1d923db3512cc5399b33d5538f28_3b71072d
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_tesv.exe_c23d229e7e31d3f54ed02fc5990d74945cacce5_20d0ca0a
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_titanfall.exe_288ad99320a8a9a13f8f1a5be79172967b80e68a_048c80b5
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_xcomew.exe_601492e8c8c4a0947ba03b439398e52e2e704681_15f31079
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_amnesia.exe_ac5c445330f73ae927d75578d74a84ccc132040_14b114e6
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_curse.exe_d37d478861a12f28389952908b286cd51eead355_11d4472c
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_lolclient.exe_7eb3c0c6bc8ba3b4bfec1eb0b39e1982d595ffd_0870753e
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_1121a114a1b3cad37e4ef8a7658632a14313_1813aa78
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_1121a114a1b3cad37e4ef8a7658632a14313_1af4bdc6
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_ab9171cdbd24a92cd504d65de4aaa394d3b5a_1c01c436
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_ae489eb180959ac0fff4f1a46f9e882e79a68da2_04c7abd8
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_af45b1655ad70757a66dca341b7f4eb333e6e1d_0cbac1af
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_e8547962b3d2569fbc773568228695b1f19c826c_223f2ac0
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_notepad.exe_57a3212b607b60539e1894ff9d30175cc0cbb2af_0b37256b
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_unwise.exe_ff8131fd18480ba69f789827baa9d2133ae6d10_457a440b
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\critical_iexplore.exe_3ade11686b4e7b1a9f5552e6419664a04c714d3b_1962083a
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_iexplore.exe_65ef996c46f28ef1286261a17cb142e350e6fa_10441582
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_iexplore.exe_65ef996c46f28ef1286261a17cb142e350e6fa_3ba11b9b
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_69dc9d8ae0a7566f8286813459e343547b7d4a_16c2eaa0
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_f0afc3829daab2ad55ae454cdeede98423ad_05330cfe
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_f0afc3829daab2ad55ae454cdeede98423ad_088bd9b1
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_f0afc3829daab2ad55ae454cdeede98423ad_0e7044fb
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_1de43350ad53ebb74893ca37397688fbb05efa10_05d2957b
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_3da861cf37b65ad34ac79672c3e74cab4f29c7_121df298
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_3da861cf37b65ad34ac79672c3e74cab4f29c7_13c7e32d
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_3da861cf37b65ad34ac79672c3e74cab4f29c7_14436e0e
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_a2guard.exe_3c563259c9adb7ca0c840fcef433621bf5ec5f_124418d3\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_chrome.exe_6d62dac8e32d772c918e74147f19fbc51fb17b9_0c343bf8\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_curse.exe_bd58d574ecfdbe5160804fad5d5da7136364c7e2_288421c7\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_darksiders2.exe_3a4fc8b354e589df34bc028a3d41d116e4a8de_1438ba1a\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_explorer.exe_4adaf4e9fa718f5c145e893b61bbb626b7823a9_120b1aa1\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_fraps.exe_83f5ac8582655d1cde3cee03bb1903047a5be8a_12f7cfc6\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_0d4c8a64\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_12abe3e0\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_1316ad1b\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_14e4d3c3\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_157ae28d\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolclient.exe_dd421031a86e77f8f969d722a4e8652916c7419_1a5320bf\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lollauncher.exe_173e607a1cae4bb68424734db553758edefdee3_09e4734b\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lollauncher.exe_40efc97a91a0e2e97524bfdcdf18c6d8cf5e7f_03a47d88\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lollauncher.exe_e16eb1ccc65dfc1cc96fe538d8ed58d85c91724_2c0d4e77\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_lolpatcher.exe_49f2849a43fe47b825b12d5c2e815671c478650_edd75e37\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_maxthon.exe_8f8f25eb4a40b1fbda871dfa23ae9166d97a8f73_11a4b7ab\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_maxthon.exe_baa4f8db2986cbaeae997b33c372e098b3659c5a_18b437f1\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_maxthon.exe_be65f37c49e1d691df97fe4b559d1279a5f26_3d35b973\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_msiexec.exe_d0ea797826ffeb1412979cbda5541321cc27859_81ac8e4b\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_3ed0fac194a495e62fe4ff6cdbb4aa9e271cfc_0d532f06\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_5899c9b8fecc30d4f799204817f468f1890567f_1db3681c\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_a9a9b1d629d0ed9169a919a178f0d12f13af77f9_0397773c\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_nexusclient.exe_a9a9b1d629d0ed9169a919a178f0d12f13af77f9_1d25b593\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_pixelpiracy.exe_29722258511afd3c2269e44e9e5ed3e42f606389_3599fb8e\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_0bf1d76a\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_11c85466\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_15068dbd\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_170df4aa\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_72eb9d4a47b3938fdc366f6c4bcacb02b10a424_0b649368\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_72eb9d4a47b3938fdc366f6c4bcacb02b10a424_0f8ba9c6\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_b48effeefc4921d3f4ff11d444ad2873982e39_0bf9a331\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_b48effeefc4921d3f4ff11d444ad2873982e39_11c862c8\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_04489ebe\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_05c7b376\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_0c393d6d\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_0d5a78b7\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_0ef47a3d\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_11a13552\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_c35a343a29ac3e4e743fea4a7d78df706315bc10_1d8e3045\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_skype.exe_e7aa9855b2136a885b52ddfcc05eba16153867_f8ec5e5f\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_terraria.exe_7afc3a6c6a31ae251ab9ae2a43cb971e0f9a70_1aa54bb0\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_tesv.exe_6891a09fbc1d923db3512cc5399b33d5538f28_2c473713\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_tesv.exe_6891a09fbc1d923db3512cc5399b33d5538f28_3b71072d\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_tesv.exe_c23d229e7e31d3f54ed02fc5990d74945cacce5_20d0ca0a\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_titanfall.exe_288ad99320a8a9a13f8f1a5be79172967b80e68a_048c80b5\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\appcrash_xcomew.exe_601492e8c8c4a0947ba03b439398e52e2e704681_15f31079\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_amnesia.exe_ac5c445330f73ae927d75578d74a84ccc132040_14b114e6\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_curse.exe_d37d478861a12f28389952908b286cd51eead355_11d4472c\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_lolclient.exe_7eb3c0c6bc8ba3b4bfec1eb0b39e1982d595ffd_0870753e\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_1121a114a1b3cad37e4ef8a7658632a14313_1813aa78\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_1121a114a1b3cad37e4ef8a7658632a14313_1af4bdc6\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_ab9171cdbd24a92cd504d65de4aaa394d3b5a_1c01c436\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_ae489eb180959ac0fff4f1a46f9e882e79a68da2_04c7abd8\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_af45b1655ad70757a66dca341b7f4eb333e6e1d_0cbac1af\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_maxthon.exe_e8547962b3d2569fbc773568228695b1f19c826c_223f2ac0\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_notepad.exe_57a3212b607b60539e1894ff9d30175cc0cbb2af_0b37256b\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\apphang_unwise.exe_ff8131fd18480ba69f789827baa9d2133ae6d10_457a440b\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\critical_iexplore.exe_3ade11686b4e7b1a9f5552e6419664a04c714d3b_1962083a\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_iexplore.exe_65ef996c46f28ef1286261a17cb142e350e6fa_10441582\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_iexplore.exe_65ef996c46f28ef1286261a17cb142e350e6fa_3ba11b9b\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_69dc9d8ae0a7566f8286813459e343547b7d4a_16c2eaa0\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_f0afc3829daab2ad55ae454cdeede98423ad_05330cfe\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_f0afc3829daab2ad55ae454cdeede98423ad_088bd9b1\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_msseces.exe_f0afc3829daab2ad55ae454cdeede98423ad_0e7044fb\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_1de43350ad53ebb74893ca37397688fbb05efa10_05d2957b\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_3da861cf37b65ad34ac79672c3e74cab4f29c7_121df298\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_3da861cf37b65ad34ac79672c3e74cab4f29c7_13c7e32d\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportarchive\noncritical_mssswizard.exe_3da861cf37b65ad34ac79672c3e74cab4f29c7_14436e0e\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportqueue\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_cab_13c6cef1
c:\users\andrew\appdata\local\microsoft\windows\wer\reportqueue\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_cab_13c6cef1\report.wer
c:\users\andrew\appdata\local\microsoft\windows\wer\reportqueue\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_cab_13c6cef1\werb8a4.tmp.werinternalmetadata.xml
c:\users\andrew\appdata\local\microsoft\windows\wer\reportqueue\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_cab_13c6cef1\werc6e7.tmp.appcompat.txt
c:\users\andrew\appdata\local\microsoft\windows\wer\reportqueue\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_cab_13c6cef1\werc801.tmp.hdmp
c:\users\andrew\appdata\local\microsoft\windows\wer\reportqueue\appcrash_skype.exe_28e4881346cd414298ca66887d1f89b5833bb1b_cab_13c6cef1\wercd40.tmp.mdmp
c:\users\andrew\appdata\local\nbtexplorer\nbtexplorer.exe_url_e0t4ely5m4fuh2w3i133kllpvyg553lg
c:\users\andrew\appdata\local\nbtexplorer\nbtexplorer.exe_url_qximupvqagjecgsjatcxkiisydwi3ske
c:\users\andrew\appdata\local\nbtexplorer\nbtexplorer.exe_url_e0t4ely5m4fuh2w3i133kllpvyg553lg\2.6.1.0
c:\users\andrew\appdata\local\nbtexplorer\nbtexplorer.exe_url_e0t4ely5m4fuh2w3i133kllpvyg553lg\2.6.1.0\user.config
c:\users\andrew\appdata\local\nbtexplorer\nbtexplorer.exe_url_qximupvqagjecgsjatcxkiisydwi3ske\2.6.1.0
c:\users\andrew\appdata\local\nbtexplorer\nbtexplorer.exe_url_qximupvqagjecgsjatcxkiisydwi3ske\2.6.1.0\user.config
c:\users\andrew\appdata\local\temp\obopvhrk.exe
c:\users\andrew\appdata\local\temp\vhvftcft.exe
c:\users\andrew\appdata\local\wyixeucq\ffwkoulh.exe
Volume in drive C has no label.
Volume Serial Number is C045-7974

Directory of C:\Users\Andrew\AppData\LocalLow

11/05/2014 18:36 .
11/05/2014 18:36 ..
02/02/2014 14:43 Adobe
01/02/2014 19:53 Microsoft
01/02/2014 03:46 Sun
07/11/2014 20:49 Unity
0 File(s) 0 bytes
6 Dir(s) 23,734,132,736 bytes free
c:\users\andrew\appdata\locallow\sun\java\jre1.7.0_55\lzma.exe


----------



## Satidraox (Nov 2, 2014)

So yeah, the log is above and I just managed to get MGADiag like you wanted. Sorry for the delay; I set the alarm to go off 3 hours ago, but damn, it sure is comfy when approaching winter.


----------



## askey127 (Dec 22, 2006)

Satidraox,

----------------------------------------------
*Perform a Custom Fix with OTL*
Right click *OTL* on your desktop, and choose "Run as administrator" to open it.

In the *Custom Scans/Fixes* box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):

```
:Commands
[CREATERESTOREPOINT]

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,"
[HKEY_USERS\S-1-5-21-1579403671-1547770932-1621466672-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"=-

:Files
C:\Users\Andrew\AppData\Local\iblurqat.log
C:\Users\Andrew\AppData\Local\mpekwawr.log
C:\Users\Andrew\AppData\Local\ufimxyxd.log
C:\Users\Andrew\AppData\Local\wtogxvpv.log
C:\Users\Andrew\AppData\Local\ycfnmyrj.log
C:\Users\Andrew\AppData\Local\ycrrqubu.log
C:\Users\Andrew\AppData\Local\ycvcptbo.log
c:\users\andrew\appdata\local\temp\obopvhrk.exe
c:\users\andrew\appdata\local\temp\vhvftcft.exe
c:\users\andrew\appdata\local\wyixeucq\ffwkoulh.exe
ipconfig /flushdns /c

:Commands
[emptyjava]
[emptyflash] 
[EMPTYTEMP]
[RESETHOSTS]
```

Then click the *Run Fix* button at the top.
Let the program run unhindered, and click to allow the Reboot when it is done.
When the computer Reboots, and you start your usual account, a Notepad text file will appear.
That is the *FIX log* file. Copy the contents of that file and post it in your next reply. 
It will also be available and named by timestamp here: *C:\_OTL\Moved Files\mmddyyyy_hhmmss.log*
---------------------------------------------
*Run CKScanner*
Right-Click *CKScanner.exe*, choose *Run as administrator* and click *Search For Files*.
After a couple minutes or less, when some text appears in the box, click *Save List To File*.
A message box will verify the file saved. *It is important that you run the program just once.*
Double-click the *CKFiles.txt* icon on your desktop, give permission if asked, and copy/paste the contents in your next reply.

So we are looking for the FIX log from OTL, and the CKFiles log from CKScanner.
askey127
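A read-only way to check the same persistence locations from an elevated PowerShell prompt, added here as an example that is not part of askey127's instructions or of the OTL tool: it reports the Winlogon Userinit value and the Run-key and Startup-folder entries for review but changes nothing. The expected Userinit value is the one the fix above sets; the AppData/Temp path pattern is my own assumption, based on where the suspicious entries in this thread were sitting.

```powershell
# Added example (not from the thread or from OTL): read-only audit of the
# persistence locations the OTL fix touches. Run in an elevated PowerShell.
# Assumption: Userinit should equal the value the fix sets; anything else is
# flagged for review, not changed.

$expectedUserinit = 'C:\Windows\system32\userinit.exe,'

$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = (Get-ItemProperty -Path $key -Name 'Userinit' -ErrorAction SilentlyContinue).Userinit
    if ($value -and ($value -ne $expectedUserinit)) {
        Write-Output "REVIEW  $key\Userinit = '$value' (expected '$expectedUserinit')"
    } else {
        Write-Output "OK      $key\Userinit"
    }
}

# Run keys: flag entries whose target lives under a profile's AppData or a Temp
# folder (assumed pattern; that is where ffwkoulh.exe and the temp .exe files sat).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$suspectPattern = '(?i)\\AppData\\(Local|Roaming)\\|\\Temp\\'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds its own PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ("$($p.Value)" -match $suspectPattern) { 'REVIEW ' } else { 'OK     ' }
        Write-Output "$flag $key\$($p.Name) = $($p.Value)"
    }
}

# The per-user Startup folder runs at logon as well (the thread's listing had
# ffwkoulh.exe there too), so list whatever is in it for review.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "STARTUP $($_.FullName)" }
```

Lines marked REVIEW are only candidates; a legitimate updater or launcher can also live under AppData, so compare each path against what is actually installed before acting on it, and leave the removal itself to the fix the helper supplies.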


----------



## Satidraox (Nov 2, 2014)

Argh, this is so annoying :/ The internet keeps cutting out, so just bear with me a moment. OTL is rebooting right now.


----------



## Satidraox (Nov 2, 2014)

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\FfwKoulh deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Userinit"|"C:\Windows\system32\userinit.exe," /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Userinit"|"C:\Windows\system32\userinit.exe," /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-1579403671-1547770932-1621466672-1000\Software\Microsoft\Windows\CurrentVersion\Run\\FfwKoulh not found.
========== FILES ==========
C:\Users\Andrew\AppData\Local\iblurqat.log moved successfully.
C:\Users\Andrew\AppData\Local\mpekwawr.log moved successfully.
C:\Users\Andrew\AppData\Local\ufimxyxd.log moved successfully.
C:\Users\Andrew\AppData\Local\wtogxvpv.log moved successfully.
C:\Users\Andrew\AppData\Local\ycfnmyrj.log moved successfully.
C:\Users\Andrew\AppData\Local\ycrrqubu.log moved successfully.
C:\Users\Andrew\AppData\Local\ycvcptbo.log moved successfully.
c:\users\andrew\appdata\local\temp\obopvhrk.exe moved successfully.
c:\users\andrew\appdata\local\temp\vhvftcft.exe moved successfully.
File\Folder c:\users\andrew\appdata\local\wyixeucq\ffwkoulh.exe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Andrew\Desktop\cmd.bat deleted successfully.
C:\Users\Andrew\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Andrew
->Java cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Andrew
->Flash cache emptied: 3283 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 295105481 bytes
->Temporary Internet Files folder emptied: 99924 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8214 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 282.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 11092014_152839

Files\Folders moved on Reboot...
C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


----------



## Satidraox (Nov 2, 2014)

Currently running CKScanner.


----------



## Satidraox (Nov 2, 2014)

Wait, it has occurred to me that I did not run OTL as admin, do you think I should do it again?


----------



## Satidraox (Nov 2, 2014)

This is CKScanners log

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\frst\quarantine\utorrent\3dmgame-pixel.piracy.v.0.7.0.cracked-3dm.torrent
c:\frst\quarantine\utorrent\adobe photoshop cs6 13.0.1 final multilanguage (cracked dll) [chingliu].torrent
c:\frst\quarantine\utorrent\cube world + crack files by hax99.rar.torrent
scanner sequence 3.CP.11.CGAPFZ
----- EOF -----


----------



## askey127 (Dec 22, 2006)

OK.

Run it again as admin. I also made a slight change, actually.
----------------------------------------------
*Perform a Custom Fix with OTL*
Right click *OTL* on your desktop, and choose "Run as administrator" to open it.

In the *Custom Scans/Fixes* box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):

```
:Commands
[CREATERESTOREPOINT]

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,"
[HKEY_USERS\S-1-5-21-1579403671-1547770932-1621466672-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"FfwKoulh"=-

:Files
C:\Users\Andrew\AppData\Local\iblurqat.log
C:\Users\Andrew\AppData\Local\mpekwawr.log
C:\Users\Andrew\AppData\Local\ufimxyxd.log
C:\Users\Andrew\AppData\Local\wtogxvpv.log
C:\Users\Andrew\AppData\Local\ycfnmyrj.log
C:\Users\Andrew\AppData\Local\ycrrqubu.log
C:\Users\Andrew\AppData\Local\ycvcptbo.log
c:\users\andrew\appdata\local\temp\obopvhrk.exe
c:\users\andrew\appdata\local\temp\vhvftcft.exe
c:\users\andrew\appdata\local\wyixeucq\ffwkoulh.exe
c:\users\andrew\appdata\local\wyixeucq
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
```

Then click the *Run Fix* button at the top.
Let the program run unhindered, and click to allow the Reboot when it is done.
When the computer Reboots, and you start your usual account, a Notepad text file will appear.
That is the *FIX log* file. Copy the contents of that file and post it in your next reply.
It will also be available and named by timestamp here: *C:\_OTL\Moved Files\mmddyyyy_hhmmss.log*
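An added audit script (not part of the thread, and not OTL's own code) that checks the two persistence points the fix above rewrites: the Winlogon Userinit value in both registry views, and the Run keys, flagging any entry that launches from the user's AppData folders the way FfwKoulh did. It assumes an elevated PowerShell session on Windows 7 x64 and that the expected Userinit value is the default the fix sets.

```powershell
# Added audit script (not from the thread or from OTL): checks the two persistence
# points the OTL fix rewrites, from a defender's point of view.
# Assumptions: elevated PowerShell on Windows 7 x64; the expected default Userinit
# value is the one the fix sets ("C:\Windows\system32\userinit.exe,").

$expectedUserinit = 'C:\Windows\system32\userinit.exe,'

# Winlogon Userinit: the native 64-bit view and the Wow6432Node view the fix also resets.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($null -eq $value) {
        Write-Output "MISSING  $key\Userinit"
    } elseif ($value -ne $expectedUserinit) {
        # Anything appended after the trailing comma is launched at every logon.
        Write-Output "SUSPECT  $key\Userinit = '$value'"
    } else {
        Write-Output "OK       $key\Userinit"
    }
}

# Run keys: flag entries whose command lives under the profile's AppData folders,
# as the FfwKoulh entry in the thread did (appdata\local\wyixeucq\ffwkoulh.exe).
# Legitimate per-user installers also use AppData, so treat SUSPECT as "review", not "delete".
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)\\AppData\\(Local|Roaming)\\') {
            Write-Output "SUSPECT  $key\$($p.Name) = '$cmd'"
        } else {
            Write-Output "INFO     $key\$($p.Name) = '$cmd'"
        }
    }
}
```

Run it before and after the fix: a SUSPECT Userinit line or a Run entry under a randomly named AppData\Local folder is the kind of persistence the OTL script above removes.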


----------



## Satidraox (Nov 2, 2014)

Alright, will do, one second.


----------



## Satidraox (Nov 2, 2014)

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\FfwKoulh deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Userinit"|"C:\Windows\system32\userinit.exe," /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Userinit"|"C:\Windows\system32\userinit.exe," /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-1579403671-1547770932-1621466672-1000\Software\Microsoft\Windows\CurrentVersion\Run\\FfwKoulh not found.
========== FILES ==========
File\Folder C:\Users\Andrew\AppData\Local\iblurqat.log not found.
C:\Users\Andrew\AppData\Local\mpekwawr.log moved successfully.
C:\Users\Andrew\AppData\Local\ufimxyxd.log moved successfully.
File\Folder C:\Users\Andrew\AppData\Local\wtogxvpv.log not found.
C:\Users\Andrew\AppData\Local\ycfnmyrj.log moved successfully.
C:\Users\Andrew\AppData\Local\ycrrqubu.log moved successfully.
C:\Users\Andrew\AppData\Local\ycvcptbo.log moved successfully.
c:\users\andrew\appdata\local\temp\obopvhrk.exe moved successfully.
c:\users\andrew\appdata\local\temp\vhvftcft.exe moved successfully.
File\Folder c:\users\andrew\appdata\local\wyixeucq\ffwkoulh.exe not found.
File\Folder c:\users\andrew\appdata\local\wyixeucq not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Andrew\Desktop\cmd.bat deleted successfully.
C:\Users\Andrew\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 19270585 bytes
->Temporary Internet Files folder emptied: 99924 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1076 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 824 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 11092014_155326

Files\Folders moved on Reboot...
C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


----------



## askey127 (Dec 22, 2006)

See whether the file :
c:\users\andrew\appdata\local\wyixeucq\ffwkoulh.exe
is still there now.
If it is, right click it and choose *take ownership*
then right click again and choose *rename*
rename it to *claptrap.exe* or something you can remember.


----------



## Satidraox (Nov 2, 2014)

Agh, I have to go get that thing which lets me take ownership, one second.


----------



## Satidraox (Nov 2, 2014)

Okay... so no "Take Ownership" option comes up even if I right click... what gives huh...


----------



## Satidraox (Nov 2, 2014)

And even though I can take ownership of the folder, I can't rename it since it's being used.


----------



## Satidraox (Nov 2, 2014)

Beeee right back


----------



## askey127 (Dec 22, 2006)

There is no easy way to change whatever permissions are needed to remove that junk.
It could take a long time just to find out what settings are causing the trap.
If you really want to avoid the prospect of Reformat and Re-Install of the Win7, you can use a Linux boot CD to remove the files.
It doesn't touch anything in the system unless you want it to.
The small Linux system runs entirely from the CD, and can see the entire Windows drive, (may call it SDA2 or something).
You can use it to delete what you want.

Puppy Linux Retro is here:
http://distro.ibiblio.org/quirky/precise-5.7.1/precise-5.7.1.iso
It's about 156Mb.

BURNCDCC is here if you don't have an image burner
ftp://terabyteunlimited.com/burncdcc.zip

burn the image of the Puppy iso file to a blank CD-R
You can use a DVD as well, but you don't need to.

If you boot the machine from the Puppy Linux CD, it will be able to see the entire C: drive,
and you will be able to remove any file you want.
-------------------------------------
The only other method involves arranging things so that FRST64 is used in Windows Recovery Mode from a flash drive.
It's mostly command line oriented, with FRST and repair instructions on a flash drive, and mostly used for machines that won't boot, when you need a scan without Windows running.
That's not really our situation.

Tell me what you would like to do.
You have three options, as I see it. Only the first one is assured of fixing the problem.
1) Reinstall (not repair) Windows
2) Make the Linux CD and attempt to remove the offending files
3) Run FRST64 in the Windows Recovery Console


----------



## Satidraox (Nov 2, 2014)

Haha, I thought it'd end up this way, but I guess I was too hopeful? I dunno. But I'll just install Windows again soon. Not now since I have some homework to do for tomorrow, but I will soon.

I'd just like to say, thank you for bearing with me and helping me loads; even though the end result was unfavorable, at least we tried.


----------



## askey127 (Dec 22, 2006)

As a last ditch method, we could try installing File Assassin, which is a brute force remover.
I can give you a list of the files to remove and you could at least try it.
File Assassin is here: https://www.malwarebytes.org/fileassassin/
You open File Assassin and drop or list the files you want removed.

You need to kill these if they exist:
C:\Users\Andrew\AppData\Local\iblurqat.log
C:\Users\Andrew\AppData\Local\mpekwawr.log
C:\Users\Andrew\AppData\Local\ufimxyxd.log
C:\Users\Andrew\AppData\Local\wtogxvpv.log
C:\Users\Andrew\AppData\Local\ycfnmyrj.log
C:\Users\Andrew\AppData\Local\ycrrqubu.log
C:\Users\Andrew\AppData\Local\ycvcptbo.log
c:\users\andrew\appdata\local\temp\obopvhrk.exe
c:\users\andrew\appdata\local\temp\vhvftcft.exe
c:\users\andrew\appdata\local\wyixeucq\ffwkoulh.exe

and any other <random name>.log files in that folder

Killing off all other files in the folder c:\users\andrew\appdata\local\wyixeucq
would also be a good idea.


----------



## Satidraox (Nov 2, 2014)

Very well, worth a shot I guess.


----------



## Satidraox (Nov 2, 2014)

Aaaaand the file "ffwkoulh.exe" is hidden to FileAssassin, and though I'm able to delete most of the .log files, I think 4 just keep coming back, so... yaah...


----------



## askey127 (Dec 22, 2006)

This behaves like a rootkit, but the detectors we have are not showing it.
The infection may be a new one.


----------



## Satidraox (Nov 2, 2014)

Waiiiiiit
quick
for some reason it's let me do whatever I want for a bit
I delete the log files
and the ffwkoulh.exe


----------



## Satidraox (Nov 2, 2014)

What else do I need to do? Hurry, I don't know how long this'll last, since last time this happened it was only for about two hours since I realised it.


----------



## Satidraox (Nov 2, 2014)

Oh wait, you're gone. Well, I'll update you on if it comes back again I guess... which I'm expecting, I'm not sure what triggers it...


----------



## askey127 (Dec 22, 2006)

I would run Malwarebytes Anti-Malware and Microsoft Security Essentials scans while you can.
One of the tools may have been successful on reboot.

Going forward.....
---------------------------------------------------------------
*Avoid Unwanted Adware*
There are a couple seriously important tips about avoiding unwanted adware.

*Never agree to download anything, if prompted to do so while Online*.
That goes for "Your codec/browser/flash... needs to be updated to do this, blah, blah.."
or "you need to first download the xyz.. program to do what you want".
It's OK to download updates if prompted when the machine boots, while not yet online.

*Don't download anything from sites known for adware bundling.*
For any online downloads, it's best to avoid using *CNET, Download.com, BrotherSoft, or Softonic*.
They package their own "downloaders" and, without notice, deliver serious adware in addition to the desired programs.
Unfortunately, the results may be disastrous for your machine.

*FileHippo* and *MajorGeeks* have so far been better to use for downloading software.
The website of any program's original author is best of all.


----------



## Satidraox (Nov 2, 2014)

Yeah, don't worry about me, it's my dad that I need to educate on this matter it seems.
I've rescanned it once already and it's come up clean, but I'm currently doing it again, cause y'know, I'd really hate for it to come back again.

Thanks for your guidance!!!!


----------



## Satidraox (Nov 2, 2014)

So the bad news is, it's back, and the good news is... well, there really isn't any good news...


----------



## Satidraox (Nov 2, 2014)

I'm just going to do a clean install cause this is driving me insane. I've already nearly broken one of the monitors and I don't really want to lose another haha, so I'll see you on the other side to see how it went and if I need a new laptop or not.


----------



## Satidraox (Nov 2, 2014)

Damn, this thread has been a rollercoaster now that I look at it haha


----------



## Satidraox (Nov 2, 2014)

Well, to finish off I guess, errm yeah, I did a clean install of Windows 7 Ultimate. Me being the idiot I am, I of course forgot the drivers, but I'm getting those tomorrow. Just wanted to say (sorry for the repeat) thanks for at least trying.


----------

