PDA

View Full Version : SahOepDRop and UniDeeAls keep re-installing every time I open Chrome


klapaucius122
2015-02-19, 06:43
Hi there,

I attached the logs as below. I have previously tried to fix the malware with the fix function of spybot 2.4 and malwarebytes Anti-Malware (Free) 2.04.1028 as suggested by some general malware removal guide but both proves fail. My computer is having AVG AntiVirus Free Edition 2014 and it prompt me to click "protect me" several times for it found malware within my computer and I did it.

Thanks in advance for the help offered.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-02-2015 01
Ran by user (administrator) on USER-PC on 19-02-2015 04:19:50
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available profiles: user)
Platform: Microsoft Windows 7 旗艦版 Service Pack 1 (X86) OS Language: 中文 (繁體,台灣)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgcsrvx.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgwdsvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEDICTUPDATE.EXE
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Rocket Division Software) C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
(AVG Secure Search) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\loggingserver.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Advanced Micro Devices Inc.) C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgemcx.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(ATI Technologies Inc.) C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_13_0_0_206_ActiveX.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Tweaking.com) C:\Program Files\Tweaking.com\Registry Backup\TweakingRegistryBackup.exe
(Tweaking.com) C:\Program Files\Tweaking.com\Registry Backup\files\vss_start.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Program Files\Tweaking.com\Registry Backup\files\vss_7_8_2008_2012_32.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Tweaking.com) C:\Program Files\Tweaking.com\Registry Backup\files\vss_pause.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2014\avgui.exe [5188112 2014-12-16] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [StartCCC] => C:\Program Files\AMD\ATI.ACE\Core-Static\x86\CLIStart.exe [748232 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [USB3MON] => C:\Program Files\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292088 2013-09-17] (Intel Corporation)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [Emtion] => regsvr32.exe C:\Users\user\AppData\Local\Emtion\fontmanager.dll <===== ATTENTION
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [Ehtion] => C:\Windows\System32\regsvr32.exe C:\Users\user\AppData\Local\Idsoft\jinstall.dll
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [Google Update] => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-22] (Google Inc.)
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [DevidAgent] => C:\Users\user\Downloads\Dev_Agent_Setup.exe /autorun
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\MountPoints2: E - E:\LaunchU3.exe -a
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\MountPoints2: {a9857f62-614c-11e4-9ba9-047d7bb6a204} - G:\LaunchU3.exe -a
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-04-18] (Microsoft Corporation)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver Toolkit 8.4 License key Crack Plus Keygen.lnk
ShortcutTarget: Driver Toolkit 8.4 License key Crack Plus Keygen.lnk -> C:\ProgramData\{1665ace2-ce59-61dd-1665-5ace2ce5b38b}\Driver Toolkit 8.4 License key Crack Plus Keygen.exe (No File)
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll No File
BootExecute: autocheck autochk * sdnclean.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
SearchScopes: HKLM -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> DefaultScope {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
BHO: 4225FF56-3467-2D27-B321-46508CBC2FC3 Class -> {4225FF56-3467-2D27-B321-46508CBC2FC3} -> C:\Program Files\QvodPlayer\AddIn\{4225FF56-3467-2D27-B321-46508CBC2FC3}\QvodAddr.dll No File
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\3.2.0\ViProtocol.dll (AVG Secure Search)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 158.143.223.209 158.143.96.212 158.143.128.120
Tcpip\..\Interfaces\{23DFFE70-EB60-479F-805A-759C0855FD00}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{24E4DBB4-8655-4540-966F-81C42AF98E9B}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{6AE9E996-5EA8-4293-BA89-0066DBB8D1BF}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{CB19CF2B-18C5-489F-A6DA-535FE7FCED4D}: [NameServer] 8.8.8.8,8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6us053y3.default
FF SearchEngineOrder.1: WebSearch
FF DefaultSearchEngine: WebSearch
FF SelectedSearchEngine: WebSearch
FF SearchEngineOrder.1,S: WebSearch
FF DefaultSearchEngine,S: WebSearch
FF SelectedSearchEngine,S: WebSearch
FF DefaultSearchUrl: hxxp://websearch.look-for-it.info/?pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82&l=1&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_14_0_0_125.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\3.2.0\\npsitesafety.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1295911863-593079498-3894259846-1000: @qvod.com/QvodInsert -> C:\Program Files\QvodPlayer\npQvodInsert.dll No File
FF Plugin HKU\S-1-5-21-1295911863-593079498-3894259846-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-1295911863-593079498-3894259846-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-1295911863-593079498-3894259846-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\findbook-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\wikipedia-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-answer-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-bid-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-zh-TW.xml
FF Extension: Greasemonkey - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6us053y3.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2014-11-30]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HomePage: Default -> hxxp://hk.yahoo.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/", "https://mysearch.avg.com?cid={F855F5E5-08B0-4282-9D04-9C928A1FBE79}&mid=e912d75cf8e847d2b118d5343d524bf7-222af305a5eecf5856eb527ea7e3d9a20cba5ac8&lang=zh-tw&ds=AVG&coid=avgtbavg&pr=fr&d=2014-08-30 03:00:29&v=3.2.0.14&pid=wtu&sg=&sap=hp", "https://mysearch.avg.com?cid={F855F5E5-08B0-4282-9D04-9C928A1FBE79}&mid=e912d75cf8e847d2b118d5343d524bf7-222af305a5eecf5856eb527ea7e3d9a20cba5ac8&lang=zh-tw&ds=AVG&coid=avgtbavg&pr=fr&d=2014-08-30 03:00:29&v=3.2.0.15&pid=wtu&sg=&sap=hp"
CHR DefaultSearchKeyword: Default -> google.co.uk
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-18]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-18]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-18]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-18]
CHR Extension: (AdBlock) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-04-25]
CHR Extension: (Google Input Tools) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclkkofklkfljcocdinagocijmpgbhab [2014-06-03]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-18]
CHR Extension: (No Name) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnfnkhpgegpcingjbfihlkjeighnddk [2014-11-05]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-18]
StartMenuInternet: Google Chrome.JFTVAPEOOHZ4SI4O7HUYTBBIMI - C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3247120 2014-12-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [289328 2014-12-16] (AVG Technologies CZ, s.r.o.)
R2 ImeDictUpdateService; C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE [59760 2010-01-21] (Microsoft Corporation)
S2 KMService; C:\Windows\system32\srvany.exe [8192 2014-04-18] () [File not signed]
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 StarWindServiceAE; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [275968 2007-05-28] (Rocket Division Software) [File not signed]
R2 vToolbarUpdater3.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe [1843736 2014-08-30] (AVG Secure Search)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\System32\DRIVERS\athr.sys [3237888 2013-10-25] (Qualcomm Atheros Communications, Inc.)
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [121624 2014-06-30] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [200984 2014-07-21] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147736 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [189720 2014-10-24] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [241944 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [98584 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [197400 2014-10-20] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [42784 2014-08-30] (AVG Technologies)
R3 IPvE; C:\Windows\System32\DRIVERS\IPvEx86.sys [20464 2011-04-18] (IPVE)
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [16880 2013-09-17] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [352752 2013-09-17] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [801776 2013-09-17] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-17] (Intel Corporation)
R1 MpKsl3a261f24; C:\Windows\system32\MpEngineStore\MpKsl3a261f24.sys [39464 2015-02-18] (Microsoft Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [722416 2014-04-18] () [File not signed]
U3 awo6gci1; C:\Windows\system32\Drivers\awo6gci1.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero size file/folder)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 Tosrfcom; No ImagePath
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 aswMBR; \??\C:\Users\user\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\user\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 04:19 - 2015-02-19 04:20 - 00018899 _____ () C:\Users\user\Downloads\FRST.txt
2015-02-19 04:18 - 2015-02-19 04:19 - 00000000 ____D () C:\FRST
2015-02-19 04:18 - 2015-02-19 04:18 - 01126400 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2015-02-19 04:17 - 2015-02-19 04:17 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-USER-PC-Windows-7-Ultimate-(32-bit).dat
2015-02-19 04:16 - 2015-02-19 04:16 - 00058980 _____ () C:\Users\user\Downloads\Extras.Txt
2015-02-19 04:16 - 2015-02-19 04:16 - 00000000 ____D () C:\RegBackup
2015-02-19 04:15 - 2015-02-19 04:15 - 00002181 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2015-02-19 04:15 - 2015-02-19 04:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-02-19 04:15 - 2015-02-19 04:15 - 00000000 ____D () C:\Program Files\Tweaking.com
2015-02-19 04:14 - 2015-02-19 04:14 - 04804736 _____ () C:\Users\user\Desktop\tweaking.com_registry_backup_setup.exe
2015-02-19 04:14 - 2015-02-19 04:14 - 00157230 _____ () C:\Users\user\Downloads\OTL.Txt
2015-02-19 04:05 - 2015-02-19 04:05 - 00791393 _____ (Lars Hederer ) C:\Users\user\Downloads\erunt-setup.exe
2015-02-19 03:57 - 2015-02-19 03:57 - 00602112 _____ (OldTimer Tools) C:\Users\user\Downloads\OTL.exe
2015-02-19 03:56 - 2015-02-19 03:56 - 05200384 _____ (AVAST Software) C:\Users\user\Downloads\aswmbr.exe
2015-02-18 17:33 - 2015-02-18 17:44 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-18 17:33 - 2015-02-18 17:33 - 00002131 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-02-18 17:33 - 2015-02-18 17:33 - 00002119 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-02-18 17:33 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-02-18 17:31 - 2015-02-18 17:32 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\user\Downloads\spybot-2.4.exe
2015-02-18 17:18 - 2015-02-18 17:18 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2015-02-18 17:17 - 2015-02-18 17:17 - 38804664 _____ (Microsoft Corporation) C:\Users\user\Downloads\Windows-KB890830-V5.21.exe
2015-02-18 16:33 - 2015-02-18 16:33 - 00145416 _____ () C:\Windows\Minidump\021815-35927-01.dmp
2015-02-18 15:01 - 2015-02-18 15:01 - 00000000 ____D () C:\ProgramData\7bb444f000002f6c
2015-02-18 14:58 - 2015-02-19 00:22 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-18 14:58 - 2015-02-18 14:58 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-18 14:58 - 2015-02-18 14:58 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-18 14:58 - 2015-02-18 14:58 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-18 14:58 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-18 14:58 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-18 14:58 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-18 14:57 - 2015-02-18 14:58 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\user\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-18 02:31 - 2015-02-18 15:02 - 00000000 ____D () C:\Program Files\karmacracy
2015-02-18 02:10 - 2015-02-18 02:10 - 00000000 ____D () C:\ProgramData\hcaebajahgdglpefoihffockgahhafol
2015-02-15 06:50 - 2015-02-18 02:36 - 00000020 _____ () C:\Users\user\AppData\Roaming\appdataFr3.bin
2015-02-11 06:17 - 2015-02-11 06:17 - 00145416 _____ () C:\Windows\Minidump\021115-32744-01.dmp
2015-02-10 23:38 - 2015-02-10 23:38 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_iusb3hcs_01009.Wdf
2015-02-10 23:38 - 2013-09-17 06:47 - 00041984 _____ (Intel Corporation) C:\Windows\system32\Drivers\USB3Ver.dll
2015-02-10 23:37 - 2015-02-10 23:37 - 05472920 _____ () C:\Users\user\Downloads\Intel(R)_USB_3.0_eXtensible_Host_Controller_Driver.zip
2015-02-10 23:37 - 2013-09-17 06:48 - 00801776 _____ (Intel Corporation) C:\Windows\system32\Drivers\iusb3xhc.sys
2015-02-10 23:37 - 2013-09-17 06:48 - 00352752 _____ (Intel Corporation) C:\Windows\system32\Drivers\iusb3hub.sys
2015-02-10 23:37 - 2013-09-17 06:48 - 00016880 _____ (Intel Corporation) C:\Windows\system32\Drivers\iusb3hcs.sys
2015-02-10 23:37 - 2009-07-14 11:27 - 01461992 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01009.dll
2015-02-10 23:30 - 2015-02-10 23:30 - 02894032 _____ (Intel(R) Corporation) C:\Users\user\Downloads\SetupChipset.exe
2015-02-10 23:30 - 2015-02-10 23:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel Driver Update Utility
2015-02-10 23:30 - 2015-02-10 23:30 - 00000000 ____D () C:\Program Files\Intel Driver Update Utility
2015-02-10 23:28 - 2015-02-10 23:38 - 00000000 ____D () C:\Program Files\Intel
2015-02-10 23:27 - 2015-02-10 23:27 - 02703452 _____ () C:\Users\user\Downloads\Chipset_10.0.24_Public.zip
2015-02-10 23:22 - 2015-02-18 03:30 - 00000000 ____D () C:\ProgramData\466349820094711118
2015-02-10 23:22 - 2015-02-10 23:24 - 00000000 ____D () C:\ProgramData\fgidcfnohdkpedainaofagbbceifmemi
2015-02-10 23:15 - 2015-02-10 23:22 - 00000000 ____D () C:\Program Files\DriverToolkit
2015-02-10 23:15 - 2015-02-10 23:15 - 00000000 ____D () C:\Users\user\AppData\Local\DriverToolkit
2015-02-10 23:14 - 2015-02-10 23:15 - 02448688 _____ (Megaify Software ) C:\Users\user\Downloads\driver_setup.exe
2015-02-10 23:13 - 2015-02-10 23:13 - 00347816 _____ (Microsoft Corporation) C:\Users\user\Downloads\MicrosoftFixit.Devices.Run.exe
2015-02-10 23:10 - 2015-02-10 23:10 - 00000000 ____D () C:\Intel
2015-02-10 23:09 - 2015-02-10 23:09 - 05422844 _____ () C:\Users\user\Downloads\Intel(R)_USB_3.0_eXtensible_Host_Controller_Driver_3.0.4.65.zip
2015-02-10 23:08 - 2015-02-10 23:09 - 222875784 _____ (AMD Inc.) C:\Users\user\Downloads\amd-catalyst-omega-14.12-with-dotnet45-win7-32bit.exe
2015-02-10 23:04 - 2015-02-10 23:05 - 50694624 _____ (AMD Inc.) C:\Users\user\Downloads\amd-catalyst-omega-14.12-sb-sata-ahci-win8.1-win7.exe
2015-02-08 19:45 - 2015-02-08 19:45 - 00051934 _____ () C:\Windows\system32\CCCInstall_201502081945345207.log
2015-02-08 19:45 - 2015-02-08 19:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
2015-02-08 19:45 - 2015-02-08 19:45 - 00000000 ____D () C:\ProgramData\ATI
2015-02-08 19:45 - 2015-02-08 19:45 - 00000000 ____D () C:\Program Files\AMD AVT
2015-02-08 19:06 - 2015-02-08 19:06 - 00000000 ____D () C:\Users\user\AppData\Local\Intel
2015-02-07 23:11 - 2015-02-18 16:33 - 420767878 _____ () C:\Windows\MEMORY.DMP
2015-02-07 23:11 - 2015-02-07 23:11 - 00145368 _____ () C:\Windows\Minidump\020715-52385-01.dmp
2015-02-04 11:39 - 2015-02-04 11:39 - 00174193 _____ () C:\Users\user\Downloads\下載.htm
2015-02-03 14:28 - 2015-02-03 14:28 - 00000079 _____ () C:\Windows\wininit.ini
2015-02-03 14:27 - 2015-02-03 14:30 - 00000000 ____D () C:\Users\user\Documents\CJ
2015-02-01 02:53 - 2015-02-18 17:37 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2015-02-01 01:57 - 2015-02-01 02:00 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-01-30 02:31 - 2015-01-30 02:35 - 00000000 ____D () C:\Users\user\Desktop\Win 7
2015-01-30 00:47 - 2015-01-30 04:10 - 00000392 __RSH () C:\ProgramData\ntuser.pol
2015-01-29 21:54 - 2015-01-29 21:54 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-29 04:50 - 2015-01-29 04:50 - 00000000 ____D () C:\Users\user\AppData\Roaming\AVG
2015-01-29 04:36 - 2015-02-01 02:56 - 00000000 ____D () C:\Users\user\AppData\Local\Avg
2015-01-29 04:34 - 2015-01-29 04:54 - 00000000 ____D () C:\ProgramData\AVG
2015-01-29 02:57 - 2015-01-29 02:57 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2015-01-29 02:41 - 2015-01-31 02:50 - 00000000 ____D () C:\Users\user\AppData\Local\Idsoft
2015-01-29 02:41 - 2015-01-31 02:50 - 00000000 ____D () C:\Users\user\AppData\Local\Emtion
2015-01-26 19:00 - 2015-02-18 16:33 - 00000000 ____D () C:\Windows\Minidump
2015-01-26 19:00 - 2015-01-26 19:00 - 00145368 _____ () C:\Windows\Minidump\012615-24663-01.dmp
2015-01-20 16:59 - 2015-01-20 16:59 - 00000000 ____D () C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 03:57 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\tracing
2015-02-19 03:28 - 2014-04-24 15:54 - 00000548 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1295911863-593079498-3894259846-1000UA.job
2015-02-19 02:23 - 2009-07-14 04:34 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-19 02:23 - 2009-07-14 04:34 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-19 02:19 - 2014-04-17 21:38 - 01164627 _____ () C:\Windows\WindowsUpdate.log
2015-02-19 02:16 - 2009-07-14 04:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-19 02:16 - 2009-07-14 04:39 - 00073728 _____ () C:\Windows\setupact.log
2015-02-18 21:28 - 2014-04-24 15:54 - 00000496 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1295911863-593079498-3894259846-1000Core.job
2015-02-18 16:33 - 2014-04-18 01:24 - 00107554 _____ () C:\Windows\PFRO.log
2015-02-18 15:01 - 2014-05-11 20:42 - 00000000 ____D () C:\Users\user\AppData\Roaming\Skype
2015-02-10 23:30 - 2014-06-10 16:13 - 00000000 ____D () C:\ProgramData\Package Cache
2015-02-10 23:07 - 2014-06-10 16:15 - 00000000 ____D () C:\Program Files\AMD
2015-02-10 23:05 - 2014-04-24 15:46 - 00000000 ____D () C:\AMD
2015-02-08 20:48 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-02-08 19:45 - 2014-06-10 16:19 - 00000000 ____D () C:\ProgramData\AMD
2015-02-08 19:43 - 2014-06-10 16:12 - 00000000 ____D () C:\Program Files\ATI Technologies
2015-02-07 23:11 - 2014-06-28 17:57 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-02-05 21:31 - 2014-04-18 09:12 - 00002334 _____ () C:\Users\user\Desktop\Google Chrome.lnk
2015-02-01 03:22 - 2014-04-18 09:16 - 00000000 ____D () C:\ProgramData\AVG2014
2015-02-01 02:59 - 2014-04-18 09:13 - 00000000 ____D () C:\ProgramData\MFAData
2015-02-01 02:58 - 2014-04-18 09:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-02-01 02:10 - 2014-04-18 09:38 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2015-02-01 02:10 - 2014-04-18 09:37 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-02-01 01:56 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2015-01-30 02:03 - 2014-04-17 21:51 - 01302614 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-30 02:03 - 2009-07-14 08:31 - 00399860 _____ () C:\Windows\system32\prfh0404.dat
2015-01-30 02:03 - 2009-07-14 08:31 - 00121596 _____ () C:\Windows\system32\prfc0404.dat
2015-01-30 00:47 - 2009-07-14 02:37 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2015-01-29 17:49 - 2014-04-17 22:35 - 113756392 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-29 04:46 - 2014-04-18 09:15 - 00000000 ____D () C:\Program Files\AVG
2015-01-29 02:59 - 2014-07-05 06:39 - 00000000 ____D () C:\Users\user\AppData\Roaming\uTorrent
2015-01-29 02:51 - 2009-07-14 04:52 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-01-29 02:40 - 2014-04-17 21:46 - 00000000 ____D () C:\Users\user\AppData\Local\VirtualStore
2015-01-29 02:38 - 2014-12-06 10:46 - 00000000 ____D () C:\Users\user\AppData\Roaming\vlc

==================== Files in the root of some directories =======

2015-02-15 06:50 - 2015-02-18 02:36 - 0000020 _____ () C:\Users\user\AppData\Roaming\appdataFr3.bin
2014-05-24 13:35 - 2014-08-14 09:02 - 0000954 _____ () C:\Users\user\AppData\Roaming\coreavc.ini
2014-08-19 21:46 - 2014-08-19 21:46 - 0007596 _____ () C:\Users\user\AppData\Local\Resmon.ResmonCfg

Some content of TEMP:
====================
C:\Users\user\AppData\Local\Temp\amd-catalyst-omega-14.12-without-dotnet45-win7-32bit.exe
C:\Users\user\AppData\Local\Temp\AutoDetectUtilApp.exe
C:\Users\user\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\user\AppData\Local\Temp\mgwz.dll
C:\Users\user\AppData\Local\Temp\SDShelEx-win32.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-13 03:36

==================== End Of Log ============================

aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-02-19 04:23:32
-----------------------------
04:23:32.124 OS Version: Windows 6.1.7601 Service Pack 1
04:23:32.124 Number of processors: 4 586 0x3A09
04:23:32.124 ComputerName: USER-PC UserName: user
04:23:34.527 Initialize success
04:23:34.537 VM: initialized successfully
04:23:34.540 VM: Intel CPU supported
04:23:44.133 VM: disk I/O atapi.sys
04:23:53.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
04:23:53.078 Disk 0 Vendor: TOSHIBA_MQ01ABD050 AX001A Size: 476940MB BusType: 11
04:23:53.124 Disk 0 MBR read successfully
04:23:53.124 Disk 0 MBR scan
04:23:53.140 Disk 0 Windows 7 default MBR code
04:23:53.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
04:23:53.156 Disk 0 Boot: NTFS code=1
04:23:53.171 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
04:23:53.193 Disk 0 scanning sectors +976771072
04:23:53.255 Disk 0 scanning C:\Windows\system32\drivers
04:24:01.886 Service scanning
04:24:44.122 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
04:24:50.602 Modules scanning
04:24:50.602 Disk 0 trace - called modules:
04:24:50.602
04:24:50.602 Disk 0 statistics 83225/0/0 @ 5.48 MB/s
04:24:50.602 Scan finished successfully
04:25:08.616 Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\Logs\MBR.dat"
04:25:08.621 The log file has been saved successfully to "C:\Users\user\Desktop\Logs\aswMBR.txt"






12065
12066
12067
Juliet
2015-02-19, 16:13
cracked/pirated/keygen software. Participating in the use of such software is a security risk; your infected computer is evidence of this. We do not approve of nor support illegal software.

Malware authors promote and release cracked software to spread their infections. I strongly recommend you refrain from participating in this activity; your computer will be reinfected otherwise. Simply visiting a cracked software site can result in infection from exploitation of vulnerabilities in your installed software.

Continuing in this practice will ensure your computer is continuously susceptible to malware infections, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to reformat your Hard Drive and reinstall your Operating System. Please refer to the following articles for more information.

The Hidden Risks of Using Pirated Software (http://blogs.msdn.com/b/govtech/archive/2013/03/25/the-hidden-risks-of-using-pirated-software.aspx)
IDC White paper: The Dangersous World of Counterfeit and Pirated Software (http://www.microsoft.com/en-us/news/download/presskits/antipiracy/docs/idc030513.pdf)
Software Piracy on the Internet: A Threat To Your Securiy (http://global.bsa.org/internetreport2009/2009internetpiracyreport.pdf)
File Sharing, Piracy, and Malware (http://acms.ucsd.edu/students/resnet/malware_filesharing.html)
Pirated software carries malware payload that can cost billions (http://www.infosecurity-magazine.com/view/31449/pirated-software-carries-malware-payload-that-can-cost-billions/)


~~~~~~~~~~~~~~~~~~~~~~~~~~``
P2P Warning

I see you have peer-to-peer (P2P) file sharing software installed on your computer (uTorrent). I advise you avoid P2P file sharing programs; they are a security risk which can make your computer susceptible to malware. File sharing networks are thoroughly infected and infested with malware - worms (http://en.wikipedia.org/wiki/Computer_worm), backdoor Trojans (http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99), IRCBots (http://en.wikipedia.org/wiki/IRC_bot), and rootkits (http://en.wikipedia.org/wiki/Rootkit) propagate via P2P file sharing networks, gaming, and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. The best way to reduce the risk of infection is to avoid these types of web sites and not use P2P applications. Please read the following articles for more information.

Risks of File-Sharing Technology (http://www.us-cert.gov/cas/tips/ST05-007.html)
P2P Software User Advisories (http://aresgalaxy.sourceforge.net/p2prisks.htm)
More malware is traveling on P2P networks these days (http://www.computerworld.com/s/article/9240067/More_malware_is_traveling_on_P2P_networks_these_days)

Your P2P software can be removed by following the instructions below.

Press the Windows Key http://i.imgur.com/pdKOQKY.png + r on your keyboard at the same time. Type appwiz.cpl and click OK.
Search for the aforementioned programme(s), right-click and click Uninstall.

If you choose not to, please refrain from using the programme(s) during this process.

**
~~

Make sure you export your passwords and bookmarks first so you still know how to login to sites.

Instructions on how to backup your Favourites/Bookmarks and other data can be found below.
http://i.imgur.com/U5NwUGc.pngBackup Chrome Bookmarks (http://www.wikihow.com/Export-Bookmarks-from-Chrome)

Please download and install Revo Uninstaller 1.95 (http://www.revouninstaller.com/download/revosetup.exe).
Then please run Revo Uninstaller and select Google Chrome
Please click Uninstall icon to uninstall the selected program.
Please choose Advanced.
Then click Next and follow the prompts.
Please click Select All and Delete to delete all registry items, folders and files listed by Revo.
If asked to restart the computer, please do so.
Install the latest stable version from the link below:
Google Chrome 38.0.2125.111 (https://dl.google.com/tag/s/appguid%3D{8A69D345-D564-463C-AFF1-A69D9E530F96}%26iid%3D{F4BE8D58-3A95-ACDE-2273-22C620A10DB3}%26lang%3Den%26browser%3D4%26usagestats%3D0%26appname%3DGoogle%20Chrome%26needsadmin%3Dprefers%26installdataindex%3Ddefaultbrowser/update2/installers/ChromeStandaloneSetup.exe) and let me know if the program installed successfully.

To download Google Chrome again use the link below after running the script I create.
https://support.google.com/chrome/answer/95346?hl=en



Please go to one of the below sites to scan the following files:
Virus Total (Recommended) (http://www.virustotal.com/)
jotti.org (http://virusscan.jotti.org/)
VirScan (http://virscan.org/)
click on Browse, and upload the following file for analysis:

C:\Windows\system32\Drivers\awo6gci1.sys


Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

~~~

Running from C:\Users\user\Downloads

It's best we move Farbar's to desktop.

Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.

***

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CloseProcesses:
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [Emtion] => regsvr32.exe C:\Users\user\AppData\Local\Emtion\fontmanager.dll <===== ATTENTION
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [Ehtion] => C:\Windows\System32\regsvr32.exe C:\Users\user\AppData\Local\Idsoft\jinstall.dll
ShortcutTarget: Driver Toolkit 8.4 License key Crack Plus Keygen.lnk -> C:\ProgramData\{1665ace2-ce59-61dd-1665-5ace2ce5b38b}\Driver Toolkit 8.4 License key Crack Plus Keygen.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
SearchScopes: HKLM -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> DefaultScope {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
BHO: 4225FF56-3467-2D27-B321-46508CBC2FC3 Class -> {4225FF56-3467-2D27-B321-46508CBC2FC3} -> C:\Program Files\QvodPlayer\AddIn\{4225FF56-3467-2D27-B321-46508CBC2FC3}\QvodAddr.dll No File
FF SearchEngineOrder.1: WebSearch
FF DefaultSearchEngine: WebSearch
FF SelectedSearchEngine: WebSearch
FF SearchEngineOrder.1,S: WebSearch
FF DefaultSearchEngine,S: WebSearch
FF SelectedSearchEngine,S: WebSearch
FF DefaultSearchUrl: hxxp://websearch.look-for-it.info/?pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82&l=1&q=
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\3.2.0\\npsitesafety.dll No File
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin HKU\S-1-5-21-1295911863-593079498-3894259846-1000: @qvod.com/QvodInsert -> C:\Program Files\QvodPlayer\npQvodInsert.dll No File
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR StartupUrls: Default -> "hxxp://www.google.com/", "https://mysearch.avg.com?cid={F855F5E5-08B0-4282-9D04-9C928A1FBE79}&mid=e912d75cf8e847d2b118d5343d524bf7-222af305a5eecf5856eb527ea7e3d9a20cba5ac8&lang=zh-tw&ds=AVG&coid=avgtbavg&pr=fr&d=2014-08-30 03:00:29&v=3.2.0.14&pid=wtu&sg=&sap=hp", "https://mysearch.avg.com?cid={F855F5E5-08B0-4282-9D04-9C928A1FBE79}&mid=e912d75cf8e847d2b118d5343d524bf7-222af305a5eecf5856eb527ea7e3d9a20cba5ac8&lang=zh-tw&ds=AVG&coid=avgtbavg&pr=fr&d=2014-08-30 03:00:29&v=3.2.0.15&pid=wtu&sg=&sap=hp"
S3 Tosrfcom; No ImagePath
C:\Users\user\AppData\Local\Temp\amd-catalyst-omega-14.12-without-dotnet45-win7-32bit.exe
C:\Users\user\AppData\Local\Temp\AutoDetectUtilApp.exe
C:\Users\user\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\user\AppData\Local\Temp\mgwz.dll
C:\Users\user\AppData\Local\Temp\SDShelEx-win32.dll
CustomCLSID: HKU\S-1-5-21-1295911863-593079498-3894259846-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1295911863-593079498-3894259846-1000_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\Users\user\AppData\Local\Temp\DbBe4f1\temp\Driver Toolkit 8.4 License key Crack Plus Keygen.exe N (the data entry has 6 more characters).
EmptyTemp:
Hosts:
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Juliet
2015-02-19, 16:14
Let me also add

http://i.imgur.com/BY4dvz9.png AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) and save the file to your Desktop.
Right-Click AdwCleaner.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


~~~
please post
VirusTotal scan
Fixlog.txt
C:\AdwCleaner.txt
JRT.txt
klapaucius122
2015-02-19, 20:11
Thanks for the prompt reply :)

Error occured when installing Google Chrome 38.0.2125.111
Unable to locate C:\Windows\system32\Drivers\awo6gci1.sys , there are no such file when I browse that folder. Therefore can't perform the VirusTotal scan
Other procedures are completed.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-02-2015 01
Ran by user at 2015-02-19 17:35:53 Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available profiles: user)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [Emtion] => regsvr32.exe C:\Users\user\AppData\Local\Emtion\fontmanager.dll <===== ATTENTION
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\...\Run: [Ehtion] => C:\Windows\System32\regsvr32.exe C:\Users\user\AppData\Local\Idsoft\jinstall.dll
ShortcutTarget: Driver Toolkit 8.4 License key Crack Plus Keygen.lnk -> C:\ProgramData\{1665ace2-ce59-61dd-1665-5ace2ce5b38b}\Driver Toolkit 8.4 License key Crack Plus Keygen.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
SearchScopes: HKLM -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> DefaultScope {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
SearchScopes: HKU\S-1-5-21-1295911863-593079498-3894259846-1000 -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82
BHO: 4225FF56-3467-2D27-B321-46508CBC2FC3 Class -> {4225FF56-3467-2D27-B321-46508CBC2FC3} -> C:\Program Files\QvodPlayer\AddIn\{4225FF56-3467-2D27-B321-46508CBC2FC3}\QvodAddr.dll No File
FF SearchEngineOrder.1: WebSearch
FF DefaultSearchEngine: WebSearch
FF SelectedSearchEngine: WebSearch
FF SearchEngineOrder.1,S: WebSearch
FF DefaultSearchEngine,S: WebSearch
FF SelectedSearchEngine,S: WebSearch
FF DefaultSearchUrl: hxxp://websearch.look-for-it.info/?pid=21902&r=2015/02/10&hid=14292003671132990066&lg=EN&cc=GB&unqvl=82&l=1&q=
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\3.2.0\\npsitesafety.dll No File
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin HKU\S-1-5-21-1295911863-593079498-3894259846-1000: @qvod.com/QvodInsert -> C:\Program Files\QvodPlayer\npQvodInsert.dll No File
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR StartupUrls: Default -> "hxxp://www.google.com/", "https://mysearch.avg.com?cid={F855F5E5-08B0-4282-9D04-9C928A1FBE79}&mid=e912d75cf8e847d2b118d5343d524bf7-222af305a5eecf5856eb527ea7e3d9a20cba5ac8&lang=zh-tw&ds=AVG&coid=avgtbavg&pr=fr&d=2014-08-30 03:00:29&v=3.2.0.14&pid=wtu&sg=&sap=hp", "https://mysearch.avg.com?cid={F855F5E5-08B0-4282-9D04-9C928A1FBE79}&mid=e912d75cf8e847d2b118d5343d524bf7-222af305a5eecf5856eb527ea7e3d9a20cba5ac8&lang=zh-tw&ds=AVG&coid=avgtbavg&pr=fr&d=2014-08-30 03:00:29&v=3.2.0.15&pid=wtu&sg=&sap=hp"
S3 Tosrfcom; No ImagePath
C:\Users\user\AppData\Local\Temp\amd-catalyst-omega-14.12-without-dotnet45-win7-32bit.exe
C:\Users\user\AppData\Local\Temp\AutoDetectUtilApp.exe
C:\Users\user\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\user\AppData\Local\Temp\mgwz.dll
C:\Users\user\AppData\Local\Temp\SDShelEx-win32.dll
CustomCLSID: HKU\S-1-5-21-1295911863-593079498-3894259846-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1295911863-593079498-3894259846-1000_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\Users\user\AppData\Local\Temp\DbBe4f1\temp\Driver Toolkit 8.4 License key Crack Plus Keygen.exe N (the data entry has 6 more characters).
EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Emtion => value deleted successfully.
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ehtion => value deleted successfully.
C:\ProgramData\{1665ace2-ce59-61dd-1665-5ace2ce5b38b}\Driver Toolkit 8.4 License key Crack Plus Keygen.exe not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB82DE59-BC4C-4172-9AC4-73315F71CFFE}" => Key deleted successfully.
HKCR\CLSID\{BB82DE59-BC4C-4172-9AC4-73315F71CFFE} => Key not found.
HKU\S-1-5-21-1295911863-593079498-3894259846-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-1295911863-593079498-3894259846-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}" => Key deleted successfully.
HKCR\CLSID\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} => Key not found.
"HKU\S-1-5-21-1295911863-593079498-3894259846-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB82DE59-BC4C-4172-9AC4-73315F71CFFE}" => Key deleted successfully.
HKCR\CLSID\{BB82DE59-BC4C-4172-9AC4-73315F71CFFE} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4225FF56-3467-2D27-B321-46508CBC2FC3}" => Key deleted successfully.
"HKCR\CLSID\{4225FF56-3467-2D27-B321-46508CBC2FC3}" => Key deleted successfully.
Firefox SearchEngineOrder.1 deleted successfully.
Firefox DefaultSearchEngine deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox SearchEngineOrder.1,S deleted successfully.
Firefox DefaultSearchEngine,S deleted successfully.
Firefox SelectedSearchEngine,S deleted successfully.
Firefox DefaultSearchUrl deleted successfully.
"HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.
"HKU\S-1-5-21-1295911863-593079498-3894259846-1000\Software\MozillaPlugins\@qvod.com/QvodInsert" => Key deleted successfully.
C:\Program Files\QvodPlayer\npQvodInsert.dll not found.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
Chrome StartupUrls not detected.
Tosrfcom => Service deleted successfully.
C:\Users\user\AppData\Local\Temp\amd-catalyst-omega-14.12-without-dotnet45-win7-32bit.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\AutoDetectUtilApp.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\DseShExt-x86.dll => Moved successfully.
C:\Users\user\AppData\Local\Temp\mgwz.dll => Moved successfully.
C:\Users\user\AppData\Local\Temp\SDShelEx-win32.dll => Moved successfully.
"HKU\S-1-5-21-1295911863-593079498-3894259846-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => Key deleted successfully.
"HKU\S-1-5-21-1295911863-593079498-3894259846-1000_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" => Key deleted successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 1.3 GB temporary data.


The system needed a reboot.

==== End of Fixlog 17:37:26 ====

# AdwCleaner v4.111 - Logfile created 19/02/2015 at 17:47:39
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x86)
# Username : user - USER-PC
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

Service Deleted : vToolbarUpdater3.2.0

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\466349820094711118
Folder Deleted : C:\ProgramData\7bb444f000002f6c
Folder Deleted : C:\Program Files\baidu
Folder Deleted : C:\Program Files\DriverToolkit
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\users\user\AppData\Local\DriverToolkit
Folder Deleted : C:\ProgramData\fgidcfnohdkpedainaofagbbceifmemi
Folder Deleted : C:\ProgramData\hcaebajahgdglpefoihffockgahhafol

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\DriverToolkit
Key Deleted : HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17239


-\\ Mozilla Firefox v35.0 (x86 zh-TW)


-\\ Chromium v


*************************

AdwCleaner[R0].txt - [3185 bytes] - [19/02/2015 17:42:10]
AdwCleaner[S0].txt - [3184 bytes] - [19/02/2015 17:47:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3243 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Ultimate x86
Ran by user on 2015/02/19 週四 at 17:53:36.42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\system32\ai_recyclebin"



~~~ FireFox

Successfully deleted: [Folder] C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\6us053y3.default\extensions\staged
Emptied folder: C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\6us053y3.default\minidumps [4 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2015/02/19 週四 at 17:54:53.72
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Juliet
2015-02-19, 20:48
See if this link allows you to download Google Chrome
http://www.google.com/chrome/

Use the below tutorial to unhide files and folders, try to scan the file again at Virus Total
C:\Windows\system32\Drivers\awo6gci1.sys

http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/


~~~~~

Let's update and then run a Threat scan using MalwareBytes

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

~~~~~
What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.


http://i.imgur.com/GzlsbnV.png ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

Please download ESET Online Scan (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe) and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/).
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Advanced settings. Place a checkmark next to:

Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology


Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png. If no threats were found, skip the next two bullet points.
Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xKN1w2nv.png.pagespeed.ic.JWqIaEgZi7.png and click http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/SzOC1p0.png.pagespeed.ce.OWDP45O6oG.png.
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.


post
MBAM log
Eset log
klapaucius122
2015-02-20, 01:03
I downloaded Google Chrome successfully this time.
However I am still unable to find the file awo6gci1.sys even after unhiding all files and folders
Other procedures are completed

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2015/2/19
Scan Time: 下午 09:45:10
Logfile: Malwarebytes log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.19.10
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 307668
Time Elapsed: 16 min, 54 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


C:\Program Files\R.G. Mechanics\L.A.Noire\steam_api.dll a variant of Win32/HackTool.Crack.BQ potentially unsafe application
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp5883.exe Win32/Boaxxe.BR trojan
C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp5883.exe Win32/Boaxxe.BR trojan
C:\Users\user\AppData\Local\Emtion\CNBP_xxx.DLL a variant of Win32/Boaxxe.CO.gen trojan
C:\Users\user\AppData\Local\Emtion\fontmanager.dll a variant of Win32/Boaxxe.CO.gen trojan
C:\Users\user\AppData\Local\Idsoft\DRS.dll a variant of Win32/Boaxxe.CO.gen trojan
C:\Users\user\AppData\Local\Idsoft\jinstall.dll a variant of Win32/Boaxxe.CO.gen trojan
Juliet
2015-02-20, 01:30
C:\Program Files\R.G. Mechanics\L.A.Noire\steam_api.dll a variant of Win32/HackTool.Crack
reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.


Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)



start
CloseProcesses:
C:\Program Files\R.G. Mechanics\L.A.Noire\steam_api.dll
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp5883.exe
C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp5883.exe
C:\Users\user\AppData\Local\Emtion\CNBP_xxx.DLL
C:\Users\user\AppData\Local\Emtion\fontmanager.dll
C:\Users\user\AppData\Local\Idsoft\DRS.dll
C:\Users\user\AppData\Local\Idsoft\jinstall.dll
EmptyTemp:
CreateRestorePoint:
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


How is your computer now?
klapaucius122
2015-02-20, 02:45
My computer is fine now really appreciate the help. :)
Just one last question, is it better for me to keep all the malware removal tools in my computer or is it okay to remove all of them?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-02-2015 01
Ran by user at 2015-02-20 00:38:51 Run:2
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available profiles: user)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Program Files\R.G. Mechanics\L.A.Noire\steam_api.dll
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp5883.exe
C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp5883.exe
C:\Users\user\AppData\Local\Emtion\CNBP_xxx.DLL
C:\Users\user\AppData\Local\Emtion\fontmanager.dll
C:\Users\user\AppData\Local\Idsoft\DRS.dll
C:\Users\user\AppData\Local\Idsoft\jinstall.dll
EmptyTemp:
CreateRestorePoint:
End
*****************

Processes closed successfully.
C:\Program Files\R.G. Mechanics\L.A.Noire\steam_api.dll => Moved successfully.
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp5883.exe => Moved successfully.
"C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp5883.exe" => File/Directory not found.
C:\Users\user\AppData\Local\Emtion\CNBP_xxx.DLL => Moved successfully.
C:\Users\user\AppData\Local\Emtion\fontmanager.dll => Moved successfully.
C:\Users\user\AppData\Local\Idsoft\DRS.dll => Moved successfully.
C:\Users\user\AppData\Local\Idsoft\jinstall.dll => Moved successfully.
Restore point was successfully created.
EmptyTemp: => Removed 250.1 MB temporary data.


The system needed a reboot.

==== End of Fixlog 00:39:49 ====
Juliet
2015-02-20, 03:23
My computer is fine now really appreciate the help.
Just one last question, is it better for me to keep all the malware removal tools in my computer or is it okay to remove all of them?
Your quite welcome

Let's remove the tools and quarantine folders that can possibly be picked up from other scanners as malicious.


http://i.imgur.com/AFZxnZc.jpg DelFix

Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix)
or from here http://www.bleepingcomputer.com/download/delfix/ and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:

Activate UAC
Remove disinfection tools


Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


~~~~~~~~~~~~~~~`


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


The following programmes come highly recommended in the security community.

http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xKsUqI5A.png.pagespeed.ic.vn1Hlvqi8h.jpgAdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
http://i.imgur.com/E8I37RF.pngCryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (eg.CryptoPrevent), preventing your files from being encrypted.
http://i.imgur.com/EG85Vjt.png Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/x6YRrgUC.png.pagespeed.ic.HjgFxjvw2Z.jpgMalwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xjv4nhMJ.png.pagespeed.ic.A5YbWn1eDO.png NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
http://i.imgur.com/3O8r9Uq.png (http://www.sandboxie.com/) Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/DgW1XL2.png.pagespeed.ce.v1OlJl_ZAS.png Secuina PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xj1OLIec.png.pagespeed.ic.k6hhwopU0q.jpg SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xJEP5iWI.png.pagespeed.ic.4tmM1lM7DQ.pngWeb of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
Juliet
2015-02-22, 15:01
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif

Since this issue appears resolved ... this Topic is closed.