
Redirect virus that keeps changing my DNS


  • This topic is locked
28 replies to this topic

#1 whatsinaname

  • Members
  • 36 posts
  • Local time:02:55 AM

Posted 05 April 2016 - 10:13 PM

I have been infected by a redirect virus on my Windows 10 desktop. This affects all the other computers and mobile devices on my home Wi-Fi network. In the browsers of all the devices, I keep getting redirected to a site called www.tradeadexchange.com, which then further redirects me to some other ad sites. I have scanned the computer with various malware tools (including Windows Defender and Malwarebytes), but none seems to detect anything. This virus also changes my modem DNS automatically. I keep it set to 'Obtain DNS Server address automatically,' but the next time I check, it has been set to use some other preferred and alternate DNS server addresses. I have tried everything I can think of: reinstalled firmware on both my modem and router, cleared browser data on all devices, but this thing just doesn't go away. Please help.

 

-----------------------

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by raj (administrator) on DESKTOP (06-04-2016 08:16:03)
Running from D:\Downloads
Loaded Profiles: --
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\50.0.2661.22\remoting_host.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
() C:\Program Files\Nitro\Pro 9\Nitro_UpdateService.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Nitro PDF Software) C:\Program Files\Nitro\Pro 9\NitroPDFDriverService9x64.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\50.0.2661.22\remoting_host.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation) C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(© 2015 Microsoft Corporation) C:\Users\raj\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(SurfRight B.V.) D:\Downloads\HitmanPro_x64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(McAfee Inc) D:\Downloads\stinger32.exe
(McAfee Inc.) C:\Program Files\McAfee\Real Protect\RealProtect.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\SrTasks.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13671792 2014-03-14] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472984 2013-06-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKLM\...\RunOnce: [RealProtect] => C:\Program Files\McAfee\Real Protect\RealProtect.exe [1716592 2016-04-06] (McAfee Inc.)
HKLM-x32\...\Winlogon: [Userinit]  [X]
HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\Run: [Google Update] => C:\Users\raj\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-28] (Google Inc.)
HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\Run: [Google Photos Backup] => C:\Users\raj\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe [3791176 2015-12-11] (Google, Inc)
HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\Run: [BingSvc] => C:\Users\raj\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
GroupPolicyUsers\S-1-5-21-1409686930-1291303467-1380052953-1006\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1409686930-1291303467-1380052953-1005\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1409686930-1291303467-1380052953-1004\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1409686930-1291303467-1380052953-1001\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5-x64 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{04e71261-dd5d-4da2-9ffa-956f6b73f9de}: [DhcpNameServer] 192.168.0.1
ManualProxies: 
 
Internet Explorer:
==================
HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://google.co.in/
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll [2016-03-15] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-08-06] (Oracle Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
BHO-x32: FlashGetBHO -> {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} -> C:\Users\raj\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll [2012-11-01] (Trend Media Group)
BHO-x32: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files (x86)\Free Download Manager\iefdm2.dll [2015-08-07] (FreeDownloadManager.ORG)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL [2016-03-15] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-08-06] (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-09-10] (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL [2015-09-10] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-09-10] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-08-06] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-08-06] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL [2015-09-10] (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 9\npnitromozilla.dll [2014-07-16] (Nitro PDF)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-11-25] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-11-25] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-27] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1409686930-1291303467-1380052953-1001: @tools.google.com/Google Update;version=3 -> C:\Users\raj\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-1409686930-1291303467-1380052953-1001: @tools.google.com/Google Update;version=9 -> C:\Users\raj\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\Firefox\Extensions: [fdm_ffext@freedownloadmanager.org] - C:\ProgramData\Free Download Manager\Firefox\Extensions\2.1.4
FF Extension: Free Download Manager extension - C:\ProgramData\Free Download Manager\Firefox\Extensions\2.1.4 [2016-03-25]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://mail.ru/cnt/7993/"
CHR DefaultSearchURL: Default -> hxxp://www.google.co.in/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
CHR DefaultSearchKeyword: Default -> google.co.in__
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Adblock Plus) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-09]
CHR Extension: (Google Search) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (User-Agent Switcher for Google Chrome) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffhkkpnppgnfaobgihpdblnhmmbodake [2016-04-06]
CHR Extension: (Chrome Remote Desktop) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp [2016-03-30]
CHR Extension: (Google Docs Offline) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Search Center) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndfplmdnbnefomnjiknbpejdceedhdmf [2015-05-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-01-08]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeActiveFileMonitor12.0; C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe [181152 2013-09-25] (Adobe Systems Incorporated)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-08] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-08] (Microsoft Corporation)
R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\50.0.2661.22\remoting_host.exe [69016 2016-03-08] (Google Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2828016 2016-02-09] (Microsoft Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2016-02-02] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 NitroDriverReadSpool9; C:\Program Files\Nitro\Pro 9\NitroPDFDriverService9x64.exe [230920 2014-07-16] (Nitro PDF Software)
R2 NitroUpdateService; C:\Program Files\Nitro\Pro 9\Nitro_UpdateService.exe [417800 2014-07-16] ()
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-03-06] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
S2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2015-08-25] (Google Inc)
R3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [49584 2016-04-06] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
S3 netr28ux; C:\Windows\System32\drivers\netr28ux.sys [2196480 2015-10-30] (MediaTek Inc.)
S3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38216 2014-10-04] (NVIDIA Corporation)
R0 PxHlpa64; C:\Windows\System32\drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
S3 tap0903; C:\Windows\system32\DRIVERS\tap0903.sys [39424 2014-10-01] (The OpenVPN Project)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 XtuAcpiDriver; C:\Windows\System32\drivers\XtuAcpiDriver.sys [63840 2016-02-02] (Intel Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-06 08:04 - 2016-04-06 08:16 - 00000000 ____D C:\FRST
2016-04-06 08:04 - 2016-04-06 08:04 - 00000000 ____D C:\ProgramData\USOShared
2016-04-06 08:04 - 2016-04-06 08:04 - 00000000 ____D C:\ProgramData\USOPrivate
2016-04-06 08:04 - 2016-04-06 08:04 - 00000000 ____D C:\Program Files\McAfee
2016-04-06 08:03 - 2016-04-06 08:03 - 00000000 ____D C:\Program Files (x86)\stinger
2016-04-06 07:37 - 2016-04-06 07:37 - 00049584 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2016-04-06 07:37 - 2016-04-06 07:37 - 00000000 ____D C:\ProgramData\HitmanPro
2016-04-04 22:55 - 2016-04-04 22:55 - 00001162 _____ C:\Users\raj\Desktop\explorer.lnk
2016-04-04 22:54 - 2016-04-04 22:54 - 00000146 _____ C:\Users\raj\Desktop\Sound.lnk
2016-04-03 11:11 - 2016-04-03 11:11 - 00000000 ____D C:\Users\Jovi\AppData\Local\iClone
2016-04-02 22:30 - 2016-04-02 22:30 - 00001984 _____ C:\Users\Public\Desktop\iClone v6.42 PRO.lnk
2016-04-02 22:09 - 2016-04-02 22:09 - 00000000 ____D C:\Users\raj\AppData\Local\iClone
2016-04-02 22:09 - 2016-04-02 22:09 - 00000000 ____D C:\Pack
2016-04-02 22:06 - 2016-04-02 22:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iClone 6
2016-04-02 22:06 - 2016-04-02 22:06 - 00000000 ____D C:\ProgramData\Reallusion
2016-04-02 22:05 - 2016-04-02 22:05 - 00000000 ____D C:\Program Files\Reallusion
2016-04-02 15:37 - 2016-04-03 19:27 - 00000000 ____D C:\Users\raj\AppData\Local\transmission
2016-03-28 11:47 - 2016-03-28 11:47 - 00000000 ____D C:\Users\Code\AppData\LocalLow\Temp
2016-03-28 08:52 - 2016-03-28 08:57 - 00000000 ____D C:\AdwCleaner
2016-03-27 08:11 - 2016-03-28 08:51 - 00003594 _____ C:\Users\raj\Desktop\Rkill.txt
2016-03-25 15:57 - 2016-03-25 15:57 - 00000000 ____D C:\ProgramData\Free Download Manager
2016-03-23 15:21 - 2016-03-23 17:13 - 00278609 _____ C:\Users\raj\Desktop\GMP forms.xlsx
2016-03-20 20:06 - 2016-03-20 20:06 - 00001175 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-20 20:06 - 2016-03-20 20:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-16 09:59 - 2016-03-16 09:59 - 00000000 ___RD C:\Users\Code\3D Objects
2016-03-09 09:32 - 2016-02-24 15:21 - 07474528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-03-09 09:32 - 2016-02-24 12:10 - 01224704 _____ (Microsoft Corporation) C:\WINDOWS\system32\Unistore.dll
2016-03-09 09:32 - 2016-02-24 11:41 - 03593216 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-03-09 09:32 - 2016-02-24 11:37 - 00949248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Unistore.dll
2016-03-09 09:32 - 2016-02-24 11:30 - 02273792 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-03-09 09:32 - 2016-02-24 11:25 - 01996288 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActiveSyncProvider.dll
2016-03-09 09:32 - 2016-02-24 11:04 - 01707520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ActiveSyncProvider.dll
2016-03-09 09:32 - 2016-02-24 10:50 - 22376960 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-03-09 09:32 - 2016-02-24 10:48 - 18677760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-03-09 09:32 - 2016-02-24 10:42 - 19339776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-03-09 09:32 - 2016-02-24 10:40 - 24600576 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-03-09 09:31 - 2016-03-01 11:01 - 00848168 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsvr.dll
2016-03-09 09:31 - 2016-03-01 10:52 - 00709688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsvr.dll
2016-03-09 09:31 - 2016-02-24 15:22 - 01997328 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2016-03-09 09:31 - 2016-02-24 15:18 - 00713568 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-03-09 09:31 - 2016-02-24 15:17 - 01173344 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-03-09 09:31 - 2016-02-24 15:10 - 00513888 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-03-09 09:31 - 2016-02-24 15:04 - 01613664 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
2016-03-09 09:31 - 2016-02-24 14:58 - 03449168 _____ (Microsoft Corporation) C:\WINDOWS\system32\WSService.dll
2016-03-09 09:31 - 2016-02-24 14:45 - 01557768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2016-03-09 09:31 - 2016-02-24 14:28 - 00794888 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfds.dll
2016-03-09 09:31 - 2016-02-24 14:24 - 00127840 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBSTOR.SYS
2016-03-09 09:31 - 2016-02-24 14:21 - 01322248 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2016-03-09 09:31 - 2016-02-24 14:20 - 00808800 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2016-03-09 09:31 - 2016-02-24 14:16 - 06607080 _____ (Microsoft Corporation) C:\WINDOWS\system32\windows.storage.dll
2016-03-09 09:31 - 2016-02-24 14:13 - 00625000 _____ (Microsoft Corporation) C:\WINDOWS\system32\ClipSVC.dll
2016-03-09 09:31 - 2016-02-24 14:09 - 00358752 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2016-03-09 09:31 - 2016-02-24 14:09 - 00141560 _____ (Microsoft Corporation) C:\WINDOWS\system32\AuthHost.exe
2016-03-09 09:31 - 2016-02-24 13:49 - 00670928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfds.dll
2016-03-09 09:31 - 2016-02-24 13:44 - 00216416 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxAllUserStore.dll
2016-03-09 09:31 - 2016-02-24 13:41 - 01997152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-03-09 09:31 - 2016-02-24 13:41 - 00957608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2016-03-09 09:31 - 2016-02-24 13:41 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2016-03-09 09:31 - 2016-02-24 13:41 - 00652392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxgi.dll
2016-03-09 09:31 - 2016-02-24 13:41 - 00394080 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
2016-03-09 09:31 - 2016-02-24 13:41 - 00258280 _____ (Microsoft Corporation) C:\WINDOWS\system32\sqmapi.dll
2016-03-09 09:31 - 2016-02-24 13:40 - 00630632 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2016-03-09 09:31 - 2016-02-24 13:40 - 00576864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-03-09 09:31 - 2016-02-24 13:39 - 00640472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2016-03-09 09:31 - 2016-02-24 13:39 - 00147808 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2016-03-09 09:31 - 2016-02-24 13:36 - 05242496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\windows.storage.dll
2016-03-09 09:31 - 2016-02-24 13:29 - 00294752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2016-03-09 09:31 - 2016-02-24 13:09 - 00045568 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataTypeHelperUtil.dll
2016-03-09 09:31 - 2016-02-24 13:09 - 00023552 _____ (Microsoft Corporation) C:\WINDOWS\system32\ExtrasXmlParser.dll
2016-03-09 09:31 - 2016-02-24 13:08 - 00187744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxAllUserStore.dll
2016-03-09 09:31 - 2016-02-24 13:08 - 00111616 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataTimeUtil.dll
2016-03-09 09:31 - 2016-02-24 13:07 - 00045056 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataLanguageUtil.dll
2016-03-09 09:31 - 2016-02-24 13:06 - 00060416 _____ (Microsoft Corporation) C:\WINDOWS\system32\PimIndexMaintenanceClient.dll
2016-03-09 09:31 - 2016-02-24 13:05 - 00540752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
2016-03-09 09:31 - 2016-02-24 13:05 - 00523752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxgi.dll
2016-03-09 09:31 - 2016-02-24 13:05 - 00220064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sqmapi.dll
2016-03-09 09:31 - 2016-02-24 13:05 - 00045568 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2016-03-09 09:31 - 2016-02-24 13:03 - 00538736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2016-03-09 09:31 - 2016-02-24 13:03 - 00141664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2016-03-09 09:31 - 2016-02-24 13:01 - 00118272 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontsub.dll
2016-03-09 09:31 - 2016-02-24 13:00 - 00025600 _____ (Microsoft Corporation) C:\WINDOWS\system32\wfapigp.dll
2016-03-09 09:31 - 2016-02-24 12:58 - 00070656 _____ (Microsoft Corporation) C:\WINDOWS\system32\POSyncServices.dll
2016-03-09 09:31 - 2016-02-24 12:53 - 00091648 _____ (Microsoft Corporation) C:\WINDOWS\system32\asycfilt.dll
2016-03-09 09:31 - 2016-02-24 12:53 - 00068096 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataPlatformHelperUtil.dll
2016-03-09 09:31 - 2016-02-24 12:52 - 00196608 _____ (Microsoft Corporation) C:\WINDOWS\system32\fwpolicyiomgr.dll
2016-03-09 09:31 - 2016-02-24 12:50 - 00195072 _____ (Microsoft Corporation) C:\WINDOWS\system32\VCardParser.dll
2016-03-09 09:31 - 2016-02-24 12:50 - 00167936 _____ (Microsoft Corporation) C:\WINDOWS\system32\dafBth.dll
2016-03-09 09:31 - 2016-02-24 12:50 - 00087552 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxSysprep.dll
2016-03-09 09:31 - 2016-02-24 12:49 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\dssvc.dll
2016-03-09 09:31 - 2016-02-24 12:49 - 00031232 _____ (Microsoft Corporation) C:\WINDOWS\system32\seclogon.dll
2016-03-09 09:31 - 2016-02-24 12:45 - 00365568 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2016-03-09 09:31 - 2016-02-24 12:44 - 00274944 _____ (Microsoft Corporation) C:\WINDOWS\system32\ExSMime.dll
2016-03-09 09:31 - 2016-02-24 12:43 - 00121856 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppointmentActivation.dll
2016-03-09 09:31 - 2016-02-24 12:42 - 00243712 _____ (Microsoft Corporation) C:\WINDOWS\system32\cemapi.dll
2016-03-09 09:31 - 2016-02-24 12:42 - 00221184 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhoneCallHistoryApis.dll
2016-03-09 09:31 - 2016-02-24 12:40 - 00093184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpninprc.dll
2016-03-09 09:31 - 2016-02-24 12:39 - 00258560 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataAccountApis.dll
2016-03-09 09:31 - 2016-02-24 12:39 - 00161792 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxSip.dll
2016-03-09 09:31 - 2016-02-24 12:37 - 00252928 _____ (Microsoft Corporation) C:\WINDOWS\system32\PimIndexMaintenance.dll
2016-03-09 09:31 - 2016-02-24 12:35 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2016-03-09 09:31 - 2016-02-24 12:33 - 00088576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\olepro32.dll
2016-03-09 09:31 - 2016-02-24 12:32 - 00161280 _____ (Microsoft Corporation) C:\WINDOWS\system32\CallHistoryClient.dll
2016-03-09 09:31 - 2016-02-24 12:31 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-03-09 09:31 - 2016-02-24 12:31 - 00146432 _____ (Microsoft Corporation) C:\WINDOWS\system32\AuthBroker.dll
2016-03-09 09:31 - 2016-02-24 12:31 - 00067584 _____ (Microsoft Corporation) C:\WINDOWS\system32\profext.dll
2016-03-09 09:31 - 2016-02-24 12:30 - 00214528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Devices.Scanners.dll
2016-03-09 09:31 - 2016-02-24 12:29 - 00450560 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Bluetooth.dll
2016-03-09 09:31 - 2016-02-24 12:29 - 00360448 _____ (Microsoft Corporation) C:\WINDOWS\system32\vaultsvc.dll
2016-03-09 09:31 - 2016-02-24 12:29 - 00318976 _____ (Microsoft Corporation) C:\WINDOWS\system32\domgmt.dll
2016-03-09 09:31 - 2016-02-24 12:28 - 00685568 _____ (Microsoft Corporation) C:\WINDOWS\system32\scapi.dll
2016-03-09 09:31 - 2016-02-24 12:25 - 00790528 _____ (Microsoft Corporation) C:\WINDOWS\system32\EmailApis.dll
2016-03-09 09:31 - 2016-02-24 12:25 - 00224256 _____ (Microsoft Corporation) C:\WINDOWS\system32\PackageStateRoaming.dll
2016-03-09 09:31 - 2016-02-24 12:25 - 00018944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ExtrasXmlParser.dll
2016-03-09 09:31 - 2016-02-24 12:24 - 00526336 _____ (Microsoft Corporation) C:\WINDOWS\system32\FirewallAPI.dll
2016-03-09 09:31 - 2016-02-24 12:24 - 00288768 _____ (Microsoft Corporation) C:\WINDOWS\system32\vaultcli.dll
2016-03-09 09:31 - 2016-02-24 12:24 - 00228352 _____ (Microsoft Corporation) C:\WINDOWS\system32\wsqmcons.exe
2016-03-09 09:31 - 2016-02-24 12:24 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataTypeHelperUtil.dll
2016-03-09 09:31 - 2016-02-24 12:23 - 00089088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataTimeUtil.dll
2016-03-09 09:31 - 2016-02-24 12:23 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataLanguageUtil.dll
2016-03-09 09:31 - 2016-02-24 12:22 - 00451584 _____ (Microsoft Corporation) C:\WINDOWS\system32\werui.dll
2016-03-09 09:31 - 2016-02-24 12:22 - 00048128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PimIndexMaintenanceClient.dll
2016-03-09 09:31 - 2016-02-24 12:21 - 00037376 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2016-03-09 09:31 - 2016-02-24 12:19 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ChatApis.dll
2016-03-09 09:31 - 2016-02-24 12:17 - 00093696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontsub.dll
2016-03-09 09:31 - 2016-02-24 12:16 - 00020480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wfapigp.dll
2016-03-09 09:31 - 2016-02-24 12:14 - 01713664 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRHInproc.dll
2016-03-09 09:31 - 2016-02-24 12:14 - 00915456 _____ (Microsoft Corporation) C:\WINDOWS\system32\configurationclient.dll
2016-03-09 09:31 - 2016-02-24 12:14 - 00700416 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppointmentApis.dll
2016-03-09 09:31 - 2016-02-24 12:14 - 00056320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\POSyncServices.dll
2016-03-09 09:31 - 2016-02-24 12:13 - 00957952 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRH.dll
2016-03-09 09:31 - 2016-02-24 12:13 - 00286720 _____ (Microsoft Corporation) C:\WINDOWS\system32\deviceaccess.dll
2016-03-09 09:31 - 2016-02-24 12:11 - 00982016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxPackaging.dll
2016-03-09 09:31 - 2016-02-24 12:11 - 00436736 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentClient.dll
2016-03-09 09:31 - 2016-02-24 12:10 - 00078848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\asycfilt.dll
2016-03-09 09:31 - 2016-02-24 12:10 - 00056320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataPlatformHelperUtil.dll
2016-03-09 09:31 - 2016-02-24 12:09 - 01390592 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2016-03-09 09:31 - 2016-02-24 12:09 - 00164864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fwpolicyiomgr.dll
2016-03-09 09:31 - 2016-02-24 12:08 - 00150528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VCardParser.dll
2016-03-09 09:31 - 2016-02-24 12:06 - 01847808 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMPDMC.exe
2016-03-09 09:31 - 2016-02-24 12:04 - 00938496 _____ (Microsoft Corporation) C:\WINDOWS\system32\ContactApis.dll
2016-03-09 09:31 - 2016-02-24 12:04 - 00303104 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2016-03-09 09:31 - 2016-02-24 12:02 - 00223744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ExSMime.dll
2016-03-09 09:31 - 2016-02-24 12:02 - 00098304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppointmentActivation.dll
2016-03-09 09:31 - 2016-02-24 12:01 - 00200704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cemapi.dll
2016-03-09 09:31 - 2016-02-24 12:01 - 00169984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PhoneCallHistoryApis.dll
2016-03-09 09:31 - 2016-02-24 11:58 - 00870912 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPSSVC.dll
2016-03-09 09:31 - 2016-02-24 11:58 - 00196608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataAccountApis.dll
2016-03-09 09:31 - 2016-02-24 11:58 - 00135168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxSip.dll
2016-03-09 09:31 - 2016-02-24 11:55 - 00401408 _____ (Microsoft Corporation) C:\WINDOWS\system32\sharemediacpl.dll
2016-03-09 09:31 - 2016-02-24 11:53 - 00129024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CallHistoryClient.dll
2016-03-09 09:31 - 2016-02-24 11:52 - 00053248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\profext.dll
2016-03-09 09:31 - 2016-02-24 11:51 - 00315904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Internal.Bluetooth.dll
2016-03-09 09:31 - 2016-02-24 11:51 - 00168448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Devices.Scanners.dll
2016-03-09 09:31 - 2016-02-24 11:48 - 01490432 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataService.dll
2016-03-09 09:31 - 2016-02-24 11:48 - 00575488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\EmailApis.dll
2016-03-09 09:31 - 2016-02-24 11:48 - 00184832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PackageStateRoaming.dll
2016-03-09 09:31 - 2016-02-24 11:47 - 00369664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FirewallAPI.dll
2016-03-09 09:31 - 2016-02-24 11:46 - 00394752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werui.dll
2016-03-09 09:31 - 2016-02-24 11:43 - 00540160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ChatApis.dll
2016-03-09 09:31 - 2016-02-24 11:39 - 01443328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRHInproc.dll
2016-03-09 09:31 - 2016-02-24 11:39 - 00793600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRH.dll
2016-03-09 09:31 - 2016-02-24 11:39 - 00552960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppointmentApis.dll
2016-03-09 09:31 - 2016-02-24 11:39 - 00228352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\deviceaccess.dll
2016-03-09 09:31 - 2016-02-24 11:37 - 00890368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxPackaging.dll
2016-03-09 09:31 - 2016-02-24 11:37 - 00342528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppXDeploymentClient.dll
2016-03-09 09:31 - 2016-02-24 11:34 - 01497088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMPDMC.exe
2016-03-09 09:31 - 2016-02-24 11:33 - 00769536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ContactApis.dll
2016-03-09 09:31 - 2016-02-24 11:31 - 01831936 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2016-03-09 09:31 - 2016-02-24 11:30 - 01098752 _____ (Microsoft Corporation) C:\WINDOWS\system32\dosvc.dll
2016-03-09 09:31 - 2016-02-24 11:27 - 02158592 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2016-03-09 09:31 - 2016-02-24 11:13 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\fwbase.dll
2016-03-09 09:31 - 2016-02-24 10:52 - 00163328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fwbase.dll
2016-03-09 09:31 - 2016-02-24 10:42 - 05321728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-03-09 09:31 - 2016-02-24 10:39 - 06972416 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-03-09 09:31 - 2016-02-24 10:35 - 12586496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll
2016-03-09 09:31 - 2016-02-24 10:33 - 14252544 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2016-03-09 09:31 - 2016-02-24 10:29 - 05661696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-03-09 09:31 - 2016-02-24 10:25 - 07835648 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-03-07 13:42 - 2016-03-07 13:42 - 00000000 ____D C:\Users\Jovi\AppData\LocalLow\Google
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-06 07:46 - 2015-08-06 14:21 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-06 07:46 - 2014-11-26 10:08 - 00000406 _____ C:\WINDOWS\Tasks\WpsNotifyTask_raj.job
2016-04-06 07:38 - 2015-06-04 16:02 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1409686930-1291303467-1380052953-1001UA.job
2016-04-06 07:34 - 2015-06-16 12:25 - 00000406 _____ C:\WINDOWS\Tasks\WpsUpdateTask_raj.job
2016-04-06 07:32 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-04-06 07:27 - 2016-02-05 12:12 - 00000000 ____D C:\Users\raj
2016-04-06 07:27 - 2016-02-05 12:09 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-04-06 07:27 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\system32\AppLocker
2016-04-06 07:27 - 2015-08-06 14:21 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-06 07:27 - 2014-11-25 18:20 - 00000000 __SHD C:\Users\raj\IntelGraphicsProfiles
2016-04-06 07:10 - 2015-10-30 12:51 - 00000000 ____D C:\WINDOWS\INF
2016-04-06 07:10 - 2015-08-06 12:16 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-04-06 07:05 - 2016-02-05 12:26 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-04-06 07:05 - 2016-02-05 12:09 - 00000000 ____D C:\ProgramData\NVIDIA
2016-04-05 22:55 - 2014-11-25 20:52 - 00000000 ____D C:\Users\raj\AppData\Roaming\vlc
2016-04-05 20:43 - 2014-11-25 20:06 - 00004148 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{341632BF-1E94-474E-8F1F-86BE8BB15A27}
2016-04-05 17:01 - 2015-02-21 12:57 - 00000000 ____D C:\Users\raj\AppData\Local\ElevatedDiagnostics
2016-04-05 15:38 - 2015-06-04 16:02 - 00000864 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1409686930-1291303467-1380052953-1001Core.job
2016-04-05 07:28 - 2015-10-30 12:54 - 00000000 ___HD C:\Program Files\WindowsApps
2016-04-04 16:18 - 2015-06-19 22:07 - 00000000 ____D C:\Users\raj\AppData\Roaming\Skype
2016-04-04 11:51 - 2015-01-15 11:26 - 00000000 ____D C:\Users\raj\AppData\Roaming\Nitro
2016-04-03 17:08 - 2014-12-30 11:20 - 00000000 ____D C:\Users\Jazz\AppData\Local\Google
2016-04-03 16:15 - 2014-11-29 16:58 - 00000000 ____D C:\Users\Jazz\AppData\Roaming\.minecraft
2016-04-03 16:14 - 2014-11-28 15:10 - 00000000 __SHD C:\Users\Jazz\IntelGraphicsProfiles
2016-04-03 11:11 - 2014-11-28 17:02 - 00000000 __SHD C:\Users\Jovi\IntelGraphicsProfiles
2016-04-03 10:20 - 2015-06-10 15:25 - 00000000 __SHD C:\Users\Code\IntelGraphicsProfiles
2016-04-03 08:57 - 2015-05-19 09:15 - 00008704 _____ C:\Users\raj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-04-02 22:05 - 2014-11-25 20:44 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-04-02 00:33 - 2016-02-05 12:12 - 00000000 ____D C:\Users\Jovi
2016-04-02 00:33 - 2016-02-05 12:12 - 00000000 ____D C:\Users\Code
2016-04-01 22:40 - 2014-12-30 11:01 - 00004150 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{BE049CD2-7B1C-4DB5-9848-24A6126E40A6}
2016-04-01 19:13 - 2014-12-31 18:49 - 00004150 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{50F12FEC-B8DA-442C-82A5-39F955804FEF}
2016-03-31 17:07 - 2015-08-25 11:48 - 00000000 ____D C:\Users\raj\AppData\Roaming\Free Download Manager
2016-03-31 16:45 - 2016-02-05 12:36 - 00000604 __RSH C:\Users\raj\ntuser.pol
2016-03-31 10:57 - 2016-02-22 17:38 - 00000000 ____D C:\Users\Code\AppData\Roaming\Skype
2016-03-31 07:15 - 2016-02-05 12:12 - 00000000 ____D C:\Users\Jazz
2016-03-30 12:47 - 2014-11-25 22:24 - 00000000 ____D C:\Program Files (x86)\Google
2016-03-30 00:57 - 2015-11-04 09:44 - 00000000 ____D C:\Users\raj\AppData\Roaming\Adobe
2016-03-30 00:47 - 2015-08-06 14:22 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-29 15:09 - 2014-11-28 15:10 - 00000000 ____D C:\Users\Jazz\AppData\Local\Packages
2016-03-29 10:58 - 2015-06-10 15:25 - 00000000 ____D C:\Users\Code\AppData\Local\Packages
2016-03-29 10:57 - 2014-11-28 17:02 - 00000000 ____D C:\Users\Jovi\AppData\Local\Packages
2016-03-29 08:01 - 2014-11-25 16:25 - 00000000 ____D C:\Users\raj\AppData\Local\Packages
2016-03-28 08:57 - 2015-10-30 11:58 - 01572864 ___SH C:\WINDOWS\system32\config\BBI
2016-03-27 08:20 - 2015-05-29 17:13 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-03-25 15:57 - 2015-08-25 11:48 - 00001140 _____ C:\Users\raj\Desktop\Free Download Manager.lnk
2016-03-24 14:01 - 2014-11-24 13:27 - 03731600 _____ C:\Users\raj\Desktop\DIR803_FW104b02.bin
2016-03-24 01:28 - 2015-10-30 12:41 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-03-20 20:06 - 2015-05-29 17:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-03-19 17:56 - 2015-12-18 09:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LEGO MARVEL Super Heroes
2016-03-15 15:28 - 2015-10-30 12:54 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-03-15 15:27 - 2015-09-10 18:44 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-03-13 11:39 - 2015-08-07 20:17 - 00002401 _____ C:\Users\Jazz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-03-13 11:39 - 2015-08-07 20:17 - 00000000 ___RD C:\Users\Jazz\OneDrive
2016-03-12 00:49 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-03-11 15:40 - 2015-08-06 13:50 - 00002401 _____ C:\Users\Jovi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-03-11 15:40 - 2015-08-06 13:50 - 00000000 ___RD C:\Users\Jovi\OneDrive
2016-03-11 12:45 - 2015-01-15 11:33 - 00000000 ____D C:\Users\raj\AppData\Roaming\Nitro PDF
2016-03-11 12:38 - 2015-08-06 12:27 - 00002398 _____ C:\Users\raj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-03-10 10:43 - 2016-02-05 12:05 - 00495456 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-03-10 00:35 - 2015-10-30 12:54 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-03-10 00:35 - 2015-10-30 12:54 - 00000000 ____D C:\Program Files\Windows Multimedia Platform
2016-03-10 00:35 - 2015-10-30 12:54 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2016-03-10 00:35 - 2015-10-30 12:54 - 00000000 ____D C:\Program Files (x86)\Windows Multimedia Platform
2016-03-09 11:00 - 2014-11-25 17:06 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-03-09 10:54 - 2014-11-25 17:06 - 143659408 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-03-09 09:29 - 2014-11-28 17:02 - 00000000 ____D C:\Users\Jovi\AppData\Local\Google
2016-03-09 09:28 - 2015-08-07 17:15 - 00000000 ____D C:\Users\Jovi\AppData\Local\MicrosoftEdge
2016-03-08 12:42 - 2015-10-30 12:56 - 00829944 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-03-08 12:42 - 2015-10-30 12:56 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
 
==================== Files in the root of some directories =======
 
2015-06-24 12:21 - 2015-06-24 12:21 - 0000132 _____ () C:\Users\raj\AppData\Roaming\Adobe GIF Format CS5 Prefs
2015-06-12 00:22 - 2015-09-15 21:04 - 0000132 _____ () C:\Users\raj\AppData\Roaming\Adobe PNG Format CS5 Prefs
2015-05-19 09:15 - 2016-04-03 08:57 - 0008704 _____ () C:\Users\raj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-11-28 23:49 - 2014-12-13 12:05 - 0007622 _____ () C:\Users\raj\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Code\AppData\Local\Temp\ubi57E9.tmp.exe
C:\Users\raj\AppData\Local\Temp\SkypeSetup.exe
C:\Users\raj\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\wininit.exe IS MISSING <==== ATTENTION
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-04-04 12:31
 
==================== End of FRST.txt ============================


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,196 posts
  • Gender:Male
  • Location:California
  • Local time:01:25 PM

Posted 06 April 2016 - 03:50 PM

Greetings whatsinaname and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Before doing anything can you tell me:

Are you familiar with mail.ru?
Did you set any User Restrictions?
Does WpsUpdateTask_raj.job look familiar?

When you ran FRST an Addition.txt report should have been placed on your Desktop. Please copy and paste the contents in your reply.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"For unto us a Child is born, Unto us a Son is given;"

#3 whatsinaname

  • Topic Starter
  • Members
  • 36 posts
  • Local time:02:55 AM

Posted 06 April 2016 - 08:01 PM

Hi Gary, thank you for replying. My name is Raj.

 

Are you familiar with mail.ru?
Did you set any User Restrictions?
Does WpsUpdateTask_raj.job look familiar?

No, I'm not familiar with mail.ru

Yes, I have set user restrictions on the other (kids) user accounts - like screen time restrictions, program restrictions, and internet restrictions.

I think WpsUpdateTask_raj.job is the updater program for Kingsoft free office suite. I'm not sure though. I can remove it and update manually from time to time if you think it has been corrupted.

 

Addition.txt report:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by raj (2016-04-06 08:19:09)
Running from D:\Downloads
Windows 7 Ultimate (X64) (2016-02-05 07:05:16)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1409686930-1291303467-1380052953-500 - Administrator - Disabled)
Code (S-1-5-21-1409686930-1291303467-1380052953-1006 - Limited - Enabled) => C:\Users\Code
DefaultAccount (S-1-5-21-1409686930-1291303467-1380052953-503 - Limited - Disabled)
Guest (S-1-5-21-1409686930-1291303467-1380052953-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1409686930-1291303467-1380052953-1003 - Limited - Enabled)
Jazz (S-1-5-21-1409686930-1291303467-1380052953-1004 - Limited - Enabled) => C:\Users\Jazz
Jovi (S-1-5-21-1409686930-1291303467-1380052953-1005 - Limited - Enabled) => C:\Users\Jovi
raj (S-1-5-21-1409686930-1291303467-1380052953-1001 - Administrator - Enabled) => C:\Users\raj
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Photoshop Elements 12 (HKLM-x32\...\Adobe Photoshop Elements 12) (Version: 12.0 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.13) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.13 - Adobe Systems Incorporated)
Aiseesoft Total Video Converter Platinum 7.1.30 (HKLM-x32\...\{3661F243-518C-4d05-8BDF-7B10CC22689F}_is1) (Version: 7.1.30 - Aiseesoft Studio)
CCleaner (HKLM\...\CCleaner) (Version: 5.02 - Piriform)
Chrome Remote Desktop Host (HKLM-x32\...\{C230A275-D2A0-446B-ACE5-06BF067D50F2}) (Version: 50.0.2661.22 - Google Inc.)
ComicRack v0.9.176 (HKLM\...\ComicRack) (Version: v0.9.176 - cYo Soft)
CyberLink PowerDirector 11 (HKLM-x32\...\InstallShield_{551F492A-01B0-4DC4-866F-875EC4EDC0A8}) (Version: 11.0.0.4310 - CyberLink Corp.)
DAZ Install Manager (HKLM-x32\...\DAZ Install Manager 1.1.0.41) (Version: 1.1.0.41 - DAZ 3D)
DriverTools 1.0 (HKLM-x32\...\DriverTools) (Version: 1.0 - Huawei Technologies Co.,Ltd)
Elements 12 Organizer (x32 Version: 12.0 - Adobe Systems Incorporated) Hidden
Eureka Plus 3 (HKLM-x32\...\5ABC2524-EC94-4774-8209-D9B7D4E6A4D0) (Version: 1.0 - Macmillan Publishers India Ltd.)
Far Cry 4 version 1.0.0 (HKLM-x32\...\Far Cry 4_is1) (Version: 1.0.0 - Ubisoft)
FlashGet3.7 (HKLM-x32\...\FlashGet3.7) (Version: 3.7.0.1220 - hxxp://www.FlashGet.com)
Free Download Manager 3.9.6 (HKLM-x32\...\Free Download Manager_is1) (Version:  - FreeDownloadManager.ORG)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 49.0.2623.110 - Google Inc.)
Google Earth Pro (HKLM-x32\...\{FBAA5E9E-8614-11E1-B079-B8AC6F97B88E}) (Version: 6.2.2.6613 - Google)
Google Photos Backup (HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\Google Photos Backup) (Version: 1.1.1.276 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
Helium (HKLM-x32\...\{9A781940-AC41-4D5E-8E1E-76A04B916FB9}) (Version: 1.0.0 - ClockworkMod)
iClone v6.42 PRO (HKLM-x32\...\{9FDDEF0B-4D60-4A36-981B-269C787DB23E}) (Version: 6.42.2725.1 - Reallusion Inc.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3960 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Java 8 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
LEGO MARVEL Super Heroes (HKLM-x32\...\LEGO MARVEL Super Heroes_is1) (Version:  - Warner Bros. Games)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 15.0.4805.1003 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Minecraft1.8 (HKLM-x32\...\Minecraft1.8) (Version:  - )
Minimal ADB and Fastboot version 1.2 (HKLM-x32\...\{06C90FCC-4C95-4142-A0AF-D3A4C12882DE}_is1) (Version: 1.2 - Sam Rodberg)
MotionDV STUDIO 6.0E LE for DV (HKLM-x32\...\{4C41DF54-F78D-404E-9E71-29EF5A00F1E9}) (Version:  - Matsushita Electric Industrial Co., Ltd.)
Nitro Pro 9 (HKLM\...\{540D0A57-FA6A-45DA-976D-9E40D9753508}) (Version: 9.5.2.29 - Nitro)
NVIDIA 3D Vision Controller Driver 352.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 352.65 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 359.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 359.06 - NVIDIA Corporation)
NVIDIA Graphics Driver 359.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 359.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.4 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (Version: 15.0.4805.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4805.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (Version: 15.0.4805.1003 - Microsoft Corporation) Hidden
paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)
PSE12 STI Installer (x32 Version: 12.0 - Adobe Systems Incorporated) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7200 - Realtek Semiconductor Corp.)
Recolored 1.1.0 (HKLM-x32\...\{6C9C70B9-4FDC-4D47-915B-84C4CE91C704}_is1) (Version: 1.1.0 - Bertheussen IT)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 8.0.0.9103 - Microsoft Corporation)
Skype™ 7.6 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.6.103 - Skype Technologies S.A.)
The Adventures of Tintin - The Secret of the Unicorn 1.0 (HKLM-x32\...\{3CC49D98-2914-4444-88F1-6739EBBD140E}_is1) (Version: 1.0 - Ubisoft Montpellier)
The Witness (HKLM\...\dGhld2l0bmVzcw_is1) (Version: 1 - )
TreeSize Free V2.7 (HKLM-x32\...\TreeSize Free_is1) (Version: 2.7 - JAM Software)
Trelby (HKLM-x32\...\Trelby) (Version: 2.2.0.0 - Trelby.org)
Tresorit (HKLM-x32\...\{CD0A00DB-66D3-4085-AEE5-2FB19D49380E}) (Version: 2.1.672.422 - Tresorit)
Tux Paint 0.9.22 (HKLM-x32\...\Tux Paint_is1) (Version:  - New Breed Software)
Ubisoft Game Launcher (HKLM-x32\...\{888F1505-C2B3-4FDE-835D-36353EBD4754}) (Version: 1.0.0.0 - UBISOFT)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.0 - VideoLAN)
VLC media player 2.0.7 (HKLM-x32\...\VLC media player) (Version: 2.0.7 - VideoLAN)
Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
WPS Office (9.1.0.4674) (HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\WPS Office) (Version: 9.1.0.4674 - Kingsoft Corp.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {071B712E-72CD-41EB-8331-C66F8A829107} - System32\Tasks\WpsNotifyTask_raj => C:\Users\raj\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4674\wtoolex\wpsnotify.exe [2015-06-16] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {11CDF3D0-3BB0-4DA8-8718-4BC9B6E374AC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {146DA7DD-3A04-4191-963B-343088709239} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-01-21] (Piriform Ltd)
Task: {4866A01B-4103-47BB-A71F-3B806ACD45B5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-06] (Google Inc.)
Task: {4AE99F13-26E0-491C-B293-D4F16E1A6D3A} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2016-03-15] (Microsoft Corporation)
Task: {4E8C9B62-C826-4ECC-AD32-E69AB64B5B48} - System32\Tasks\WpsUpdateTask_raj => C:\Users\raj\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4674\wtoolex\wpsupdate.exe [2016-03-28] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {50FB7D3D-4C73-4763-8206-EFDF8FFA9917} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {5B3FE65A-7A22-4741-BB77-32040014272B} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {743D2631-EE0B-41BF-BF61-0EF1DC372C4E} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1409686930-1291303467-1380052953-1001Core => C:\Users\raj\AppData\Local\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {862EA003-A626-4E51-83BC-586535A8590B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {8F0D4C06-3774-4B30-B626-D76335ACF143} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A1EF44C0-5823-4803-94FB-638891C86CF8} - System32\Tasks\{DA76F3BD-D64F-4BEF-B7D9-6903643B3E16} => pcalua.exe -a "C:\Program Files (x86)\Google\Google Earth Pro\googleearth.exe" -d "C:\Program Files (x86)\Google\Google Earth Pro\"
Task: {A974CB82-E3F6-4985-B93F-8886A84A73B1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B9BEBB14-E377-491E-A54A-24779A7C6993} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {BB859CF8-E966-4301-9450-41613C87CED5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {C3114A03-8D62-47B9-AEF1-6D4F3B3909DA} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1409686930-1291303467-1380052953-1001UA => C:\Users\raj\AppData\Local\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {CAD4D6B7-E67D-420E-B02F-38E0603429D5} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {DBE1BB74-0AC0-4C47-BAC9-E305A11A0E19} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {EFCD6B16-2A66-43E8-90FF-B4219B25DE48} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {F59C52F4-4E3C-4765-ABBD-70CF904A0612} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {F6A2D9D7-AD88-43DD-ADDC-E0D130C7CB4D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-06] (Google Inc.)
Task: {F94B20B0-E1BA-4BE7-BF93-F90CF5BEF8D1} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-03-09] (Microsoft Corporation)
Task: {F9B385CE-B280-427D-B912-B1AF38D7A08B} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-rajvasant@hotmail.com => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2013-06-03] (Adobe Systems Incorporated)
Task: {FB1F4238-BEDE-4B7F-B4E2-18525AA63117} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {FC8D0133-54D7-4AE8-A31D-80DBB918E3A5} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1409686930-1291303467-1380052953-1001Core.job => C:\Users\raj\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1409686930-1291303467-1380052953-1001UA.job => C:\Users\raj\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\WpsNotifyTask_raj.job => C:\Users\raj\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4674\wtoolex\wpsnotify.exe
Task: C:\WINDOWS\Tasks\WpsUpdateTask_raj.job => C:\Users\raj\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4674\wtoolex\wpsupdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-10-30 12:48 - 2015-10-30 12:48 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-02-05 12:09 - 2015-11-25 01:02 - 00116344 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-09-10 18:44 - 2015-10-13 04:34 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2014-07-16 15:08 - 2014-07-16 15:08 - 00417800 _____ () C:\Program Files\Nitro\Pro 9\Nitro_UpdateService.exe
2015-01-07 22:07 - 2013-03-06 14:42 - 00253776 _____ () C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
2016-03-02 12:34 - 2016-02-23 16:57 - 02654872 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-02-06 01:31 - 2016-02-06 01:31 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-02-05 13:28 - 2016-02-05 13:28 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeHost.exe
2016-03-02 12:34 - 2016-02-23 16:57 - 02654872 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-02-06 01:31 - 2016-02-06 01:31 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-03-02 12:33 - 2016-02-23 14:06 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-02-06 01:31 - 2016-02-06 01:31 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-02-06 01:31 - 2016-02-06 01:31 - 00936960 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-02-06 01:31 - 2016-02-06 01:31 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-02-06 01:31 - 2016-02-06 01:31 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-02-25 18:35 - 2016-02-25 18:35 - 00402624 _____ () C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE15\AppVIsvStream64.dll
2016-02-05 13:28 - 2016-02-05 13:28 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
2016-02-05 13:28 - 2016-02-05 13:28 - 22330368 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkyWrap.dll
2016-03-30 00:47 - 2016-03-27 13:28 - 01675928 _____ () C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.110\libglesv2.dll
2016-03-30 00:47 - 2016-03-27 13:28 - 00086168 _____ () C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.110\libegl.dll
2016-04-06 07:34 - 2016-04-05 12:27 - 17532096 _____ () C:\Users\raj\AppData\Local\Google\Chrome\User Data\PepperFlash\21.0.0.213\pepflashplayer.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\Users\raj\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\raj\20150315-710930756.jpg:com.apple.quarantine [22]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 18:55 - 2014-12-26 08:42 - 00001132 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1                   activate.adobe.com
127.0.0.1                   practivate.adobe.com
127.0.0.1                   lmlicenses.wip4.adobe.com
127.0.0.1                   lm.licenses.adobe.com
127.0.0.1                   na1r.services.adobe.com
127.0.0.1                   hlrcv.stage.adobe.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\raj\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
HKU\S-1-5-21-1409686930-1291303467-1380052953-1004\Control Panel\Desktop\\Wallpaper -> C:\Users\Jazz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
HKU\S-1-5-21-1409686930-1291303467-1380052953-1005\Control Panel\Desktop\\Wallpaper -> C:\Users\Jovi\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
HKU\S-1-5-21-1409686930-1291303467-1380052953-1006\Control Panel\Desktop\\Wallpaper -> C:\Users\Code\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
HKLM\...\StartupApproved\Run: => "NvBackend"
HKLM\...\StartupApproved\Run: => "ShadowPlay"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "NvBackend"
HKLM\...\StartupApproved\Run32: => "AdobeAAMUpdater-1.0"
HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\StartupApproved\Run: => "Google Update"
HKU\S-1-5-21-1409686930-1291303467-1380052953-1001\...\StartupApproved\Run: => "Google Photos Backup"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{5F840FCC-1C6C-4806-A5B3-2F33D8B9529D}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{46C6B1A9-36DE-4975-8C9D-BE658AF01E7E}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{23DD0FDF-2DB3-4AAC-BA53-7539B7BE87CF}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [UDP Query User{22943B7C-9C70-429A-8994-D18D620E1BD9}C:\program files (x86)\free download manager\fdmwi.exe] => (Block) C:\program files (x86)\free download manager\fdmwi.exe
FirewallRules: [TCP Query User{431D89DB-193C-4BDA-9353-49DA2DED3061}C:\program files (x86)\free download manager\fdmwi.exe] => (Block) C:\program files (x86)\free download manager\fdmwi.exe
FirewallRules: [UDP Query User{10971213-1779-482F-B6A5-6D543C89C5B8}C:\program files (x86)\java\jre1.8.0_51\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_51\bin\javaw.exe
FirewallRules: [TCP Query User{4108B654-0AC1-4C8E-AA87-86D895D0C42F}C:\program files (x86)\java\jre1.8.0_51\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_51\bin\javaw.exe
FirewallRules: [TCP Query User{AAE7B724-DF1A-4C22-B162-E40DF9E598E6}C:\program files (x86)\flashget network\flashget 3\flashget3.exe] => (Allow) C:\program files (x86)\flashget network\flashget 3\flashget3.exe
FirewallRules: [UDP Query User{6BAF9135-DDCF-4DAB-85E4-D02CCA563DEE}C:\program files (x86)\flashget network\flashget 3\flashget3.exe] => (Allow) C:\program files (x86)\flashget network\flashget 3\flashget3.exe
FirewallRules: [TCP Query User{260CD175-66F7-4E28-9152-FCFA175C2BB8}D:\downloads\trinusgyreserver\trinus gyre server.exe] => (Allow) D:\downloads\trinusgyreserver\trinus gyre server.exe
FirewallRules: [UDP Query User{1DFE3CBE-6315-4FB7-9DE9-40D742AAC959}D:\downloads\trinusgyreserver\trinus gyre server.exe] => (Allow) D:\downloads\trinusgyreserver\trinus gyre server.exe
FirewallRules: [{01E56892-7E14-4AAA-ADA5-D42D1A8B4363}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe
FirewallRules: [{979EA786-FF5E-476F-939D-263E86BDAD28}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe
FirewallRules: [{CFC3EF4C-5BB5-4329-BC09-45911C57314C}] => (Allow) C:\Program Files (x86)\Ubisoft\The Adventures of Tintin - The Secret of the Unicorn\TINTIN.exe
FirewallRules: [{EAACEEEA-ADD4-48CF-AC0B-6A51FD45FECF}] => (Allow) C:\Program Files (x86)\Ubisoft\The Adventures of Tintin - The Secret of the Unicorn\TINTIN.exe
FirewallRules: [{E959990F-0A1B-42AD-8EA5-B27E28130572}] => (Allow) C:\Program Files\Nitro\Pro 9\NitroPDF.exe
FirewallRules: [{30FF18A1-4FA0-405A-998F-DF42DEE9A465}] => (Allow) C:\Program Files\Nitro\Pro 9\NitroPDF.exe
FirewallRules: [{EC626ED9-0FAA-4DC0-BCC4-C7C368024D2E}] => (Allow) C:\Program Files\Nitro\Pro 9\NitroPDF.exe
FirewallRules: [{09FA1855-C1B2-41D5-90C3-17EC9347A0B6}] => (Allow) C:\Program Files\Nitro\Pro 9\NitroPDF.exe
FirewallRules: [TCP Query User{59AE3773-8514-4BCD-A6C1-71CBAFA1E90F}V:\far cry 4\bin\farcry4.exe] => (Block) V:\far cry 4\bin\farcry4.exe
FirewallRules: [UDP Query User{78355940-B6AA-4AA3-8DE6-F63004D7EB31}V:\far cry 4\bin\farcry4.exe] => (Block) V:\far cry 4\bin\farcry4.exe
FirewallRules: [TCP Query User{6AB8EA75-C764-427E-B430-CE6097DCDF0B}C:\program files\comicrack\comicrack.exe] => (Allow) C:\program files\comicrack\comicrack.exe
FirewallRules: [UDP Query User{46BDDBDD-1549-47E1-AC52-63045DAE6BD8}C:\program files\comicrack\comicrack.exe] => (Allow) C:\program files\comicrack\comicrack.exe
FirewallRules: [{85DD1D79-C226-46A6-B2C6-9280C3C70A85}] => (Allow) C:\Users\raj\AppData\Local\Microsoft\OneDrive\OneDrive.exe
FirewallRules: [TCP Query User{2BB5F340-3BCC-446C-8534-BA44B1A11E28}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{830BCDF1-0E13-4A7C-8EAC-3D9679898311}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{1FF1B231-CF08-4F60-9749-16F2952191AE}C:\program files\videolan\vlc\vlc.exe] => (Allow) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{C0FB5637-503E-4F87-9772-63D2F497D3C9}C:\program files\videolan\vlc\vlc.exe] => (Allow) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [TCP Query User{CFE5FB19-A3EC-4A5C-A2D6-F364E57DDF64}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{1E78CD76-B015-4CD0-9DC9-2FEE0848A4F4}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [{BBE8E094-1661-434C-B0EF-F58B8CD80F8E}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{28A706D1-4E9C-4FB9-8B6A-0DDFF7B0AAE9}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop\50.0.2661.22\remoting_host.exe
FirewallRules: [TCP Query User{7D6C9314-3966-4659-ADC0-3A541637BAF7}C:\program files\transmission\transmission-qt.exe] => (Allow) C:\program files\transmission\transmission-qt.exe
FirewallRules: [UDP Query User{5C9BD8DF-6F60-46C1-B04B-92708A0E585A}C:\program files\transmission\transmission-qt.exe] => (Allow) C:\program files\transmission\transmission-qt.exe
FirewallRules: [{990A3049-CEF2-4D42-A90F-81A7B5BDF1A3}] => (Allow) C:\Program Files\Reallusion\iClone 6\Bin64\iClone.exe
FirewallRules: [{E5EB6305-B9B1-4210-A2D2-21F9531E0765}] => (Allow) C:\Program Files\Reallusion\iClone 6\Bin64\iClone.exe
FirewallRules: [{F102D17C-06C8-4F94-BDBF-DBE3223911E3}] => (Block) %ProgramFiles%\Reallusion\iClone 6\Bin64\iClone.exe
FirewallRules: [{A901AC2E-7848-44A5-AF28-CB696E65854F}] => (Block) %ProgramFiles%\Reallusion\iClone 6\Bin64\iClone.exe
FirewallRules: [TCP Query User{D1A33D78-EAC4-44DA-9C2B-8A64AFC17782}C:\program files\videolan\vlc\vlc.exe] => (Block) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{1AF3D462-A080-4020-89F1-03F36DA00B67}C:\program files\videolan\vlc\vlc.exe] => (Block) C:\program files\videolan\vlc\vlc.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGet3.exe] => Enabled:Flashget3
 
==================== Restore Points =========================
 
31-03-2016 08:53:41 Scheduled Checkpoint
02-04-2016 15:34:44 Installed Transmission 2.92 (14714) (x64)
06-04-2016 08:15:04 Removed Transmission 2.92 (14714) (x64)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/06/2016 08:15:16 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (04/05/2016 07:24:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.10586.0, time stamp: 0x5632d8f0
Faulting module name: Cortana.Core.dll, version: 0.0.0.0, time stamp: 0x568b1b1b
Exception code: 0xc0000005
Fault offset: 0x000000000001325d
Faulting process id: 0x3488
Faulting application start time: 0xbackgroundTaskHost.exe0
Faulting application path: backgroundTaskHost.exe1
Faulting module path: backgroundTaskHost.exe2
Report Id: backgroundTaskHost.exe3
Faulting package full name: backgroundTaskHost.exe4
Faulting package-relative application ID: backgroundTaskHost.exe5
 
Error: (04/05/2016 12:18:55 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: nvcplui.exe, version: 8.1.850.0, time stamp: 0x5654b7af
Faulting module name: NVCPL.DLL, version: 8.17.13.5906, time stamp: 0x5654aeef
Exception code: 0xc0000005
Fault offset: 0x0000000000258588
Faulting process id: 0x2bd4
Faulting application start time: 0xnvcplui.exe0
Faulting application path: nvcplui.exe1
Faulting module path: nvcplui.exe2
Report Id: nvcplui.exe3
Faulting package full name: nvcplui.exe4
Faulting package-relative application ID: nvcplui.exe5
 
Error: (04/05/2016 12:18:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: nvxdsync.exe, version: 8.17.13.5906, time stamp: 0x5654aa60
Faulting module name: nvxdapix.dll, version: 8.17.13.5906, time stamp: 0x5654af24
Exception code: 0xc0000005
Fault offset: 0x000000000006f968
Faulting process id: 0x2200
Faulting application start time: 0xnvxdsync.exe0
Faulting application path: nvxdsync.exe1
Faulting module path: nvxdsync.exe2
Report Id: nvxdsync.exe3
Faulting package full name: nvxdsync.exe4
Faulting package-relative application ID: nvxdsync.exe5
 
Error: (04/03/2016 10:22:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Desktop)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2147024550 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (04/03/2016 09:36:56 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Desktop)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147024891 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (04/03/2016 09:22:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Desktop)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2147024550 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (04/03/2016 08:22:26 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Desktop)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147024891 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (04/03/2016 08:22:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Desktop)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2147024550 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (04/03/2016 08:22:07 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Desktop)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147024891 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
 
System errors:
=============
Error: (04/06/2016 07:28:29 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:28:29 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:28:20 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:28:20 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:28:20 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:28:19 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:28:19 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:28:19 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DesktoprajS-1-5-21-1409686930-1291303467-1380052953-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (04/06/2016 07:05:40 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 5:13:54 PM on ‎4/‎5/‎2016 was unexpected.
 
Error: (04/05/2016 11:02:38 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable
 
 
CodeIntegrity:
===================================
  Date: 2016-04-02 22:08:38.512
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-03-30 01:14:14.749
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-03-24 03:47:31.205
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-03-12 13:36:13.591
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-03-11 17:42:59.529
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-03-11 13:53:03.129
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-03-10 10:44:14.404
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-03-03 08:19:24.210
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-12 17:42:41.464
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-11 10:30:21.097
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-4440 CPU @ 3.10GHz
Percentage of memory in use: 43%
Total physical RAM: 8084.22 MB
Available physical RAM: 4527.5 MB
Total Virtual: 9364.22 MB
Available Virtual: 5689.55 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:100 GB) (Free:15.66 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Documents) (Fixed) (Total:50 GB) (Free:6.87 GB) NTFS
Drive e: (OneDrive) (Fixed) (Total:150.02 GB) (Free:9.24 GB) NTFS
Drive f: (Films & TV) (Fixed) (Total:200 GB) (Free:58.79 GB) NTFS
Drive g: (Editing) (Fixed) (Total:82.86 GB) (Free:81.4 GB) NTFS
Drive m: (Music) (Fixed) (Total:50 GB) (Free:36.07 GB) NTFS
Drive p: (Photos) (Fixed) (Total:200 GB) (Free:88.07 GB) NTFS
Drive s: (Software) (Fixed) (Total:100 GB) (Free:6.72 GB) NTFS
Drive v: (Videos) (Fixed) (Total:231.51 GB) (Free:58.62 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 1D4E0A63)
Partition 1: (Active) - (Size=100 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=50 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=200 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=581.5 GB) - (Type=OF Extended)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: FD12FD12)
Partition 1: (Not Active) - (Size=150 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=82.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
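The two fields in this Addition.txt that bear directly on the reported redirects are the "Hosts content" block (every entry points at 127.0.0.1, which sinkholes Adobe licensing names rather than redirecting anything) and "DNS Servers: 192.168.0.1", which says the PC asks the router for DNS. That is consistent with the symptom of all devices on the network being redirected: the router's upstream resolver setting is being changed, and a host-side log can only show that the PC trusts the router, not which servers the router itself forwards to. The script below is an added triage example, not part of the thread or of FRST: it parses the two fields out of an Addition.txt and flags hosts entries that send a name to a non-loopback address and resolvers other than the expected gateway. The sample excerpts are constructed; the first mirrors the fields in the log above, the second is invented (203.0.113.0/24 is a documentation range) to show what a hijack would look like, and treating 192.168.0.1 as the expected gateway is an assumption taken from the log.

```python
import ipaddress
import re

# Constructed sample excerpts in the layout FRST uses for Addition.txt.
# SAMPLE_CLEAN mirrors the fields visible in the log above (gateway resolver,
# hosts entries that only sinkhole Adobe licensing names). SAMPLE_HIJACKED is
# invented to show what a DNS/hosts hijack would look like; 203.0.113.0/24 is
# a documentation range, so those addresses are placeholders, not real servers.
SAMPLE_CLEAN = """\
==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

127.0.0.1                   activate.adobe.com
127.0.0.1                   practivate.adobe.com

==================== Other Areas ============================

DNS Servers: 192.168.0.1
Windows Firewall is enabled.
"""

SAMPLE_HIJACKED = """\
==================== Hosts content: ==========================

127.0.0.1                   activate.adobe.com
203.0.113.5                 www.google.com

==================== Other Areas ============================

DNS Servers: 203.0.113.53 - 8.8.8.8
"""

SECTION_HEADER = re.compile(r"^=+ (.+?) =+\s*$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hosts_entries(text):
    """Return (ip, hostname) pairs from the 'Hosts content' section of an Addition.txt."""
    entries = []
    in_hosts = False
    for line in text.splitlines():
        header = SECTION_HEADER.match(line)
        if header:
            in_hosts = header.group(1).startswith("Hosts content")
            continue
        if not in_hosts or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])  # skips the file timestamp line and FRST's notes
        except ValueError:
            continue
        entries.append((parts[0], parts[1]))
    return entries


def parse_dns_servers(text):
    """Return the IPv4 resolvers on the 'DNS Servers:' line (FRST separates several with ' - ')."""
    for line in text.splitlines():
        if line.startswith("DNS Servers:"):
            return IPV4.findall(line)
    return []


def audit(text, expected_resolvers=("192.168.0.1",)):
    """Classify hosts entries and resolvers. Each finding is a (kind, subject, detail) tuple.

    expected_resolvers defaults to the gateway shown in the thread's log (an assumption).
    """
    findings = []
    for ip, host in parse_hosts_entries(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            findings.append(("hosts-block", host, ip))     # sinkholed, not redirected
        else:
            findings.append(("hosts-redirect", host, ip))  # name silently sent elsewhere
    for ip in parse_dns_servers(text):
        if ip in expected_resolvers:
            findings.append(("dns-gateway", ip,
                             "router answers DNS; its upstream resolvers are not visible in a host log"))
        else:
            findings.append(("dns-unexpected", ip,
                             "not the expected gateway resolver; confirm it was set deliberately"))
    return findings


def is_suspicious(findings):
    """True when any finding is a redirecting hosts entry or an unexpected resolver."""
    return any(kind in ("hosts-redirect", "dns-unexpected") for kind, _, _ in findings)


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        results = audit(sample)
        print(name, "suspicious" if is_suspicious(results) else "ok")
        for finding in results:
            print("  ", *finding)
```

Run against the real log the clean sample mirrors, this reports only sinkholed Adobe names and a gateway resolver, which is the point: nothing on the PC is redirecting, so the resolver the router forwards to has to be read from the router's own WAN/DNS page and compared with what the ISP hands out, and any change there is where the cleanup effort belongs.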


#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,196 posts
  • Gender:Male
  • Location:California
  • Local time:01:25 PM

Posted 06 April 2016 - 08:50 PM

Hi Raj.

Unfortunately there is evidence of illegal software on your computer. I am going to request you completely uninstall Adobe Photoshop Elements 12 and all other products for which you do not have a valid Product Key. If you are willing to do that please rerun a FRST scan with Addition.txt and post both logs. If you prefer to leave the programs on your computer let me know that and I will be closing the Topic.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"For unto us a Child is born, Unto us a Son is given;"

#5 whatsinaname

  • Topic Starter
  • Members
  • 36 posts
  • Local time:02:55 AM

Posted 06 April 2016 - 11:20 PM

Hi Gary,

Thanks for your help. I have done as you asked. The rerun logs are attached.

Attached Files



#6 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,196 posts
  • Gender:Male
  • Location:California
  • Local time:01:25 PM

Posted 07 April 2016 - 08:56 AM

Hi Raj.

Thank you for your understanding. The Addition.txt report confirms WpsUpdateTask_raj.job is legitimate, just as you said.

If you could copy and paste the reports in your reply unless I ask for it to be attached that would help me a lot.

Please do the following.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Winlogon: [Userinit]  [X]
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
Winsock: Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5-x64 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
CHR StartupUrls: Default -> "hxxp://mail.ru/cnt/7993/"
S2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [X]
C:\Users\Code\AppData\Local\Temp\ubi57E9.tmp.exe
Task: {11CDF3D0-3BB0-4DA8-8718-4BC9B6E374AC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {862EA003-A626-4E51-83BC-586535A8590B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {8F0D4C06-3774-4B30-B626-D76335ACF143} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A974CB82-E3F6-4985-B93F-8886A84A73B1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B9BEBB14-E377-491E-A54A-24779A7C6993} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {BB859CF8-E966-4301-9450-41613C87CED5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {CAD4D6B7-E67D-420E-B02F-38E0603429D5} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {DBE1BB74-0AC0-4C47-BAC9-E305A11A0E19} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F59C52F4-4E3C-4765-ABBD-70CF904A0612} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {FB1F4238-BEDE-4B7F-B4E2-18525AA63117} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {FC8D0133-54D7-4AE8-A31D-80DBB918E3A5} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\Users\raj\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\raj\20150315-710930756.jpg:com.apple.quarantine [22]
Hosts:
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Copy/paste the following in the Search Field
wininit.exe
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document your reply
===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a MTB.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • RogueKiller log
  • MTB log
  • System Summary Information
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"For unto us a Child is born, Unto us a Son is given;"

#7 whatsinaname

whatsinaname
  • Topic Starter

  • Members
  • 36 posts

Posted 07 April 2016 - 11:23 AM

Hi Gary,
 
Thank you for your help and patience. About the computer behavior, I noticed that since a couple of days ago (the redirects have been going on for longer) I have no longer been able to access my modem config page in the browser - I used to be able to get there by typing 192.168.1.1 in Chrome or Edge. This is the message I get in Chrome:
 
This site can’t be reached

192.168.1.1 refused to connect.

ERR_CONNECTION_REFUSED
 
This is still there. Otherwise, the devices on my network seem to be cured of the redirect problem, at least on initial evidence. Thanks again and please advise on further steps.
 
The logs you asked for are below:
 
Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by raj (2016-04-07 20:48:44) Run:1
Running from C:\Users\raj\Desktop
Loaded Profiles: raj (Available Profiles: raj & Jazz & Jovi & Code)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Winlogon: [Userinit]  [X]
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
Winsock: Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5-x64 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
CHR StartupUrls: Default -> "hxxp://mail.ru/cnt/7993/"
S2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [X]
C:\Users\Code\AppData\Local\Temp\ubi57E9.tmp.exe
Task: {11CDF3D0-3BB0-4DA8-8718-4BC9B6E374AC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {862EA003-A626-4E51-83BC-586535A8590B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {8F0D4C06-3774-4B30-B626-D76335ACF143} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A974CB82-E3F6-4985-B93F-8886A84A73B1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B9BEBB14-E377-491E-A54A-24779A7C6993} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {BB859CF8-E966-4301-9450-41613C87CED5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {CAD4D6B7-E67D-420E-B02F-38E0603429D5} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {DBE1BB74-0AC0-4C47-BAC9-E305A11A0E19} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F59C52F4-4E3C-4765-ABBD-70CF904A0612} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {FB1F4238-BEDE-4B7F-B4E2-18525AA63117} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {FC8D0133-54D7-4AE8-A31D-80DBB918E3A5} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\Users\raj\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\raj\20150315-710930756.jpg:com.apple.quarantine [22]
Hosts:
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => key removed successfully
"HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => key removed successfully
"HKCR\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => key removed successfully
"HKCR\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => key removed successfully
"HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => key removed successfully
"HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000007" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008" => key removed successfully
Chrome StartupUrls => removed successfully
Update service => service not found.
C:\Users\Code\AppData\Local\Temp\ubi57E9.tmp.exe => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{11CDF3D0-3BB0-4DA8-8718-4BC9B6E374AC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{11CDF3D0-3BB0-4DA8-8718-4BC9B6E374AC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{862EA003-A626-4E51-83BC-586535A8590B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{862EA003-A626-4E51-83BC-586535A8590B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8F0D4C06-3774-4B30-B626-D76335ACF143}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8F0D4C06-3774-4B30-B626-D76335ACF143}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A974CB82-E3F6-4985-B93F-8886A84A73B1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A974CB82-E3F6-4985-B93F-8886A84A73B1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B9BEBB14-E377-491E-A54A-24779A7C6993}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B9BEBB14-E377-491E-A54A-24779A7C6993}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BB859CF8-E966-4301-9450-41613C87CED5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BB859CF8-E966-4301-9450-41613C87CED5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CAD4D6B7-E67D-420E-B02F-38E0603429D5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CAD4D6B7-E67D-420E-B02F-38E0603429D5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DBE1BB74-0AC0-4C47-BAC9-E305A11A0E19}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DBE1BB74-0AC0-4C47-BAC9-E305A11A0E19}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F59C52F4-4E3C-4765-ABBD-70CF904A0612}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F59C52F4-4E3C-4765-ABBD-70CF904A0612}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FB1F4238-BEDE-4B7F-B4E2-18525AA63117}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB1F4238-BEDE-4B7F-B4E2-18525AA63117}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FC8D0133-54D7-4AE8-A31D-80DBB918E3A5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FC8D0133-54D7-4AE8-A31D-80DBB918E3A5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
C:\Windows => ":nlsPreferences" ADS removed successfully.
C:\Users\raj\.DS_Store => ":AFP_AfpInfo" ADS removed successfully.
C:\Users\raj\20150315-710930756.jpg => ":com.apple.quarantine" ADS removed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
 
The system needed a reboot.
 
==== End of Fixlog 20:49:06 ====
 
Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by raj (2016-04-07 20:55:21)
Running from C:\Users\raj\Desktop
Boot Mode: Normal
 
================== Search Files: "wininit.exe" =============
 
C:\Windows\WinSxS\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.10586.0_none_bd785127aea7d9d3\wininit.exe
[2015-10-30 12:47][2015-10-30 12:47] 0290856 ____A (Microsoft Corporation) CAD491DD9EC00BB841EA407D9C498C4A [File is digitally signed]
 
C:\Windows\System32\wininit.exe
[2015-10-30 12:47][2015-10-30 12:47] 0290856 ____A (Microsoft Corporation) CAD491DD9EC00BB841EA407D9C498C4A [File is digitally signed]
 
====== End of Search ======
 
 
RogueKiller V12.1.1.0 [Apr  4 2016] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : raj [Administrator]
Started from : C:\Users\raj\Desktop\RogueKiller.exe
Mode : Delete -- Date : 04/07/2016 21:27:46
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZRX-00DC0B0 +++++
--- User ---
[MBR] 749950b32c4596af251b0bf49d5bc5a5
[BSP] ed39a9aef549982c225574efa90ba6de : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 102400 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 209717248 | Size: 51199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 314574848 | Size: 204799 MB [Windows XP Bootstrap | Windows XP Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 734005185 | Size: 595466 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: ST3250310AS +++++
--- User ---
[MBR] 82d3276300e901a8066e986107b21318
[BSP] d71674fdeeb239c32bb8d3d1b6819013 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 153619 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 314615808 | Size: 84852 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
====================================
 
 
MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by raj (administrator) on 07-04-2016 at 21:32:55
Running from "C:\Users\raj\Desktop"
Microsoft Windows 10 Pro  (X64)
Model: B85M-D3H Manufacturer: Gigabyte Technology Co., Ltd.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
Realtek PCIe GBE Family Controller = Ethernet (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="other_0" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Desktop
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : FC-AA-14-2D-01-44
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1013:33a:1a9:584b%3(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.0.124(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 07 April 2016 08:50:00 PM
   Lease Expires . . . . . . . . . . : 15 May 2152 04:01:12 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 268216852
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-06-3A-53-FC-AA-14-2D-01-44
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:34bb:9c7b:8555:6d12(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::34bb:9c7b:8555:6d12%7(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 117440512
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-06-3A-53-FC-AA-14-2D-01-44
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter isatap.{04E71261-DD5D-4DA2-9FFA-956F6B73F9DE}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  dlinkrouter
Address:  192.168.0.1
 
Name:    google.com
Addresses:  2404:6800:4009:807::200e
 216.58.220.14
 
 
Pinging google.com [216.58.220.14] with 32 bytes of data:
Reply from 216.58.220.14: bytes=32 time=21ms TTL=56
Reply from 216.58.220.14: bytes=32 time=21ms TTL=56
 
Ping statistics for 216.58.220.14:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 21ms, Average = 21ms
Server:  dlinkrouter
Address:  192.168.0.1
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 98.138.253.109
 206.190.36.45
 98.139.183.24
 
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=290ms TTL=50
Reply from 206.190.36.45: bytes=32 time=290ms TTL=50
 
Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 290ms, Maximum = 290ms, Average = 290ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  3...fc aa 14 2d 01 44 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
  7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
  4...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.124     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.124    276
    192.168.0.124  255.255.255.255         On-link     192.168.0.124    276
    192.168.0.255  255.255.255.255         On-link     192.168.0.124    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.124    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.124    276
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  7    306 ::/0                     On-link
  1    306 ::1/128                  On-link
  7    306 2001::/32                On-link
  7    306 2001:0:5ef5:79fb:34bb:9c7b:8555:6d12/128
                                    On-link
  3    276 fe80::/64                On-link
  7    306 fe80::/64                On-link
  3    276 fe80::1013:33a:1a9:584b/128
                                    On-link
  7    306 fe80::34bb:9c7b:8555:6d12/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    276 ff00::/8                 On-link
  7    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
 
**** End of log ****
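The MiniToolBox sections Gary asked for (hosts content, IP configuration, Winsock entries) can be checked mechanically. The script below is an added example, not code from this thread, MiniToolBox or FRST: it parses a constructed log laid out like the one above and flags DNS servers that are not the adapter's gateway, hosts entries beyond localhost, and Winsock providers whose DLL is missing (the "No File" marker is borrowed from FRST's listing; the 8.8.8.8, www.example.com and WLIDNSP.DLL lines are planted so each check fires). A DNS change made on the modem itself, as in this thread, is only visible on the modem's own configuration page, since the PC here receives the router as its DNS server.

```python
# Added example (not from the thread, MiniToolBox or FRST). SAMPLE_LOG is
# constructed in MiniToolBox's layout; the 8.8.8.8 DNS entry, the extra hosts
# line and the "No File" Winsock entry are planted so every check fires.
import ipaddress
import re

SAMPLE_LOG = r"""========================= Hosts content: =================================
127.0.0.1       localhost
# planted entry: a hosts-file redirect to a documentation-range address
203.0.113.5     www.example.com
========================= IP Configuration: ================================

Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.124(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8
Pinging google.com [216.58.220.14] with 32 bytes of data:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
**** End of log ****
"""

SECTION_RE = re.compile(r"^=+ (.+?):? =+\s*$")        # "===== Name: ====="
ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")       # "Ethernet adapter X:"
KEY_RE = re.compile(r"^ {3}(\S[^:]*?)[ .]*: ?(.*)$")    # "   Key . . . : value"
WINSOCK_RE = re.compile(r"^(?:x64-)?Catalog\d+ \d+ ")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_mtb_log(text):
    """Split the log into hosts entries, per-adapter ipconfig fields, Winsock lines."""
    hosts, adapters, winsock = [], {}, []
    section = adapter = last_key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section, adapter = m.group(1), None
        elif section == "Hosts content":
            if line and not line.startswith("#"):
                hosts.append(line.split())
        elif section == "IP Configuration":
            m = ADAPTER_RE.match(line)
            if m:
                adapter, last_key = adapters.setdefault(m.group(1), {}), None
            elif line and not line.startswith(" "):
                adapter = None              # left ipconfig for ping/nslookup output
            elif adapter is not None:
                m = KEY_RE.match(line)
                if m:
                    last_key = m.group(1)
                    adapter[last_key] = [m.group(2)] if m.group(2) else []
                elif last_key and line.startswith("    "):
                    adapter[last_key].append(line.strip())   # continuation value
        elif section == "Winsock entries" and WINSOCK_RE.match(line):
            winsock.append(line)
    return hosts, adapters, winsock

def _ip(value):
    """Reduce an ipconfig value like 'fe80::1%3(Preferred)' to an address, or None."""
    try:
        return ipaddress.ip_address(value.split("(")[0].split("%")[0])
    except ValueError:
        return None

def check_hosts(hosts):
    """Flag every hosts entry other than a loopback mapping of localhost."""
    return [" ".join(e) for e in hosts
            if not (_ip(e[0]) and _ip(e[0]).is_loopback and set(e[1:]) <= LOOPBACK_NAMES)]

def check_dns(adapters, allowed_dns=()):
    """Flag DNS servers that are neither the adapter's gateway nor allow-listed:
    on a DHCP home LAN the DNS server handed out is normally the router itself."""
    allowed = {_ip(a) for a in allowed_dns}
    findings = []
    for name, fields in adapters.items():
        gateways = {_ip(v) for v in fields.get("Default Gateway", [])}
        for server in fields.get("DNS Servers", []):
            if _ip(server) not in gateways | allowed:
                findings.append((name, server))
    return findings

def check_winsock(winsock):
    """Flag providers whose DLL is missing (what the FRST fix above removed) and
    providers loaded from outside the Windows system directories."""
    findings = []
    for line in winsock:
        if line.endswith(" No File"):
            findings.append(("missing DLL", line))
        elif not re.search(r"\\(?:System32|SysWOW64)\\", line, re.IGNORECASE):
            findings.append(("non-system provider", line))
    return findings

def run_checks(log_text, allowed_dns=()):
    hosts, adapters, winsock = parse_mtb_log(log_text)
    return {"hosts": check_hosts(hosts), "dns": check_dns(adapters, allowed_dns),
            "winsock": check_winsock(winsock)}

if __name__ == "__main__":
    for kind, items in run_checks(SAMPLE_LOG).items():
        print(kind, items or "nothing flagged")
```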
#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,196 posts
  • Gender:Male
  • Location:California

Posted 07 April 2016 - 03:11 PM

Greetings Raj,

Glad we are making progress.
 

I have no longer been able to access my modem config page

Type 192.168.0.1 and you should be able to access the modem.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
Reg: reg add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /t REG_SZ /d userinit.exe /f
emptytemp:
  • Launch FRST and press the Fix button just once
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Can you access your modem?
  • Fixlog
  • Update on computer performance

Gary
 

#9 whatsinaname

whatsinaname
  • Topic Starter

  • Members
  • 36 posts

Posted 07 April 2016 - 09:28 PM

Hi Gary,

 

I should have mentioned I have a separate modem and router. So I get to the router config page by typing 192.168.0.1, and to the modem config by typing 192.168.1.1. I can get to the router okay, but still can't access the modem. Otherwise, the redirect seems to have been cured, thanks to you.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by raj (2016-04-08 07:46:10) Run:2
Running from C:\Users\raj\Desktop
Loaded Profiles: raj (Available Profiles: raj & Jazz & Jovi & Code)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Reg: reg add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /t REG_SZ /d userinit.exe /f
emptytemp:
*****************
 
 
========= reg add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /t REG_SZ /d userinit.exe /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
EmptyTemp: => 648.2 MB temporary data Removed.
 
 
The system needed a reboot.
 

==== End of Fixlog 07:46:51 ==== 



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,196 posts
  • Gender:Male
  • Location:California

Posted 07 April 2016 - 10:01 PM

What is the model number of your modem? Try 192.168.100.1.
Gary
 

#11 whatsinaname

whatsinaname
  • Topic Starter

  • Members
  • 36 posts

Posted 07 April 2016 - 10:37 PM

Hi Gary,

 

192.168.100.1 does not work either. My modem is a D-Link DSL-2520U. I used to be able to configure this modem fine with 192.168.1.1 until about a couple of days ago. 

 

Thanks,

Raj


Edited by whatsinaname, 07 April 2016 - 10:39 PM.


#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,196 posts
  • Gender:Male
  • Location:California

Posted 08 April 2016 - 08:05 AM

Hi Raj,

I think you will have to reset the device.


Gary
 

#13 whatsinaname

whatsinaname
  • Topic Starter

  • Members
  • 36 posts

Posted 09 April 2016 - 01:04 AM

Hi Raj,

I think you will have to reset the device.

Hi Gary,

 

I have reset the device and I can access the modem again!!  :bananas:  :bounce: 

 

The redirect virus also seems to have been eradicated from my computer and network!  :thumbsup:

 

You have been a lifesaver, words cannot even begin to express my gratitude to you. 

 

A million thanks,

 

Raj



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,196 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:25 PM

Posted 09 April 2016 - 10:39 AM

Very nice.

A couple more things to do please.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED!, reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"For unto us a Child is born, Unto us a Son is given;"

#15 whatsinaname

whatsinaname
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:02:55 AM

Posted 10 April 2016 - 12:59 AM

Hi Gary,
 
Looks like I jumped the gun a bit there. Here are the logs:
 

C:\Users\raj\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4674\wtoolex\desktoptip.exe a variant of Win32/KingSoft.D potentially unwanted application cleaned by deleting
C:\Users\raj\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4674\wtoolex\wpsnotify.exe a variant of Win32/KingSoft.D potentially unwanted application cleaned by deleting
C:\Users\raj\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4674\wtoolex\wpsupdate.exe a variant of Win32/KingSoft.D potentially unwanted application cleaned by deleting
C:\Users\raj\AppData\Roaming\Kingsoft\office6\update\down\wpsupdate.exe a variant of Win32/KingSoft.D potentially unwanted application cleaned by deleting
 
 
 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7  x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 51  
 Java version 32-bit out of Date!
 Adobe Reader XI  
 Google Chrome (49.0.2623.110) 
 Google Chrome (49.0.2623.87) 
````````Process Check: objlist.exe by Laurent````````
 Windows Defender MSMpEng.exe 
 Windows Defender MSASCui.exe 
 Windows Defender MpCmdRun.exe   
 Windows Defender MSASCui.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7% 
````````````````````End of Log``````````````````````
============
 
Computer is okay now, no redirects as such, but I checked the DNS and it seems to have changed by itself again.
(attached screenshot: 2jAm0wM.jpg)
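The recurring symptom in this thread is that the DNS servers handed to the machines keep being swapped for addresses nobody on the network chose. A simple way for a defender to catch that drift on a Windows host is to compare the resolvers shown by `ipconfig /all` against an allowlist. The script below is an added example written for this page, not code from the thread, from BleepingComputer, or from any of the tools mentioned; the `ipconfig` text embedded in it is constructed, the DNS addresses in it are documentation ranges rather than anything seen in the logs above, and the allowlist (`ALLOWED`) is an assumption you would replace with your own router's LAN subnet or resolvers you have deliberately configured. Any DNS server that is neither in the allowlist nor the adapter's own default gateway is reported.

```python
"""Flag DNS resolvers in `ipconfig /all` output that are not expected (added example)."""
import ipaddress
import re
import sys
from typing import Dict, List

# Constructed sample of the relevant `ipconfig /all` fields on a Windows 7 host.
# The resolver addresses are documentation ranges, not values from the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       203.0.113.77
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Assumed allowlist: the home LAN subnet; replace with your own trusted resolvers.
ALLOWED = ["192.168.1.0/24"]

ADAPTER_LINE = re.compile(r"^(\S.*):\s*$")                     # "Ethernet adapter X:"
DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)\s*$")
GATEWAY_LINE = re.compile(r"^\s+Default Gateway[ .]*:\s*(\S*)\s*$")
CONT_LINE = re.compile(r"^\s+(\S+)\s*$")                       # extra addresses on following lines


def _clean(addr: str) -> str:
    """Drop an IPv6 zone index such as the '%1' in 'fe80::1%1'."""
    return addr.split("%", 1)[0]


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter name: {"gateway": [...], "dns": [...]}} from ipconfig /all text."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    adapter = None
    field = None  # which multi-line field we are still collecting, if any
    for line in text.splitlines():
        m = ADAPTER_LINE.match(line)
        if m:
            adapter = m.group(1).strip()
            adapters[adapter] = {"gateway": [], "dns": []}
            field = None
            continue
        if adapter is None:
            continue
        m = DNS_LINE.match(line)
        if m:
            field = "dns"
        else:
            m = GATEWAY_LINE.match(line)
            if m:
                field = "gateway"
        if m:
            if m.group(1):
                adapters[adapter][field].append(_clean(m.group(1)))
            continue
        m = CONT_LINE.match(line) if field else None
        if m:
            adapters[adapter][field].append(_clean(m.group(1)))
        else:
            field = None  # any other line ends the multi-line field
    return adapters


def unexpected_resolvers(adapters: Dict[str, Dict[str, List[str]]],
                         allowed: List[str]) -> Dict[str, List[str]]:
    """Return {adapter: [dns]} for resolvers outside the allowlist and not the adapter's gateway."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings: Dict[str, List[str]] = {}
    for name, info in adapters.items():
        trusted = list(nets)
        for gw in info["gateway"]:
            try:
                trusted.append(ipaddress.ip_network(gw))  # the router handing out DHCP
            except ValueError:
                pass
        bad = []
        for dns in info["dns"]:
            try:
                ip = ipaddress.ip_address(dns)
            except ValueError:
                bad.append(dns)  # unparsable entries deserve a look too
                continue
            if not any(ip in net for net in trusted):
                bad.append(dns)
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    # On Windows: ipconfig /all | python dns_drift.py ; otherwise the sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    for adapter_name, servers in unexpected_resolvers(parse_ipconfig(text), ALLOWED).items():
        print(f"{adapter_name}: unexpected DNS servers {servers}")
```

Run it from a scheduled task and keep the output; if a resolver outside your allowlist shows up again after the modem has been reset, the change is happening on the device that hands out DHCP leases, which is what the thread narrows in on.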




