
.trashes trojan/malware.


  • This topic is locked
20 replies to this topic

#1 jerik47


Posted 06 April 2016 - 03:03 PM

Hi, I'm currently infected with this trojan/malware. I have no idea what it is. I'm currently running in safe mode. I can't launch most anti-virus and scanning programs/apps in normal mode. A friend plugged in her flash drive and got my laptop infected. I thought it didn't do anything to my laptop. I tried to clean her flash drive and reformat it, but that still won't do anything. The virus is still there. Now my laptop is infected. I only discovered this when I plugged in my external drive. It is now infected too. Here is a screenshot of the drive. Please help! I am new to this forum. If I'm breaking any rules, please do tell. Thank you!


I also scanned with FRST, as I have seen done in other similar threads.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by Jerik (administrator) on CIPHER47 (07-04-2016 03:44:15)
Running from C:\Users\Jerik\Downloads
Loaded Profiles: Jerik (Available Profiles: Jerik & UpdatusUser)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12459112 2012-03-27] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2598696 2012-02-29] (ELAN Microelectronics Corp.)
HKLM\...\Run: [THXCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [IntelTBRunOnce] => wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
HKLM\...\Run: [IntelConnectCenter] => C:\Program Files\Intel\ConnectCenter\bin\ICCLauncher.exe [90112 2015-03-16] (Intel® Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [THX Audio Control Panel] => C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe [1517056 2011-08-29] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6111312 2015-11-07] (AVAST Software)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694048 2014-10-23] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1852264 2014-05-23] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-07-20] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Run: [uTorrent] => C:\Users\Jerik\AppData\Roaming\uTorrent\uTorrent.exe [1959424 2016-04-06] (BitTorrent Inc.)
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8455960 2015-08-20] (Piriform Ltd)
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Run: [PCLink] => C:\Program Files (x86)\ASUS\PC Link\PCLink.exe [640272 2015-10-29] (ASUSTek Computer Inc.)
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Run: [Spotify Web Helper] => C:\Users\Jerik\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1524336 2016-03-17] (Spotify Ltd)
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Run: [Spotify] => C:\Users\Jerik\AppData\Roaming\Spotify\Spotify.exe [6805616 2016-03-17] (Spotify Ltd)
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Run: [MCShield Monitor] => C:\Program Files (x86)\MCShield\mcshieldrtm.exe [650816 2014-04-12] (MyCity)
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\Policies\Explorer: [] 
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\MountPoints2: {4045130e-21a1-11e5-a612-8c89a5075f73} - E:\Setup.exe
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\MountPoints2: {60986da3-2b6d-11e5-95c1-8c89a5075f73} - "E:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-4169181859-1323723485-1632056074-1000\...\MountPoints2: {ec1d7156-0fe5-11e5-b307-8c89a5075f73} - F:\AutoRun.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2015-10-03] (Microsoft Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [260928 2012-02-23] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [215360 2012-02-23] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-09-13] (AVAST Software)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2012-02-07] (Autodesk, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NI Error Reporting.lnk [2015-07-16]
ShortcutTarget: NI Error Reporting.lnk -> C:\Program Files (x86)\National Instruments\Shared\NI Error Reporting\nierserver.exe (National Instruments Corporation)
Startup: C:\Users\Jerik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atajo.lnk [2016-04-07]
ShortcutTarget: atajo.lnk -> C:\Users\Jerik\AppData\Roaming\mcgwg\sftejrq.exe (Microsoft Corporation)
Startup: C:\Users\Jerik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive for Business.lnk [2015-09-30]
ShortcutTarget: OneDrive for Business.lnk -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVE.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 06 C:\Program Files (x86)\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll [26512 2013-05-11] (National Instruments Corporation)
Winsock: Catalog5-x64 06 C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll [28560 2013-05-11] (National Instruments Corporation)
Tcpip\..\Interfaces\{CFC14A41-3858-4C81-BBC2-394EA8B7890C}: [DhcpNameServer] 192.168.8.1 192.168.8.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2015-08-12] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-09-13] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-22] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2015-08-12] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-09-13] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Jerik\AppData\Roaming\Mozilla\Firefox\Profiles\1slj3k2h.default
FF Homepage: google.com
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-08-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-13] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nplv2012win32.dll [2013-05-29] (National Instruments)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nplv2013win32.dll [2013-06-20] (National Instruments)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-08-12] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-16]
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-05]
CHR Extension: (Google Docs) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-06]
CHR Extension: (Google Drive) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-25]
CHR Extension: (YouTube) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-29]
CHR Extension: (Google Search) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Avast SafePrice) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-02-16]
CHR Extension: (Google Sheets) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-05]
CHR Extension: (Google Docs Offline) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-17]
CHR Extension: (Avast Online Security) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-04-07]
CHR Extension: (IE Tab) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd [2016-03-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Gmail) - C:\Users\Jerik\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-06]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-05-06]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-05-06]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 Autodesk Content Service; C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [19232 2012-01-31] (Autodesk, Inc.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-13] (AVAST Software)
S3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4047768 2015-09-13] (Avast Software)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [127320 2012-03-15] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [162648 2012-03-15] (Intel Corporation)
S2 LkCitadelServer; C:\Windows\SysWOW64\lkcitdl.exe [695136 2010-10-27] (National Instruments, Inc.)
S2 lkClassAds; C:\Windows\SysWOW64\lkads.exe [53544 2013-06-12] (National Instruments Corporation)
S2 lkTimeSync; C:\Windows\SysWOW64\lktsrv.exe [63792 2013-06-12] (National Instruments Corporation)
S2 Micro Star SCM; C:\Windows\SysWOW64\MSIService.exe [160768 2009-07-09] (Micro-Star International Co., Ltd.) [File not signed]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2012-03-29] ()
S2 NIApplicationWebServer; C:\Program Files (x86)\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [57696 2013-06-08] (National Instruments Corporation)
S4 NIApplicationWebServer64; C:\Program Files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [81248 2013-06-08] (National Instruments Corporation)
S2 NIDomainService; C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe [380720 2013-06-12] (National Instruments Corporation)
S3 NILM License Manager; C:\Program Files (x86)\National Instruments\Shared\License Manager\Bin\lmgrd.exe [1427688 2010-08-02] (Macrovision Corporation)
S2 nimDNSResponder; C:\Program Files (x86)\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [260976 2013-05-11] (National Instruments Corporation)
S2 NiSvcLoc; C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe [90440 2013-06-07] (National Instruments Corporation)
S2 NISystemWebServer; C:\Program Files (x86)\National Instruments\Shared\NI WebServer\SystemWebServer.exe [57680 2013-06-08] (National Instruments Corporation)
S2 STCServ; C:\Program Files\Intel\STCServ\STCServ.exe [8095456 2015-03-16] (Intel Corporation)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2015-07-20] (Western Digital Technologies, Inc.)
S2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [306552 2015-07-20] (Western Digital Technologies, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2669840 2012-03-29] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AsusVBus; C:\Windows\System32\DRIVERS\AsusVBus.sys [39704 2015-04-23] (Windows ® Win 7 DDK provider)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-09-13] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-09-13] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-09-13] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-09-13] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1059656 2015-11-07] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449992 2015-11-07] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [150672 2015-09-13] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-09-13] (AVAST Software)
R3 ATP; C:\Windows\System32\DRIVERS\AsusTP.sys [67352 2015-04-23] (ASUS Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
R0 ngvss; C:\Windows\System32\Drivers\ngvss.sys [115152 2015-09-13] (AVAST Software)
S2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [273824 2015-09-13] (Avast Software)
S0 fhew; System32\drivers\evgw.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-07 03:44 - 2016-04-07 03:44 - 00019693 _____ C:\Users\Jerik\Downloads\FRST.txt
2016-04-07 03:44 - 2016-04-07 03:44 - 00000000 ____D C:\FRST
2016-04-07 03:40 - 2016-04-07 03:41 - 05523840 _____ (Tweaking.com) C:\Users\Jerik\Downloads\tweaking.com_registry_backup_setup.exe
2016-04-07 03:38 - 2016-04-07 03:38 - 00000000 ____D C:\Users\Jerik\Downloads\WINDOWS
2016-04-07 03:34 - 2016-04-07 03:35 - 11441744 _____ (SurfRight B.V.) C:\Users\Jerik\Downloads\HitmanPro_x64.exe
2016-04-07 03:33 - 2016-04-07 03:34 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Jerik\Downloads\tdsskiller.exe
2016-04-07 03:33 - 2016-04-07 03:33 - 19765320 _____ C:\Users\Jerik\Downloads\RogueKiller.exe
2016-04-07 03:33 - 2016-04-07 03:33 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\Jerik\Downloads\rkill.exe
2016-04-07 03:33 - 2016-04-07 03:33 - 01610352 _____ (Malwarebytes) C:\Users\Jerik\Downloads\JRT.exe
2016-04-07 03:31 - 2016-04-07 03:31 - 03119168 _____ C:\Users\Jerik\Downloads\AdwCleaner.exe
2016-04-07 03:29 - 2016-04-07 03:29 - 02374144 _____ (Farbar) C:\Users\Jerik\Downloads\FRST64.exe
2016-04-07 03:27 - 2016-04-07 03:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\USBDriveFresher
2016-04-07 03:27 - 2016-04-07 03:27 - 00000000 ____D C:\Program Files (x86)\USBDriveFresher
2016-04-07 03:14 - 2016-04-07 03:14 - 00000402 _____ C:\Windows\SysWOW64\firmar
2016-04-07 02:33 - 2016-04-07 03:22 - 00000000 ____D C:\ProgramData\MCShield
2016-04-07 02:33 - 2016-04-07 02:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MCShield
2016-04-07 02:33 - 2016-04-07 02:33 - 00000000 ____D C:\Program Files (x86)\MCShield
2016-04-07 02:32 - 2016-04-07 03:43 - 00392426 _____ C:\Windows\ntbtlog.txt
2016-04-07 02:12 - 2016-04-07 02:12 - 02856736 _____ (MyCity) C:\Users\Jerik\Downloads\MCShield-Setup.exe
2016-04-07 02:03 - 2016-04-07 02:03 - 01725440 _____ (Farbar) C:\Users\Jerik\Downloads\FRST.exe
2016-04-07 01:58 - 2016-04-07 01:59 - 07765281 _____ (Affinity-Tools.com ) C:\Users\Jerik\Downloads\usbfreshersetup.exe
2016-04-07 01:49 - 2016-04-07 01:53 - 00000000 ____D C:\Program Files\Registry Workshop
2016-04-07 01:49 - 2016-04-07 01:49 - 01121650 _____ C:\Users\Jerik\Downloads\RegistryWorkshop.exe
2016-04-07 01:49 - 2016-04-07 01:49 - 00001801 _____ C:\Users\UpdatusUser\Desktop\Registry Workshop.lnk
2016-04-07 01:49 - 2016-04-07 01:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Workshop
2016-04-07 01:32 - 2016-04-07 01:32 - 07186992 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64 (7).exe
2016-04-07 01:32 - 2016-04-07 01:32 - 06554576 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86 (7).exe
2016-04-07 01:32 - 2016-04-07 01:32 - 06554576 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86 (6).exe
2016-04-07 01:32 - 2016-04-07 01:32 - 01453976 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_arm (2).exe
2016-04-07 01:31 - 2016-04-07 01:31 - 01453976 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_arm (1).exe
2016-04-07 01:29 - 2016-04-07 01:29 - 07194312 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64 (6).exe
2016-04-07 01:29 - 2016-04-07 01:29 - 07186992 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64 (5).exe
2016-04-07 01:29 - 2016-04-07 01:29 - 06503984 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86 (5).exe
2016-04-07 01:29 - 2016-04-07 01:29 - 01420840 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_arm.exe
2016-04-07 01:22 - 2016-04-07 01:22 - 05673816 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64 (4).exe
2016-04-07 01:21 - 2016-04-07 01:21 - 05718872 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64 (3).exe
2016-04-07 01:21 - 2016-04-07 01:21 - 05073240 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86 (3).exe
2016-04-07 01:21 - 2016-04-07 01:21 - 04995416 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86 (4).exe
2016-04-07 01:21 - 2016-04-07 01:21 - 04961800 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64 (2).exe
2016-04-07 01:20 - 2016-04-07 01:20 - 04216840 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86 (2).exe
2016-04-07 01:20 - 2016-04-07 01:20 - 02373640 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64 (1).exe
2016-04-07 01:20 - 2016-04-07 01:20 - 01821192 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86 (1).exe
2016-04-07 01:19 - 2016-04-07 01:19 - 02686232 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x86.exe
2016-04-07 01:13 - 2016-04-07 01:13 - 00000034 _____ C:\Users\Jerik\Desktop\unhide.bat
2016-04-07 01:01 - 2016-04-07 01:01 - 00000000 ____D C:\Windows\system32\appmgmt
2016-04-07 00:46 - 2016-04-07 00:46 - 04286744 _____ (Microsoft Corporation) C:\Users\Jerik\Downloads\vcredist_x64.exe
2016-04-06 15:52 - 2016-04-06 15:52 - 00000000 ____D C:\Users\Jerik\Downloads\New folder
2016-04-05 21:11 - 2016-04-05 21:17 - 00000000 ____D C:\Users\Jerik\Desktop\FILES USB
2016-04-05 20:51 - 2016-04-07 03:19 - 00008192 _____ C:\Windows\SysWOW64\WDPABKP.dat
2016-04-05 19:14 - 2016-04-07 03:26 - 00000000 ___HD C:\Users\Jerik\AppData\Roaming\mcgwg
2016-04-02 03:50 - 2016-04-02 03:50 - 00000000 ____D C:\Users\Jerik\Desktop\COUPLE AND CREATIVE
2016-04-02 03:33 - 2016-04-02 03:33 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2016-04-02 03:08 - 2016-04-02 03:08 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\NVIDIA
2016-04-02 02:08 - 2016-04-02 02:12 - 00000000 ____D C:\Program Files\Adobe
2016-04-02 02:08 - 2016-04-02 02:08 - 00001075 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS6 (64 Bit).lnk
2016-04-02 02:08 - 2016-04-02 02:08 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2016-04-02 02:07 - 2016-04-02 02:07 - 00001211 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS6.lnk
2016-04-02 02:05 - 2016-04-02 02:05 - 00001173 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6.lnk
2016-04-02 02:03 - 2016-04-02 02:03 - 00001523 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS6.lnk
2016-04-02 02:03 - 2016-04-02 02:03 - 00001357 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS6.lnk
2016-04-02 02:01 - 2016-04-02 02:08 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-04-02 02:01 - 2016-04-02 02:01 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-03-30 16:14 - 2016-03-30 16:14 - 00137031 _____ C:\Users\Jerik\Desktop\PUP Enrollment Payment Voucher.pdf
2016-03-30 11:13 - 2016-03-30 11:50 - 00519146 _____ C:\Users\Jerik\Desktop\Posadas, Justin Erik A..pdf
2016-03-24 14:51 - 2016-03-24 14:51 - 00142258 _____ C:\Users\Jerik\Desktop\JUSTIN POSADAS.rar
2016-03-24 14:48 - 2016-03-23 16:28 - 00285399 _____ C:\Users\Jerik\Desktop\JUSTIN POSADAS.mp4
2016-03-17 19:44 - 2016-03-17 19:45 - 00000000 ____D C:\Users\Jerik\Desktop\laws
2016-03-16 23:21 - 2016-03-16 23:21 - 00000000 ____D C:\Users\Jerik\Desktop\SAFETY PDF
2016-03-15 23:34 - 2016-03-18 07:28 - 00000000 ____D C:\Users\Jerik\Desktop\WTF
2016-03-14 23:25 - 2013-04-30 07:06 - 02920449 _____ C:\Users\Jerik\Desktop\How To Solve Word Problems In Calculus - Don&Don.pdf
2016-03-14 23:25 - 2012-09-11 09:08 - 63641304 _____ C:\Users\Jerik\Desktop\Calculator Trick.pdf
2016-03-14 22:55 - 2016-03-16 00:49 - 00000000 ____D C:\Users\Jerik\Desktop\REVIEWERS
2016-03-14 17:49 - 2016-03-14 17:49 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\Macromedia
2016-03-14 15:00 - 2016-03-14 15:00 - 00000000 ____D C:\Users\Jerik\.thumbnails
2016-03-14 14:52 - 2016-03-14 14:58 - 00000000 ____D C:\Users\Jerik\Desktop\ZENFONE BACK UP
2016-03-14 14:52 - 2016-03-14 14:52 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Blender
2016-03-14 14:52 - 2016-03-14 14:52 - 00000000 ____D C:\Program Files\Blender Foundation
2016-03-14 14:49 - 2016-03-14 15:56 - 00000000 ____D C:\Users\Jerik\Desktop\BLENDER
2016-03-14 14:47 - 2016-03-14 14:48 - 00000000 ____D C:\Users\Jerik\Desktop\CONTACTS IMPORTANTMATTERS
2016-03-14 14:45 - 2016-03-14 14:48 - 00000000 ____D C:\Users\Jerik\Desktop\TRABAHO
2016-03-14 14:45 - 2016-03-14 14:47 - 00000000 ____D C:\Users\Jerik\Desktop\ERIN'S FOLDER
2016-03-14 14:42 - 2016-03-14 14:48 - 00000000 ____D C:\Users\Jerik\Desktop\Resumes CV
2016-03-14 14:42 - 2016-03-14 14:42 - 00000000 ____D C:\Users\Jerik\Desktop\LOSS ID AFFIDAVIT
2016-03-14 14:40 - 2016-03-14 14:42 - 00000000 ____D C:\Users\Jerik\Desktop\USB
2016-03-14 14:39 - 2016-03-14 17:46 - 00000000 ____D C:\Users\Jerik\Desktop\Reads March
2016-03-12 17:03 - 2016-03-12 17:03 - 00000000 ____D C:\Users\Jerik\Desktop\Grad Pic
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-07 03:41 - 2015-05-06 00:47 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\uTorrent
2016-04-07 03:32 - 2015-09-13 23:02 - 00000000 ____D C:\AdwCleaner
2016-04-07 03:27 - 2009-07-14 12:45 - 00020688 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-07 03:27 - 2009-07-14 12:45 - 00020688 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-07 03:22 - 2015-07-24 00:08 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\Spotify
2016-04-07 03:20 - 2016-01-19 20:09 - 00000000 ____D C:\Users\Jerik\AppData\Local\Spotify
2016-04-07 03:19 - 2015-12-02 00:02 - 00000000 ____D C:\Users\Jerik\AppData\LocalLow\uTorrent
2016-04-07 03:19 - 2015-07-04 23:23 - 00000000 ____D C:\ProgramData\ASUS Smart Gesture
2016-04-07 03:18 - 2015-05-05 23:19 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-07 03:17 - 2015-05-05 22:23 - 00000828 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2016-04-07 03:16 - 2009-07-14 13:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-07 02:35 - 2015-09-14 08:12 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-07 02:35 - 2015-09-14 08:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-07 02:35 - 2015-09-14 08:12 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-07 02:12 - 2015-05-05 23:19 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-07 02:03 - 2009-07-14 13:13 - 00779724 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-07 02:03 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\inf
2016-04-07 01:47 - 2009-07-14 11:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-04-07 01:32 - 2015-05-06 21:58 - 00000000 ____D C:\ProgramData\Package Cache
2016-04-07 01:28 - 2009-07-14 11:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2016-04-06 15:52 - 2015-05-06 22:56 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\vlc
2016-04-06 13:56 - 2016-02-23 22:27 - 00000000 ___SD C:\Users\Jerik\AppData\LocalLow\Temp
2016-04-06 12:22 - 2015-05-05 22:23 - 00000830 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2016-04-05 21:31 - 2015-09-12 02:02 - 00000000 ____D C:\Users\Jerik\Desktop\FILES
2016-04-05 19:22 - 2015-05-06 01:27 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-04-05 19:19 - 2009-07-14 12:45 - 05134136 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-02 03:33 - 2015-05-06 21:23 - 00000000 ____D C:\Users\Jerik\AppData\Roaming\Adobe
2016-04-02 03:33 - 2015-05-06 21:23 - 00000000 ____D C:\Users\Jerik\AppData\Local\Adobe
2016-04-02 03:07 - 2015-05-05 23:07 - 00143552 _____ C:\Users\Jerik\AppData\Local\GDIPFONTCACHEV1.DAT
2016-04-02 02:12 - 2015-07-03 02:15 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-04-02 02:08 - 2015-05-05 22:42 - 00000000 ____D C:\ProgramData\Adobe
2016-03-31 10:07 - 2015-05-05 23:32 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-30 11:46 - 2015-06-08 20:37 - 00000000 ____D C:\Users\Jerik\Desktop\june
2016-03-29 01:25 - 2016-01-20 02:03 - 00000000 ____D C:\Users\Jerik\Desktop\OJT
2016-03-15 00:00 - 2016-02-24 00:25 - 00000000 ____D C:\Users\Jerik\Desktop\PDFs
2016-03-14 15:00 - 2015-07-16 11:51 - 00000000 ____D C:\Users\Jerik\Desktop\installers
2016-03-14 15:00 - 2015-05-05 22:12 - 00000000 ____D C:\Users\Jerik
2016-03-14 14:59 - 2015-05-25 00:03 - 00000000 ____D C:\Users\Jerik\Desktop\notes
2016-03-14 14:58 - 2015-06-07 10:19 - 00000000 ____D C:\Users\Jerik\Desktop\ERIN
2016-03-14 14:57 - 2015-08-03 14:27 - 00000000 ____D C:\Users\Jerik\Desktop\July
2016-03-14 14:56 - 2015-11-07 00:49 - 00000000 ____D C:\Users\Jerik\Desktop\1st sem
2016-03-14 14:45 - 2015-10-20 00:30 - 00000000 ____D C:\Users\Jerik\Desktop\NEONIZER FOLDER
2016-03-14 14:43 - 2016-02-23 23:10 - 00000000 ____D C:\Users\Jerik\Desktop\5th year 2nd sem
2016-03-11 18:43 - 2015-07-03 02:15 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-03-10 14:09 - 2015-09-14 08:12 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-10 14:08 - 2015-09-14 08:12 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-10 14:08 - 2015-09-14 08:12 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
 
==================== Files in the root of some directories =======
 
2015-10-11 17:27 - 2016-02-08 13:47 - 0003926 _____ () C:\Users\Jerik\AppData\Roaming\LTspiceIV.ini
2016-01-22 11:02 - 2016-01-22 11:02 - 0000000 _____ () C:\Users\Jerik\AppData\Local\{4216D87C-5188-4407-BAC0-38C7BFCCDC45}
2016-01-19 04:59 - 2016-01-19 04:59 - 0000000 _____ () C:\Users\Jerik\AppData\Local\{B6B69F29-2537-40D4-84B4-9CD63110FB26}
2015-07-10 20:46 - 2015-07-10 21:05 - 0000094 _____ () C:\ProgramData\CameraRecorder.ini
2015-09-10 22:18 - 2015-09-10 22:18 - 0000153 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
2009-07-14 07:31 - 2009-07-14 09:14 - 92182784 ___SH () C:\ProgramData\msvquu.exe
 
Files to move or delete:
====================
C:\ProgramData\msvquu.exe
 
 
Some files in TEMP:
====================
C:\Users\Jerik\AppData\Local\Temp\cdo1759710846.dll
C:\Users\Jerik\AppData\Local\Temp\libeay32.dll
C:\Users\Jerik\AppData\Local\Temp\msvcr120.dll
C:\Users\Jerik\AppData\Local\Temp\PCLinkSetup.exe
C:\Users\Jerik\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-03-29 02:11
 
==================== End of FRST.txt ============================
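Reading a listing like the one above by eye is slow, and the one entry FRST itself put under "Files to move or delete" (the hidden, system-attributed msvquu.exe in C:\ProgramData) is easy to miss among hundreds of lines. As an added example, not part of this thread and not a feature of FRST, the following Python script parses FRST's file lines and flags executables that carry hidden or system attributes in user-writable directories, or whose timestamps predate the user profile. The sample lines are a constructed subset of the listing above, and the profile creation time is an assumption read off the C:\Users\Jerik entry in the same listing (2015-05-05 22:12).

```python
import re
from datetime import datetime

# Constructed sample: six lines copied in the shape of the FRST
# "One Month Modified files" and "Files in the root of some directories"
# listings quoted above (not the whole log).
SAMPLE_FRST = r"""
2016-04-07 03:27 - 2009-07-14 12:45 - 00020688 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-07 02:35 - 2015-09-14 08:12 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-07 01:47 - 2009-07-14 11:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-04-06 13:56 - 2016-02-23 22:27 - 00000000 ___SD C:\Users\Jerik\AppData\LocalLow\Temp
2015-10-11 17:27 - 2016-02-08 13:47 - 0003926 _____ () C:\Users\Jerik\AppData\Roaming\LTspiceIV.ini
2009-07-14 07:31 - 2009-07-14 09:14 - 92182784 ___SH () C:\ProgramData\msvquu.exe
"""

# Assumption: creation time of the user profile, taken from the
# "C:\Users\Jerik" entry in the FRST listing (2015-05-05 22:12). Files
# outside C:\Windows whose timestamps predate it deserve a second look.
PROFILE_CREATED = datetime(2015, 5, 5, 22, 12)

# One FRST file line: <timestamp> - <timestamp> - <size> <attrs> [(publisher)] <path>
LINE_RE = re.compile(
    r"^(?P<ts_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".sys", ".js", ".vbs", ".bat")


def parse_frst(text):
    """Return one dict per line that matches FRST's file-listing format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        # FRST prints the two timestamps in a different order per section,
        # so keep both and let the caller take the earlier one.
        e["ts_a"] = datetime.strptime(e["ts_a"], "%Y-%m-%d %H:%M")
        e["ts_b"] = datetime.strptime(e["ts_b"], "%Y-%m-%d %H:%M")
        entries.append(e)
    return entries


def in_user_writable_dir(path):
    p = path.lower()
    return p.startswith(("c:\\programdata\\", "c:\\users\\")) or "\\temp\\" in p


def triage(text, profile_created):
    """Flag executables that look out of place; returns [(path, [reasons])]."""
    findings = []
    for e in parse_frst(text):
        attrs, path = e["attrs"], e["path"]
        if "D" in attrs:                       # directories are out of scope
            continue
        if not path.lower().endswith(EXECUTABLE_EXT):
            continue
        reasons = []
        # A hidden (H) or system (S) attribute on an executable in a directory
        # any user can write to is unusual for legitimate software.
        if ("H" in attrs or "S" in attrs) and in_user_writable_dir(path):
            reasons.append("hidden/system executable in a user-writable directory")
        # Timestamps older than the profile itself, outside C:\Windows, hint
        # at timestomping (heuristic: the OS's own files legitimately carry
        # 2009-07-14 dates in this log, so C:\Windows is excluded).
        if (min(e["ts_a"], e["ts_b"]) < profile_created
                and not path.lower().startswith("c:\\windows\\")):
            reasons.append("timestamps predate the user profile (possible timestomping)")
        if reasons:
            findings.append((path, reasons))
    return findings


def triage_sample():
    """Run the triage over the constructed sample with the assumed profile date."""
    return triage(SAMPLE_FRST, PROFILE_CREATED)


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample only msvquu.exe is reported, for both reasons; the Windows system files with 2009 dates and the Malwarebytes driver pass. The heuristics are deliberately narrow, so a clean result from this script is not a clean bill of health, only a shorter list to read first.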


 


 


#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 06 April 2016 - 07:48 PM

Hello jerik47 and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here

Thanks / Regards

 

Please do the following,

Boot to Safemode with Networking

To Enter Safemode

  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode
 
next....

  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.

1. rkill.exe

2. rkill.com

3. rkill.scr

4. WiNlOgOn.exe

5. uSeRiNiT.exe

 
next....

 

Scan with Zemana AntiMalware Free:

  • Turn off the real time scanner of any existing antivirus and firewall programs while performing scan
  • Please download and install Zemana AntiMalware Free
  • Double-click software shortcut on the desktop and follow the prompts to install the program .
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''
  • Auto Launch > Untick the box next
  • Scan type > Smart scan (Default)
  • Close all open files, folders and browsers
  • Click scan now ''Run as Administrator'' and a threat Scan will begin.
  • When the scan is complete, press Report and send me the report.

next....
 
Scan with Malwarebytes Antimalware

  • Please update the database by clicking on the "Update Now" button.
  • Following the update, click "Settings" and go to "Detection and Protection"
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard, then click on Scan Now to start the scan.
  • If Malware or Potentially Unwanted Programs ''PUPs'' are found, you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on "View Detailed Log".
  • After viewing the results, please click on the "Copy to Clipboard" button and then OK.
  • Return to our forum. Paste your log into your next reply.

Please restart now into normal mode.

 

ComboFix run:

Please be sure to run our tools with administrator rights.

* IMPORTANT: 1   Place ComboFix.exe on your Desktop

* IMPORTANT: 2   Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix Save to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Have a nice day.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 jerik47

jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 07 April 2016 - 09:37 AM

Hi again! Thanks for your quick reply. Really appreciate it.

Here is the Rkill log:

 

 

 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 04/07/2016 10:07:52 PM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 04/07/2016 10:09:47 PM
Execution time: 0 hours(s), 1 minute(s), and 54 seconds(s)



Edited by jerik47, 07 April 2016 - 09:39 AM.


#4 jerik47

jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 07 April 2016 - 10:17 AM

Can't launch Zemana. A prompt message appears saying it can't be launched in safe mode.

Skipped Zemana and scanned with Malwarebytes.


Here's the log:
 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/7/2016
Scan Time: 10:35 PM
Logfile: Malwarebytes.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.04.07.03
Rootkit Database: v2016.04.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jerik
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 428535
Time Elapsed: 33 min, 19 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
Worm.Gamarue, C:\Users\Jerik\Desktop\FILES\guCWs2KY2KUq4MisAW4oEa8gAmOwQm4qCu8Mi8ucm0MCoE.saCWAKAike8MWcu8QmCgu0KgqEGcakeKywQCIk, , [c8377734e2b79f9729dd110a31d18e72], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)




Here's the XML file:






<?xml version="1.0" encoding="UTF-8" ?>
<logs>
   <record severity="debug" scantype="threat" LoggingEventType="6" starttime="2016-04-06T23:44:07+08:00" datetime="2016-04-07T00:05:53.225844+08:00" source="Manual" type="Scan" username="SYSTEM" systemname="CIPHER47" last_modified_tag="e8a60097-cb4f-4f77-8394-41a6f73acd8a" duration="1305" malwaredetections="0" nonmalwaredetections="0" scanresult="completed"></record>
   <record severity="debug" LoggingEventType="4" datetime="2016-04-07T00:08:09.475526+08:00" source="Protection" type="Error" username="SYSTEM" systemname="CIPHER47" code="13" last_modified_tag="d024ff25-1241-4585-8473-dfc0815887cc" message="IsLicensed"></record>
   <record severity="debug" LoggingEventType="2" datetime="2016-04-07T00:08:09.491126+08:00" source="Protection" type="Protection" username="SYSTEM" systemname="CIPHER47" last_modified_tag="7518c714-f0e4-4303-b968-51134a675cd4" result="Stopping" subtype="Malware Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2016-04-07T00:08:09.506726+08:00" source="Protection" type="Protection" username="SYSTEM" systemname="CIPHER47" last_modified_tag="690c1ce3-edb7-48c1-9cca-83903d955b4b" result="Stopped" subtype="Malware Protection"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T02:35:45.374144+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" code="Unable to access update server" last_modified_tag="d926d14f-0c8f-495d-93ba-bdfba605f28f" message="Failed"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T02:35:50.553956+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" code="Unable to access update server" last_modified_tag="eec9026c-3ff5-4642-ae7f-94f4ad2c6a3f" message="Failed"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T22:15:58.223687+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" fromVersion="2016.2.12.1" last_modified_tag="4af4827d-f544-4419-87d6-d64bd7242291" name="Remediation Database" toVersion="2016.4.5.1"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T22:16:00.133692+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" fromVersion="2016.2.8.1" last_modified_tag="97933b21-5685-4ef2-ac8b-7e87143aaa42" name="Rootkit Database" toVersion="2016.4.3.1"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T22:16:04.932315+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" fromVersion="2016.2.8.1" last_modified_tag="71fd207f-67bb-4670-aec0-9943b5fdc57e" name="IP Database" toVersion="2016.4.4.1"></record>
   <record severity="debug" LoggingEventType="4" datetime="2016-04-07T22:16:36.799046+08:00" source="Manual" type="Error" username="SYSTEM" systemname="CIPHER47" last_modified_tag="3cec8f12-2cc7-4e71-820a-98b8e43922e9" code="0" message=""></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T22:16:36.799046+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" fromVersion="2016.2.16.6" last_modified_tag="742a05bc-c9cb-43a2-b6e3-2c5987006948" name="Malware Database" toVersion="2016.4.7.3" code="Unable to access update server" message="Failed"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T22:18:53.632484+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" fromVersion="2016.2.16.8" last_modified_tag="bb5561cc-5fc3-4645-a9f6-46dbfc525711" name="Domain Database" toVersion="2016.4.7.4"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T22:19:16.414641+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" fromVersion="2016.2.16.6" last_modified_tag="1ad5c3b7-ace0-41ef-a920-379215376b65" name="Malware Database" toVersion="2016.4.7.3"></record>
   <record severity="debug" nonmalwaredetections="0" LoggingEventType="6" scanresult="canceled" datetime="2016-04-07T22:34:56.570812+08:00" scantype="threat" source="Manual" starttime="2016-04-07T22:22:03+08:00" type="Scan" username="SYSTEM" systemname="CIPHER47" last_modified_tag="65fb70c8-dd6e-41b0-ad04-ef7028badddf" duration="772" malwaredetections="0"></record>
   <record severity="debug" nonmalwaredetections="0" LoggingEventType="6" scanresult="completed" datetime="2016-04-07T23:09:46.188945+08:00" scantype="threat" source="Manual" starttime="2016-04-07T22:35:16+08:00" type="Scan" username="SYSTEM" systemname="CIPHER47" last_modified_tag="430efc93-e3f7-400e-a5de-569a2ec5a0ec" duration="1999" malwaredetections="2"></record>
</logs>
 





 

 


Edited by jerik47, 07 April 2016 - 10:19 AM.
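The XML log above is easier to read once its records are grouped by type: it mixes scan results with database-update attempts. As an added example, not from this thread and not part of Malwarebytes, the following Python script summarizes the scans and the update successes and failures; the embedded XML is a constructed subset (five of the records quoted above, same attribute layout) so that it runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed subset of the Malwarebytes XML log quoted above: five of its
# records with the same attribute layout, embedded so the script runs offline.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<logs>
   <record severity="debug" scantype="threat" LoggingEventType="6" starttime="2016-04-06T23:44:07+08:00" datetime="2016-04-07T00:05:53.225844+08:00" source="Manual" type="Scan" username="SYSTEM" systemname="CIPHER47" duration="1305" malwaredetections="0" nonmalwaredetections="0" scanresult="completed"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T02:35:45.374144+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" code="Unable to access update server" message="Failed"></record>
   <record severity="debug" LoggingEventType="1" datetime="2016-04-07T22:19:16.414641+08:00" source="Manual" type="Update" username="SYSTEM" systemname="CIPHER47" fromVersion="2016.2.16.6" name="Malware Database" toVersion="2016.4.7.3"></record>
   <record severity="debug" nonmalwaredetections="0" LoggingEventType="6" scanresult="canceled" datetime="2016-04-07T22:34:56.570812+08:00" scantype="threat" source="Manual" starttime="2016-04-07T22:22:03+08:00" type="Scan" username="SYSTEM" systemname="CIPHER47" duration="772" malwaredetections="0"></record>
   <record severity="debug" nonmalwaredetections="0" LoggingEventType="6" scanresult="completed" datetime="2016-04-07T23:09:46.188945+08:00" scantype="threat" source="Manual" starttime="2016-04-07T22:35:16+08:00" type="Scan" username="SYSTEM" systemname="CIPHER47" duration="1999" malwaredetections="2"></record>
</logs>
"""


def summarize(xml_text):
    """Group the records by type: scans (with results) and update attempts."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    scans = []
    updates = {"ok": [], "failed": []}
    for rec in root.iter("record"):
        kind = rec.get("type")
        if kind == "Scan":
            scans.append({
                "start": rec.get("starttime"),
                "result": rec.get("scanresult"),
                "duration_s": int(rec.get("duration", "0")),
                "malware": int(rec.get("malwaredetections", "0")),
                "non_malware": int(rec.get("nonmalwaredetections", "0")),
            })
        elif kind == "Update":
            # A failed update carries message="Failed" and the reason in code=;
            # a successful one names the database and its new version.
            bucket = "failed" if rec.get("message") == "Failed" else "ok"
            updates[bucket].append(rec.get("name") or rec.get("code") or "?")
    return {"scans": scans, "updates": updates}


def completed_detections(summary):
    """Malware detections summed over scans that actually ran to completion."""
    return sum(s["malware"] for s in summary["scans"] if s["result"] == "completed")


def report(xml_text):
    """Render the summary as plain text, one line per scan plus update totals."""
    s = summarize(xml_text)
    lines = []
    for sc in s["scans"]:
        lines.append(f"scan {sc['start']}  {sc['result']:<9} {sc['duration_s']:>5}s  "
                     f"malware={sc['malware']} other={sc['non_malware']}")
    lines.append(f"updates ok={len(s['updates']['ok'])} failed={len(s['updates']['failed'])}")
    lines.append(f"detections in completed scans: {completed_detections(s)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_XML))
```

Run over the full log, this separates the three scans (the first, started 2016-04-06 23:44, found nothing; the 22:22 one was canceled; the 22:35 one completed with malwaredetections="2") from the update attempts, three of which failed with "Unable to access update server" before the databases were finally brought up from their February versions. Note that the text log for the same 22:35 scan lists one file under "Files: 1" while the XML counter says 2; when the two disagree, the detailed text log is the one to post.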


#5 jerik47

jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 07 April 2016 - 11:38 AM

Ran Zemana in normal mode. Cannot run ComboFix in normal mode. Will run it in safe mode.

Zemana Log

 

Zemana AntiMalware 2.20.2.100 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/4/8
Operating System       : Windows 7 64-bit
Processor              : 4X Intel® Core™ i5-3210M CPU @ 2.50GHz
BIOS Mode              : Legacy
CUID                   : 0097B0FAD8544D41F364E8
Scan Type              : Smart Scan
Duration               : 33m 54s
Scanned Objects        : 69032
Detected Objects       : 4
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : ON
Detect All Extensions  : OFF
Scan Documents         : OFF
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
EaseUS Android Universal Adb Driver
Status             : Scanned
Object             : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AB140CB5F43296FB25233C5B371895A020464C94\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AB140CB5F43296FB25233C5B371895A020464C94\Blob
 
xf-autocad-kg_x64.exe
Status             : Scanned
Object             : %userprofile%\desktop\usb\usb march 4\new folder\ \files\papeles\crack\xf-autocad-kg_x64.exe
MD5                : C915C717919F5B28F5E343FDA16A84F6
Publisher          : -
Size               : 1867776
Version            : -
Detection          : PUA:Win32/SoftCrack.Gen
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\desktop\usb\usb march 4\new folder\ \files\papeles\crack\xf-autocad-kg_x64.exe
 
SaveFromNetHelper-Web-bee752632c.exe
Status             : Scanned
Object             : %userprofile%\desktop\installers\savefromnethelper-web-bee752632c.exe
MD5                : 30370882F39A50E05075DB2EF770D5C2
Publisher          : Magicbit, Inc
Size               : 789368
Version            : -
Detection          : Adware:Win32/YTD!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\desktop\installers\savefromnethelper-web-bee752632c.exe
 
FYTD_Setup_2.exe
Status             : Scanned
Object             : %userprofile%\desktop\installers\fytd_setup_2.exe
MD5                : 185A935D6E4A26863844DE1FACDADBB0
Publisher          : Bonjoy Software
Size               : 1180672
Version            : 4.0.0.0
Detection          : Adware:Win32/OpenCandy
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\desktop\installers\fytd_setup_2.exe
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 3
Reported as safe      : 1
Failed                : 0


Still no significant findings?



Edited by jerik47, 07 April 2016 - 11:40 AM.


#6 jerik47

jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 07 April 2016 - 12:13 PM

ComboFix log:

 

ComboFix 16-04-06.01 - Jerik 04/08/2016   0:52.1.4 - x64 NETWORK
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8089.7147 [GMT 8:00]
Running from: c:\users\Jerik\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\programdata\msvquu.exe
c:\programdata\Roaming
c:\users\Jerik\AppData\Local\Microsoft\Windows\Temporary Internet Files\{0E58A5B4-5594-4418-B1E1-BA3F11A064D6}.xps
.
.
(((((((((((((((((((((((((   Files Created from 2016-03-07 to 2016-04-07  )))))))))))))))))))))))))))))))
.
.
2016-04-07 16:59 . 2016-04-07 16:59 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2016-04-07 16:59 . 2016-04-07 16:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-04-07 15:29 . 2016-04-07 15:29 202144 ----a-w- c:\windows\system32\drivers\zam64.sys
2016-04-07 15:29 . 2016-04-07 15:29 202144 ----a-w- c:\windows\system32\drivers\zamguard64.sys
2016-04-07 15:29 . 2016-04-07 15:29 -------- d-----w- c:\program files (x86)\Zemana AntiMalware
2016-04-07 14:10 . 2016-04-07 14:10 -------- d-----w- c:\users\Jerik\AppData\Local\Zemana
2016-04-06 19:44 . 2016-04-06 19:46 -------- d-----w- C:\FRST
2016-04-06 19:27 . 2016-04-06 19:27 -------- d-----w- c:\program files (x86)\USBDriveFresher
2016-04-06 18:33 . 2016-04-07 15:26 -------- d-----w- c:\programdata\MCShield
2016-04-06 18:33 . 2016-04-06 18:33 -------- d-----w- c:\program files (x86)\MCShield
2016-04-06 17:49 . 2016-04-06 17:53 -------- d-----w- c:\program files\Registry Workshop
2016-04-06 17:37 . 2016-04-06 17:37 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{379ABA26-2393-4253-AE5F-48E855419D80}\offreg.6192.dll
2016-04-06 17:01 . 2016-04-06 17:01 -------- d-----w- c:\windows\system32\appmgmt
2016-04-05 11:14 . 2016-04-07 16:20 -------- d--h--w- c:\users\Jerik\AppData\Roaming\mcgwg
2016-04-01 19:33 . 2016-04-01 19:33 -------- d-----w- c:\users\Jerik\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2016-04-01 19:08 . 2016-04-01 19:08 -------- d-----w- c:\users\Jerik\AppData\Roaming\NVIDIA
2016-04-01 18:08 . 2016-04-01 18:08 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2016-04-01 18:08 . 2016-04-01 18:12 -------- d-----w- c:\program files\Adobe
2016-04-01 18:01 . 2016-04-01 18:01 -------- d-----w- c:\windows\SysWow64\Macromed
2016-04-01 18:01 . 2016-04-01 18:08 -------- d-----w- c:\program files\Common Files\Adobe
2016-03-25 12:24 . 2016-03-25 12:24 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{379ABA26-2393-4253-AE5F-48E855419D80}\offreg.8220.dll
2016-03-14 07:00 . 2016-03-14 07:00 -------- d-----w- c:\users\Jerik\.thumbnails
2016-03-14 06:52 . 2016-03-14 06:52 -------- d-----w- c:\program files\Blender Foundation
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-07 14:19 . 2015-09-14 00:12 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-03-10 06:09 . 2015-09-14 00:12 64896 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-03-10 06:08 . 2015-09-14 00:12 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-03-10 06:08 . 2015-09-14 00:12 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-03-03 20:47 . 2016-03-03 20:47 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{379ABA26-2393-4253-AE5F-48E855419D80}\offreg.6104.dll
2016-02-24 05:41 . 2016-02-24 05:41 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{379ABA26-2393-4253-AE5F-48E855419D80}\offreg.6988.dll
2016-02-16 20:58 . 2016-02-16 20:58 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{379ABA26-2393-4253-AE5F-48E855419D80}\offreg.7524.dll
2016-01-25 20:40 . 2016-01-25 20:40 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{379ABA26-2393-4253-AE5F-48E855419D80}\offreg.7660.dll
2016-01-17 08:10 . 2016-01-17 08:10 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{379ABA26-2393-4253-AE5F-48E855419D80}\offreg.7956.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive1]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2015-07-09 08:15 1605832 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive2]
@="{5AB7172C-9C11-405C-8DD5-AF20F3606282}"
[HKEY_CLASSES_ROOT\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
2015-07-09 08:15 1605832 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive3]
@="{A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
[HKEY_CLASSES_ROOT\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
2015-07-09 08:15 1605832 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive4]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2015-07-09 08:15 1605832 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive5]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2015-07-09 08:15 1605832 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2015-07-14 04:57 1729752 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2015-07-14 04:57 1729752 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2015-07-14 04:57 1729752 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\users\Jerik\AppData\Roaming\uTorrent\uTorrent.exe" [2016-04-06 1959424]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2015-08-19 8455960]
"PCLink"="c:\program files (x86)\ASUS\PC Link\PCLink.exe" [2015-10-29 640272]
"Spotify Web Helper"="c:\users\Jerik\AppData\Roaming\Spotify\SpotifyWebHelper.exe" [2016-04-07 1524336]
"Spotify"="c:\users\Jerik\AppData\Roaming\Spotify\Spotify.exe" [2016-04-07 6891120]
"MCShield Monitor"="c:\program files (x86)\MCShield\mcshieldrtm.exe" [2014-04-11 650816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2012-02-29 56088]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-26 291608]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" [2011-08-29 1517056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-11-06 6111312]
"WD Drive Unlocker"="c:\program files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe" [2014-10-23 1694048]
"DriveUtilitiesHelper"="c:\program files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe" [2014-05-23 1852264]
"WD Quick View"="c:\program files (x86)\Western Digital\WD Quick View\WDDMStatus.exe" [2015-07-20 5564784]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
.
c:\users\Jerik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
atajo.lnk - c:\users\Jerik\AppData\Roaming\mcgwg\apetn64.exe "c:\users\Jerik\AppData\Roaming\mcgwg\kkdaybr.js" [2016-4-7 168960]
OneDrive for Business.lnk - c:\program files (x86)\Microsoft Office\Office15\GROOVE.EXE /RunFolderSync /TrayOnly [2015-7-14 8736448]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NI Error Reporting.lnk - c:\program files (x86)\National Instruments\Shared\NI Error Reporting\nierserver.exe [2013-6-7 663896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
R0 aswRvrt;avast! Revert; [x]
R0 aswVmm;avast! VM Monitor; [x]
R0 fhew;fhew;c:\windows\System32\drivers\evgw.sys;c:\windows\SYSNATIVE\drivers\evgw.sys [x]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
R1 ZAM;ZAM Helper Driver;c:\windows\System32\drivers\zam64.sys;c:\windows\SYSNATIVE\drivers\zam64.sys [x]
R1 ZAM_Guard;ZAM Guard Driver;c:\windows\System32\drivers\zamguard64.sys;c:\windows\SYSNATIVE\drivers\zamguard64.sys [x]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
R2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [x]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
R2 Micro Star SCM;Micro Star SCM;c:\windows\SysWOW64\MSIService.exe;c:\windows\SysWOW64\MSIService.exe [x]
R2 NIApplicationWebServer;NI Application Web Server;c:\program files (x86)\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe;c:\program files (x86)\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [x]
R2 nimDNSResponder;NI mDNS Responder Service;c:\program files (x86)\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe;c:\program files (x86)\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [x]
R2 NISystemWebServer;NI System Web Server;c:\program files (x86)\National Instruments\Shared\NI WebServer\SystemWebServer.exe;c:\program files (x86)\National Instruments\Shared\NI WebServer\SystemWebServer.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 STCServ;Intel® Common Connectivity Framework;c:\program files\Intel\STCServ\STCServ.exe;c:\program files\Intel\STCServ\STCServ.exe [x]
R2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R2 VBoxAswDrv;VBoxAsw Support Driver;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [x]
R2 WDBackup;WD Backup;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [x]
R2 WDDriveService;WD Drive Manager;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [x]
R2 ZAMSvc;ZAM Controller Service;c:\program files (x86)\Zemana AntiMalware\ZAM.exe;c:\program files (x86)\Zemana AntiMalware\ZAM.exe [x]
R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys;c:\windows\SYSNATIVE\DRIVERS\AMPPAL.sys [x]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys;c:\windows\SYSNATIVE\DRIVERS\amppal.sys [x]
R3 AvastVBoxSvc;AvastVBox COM Service;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.5;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 NIApplicationWebServer64;NI Application Web Server (64-bit);c:\program files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe;c:\program files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 ngvss;ngvss; [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S3 AsusVBus;AsusVBus;c:\windows\system32\DRIVERS\AsusVBus.sys;c:\windows\SYSNATIVE\DRIVERS\AsusVBus.sys [x]
S3 ATP;ASUS Touchpad;c:\windows\system32\DRIVERS\AsusTP.sys;c:\windows\SYSNATIVE\DRIVERS\AsusTP.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NGVSS
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2015-12-18 15:42 286904 ----a-w- c:\program files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2016-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-05-05 15:19]
.
2016-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-05-05 15:19]
.
2016-04-07 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 05:41]
.
2016-04-07 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 05:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive1]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2015-07-09 08:15 1645256 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive2]
@="{5AB7172C-9C11-405C-8DD5-AF20F3606282}"
[HKEY_CLASSES_ROOT\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
2015-07-09 08:15 1645256 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive3]
@="{A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
[HKEY_CLASSES_ROOT\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
2015-07-09 08:15 1645256 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive4]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2015-07-09 08:15 1645256 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive5]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2015-07-09 08:15 1645256 ----a-w- c:\users\Jerik\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2015-07-14 05:03 2335960 ----a-w- c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2015-07-14 05:03 2335960 ----a-w- c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2015-07-14 05:03 2335960 ----a-w- c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-09-12 17:04 778056 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-30 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-30 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-30 439064]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-03-27 12459112]
"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2010-09-14 25600]
"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]
"IntelConnectCenter"="c:\program files\Intel\ConnectCenter\bin\ICCLauncher.exe" [2015-03-16 90112]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-03 446392]
"ZAM"="c:\program files (x86)\Zemana AntiMalware\ZAM.exe" [2016-03-25 12832496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office15\ONBttnIE.dll/105
Trusted Zone: sharepoint.com\pupedu
Trusted Zone: sharepoint.com\pupedu-my
TCP: DhcpNameServer = 192.168.8.1 192.168.8.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Jerik\AppData\Roaming\Mozilla\Firefox\Profiles\1slj3k2h.default\
FF - prefs.js: browser.startup.homepage - google.com
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-04-08  01:01:45
ComboFix-quarantined-files.txt  2016-04-07 17:01
.
Pre-Run: 89,404,686,336 bytes free
Post-Run: 89,863,966,720 bytes free
.
- - End Of File - - D4252D9A85519A0B2732EC98CAB4DD6F
 


#7 olgun52
  • Malware Response Team
  • 3,784 posts

Posted 07 April 2016 - 04:07 PM

Hello,

 

Uninstall: Free YouTube Downloader
 ======================================
How to see hidden files in Windows:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/#winxp
 =======================
Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
c:\windows\System32\drivers\evgw.sys
c:\users\Jerik\AppData\Roaming\mcgwg\apetn64.exe
c:\users\Jerik\AppData\Roaming\mcgwg\kkdaybr.js
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
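The three paths olgun52 asks for are exactly the ones a responder would pull out of the ComboFix log first: a Startup-folder shortcut launching a renamed executable from %AppData% with a .js argument, and a Run value that is a bare script host. The following is an added example for this thread, not code from the original post or from ComboFix, FRST or VirusTotal. It parses the two ComboFix line formats seen in the log above (SAMPLE_LOG is copied from that log), applies three triage rules that are this example's own (target under a user-writable directory, a script file passed as an argument, a script host with no script path recorded), and computes the SHA-256 that VirusTotal reports are keyed on, so a file it has already seen can be looked up by hash rather than re-uploaded.

```python
"""Autostart triage over a ComboFix log excerpt, plus the SHA-256 a VirusTotal
report is keyed on.

Added example for this thread, not code from the original post or from ComboFix,
FRST or VirusTotal. SAMPLE_LOG is copied from the log pasted above; the triage
rules (user-writable path, script passed as argument, bare script host) are this
example's own heuristics, not a ComboFix feature.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Startup-folder entries:  atajo.lnk - c:\...\apetn64.exe "c:\...\kkdaybr.js" [2016-4-7 168960]
LNK_LINE = re.compile(r'^(?P<name>\S.*?\.lnk) - (?P<cmd>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# Run values:              "IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

USER_WRITABLE = re.compile(
    r'\\(appdata|programdata|temp)\\|\\users\\[^\\]+\\(downloads|desktop)\\', re.IGNORECASE)
SCRIPT_EXT = re.compile(r'\.(js|jse|vbs|vbe|wsf|hta|ps1)\b', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}


@dataclass
class Finding:
    source: str          # "startup" (Startup folder .lnk) or "run" (HKLM\...\Run value)
    name: str
    command: str
    reasons: list = field(default_factory=list)


def triage_autostarts(log_text: str) -> list:
    """Return the autostart entries worth hashing and uploading first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m, source = LNK_LINE.match(line), "startup"
        if not m:
            m, source = RUN_LINE.match(line), "run"
        if not m:
            continue
        cmd = m.group("cmd")
        tokens = cmd.split()
        first = tokens[0].strip('"') if tokens else ""
        exe = first.lower().rsplit("\\", 1)[-1]
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("target in user-writable directory")
        if SCRIPT_EXT.search(cmd):
            reasons.append("script file passed as argument")
        # The log line shows only the executable for a Run value; when that is a
        # bare script host, the script it launches must be read from the registry.
        if exe in SCRIPT_HOSTS and "\\" not in first:
            reasons.append(f"bare {exe} with no script path recorded")
        if reasons:
            findings.append(Finding(source, m.group("name"), cmd, reasons))
    return findings


def sha256_hex(data: bytes) -> str:
    """Hash a file's bytes; VirusTotal keys its reports on this value, so a file
    it has already seen can be looked up without re-uploading it."""
    return hashlib.sha256(data).hexdigest()


# Copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
c:\users\Jerik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
atajo.lnk - c:\users\Jerik\AppData\Roaming\mcgwg\apetn64.exe "c:\users\Jerik\AppData\Roaming\mcgwg\kkdaybr.js" [2016-4-7 168960]
OneDrive for Business.lnk - c:\program files (x86)\Microsoft Office\Office15\GROOVE.EXE /RunFolderSync /TrayOnly [2015-7-14 8736448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-30 170264]
"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]
"ZAM"="c:\program files (x86)\Zemana AntiMalware\ZAM.exe" [2016-03-25 12832496]
"""

if __name__ == "__main__":
    for f in triage_autostarts(SAMPLE_LOG):
        print(f"[{f.source}] {f.name}: {f.command}\n    -> {'; '.join(f.reasons)}")
```

Run against the excerpt, only atajo.lnk and IntelTBRunOnce are reported; the OneDrive, Intel graphics and Zemana entries pass all three rules. To hash a real file before uploading, read it in binary mode and pass the bytes to sha256_hex, then compare the digest with the one in the VirusTotal URL.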

 


 


#8 jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 08 April 2016 - 08:49 AM

Hi! Thank you again for your reply!

Can't find c:\windows\System32\drivers\evgw.sys

c:\users\Jerik\AppData\Roaming\mcgwg\apetn64.exe - https://www.virustotal.com/en/file/d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f/analysis/1460121921/

c:\users\Jerik\AppData\Roaming\mcgwg\kkdaybr.js -
https://www.virustotal.com/en/file/d732915817c42dba85f4a5fe4ef9877a0adc35ee472faddf65c311439fc2e22f/analysis/1460122962/

Have a good day!



#9 jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 08 April 2016 - 09:28 AM

Hi again! I was curious and scanned a couple of suspicious files in my external drive. Maybe it could be of help in solving my problem. Here are the links. Thank you! :)

https://www.virustotal.com/en/file/2f16d97f5cf1fc734f5a24e25c8a55cfb51cc3b928a0d545310c461a57df8e0c/analysis/1460124081/
https://www.virustotal.com/en/file/d732915817c42dba85f4a5fe4ef9877a0adc35ee472faddf65c311439fc2e22f/analysis/1460124591/



#10 olgun52
  • Malware Response Team
  • 3,784 posts

Posted 09 April 2016 - 03:42 PM

Hi again! I was curious and scanned a couple of suspicious files in my external drive. Maybe it could be of help in solving my problem. Here are the links. Thank you! :)

https://www.virustotal.com/en/file/2f16d97f5cf1fc734f5a24e25c8a55cfb51cc3b928a0d545310c461a57df8e0c/analysis/1460124081/
https://www.virustotal.com/en/file/d732915817c42dba85f4a5fe4ef9877a0adc35ee472faddf65c311439fc2e22f/analysis/1460124591/

Thank you. But I do not see them in the report. Can you send me the address?

===============================================================================

EmsisoftEmergencyKit scan:

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

===================================================

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

=======================================================================

Please run Farbar Service Scanner.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Edited by olgun52, 09 April 2016 - 03:49 PM.

Best regards
 
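The MiniToolBox "List content of Hosts" step prints the hosts file so the helper can see whether anything has been added to it. What a responder looks for in that output is shown by the following added example, which is not part of the thread or of MiniToolBox. SAMPLE_HOSTS is constructed for the example (the thread does not show this machine's hosts file) and WATCHED_SUFFIXES is an illustrative list of security and update domains that malware commonly blocks; both are assumptions. The rule is simple: a loopback or 0.0.0.0 target for a watched domain is a block, and any other target for any name, apart from the localhost lines Windows ships, is a redirect to treat as hostile until proven otherwise.

```python
"""Hosts-file triage for the 'List content of Hosts' step above.

Added example for this thread, not code from the original post or from
MiniToolBox. SAMPLE_HOSTS is constructed for the example (the thread does not
show this machine's hosts file); WATCHED_SUFFIXES is an illustrative list of
security and update domains that malware commonly blocks or redirects.
"""
import ipaddress

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
# Assumed watch-list for the example; extend it with the vendors you rely on.
WATCHED_SUFFIXES = (
    "virustotal.com", "bleepingcomputer.com", "emsisoft.com", "avast.com",
    "eset.com", "malwarebytes.com", "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue   # malformed line; the resolver will not use it either
        for host in hosts:
            yield lineno, ip, host.lower()


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def triage_hosts(text):
    """Flag mappings that hijack traffic ("redirect") or sinkhole security
    sites ("blocked"). Plain ad-block style entries pointing unwatched names
    at loopback are left alone."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        sinkhole = ip in LOOPBACK or ip.is_unspecified
        if host == "localhost" and sinkhole:
            continue   # the two lines a stock Windows hosts file may carry
        if not sinkhole:
            findings.append({"line": lineno, "host": host, "ip": str(ip), "verdict": "redirect"})
        elif _watched(host):
            findings.append({"line": lineno, "host": host, "ip": str(ip), "verdict": "blocked"})
    return findings


# Constructed sample: the stock header, the two localhost lines, then three
# malicious entries (203.0.113.10 is a documentation address) and one ad-block entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.virustotal.com
127.0.0.1       update.emsisoft.com
203.0.113.10    www.google.com
127.0.0.1       ads.example.net
"""

if __name__ == "__main__":
    for f in triage_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['verdict']})")
```

On Windows 7 the file lives at C:\Windows\System32\drivers\etc\hosts; feed its contents to triage_hosts and anything reported as a redirect deserves the same VirusTotal treatment as the autostart entries, because whatever wrote it is still on the machine.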

 


 


#11 jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 10 April 2016 - 09:03 AM

Hello! What address are you pertaining to? I have slow internet connection right now. I'll try to download it tomorrow. Thank you!



#12 jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 13 April 2016 - 01:40 AM

Hi! I'm very sorry. Still have bad internet connection. I'll get back to you later. Thank you!



#13 jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 13 April 2016 - 12:14 PM

EmsisoftEmergencyKit scan


Emsisoft Emergency Kit, MiniToolBox, and Farbar Service Scanner results. Please see attached. Thank you very much for your patience and help! Godspeed!




#14 jerik47
  • Topic Starter
  • Members
  • 13 posts

Posted 13 April 2016 - 12:38 PM

Some additions:

I tried to scan again

Attached File: emisoft2 scan_160414-012155.txt (1.24KB)
Attached File: virus folder.jpg (147.89KB)
Attached File: virus folder2.jpg (113.01KB)
 



#15 olgun52
  • Malware Response Team
  • 3,784 posts

Posted 13 April 2016 - 04:38 PM

I understand.

 

Step 1:
 FRST Script:
 Please download the attached Fixlist.txt (4.01KB) and save it in the same directory as FRST

  • Close any open browsers or any other programs that are open
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan then  Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:

Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click the option shown in the screenshot.
  • Then press the "Repair" button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

Step 5:

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

=========================================================================

How is the machine running now and any issues ? Please let me know.

 


Best regards
 

 


 




