Something Is Possibly Filling up Laptop Hard Drive


  • This topic is locked
14 replies to this topic

#1 Without_A_Monitor


Posted 13 May 2016 - 05:44 AM

I noticed my laptop's total amount of free gigabytes changed the other day, although I've seen it happen before. During those past instances, it usually happened after I deleted large amounts of data/cleared space via CCleaner. I am highly questioning the decrease in gigabytes this time because I did not run CCleaner or perform the same aforesaid action. Maybe it's just my laptop malfunctioning. It is somewhat old and runs on Vista (64-bit). With that said, I would be immensely appreciative of any help in determining this matter.

I should note that I scanned with ESET, MBAM and EAM. All three programs found nothing. It is possible that I am just being paranoid, my laptop not working correctly, a combination of the aforementioned alternatives and so on.


Below is the FRST log from yesterday.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-05-2016
Ran by El Diego (administrator) on EL_DIEGO (12-05-2016 16:59:56)
Running from C:\Users\El Diego\Downloads\bastion
Loaded Profiles: El Diego (Available Profiles: El Diego)
Platform: Windows Vista ™ Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Realtek Semiconductor) C:\Windows\RTKAUDIOSERVICE.EXE
(Emsisoft Ltd) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\ehome\ehrecvr.exe
(Microsoft Corporation) C:\Windows\ehome\ehsched.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(InterVideo) C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbae\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbae\Malwarebytes Anti-Exploit\mbae64.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel Corporation) C:\Program Files\Sony\VAIO Care\collsvc.exe
(ArcSoft, Inc.) C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio64.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(Intel Corporation) C:\Program Files\Sony\VAIO Care\listener.exe
(Intel Corporation) C:\Program Files\Sony\VAIO Care\listener.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
(Sony Electronics, Inc.) C:\Program Files\Sony\VAIO Care\VCsystray.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(AWS Convergence Technologies, Inc.) C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
(Ruiware LLC) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApMsgFwd.exe
(Sony Corporation) C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbae\Malwarebytes Anti-Exploit\mbae.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Emsisoft Ltd) C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe
(Sysinternals - www.sysinternals.com) C:\Users\El Diego\Downloads\bastion\ProcessExplorer\procexp.exe
(Sysinternals - www.sysinternals.com) C:\Users\El Diego\AppData\Local\Temp\procexp64.exe
(Sysinternals - www.sysinternals.com) C:\Users\El Diego\Downloads\bastion\TCPViewer\Tcpview.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\RacAgent.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6453760 2008-10-17] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [152576 2008-07-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5595848 2015-07-08] (ESET)
HKLM-x32\...\Run: [ISBMgr.exe] => C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [317280 2008-04-04] (Sony Corporation)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-01-21] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [453736 2013-02-19] (CANON INC.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbae\Malwarebytes Anti-Exploit\mbae.exe [2623456 2016-04-15] (Malwarebytes Corporation)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [emsisoft anti-malware] => c:\program files (x86)\emsisoft anti-malware\a2guard.exe [5836888 2015-09-30] (Emsisoft Ltd)
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.js <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.js <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.js <====== ATTENTION
Winlogon\Notify\!SASWinLogon: C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL [2010-03-02] (SUPERAntiSpyware.com)
Winlogon\Notify\igfxcui:
HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\...\Run: [Weather] => C:\Program Files (x86)\AWS\WeatherBug\Weather.exe [1347584 2009-01-30] (AWS Convergence Technologies, Inc.)
HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1154112 2014-07-20] (Ruiware LLC)
HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Aurora.scr [1391616 2006-11-02] (Microsoft Corporation)
ShellExecuteHooks-x32: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL [77824 2008-05-13] (SuperAdBlocker.com)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{03C25B0F-131B-42A2-A571-E9CB34374AFD}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{670074EA-CE4D-4E4E-A712-4D39ECDF5F74}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aol.com/?src=aim
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1786916353-3864107569-3064167919-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SNYR_en
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg64.dll [2011-04-26] (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll [2011-04-26] (Google Inc.)
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default
FF DefaultSearchEngine.US: Google
FF SelectedSearchEngine: Firefox Add-ons
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-08] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-08] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2012-08-08] ()
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @veetle.com/vbp;version=0.9.17 -> C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll [2010-03-22] (Veetle Inc)
FF Plugin-x32: @veetle.com/veetleCorePlugin,version=0.9.17 -> C:\Program Files (x86)\Veetle\plugins\npVeetle.dll [2010-03-17] (Veetle Inc)
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.17 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll [2010-03-22] (Veetle Inc)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2011-10-06] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2011-10-06] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2011-10-06] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2011-10-06] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2011-10-06] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll [2011-10-06] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll [2011-10-06] (Apple Inc.)
FF SearchPlugin: C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\searchplugins\firefox-add-ons.xml [2011-11-10]
FF Extension: WOT - C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-12-09]
FF Extension: QuickWiki - C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\extensions\{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}.xpi [2016-04-27]
FF Extension: HTTPS-Everywhere - C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\extensions\https-everywhere@eff.org [2016-05-11]
FF Extension: Ghostery - C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\Extensions\firefox@ghostery.com.xpi [2016-05-04]
FF Extension: TVU Web Player - C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\Extensions\firefox@tvunetworks.com [2010-05-29] [not signed]
FF Extension: Microsoft .NET Framework Assistant - C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011-07-05] [not signed]
FF Extension: Adblock Plus - C:\Users\El Diego\AppData\Roaming\Mozilla\Firefox\Profiles\z7ozoluc.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-07-05] [not signed]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Profile: C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-31]
CHR Extension: (Google Docs) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-31]
CHR Extension: (Google Drive) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-24]
CHR Extension: (YouTube) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Adblock Plus) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-10]
CHR Extension: (Google Search) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-02]
CHR Extension: (Google Sheets) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-31]
CHR Extension: (Google Docs Offline) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (ScriptSafe) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiigbmnaadbkfbmpbfijlflahbdbdgdf [2016-02-26]
CHR Extension: (Gmail) - C:\Users\El Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [7084784 2015-09-30] (Emsisoft Ltd)
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1353720 2015-07-08] (ESET)
S4 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [1449984 2008-08-20] (Intel® Corporation) [File not signed]
R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [4383952 2016-04-27] (SurfRight B.V.)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbae\Malwarebytes Anti-Exploit\mbae-svc.exe [742368 2016-04-15] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MSCSPTISRV; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [53248 2008-05-20] (Sony Corporation) [File not signed]
S3 PACSPTISVR; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [53248 2008-05-20] (Sony Corporation) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-06-06] ()
S4 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [24576 2008-09-11] (Intuit) [File not signed]
S4 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2008-08-09] (Intuit Inc.) [File not signed]
R2 RegSrvc; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [826368 2008-08-20] (Intel® Corporation) [File not signed]
R2 RtkAudioService; C:\Windows\RtkAudioService.exe [134656 2008-10-17] (Realtek Semiconductor) [File not signed]
R2 SampleCollector; C:\Program Files\Sony\VAIO Care\collsvc.exe [167424 2008-09-29] (Intel Corporation) [File not signed]
S3 SOHCImp; C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe [103712 2008-10-21] (Sony Corporation)
S3 SOHDms; C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe [353568 2008-10-21] (Sony Corporation)
S3 SOHDs; C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe [62752 2008-10-21] (Sony Corporation)
S3 SPTISRV; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\SPTISRV.exe [77824 2008-05-20] (Sony Corporation) [File not signed]
R2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
S3 VAIO Entertainment TV Device Arbitration Service; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe [73728 2008-09-08] (Sony Corporation) [File not signed]
S4 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [446464 2008-09-03] (Sony Corporation) [File not signed]
S3 Vcsw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [279848 2008-09-08] (Sony Corporation)
S4 VzCdbSvc; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [192512 2008-09-08] (Sony Corporation) [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
R3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2008-04-24] (ArcSoft, Inc.)
S1 Beep; no ImagePath
S1 DMICall; C:\Windows\SysWOW64\DRIVERS\DMICall.sys [10216 2008-08-22] (Sony Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [255240 2015-07-13] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [251632 2015-07-13] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [178520 2015-07-13] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [168208 2015-07-13] (ESET)
R1 epp64; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\epp64.sys [138504 2015-09-30] (Emsisoft GmbH)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbae\Malwarebytes Anti-Exploit\mbae64.sys [66080 2016-04-15] ()
R3 hmpalert; C:\Windows\system32\drivers\hmpalert.sys [177040 2016-04-27] (SurfRight B.V.)
R3 hmpnet; C:\Windows\system32\drivers\hmpnet.sys [84520 2016-04-27] (SurfRight B.V.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
S2 MxlW2k; C:\Windows\SysWow64\Drivers\MxlW2k.sys [27924 2016-02-19] (MusicMatch, Inc.)
R2 risdptsk; C:\Windows\System32\DRIVERS\risdsn64.sys [76288 2008-10-22] (REDC)
S1 SASDIFSV; C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS [12872 2010-03-02] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SASENUM; C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS [12872 2010-03-02] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys [67656 2011-05-31] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 tizeqdrv; C:\Users\El Diego\AppData\Roaming\TZAC2\tizeq64.sys [171704 2012-07-17] ()

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-12 16:58 - 2016-05-12 16:58 - 04203840 _____ C:\Users\El Diego\Downloads\npp.6.9.1.Installer.exe
2016-05-11 14:21 - 2016-05-11 14:21 - 00016384 _____ C:\Windows\SysWOW64\دT
2016-05-11 00:20 - 2016-05-11 00:20 - 01292424 _____ (Ruiware) C:\Users\El Diego\Downloads\wpsetup new.exe
2016-05-08 13:25 - 2016-05-08 13:25 - 00016384 _____ C:\Windows\SysWOW64\دe
2016-05-07 00:20 - 2016-05-07 17:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-05-05 17:01 - 2016-05-05 17:01 - 00016384 _____ C:\Windows\SysWOW64\د_
2016-05-04 23:50 - 2016-05-04 23:50 - 00016384 _____ C:\Windows\SysWOW64\د$
2016-04-28 18:25 - 2016-04-28 18:25 - 00016384 _____ C:\Windows\SysWOW64\دD
2016-04-26 21:25 - 2016-04-26 21:25 - 00016384 _____ C:\Windows\SysWOW64\دK
2016-04-23 15:53 - 2016-04-23 15:53 - 00016384 _____ C:\Windows\SysWOW64\دV
2016-04-20 16:50 - 2016-04-20 16:50 - 00016384 _____ C:\Windows\SysWOW64\دN
2016-04-17 17:30 - 2016-04-17 17:30 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\El Diego\Desktop\rkill.exe
2016-04-16 14:29 - 2016-03-21 19:00 - 01589168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-04-16 14:29 - 2016-03-21 19:00 - 01171488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-04-16 14:29 - 2016-03-18 14:15 - 01915392 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-04-16 14:29 - 2016-03-18 14:14 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-04-16 14:29 - 2016-03-18 13:10 - 01316864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-04-16 14:29 - 2016-03-18 13:10 - 00861696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-04-16 14:27 - 2016-03-18 12:44 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-04-16 14:27 - 2016-03-18 11:32 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-04-16 14:26 - 2016-03-29 17:48 - 02800640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-04-16 14:24 - 2016-03-18 14:15 - 00660480 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2016-04-16 14:24 - 2016-03-18 14:15 - 00258048 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-04-16 14:24 - 2016-03-18 14:15 - 00099328 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2016-04-16 14:24 - 2016-03-18 14:15 - 00094720 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-04-16 14:24 - 2016-03-18 14:14 - 01689600 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-04-16 14:24 - 2016-03-18 13:10 - 00206336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-04-16 14:24 - 2016-03-18 13:10 - 00077312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-04-16 14:24 - 2016-03-18 13:10 - 00057344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2016-04-16 14:24 - 2016-03-04 12:52 - 01253376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2016-04-16 14:24 - 2016-03-04 12:40 - 01875968 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2016-04-16 14:18 - 2016-03-24 17:17 - 18804736 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-04-16 14:18 - 2016-03-24 17:14 - 02351616 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-04-16 14:18 - 2016-03-24 17:09 - 10938880 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-04-16 14:18 - 2016-03-24 17:09 - 00448512 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-04-16 14:18 - 2016-03-24 17:08 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-04-16 14:18 - 2016-03-24 17:08 - 01389056 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-04-16 14:18 - 2016-03-24 17:07 - 02159104 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-04-16 14:18 - 2016-03-24 17:07 - 00816128 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00728576 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00579584 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00173568 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-04-16 14:18 - 2016-03-24 17:07 - 00096256 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-04-16 14:18 - 2016-03-24 17:07 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-04-16 14:18 - 2016-03-24 17:07 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-04-16 14:18 - 2016-03-24 16:40 - 01815552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-04-16 14:18 - 2016-03-24 16:38 - 12841472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-04-16 14:18 - 2016-03-24 16:36 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-04-16 14:18 - 2016-03-24 16:35 - 09753600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-04-16 14:18 - 2016-03-24 16:35 - 01140224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-04-16 14:18 - 2016-03-24 16:34 - 01129984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-04-16 14:18 - 2016-03-24 16:33 - 01804800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-04-16 14:18 - 2016-03-24 16:33 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-04-16 14:18 - 2016-03-24 16:33 - 00718848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-04-16 14:18 - 2016-03-24 16:33 - 00424960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-04-16 14:18 - 2016-03-24 16:33 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2016-04-16 14:18 - 2016-03-24 16:33 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-04-16 14:18 - 2016-03-24 16:33 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-04-16 14:18 - 2016-03-24 16:32 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-04-16 14:18 - 2016-03-24 16:32 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-04-16 14:18 - 2016-03-24 16:32 - 00354304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-04-16 14:18 - 2016-03-24 16:32 - 00223744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-04-16 14:18 - 2016-03-24 16:32 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-04-16 14:18 - 2016-03-24 16:32 - 00072704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-04-16 14:18 - 2016-03-24 16:32 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2016-04-16 14:18 - 2016-03-24 16:32 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2016-04-16 14:18 - 2016-03-24 16:32 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2016-04-15 20:22 - 2016-04-15 20:22 - 00016384 _____ C:\Windows\SysWOW64\دR
2016-04-15 19:15 - 2016-04-15 19:15 - 00016384 _____ C:\Windows\SysWOW64\دP
2016-04-13 12:19 - 2016-04-13 12:19 - 00016384 _____ C:\Windows\SysWOW64\د�

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-12 16:59 - 2014-07-10 13:51 - 00000000 ____D C:\FRST
2016-05-12 16:59 - 2014-07-07 22:13 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2016-05-12 16:59 - 2013-11-24 23:39 - 00000000 ____D C:\Users\El Diego\Downloads\bastion
2016-05-12 16:52 - 2014-07-09 01:00 - 00000000 ____D C:\Users\El Diego\AppData\Local\CrashDumps
2016-05-12 16:52 - 2012-04-30 17:38 - 00000000 ____D C:\Windows\Minidump
2016-05-12 16:49 - 2010-02-24 04:22 - 155575494 _____ C:\Windows\ntbtlog.txt
2016-05-12 16:46 - 2010-03-01 22:06 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-12 16:45 - 2006-11-02 11:07 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-05-12 16:44 - 2015-05-06 02:14 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
2016-05-12 16:44 - 2006-11-02 11:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-12 16:44 - 2006-11-02 11:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-12 16:44 - 2006-11-02 11:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-12 16:06 - 2008-10-30 22:17 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-05-12 16:06 - 2006-11-02 11:42 - 00032554 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-05-12 15:26 - 2014-02-17 16:30 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-12 03:09 - 2014-07-03 22:20 - 00000000 ____D C:\Users\El Diego\AppData\Roaming\Skype
2016-05-12 03:00 - 2014-08-10 19:45 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-05-12 00:57 - 2006-11-02 09:33 - 00000000 ____D C:\Windows\inf
2016-05-12 00:57 - 2006-11-02 08:46 - 00703516 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-12 00:56 - 2010-02-24 00:56 - 00202008 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2016-05-12 00:56 - 2010-02-24 00:56 - 00202008 _____ C:\Windows\SysWOW64\PnkBstrB.ex0
2016-05-11 14:34 - 2012-10-17 02:14 - 00001020 _____ C:\Users\El Diego\Documents\names.txt
2016-05-10 23:59 - 2010-03-01 22:06 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-09 14:25 - 2010-02-24 00:34 - 00000000 ___RD C:\Users\El Diego\Documents\my documents
2016-05-09 14:16 - 2014-01-03 18:20 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2016-05-09 14:16 - 2011-07-04 21:30 - 00000000 ___HD C:\ProgramData\TEMP
2016-05-07 22:32 - 2012-04-25 06:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-05-05 19:08 - 2013-10-30 16:36 - 00000000 ____D C:\ProgramData\CanonIJPLM
2016-05-05 17:33 - 2011-08-25 16:00 - 00003134 _____ C:\Users\El Diego\Documents\tu info.txt
2016-05-05 17:04 - 2014-05-08 17:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2016-05-04 19:07 - 2014-09-27 02:27 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-05-04 19:07 - 2010-02-24 01:14 - 00000000 ____D C:\ProgramData\Skype
2016-04-27 22:13 - 2010-02-24 01:13 - 00000000 ___HD C:\Users\El Diego\AppData\Local\WeatherBug
2016-04-27 21:54 - 2015-05-06 02:14 - 00000000 ____D C:\Program Files (x86)\HitmanPro.Alert
2016-04-27 17:06 - 2015-05-06 02:14 - 00848592 _____ (SurfRight B.V.) C:\Windows\system32\hmpalert.dll
2016-04-27 17:06 - 2015-05-06 02:14 - 00767696 _____ (SurfRight B.V.) C:\Windows\SysWOW64\hmpalert.dll
2016-04-27 17:06 - 2015-05-06 02:14 - 00177040 _____ (SurfRight B.V.) C:\Windows\system32\Drivers\hmpalert.sys
2016-04-27 17:06 - 2015-05-06 02:14 - 00084520 _____ (SurfRight B.V.) C:\Windows\system32\Drivers\hmpnet.sys
2016-04-26 19:10 - 2013-10-07 14:55 - 00000000 ____D C:\Users\El Diego\Documents\grad school
2016-04-26 18:36 - 2015-07-18 01:27 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-04-16 17:31 - 2006-11-02 09:33 - 00000000 ____D C:\Windows\rescache
2016-04-16 15:34 - 2006-11-02 11:21 - 00332920 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-16 15:29 - 2006-11-02 11:07 - 00000000 ____D C:\Windows\SysWOW64\XPSViewer
2016-04-16 14:57 - 2013-11-25 01:08 - 00000000 ____D C:\Windows\system32\MRT
2016-04-16 14:32 - 2006-11-02 08:35 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-04-15 15:55 - 2011-06-22 01:59 - 00001356 _____ C:\Users\El Diego\AppData\Local\d3d9caps.dat

==================== Files in the root of some directories =======

2000-11-15 17:34 - 2000-11-15 17:34 - 0053248 _____ (RamPage Software.) C:\Program Files (x86)\ASCIIStudio.exe
2000-07-16 14:08 - 2000-07-16 14:08 - 0000012 ____H () C:\Program Files (x86)\name.dat
2000-11-15 21:15 - 2000-11-15 21:15 - 0011227 ____H () C:\Program Files (x86)\nms-help.html
2000-11-15 22:20 - 2010-02-24 02:22 - 0000033 _____ () C:\Program Files (x86)\nms.ini
2000-11-14 19:16 - 2000-11-14 19:16 - 0004186 ____H () C:\Program Files (x86)\nms.txt
2010-02-24 02:20 - 2010-02-24 02:20 - 0004822 ____H () C:\Program Files (x86)\ST6UNST.LOG
2014-06-19 14:14 - 2014-06-19 14:14 - 0000024 _____ () C:\Users\El Diego\AppData\Roaming\temp.ini
2011-05-31 23:48 - 2011-05-31 23:48 - 0000052 ____H () C:\Users\El Diego\AppData\Roaming\wklnhst.dat
2011-06-26 04:19 - 2011-06-26 04:52 - 0013604 ___SH () C:\Users\El Diego\AppData\Local\56f7srnue42q7hf4qx
2011-12-18 18:27 - 2011-12-18 18:47 - 0010118 ___SH () C:\Users\El Diego\AppData\Local\5o48ru8o10a702
2012-03-19 01:15 - 2012-03-19 01:15 - 0000552 _____ () C:\Users\El Diego\AppData\Local\d3d8caps.dat
2011-06-22 01:59 - 2016-04-15 15:55 - 0001356 _____ () C:\Users\El Diego\AppData\Local\d3d9caps.dat
2011-07-04 23:37 - 2014-03-26 17:32 - 0000732 _____ () C:\Users\El Diego\AppData\Local\d3d9caps64.dat
2010-06-27 22:40 - 2015-08-24 18:30 - 0159232 _____ () C:\Users\El Diego\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-02-24 01:37 - 2010-02-24 01:37 - 0420244 ____H () C:\Users\El Diego\AppData\Local\dd_vcredistMSI1085.txt
2011-12-17 17:17 - 2011-12-17 17:17 - 0001824 _____ () C:\Users\El Diego\AppData\Local\dd_vcredistMSI1DA8.txt
2010-02-24 01:37 - 2010-02-24 01:37 - 0014174 ____H () C:\Users\El Diego\AppData\Local\dd_vcredistUI1085.txt
2011-12-17 17:17 - 2011-12-17 17:17 - 0011432 _____ () C:\Users\El Diego\AppData\Local\dd_vcredistUI1DA8.txt
2011-12-17 17:17 - 2011-12-17 17:17 - 0010630 _____ () C:\Users\El Diego\AppData\Local\dd_vcredistUI1DA9.txt
2011-12-20 04:02 - 2011-12-20 04:12 - 0006562 ___SH () C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r
2011-10-22 06:02 - 2011-10-22 06:02 - 0000000 _____ () C:\Users\El Diego\AppData\Local\{044CE9BA-B5AF-4A74-BB72-E284A7F13294}
2015-05-02 00:44 - 2015-05-02 00:44 - 0000000 _____ () C:\Users\El Diego\AppData\Local\{C426F210-E191-4CE1-B966-BD6488C8DE82}
2011-06-26 04:19 - 2011-06-26 04:52 - 0013604 ___SH () C:\ProgramData\56f7srnue42q7hf4qx
2011-12-18 18:27 - 2011-12-18 18:47 - 0010118 ___SH () C:\ProgramData\5o48ru8o10a702
2011-12-20 04:02 - 2011-12-20 04:12 - 0006562 ___SH () C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r

Some files in TEMP:
====================
C:\Users\El Diego\AppData\Local\Temp\procexp64.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-12 16:55

==================== End of FRST.txt ============================

Edited by Without_A_Monitor, 13 May 2016 - 05:50 AM.


#2 Jo*
  • Malware Response Team
  • 3,427 posts
  • Gender:Male
  • Location:Germany

Posted 14 May 2016 - 12:16 PM

Welcome to BleepingComputer.

Hi there,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


:step1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


:step2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on the downloaded file and click OK at the self-extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

***


:step4: Copy FRST / FRST64.exe to your desktop!

Log on to all your user accounts now - without restarting!

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt




Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:

File: C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r
File: C:\ProgramData\5o48ru8o10a702
File: C:\ProgramData\56f7srnue42q7hf4qx
File: C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r
File: C:\Windows\SysWOW64\د
File: C:\Windows\SysWOW64\دP
File: C:\Windows\SysWOW64\دR
File: C:\Windows\SysWOW64\دT
File: C:\Windows\SysWOW64\دe
File: C:\Windows\SysWOW64\د_
File: C:\Windows\SysWOW64\د$
File: C:\Windows\SysWOW64\دD
File: C:\Windows\SysWOW64\دK
File: C:\Windows\SysWOW64\دV
File: C:\Windows\SysWOW64\دN
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

Hosts:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST / FRST64 again like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
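The fix list above was assembled by hand from the FRST log: the entries with the System+Hidden attribute flags (___SH), no publisher, no extension and random-looking names under ProgramData and AppData. The following Python script is an added triage helper, not code from this thread's participants or from the FRST project. It parses the "Files in the root of some directories" section of an FRST log into fields, applies that same selection as a heuristic, and renders the hits in the fixlist layout used in this thread. The sample lines are copied from the FRST log posted earlier; the heuristic flags all six ___SH entries, including the two under AppData\Local that the hand-written list left out. The thresholds (minimum name length, mixed letters and digits, the directory test) are my assumptions and are a triage filter, not a malware verdict.

```python
import re
from collections import namedtuple

# Added triage helper (not from this thread or the FRST project): parse the
# "Files in the root of some directories" section of an FRST log and flag
# extension-less, random-looking, System+Hidden files in data directories.

Entry = namedtuple("Entry", "created modified size attrs company path")

# One FRST file line has the shape
#   <created> - <modified> - <size> <attrs> (<company>) <path>
# e.g. 2011-06-26 04:19 - 2011-06-26 04:52 - 0013604 ___SH () C:\ProgramData\56f7srnue42q7hf4qx
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>\S.*)$"
)

# Sample input: lines copied from the FRST log posted earlier in this thread.
SAMPLE_LOG = r"""
2014-06-19 14:14 - 2014-06-19 14:14 - 0000024 _____ () C:\Users\El Diego\AppData\Roaming\temp.ini
2011-05-31 23:48 - 2011-05-31 23:48 - 0000052 ____H () C:\Users\El Diego\AppData\Roaming\wklnhst.dat
2011-06-26 04:19 - 2011-06-26 04:52 - 0013604 ___SH () C:\Users\El Diego\AppData\Local\56f7srnue42q7hf4qx
2011-12-18 18:27 - 2011-12-18 18:47 - 0010118 ___SH () C:\Users\El Diego\AppData\Local\5o48ru8o10a702
2012-03-19 01:15 - 2012-03-19 01:15 - 0000552 _____ () C:\Users\El Diego\AppData\Local\d3d8caps.dat
2011-06-22 01:59 - 2016-04-15 15:55 - 0001356 _____ () C:\Users\El Diego\AppData\Local\d3d9caps.dat
2011-07-04 23:37 - 2014-03-26 17:32 - 0000732 _____ () C:\Users\El Diego\AppData\Local\d3d9caps64.dat
2010-06-27 22:40 - 2015-08-24 18:30 - 0159232 _____ () C:\Users\El Diego\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-02-24 01:37 - 2010-02-24 01:37 - 0420244 ____H () C:\Users\El Diego\AppData\Local\dd_vcredistMSI1085.txt
2011-12-17 17:17 - 2011-12-17 17:17 - 0001824 _____ () C:\Users\El Diego\AppData\Local\dd_vcredistMSI1DA8.txt
2010-02-24 01:37 - 2010-02-24 01:37 - 0014174 ____H () C:\Users\El Diego\AppData\Local\dd_vcredistUI1085.txt
2011-12-17 17:17 - 2011-12-17 17:17 - 0011432 _____ () C:\Users\El Diego\AppData\Local\dd_vcredistUI1DA8.txt
2011-12-17 17:17 - 2011-12-17 17:17 - 0010630 _____ () C:\Users\El Diego\AppData\Local\dd_vcredistUI1DA9.txt
2011-12-20 04:02 - 2011-12-20 04:12 - 0006562 ___SH () C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r
2011-10-22 06:02 - 2011-10-22 06:02 - 0000000 _____ () C:\Users\El Diego\AppData\Local\{044CE9BA-B5AF-4A74-BB72-E284A7F13294}
2015-05-02 00:44 - 2015-05-02 00:44 - 0000000 _____ () C:\Users\El Diego\AppData\Local\{C426F210-E191-4CE1-B966-BD6488C8DE82}
2011-06-26 04:19 - 2011-06-26 04:52 - 0013604 ___SH () C:\ProgramData\56f7srnue42q7hf4qx
2011-12-18 18:27 - 2011-12-18 18:47 - 0010118 ___SH () C:\ProgramData\5o48ru8o10a702
2011-12-20 04:02 - 2011-12-20 04:12 - 0006562 ___SH () C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r
"""


def parse_frst_lines(text):
    """Return an Entry for every line that matches the FRST file-listing format."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                                 m["attrs"], m["company"].strip(), m["path"]))
    return entries


def looks_random(name):
    """Assumed heuristic: an extension-less name of 8+ chars mixing letters and digits."""
    if "." in name or len(name) < 8:
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def is_suspicious(entry):
    """Triage filter matching the pattern the thread's fix list targeted."""
    name = entry.path.rsplit("\\", 1)[-1]
    in_data_dir = "\\ProgramData\\" in entry.path or "\\AppData\\" in entry.path
    return ("S" in entry.attrs and "H" in entry.attrs   # System + Hidden attributes
            and not entry.company                        # no publisher recorded
            and in_data_dir                              # user-writable data directory
            and looks_random(name))


def flag_suspicious(text):
    """Paths of all entries in the log text that pass the triage filter."""
    return [e.path for e in parse_frst_lines(text) if is_suspicious(e)]


def build_fixlist(paths):
    """Render the paths as an FRST fixlist.txt in the layout used in this thread."""
    return "Start\nCreateRestorePoint:\nCloseProcesses:\n\n" + "\n".join(paths) + "\n\nEnd\n"


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_LOG)
    print("Flagged %d of %d entries" % (len(hits), len(parse_frst_lines(SAMPLE_LOG))))
    print(build_fixlist(hits))
```

The attribute test and the directory test do the real work; the name test only keeps ordinary hidden files such as wklnhst.dat or the dd_vcredist logs out of the list. A hit is a candidate for a closer look (hashes, signatures, creation time against install history), which is the step the helper in this thread performed by eye before deciding what to move.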


#3 Without_A_Monitor
  • Topic Starter
  • Members
  • 339 posts
  • Gender:Male
  • Location:teh bleepinverse

Posted 14 May 2016 - 02:50 PM

If you speak German: thank you for the help, Jo. I speak a little German, but my German isn't so good anymore. I'm sorry. May I ask if you have identified a current infection on my computer yet? Before I posted my FRST log, I noticed some of the files that you inputted into the FRST fix list. I uploaded some of the syswow64 files to virustotal.com. The scans did not detect any malware; however, a file could still be malware or part of an infection, as you are more than aware.

Also, the latest version of adwcleaner does not open for me. I updated it to the latest version before I made this thread. After doing so, adwcleaner does not open. I attempt to open it, but there is no response. The older version opened and ran with no issues. With that said, should I move onto the FRST step and perform the fix list?

MBAR did not find anything. Below are the Security Check results. Additionally, I will wait for your reply on whether I should run any other program/utility before I execute the FRST fix list. I am much obliged for your help.




Results of screen317's Security Check version 1.014 --- 12/23/15
Windows Vista Service Pack 2 x64 (UAC is disabled!)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
ESET NOD32 Antivirus 8.0
Emsisoft Anti-Malware
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 5.4
SUPERAntiSpyware Free Edition
Adobe Flash Player 21.0.0.242
Adobe Reader XI
Mozilla Firefox (46.0.1)
Google Chrome (49.0.2623.110)
Google Chrome (49.0.2623.112)
````````Process Check: objlist.exe by Laurent````````
WinPatrol winpatrol.exe
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
Emsisoft Anti-Malware a2service.exe
Malwarebytes' Anti-Malware mbae Malwarebytes Anti-Exploit mbae.exe
Emsisoft Anti-Malware a2guard.exe
Malwarebytes' Anti-Malware mbae Malwarebytes Anti-Exploit mbae-svc.exe
Malwarebytes' Anti-Malware mbae Malwarebytes Anti-Exploit mbae64.exe
Ruiware WinPatrol WinPatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

Edited by Without_A_Monitor, 14 May 2016 - 03:02 PM.


#4 Jo*
  • Malware Response Team
  • 3,427 posts
  • Gender:Male
  • Location:Germany

Posted 14 May 2016 - 03:02 PM

Move on to the FRST step and perform the fix list, please.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 Without_A_Monitor
  • Topic Starter
  • Members
  • 339 posts
  • Gender:Male
  • Location:teh bleepinverse

Posted 14 May 2016 - 04:18 PM

Thanks for the prompt reply, Jo.

I performed the fixlist. Below is the text from the fixlog.

Fix result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by El Diego (2016-05-14 17:05:56) Run:2
Running from C:\Users\El Diego\Downloads\bastion
Loaded Profiles: El Diego (Available Profiles: El Diego)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:

File: C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r
File: C:\ProgramData\5o48ru8o10a702
File: C:\ProgramData\56f7srnue42q7hf4qx
File: C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r
File: C:\Windows\SysWOW64\?
File: C:\Windows\SysWOW64\?P
File: C:\Windows\SysWOW64\?R
File: C:\Windows\SysWOW64\?T
File: C:\Windows\SysWOW64\?e
File: C:\Windows\SysWOW64\?_
File: C:\Windows\SysWOW64\?$
File: C:\Windows\SysWOW64\?D
File: C:\Windows\SysWOW64\?K
File: C:\Windows\SysWOW64\?V
File: C:\Windows\SysWOW64\?N
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.

========================= File: C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r ========================

====== End of File: ======


========================= File: C:\ProgramData\5o48ru8o10a702 ========================

====== End of File: ======


========================= File: C:\ProgramData\56f7srnue42q7hf4qx ========================

====== End of File: ======


========================= File: C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\? ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?P ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?R ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?T ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?e ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?_ ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?$ ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?D ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?K ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?V ========================

====== End of File: ======


========================= File: C:\Windows\SysWOW64\?N ========================

====== End of File: ======

"C:\ProgramData\TEMP" => "AlternateDataStreams: C:\ProgramData\TEMP:5C321E34" ADS not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 1.1 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:08:22 ====



#6 Jo*
  • Malware Response Team
  • 3,427 posts
  • Gender:Male
  • Location:Germany

Posted 14 May 2016 - 04:30 PM

Hello,

:step1: Run Malwarebytes Anti-Rootkit again: right-click mbar.exe and select Run As Administrator.
  • Scan your system for malware.
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.



***


:step3: Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt





Start
CreateRestorePoint:
CloseProcesses:

C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r
C:\ProgramData\5o48ru8o10a702
C:\ProgramData\56f7srnue42q7hf4qx
C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r
C:\Windows\SysWOW64\د�
C:\Windows\SysWOW64\دP
C:\Windows\SysWOW64\دR
C:\Windows\SysWOW64\دT
C:\Windows\SysWOW64\دe
C:\Windows\SysWOW64\د_
C:\Windows\SysWOW64\د$
C:\Windows\SysWOW64\دD
C:\Windows\SysWOW64\دK
C:\Windows\SysWOW64\دV
C:\Windows\SysWOW64\دN

SearchScopes: HKU\S-1-5-21-1786916353-3864107569-3064167919-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SNYR_en
S1 Beep; no ImagePath

End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 Without_A_Monitor
  • Topic Starter
  • Members
  • 339 posts
  • Gender:Male
  • Location:teh bleepinverse

Posted 14 May 2016 - 06:01 PM

I thank you for your continued, great help, Jo.

I will note that the first fixlist deleted my recent documents list, my chrome history and other files/elements.

MBAR found nothing. Below are both the logs from JRT and the new fixlog.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows ™ Vista Home Premium x64
Ran by El Diego (Administrator) on Sat 05/14/2016 at 18:30:34.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 25

Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1CKCZHVC (Temporary Internet Files Folder)
Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\22O0N5CK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\79LFAWC6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\81AD2LOQ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CCAA53SS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYT60TTS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QC6HF9QF (Temporary Internet Files Folder)
Successfully deleted: C:\Users\El Diego\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YGUY45TO (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-1E261E10.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-42245C48.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-6B13DA93.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-7E960975.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-9A2C36E8.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-B6B7FF15.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-F3FEAF5C.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARMANAGER_A6282D74-E499780F.pf (File)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARMANAGER_F3B2E431-434BCC1B.pf (File)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1CKCZHVC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\22O0N5CK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\79LFAWC6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\81AD2LOQ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CCAA53SS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYT60TTS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QC6HF9QF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YGUY45TO (Temporary Internet Files Folder)



Registry: 2

Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 05/14/2016 at 18:41:01.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fix result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by El Diego (2016-05-14 18:50:27) Run:3
Running from C:\Users\El Diego\Downloads\bastion
Loaded Profiles: El Diego (Available Profiles: El Diego)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:

C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r
C:\ProgramData\5o48ru8o10a702
C:\ProgramData\56f7srnue42q7hf4qx
C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r
C:\Windows\SysWOW64\??
C:\Windows\SysWOW64\?P
C:\Windows\SysWOW64\?R
C:\Windows\SysWOW64\?T
C:\Windows\SysWOW64\?e
C:\Windows\SysWOW64\?_
C:\Windows\SysWOW64\?$
C:\Windows\SysWOW64\?D
C:\Windows\SysWOW64\?K
C:\Windows\SysWOW64\?V
C:\Windows\SysWOW64\?N

SearchScopes: HKU\S-1-5-21-1786916353-3864107569-3064167919-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SNYR_en
S1 Beep; no ImagePath

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\ProgramData\dludmg3l2bfw2rcw7feh0g832j1r => moved successfully
C:\ProgramData\5o48ru8o10a702 => moved successfully
C:\ProgramData\56f7srnue42q7hf4qx => moved successfully
C:\Users\El Diego\AppData\Local\dludmg3l2bfw2rcw7feh0g832j1r => moved successfully

=========== "C:\Windows\SysWOW64\??" ==========

C:\Windows\SysWOW64\د$ => moved successfully
C:\Windows\SysWOW64\دD => moved successfully
C:\Windows\SysWOW64\دe => moved successfully
C:\Windows\SysWOW64\دK => moved successfully
C:\Windows\SysWOW64\دN => moved successfully
C:\Windows\SysWOW64\دP => moved successfully
C:\Windows\SysWOW64\دR => moved successfully
C:\Windows\SysWOW64\دT => moved successfully
C:\Windows\SysWOW64\دV => moved successfully
C:\Windows\SysWOW64\د_ => moved successfully
C:\Windows\SysWOW64\د� => moved successfully

========= End -> "C:\Windows\SysWOW64\??" ========


=========== "C:\Windows\SysWOW64\?P" ==========

not found

========= End -> "C:\Windows\SysWOW64\?P" ========


=========== "C:\Windows\SysWOW64\?R" ==========

not found

========= End -> "C:\Windows\SysWOW64\?R" ========


=========== "C:\Windows\SysWOW64\?T" ==========

not found

========= End -> "C:\Windows\SysWOW64\?T" ========


=========== "C:\Windows\SysWOW64\?e" ==========

not found

========= End -> "C:\Windows\SysWOW64\?e" ========


=========== "C:\Windows\SysWOW64\?_" ==========

not found

========= End -> "C:\Windows\SysWOW64\?_" ========


=========== "C:\Windows\SysWOW64\?$" ==========

not found

========= End -> "C:\Windows\SysWOW64\?$" ========


=========== "C:\Windows\SysWOW64\?D" ==========

not found

========= End -> "C:\Windows\SysWOW64\?D" ========


=========== "C:\Windows\SysWOW64\?K" ==========

not found

========= End -> "C:\Windows\SysWOW64\?K" ========


=========== "C:\Windows\SysWOW64\?V" ==========

not found

========= End -> "C:\Windows\SysWOW64\?V" ========


=========== "C:\Windows\SysWOW64\?N" ==========

not found

========= End -> "C:\Windows\SysWOW64\?N" ========

"HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => key removed successfully
HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => key not found.
Beep => service removed successfully


The system needed a reboot.

==== End of Fixlog 18:50:41 ====



#8 Jo*
  • Malware Response Team
  • 3,427 posts
  • Gender:Male
  • Location:Germany

Posted 14 May 2016 - 06:17 PM

I will note that the first fixlist deleted my recent documents list, my chrome history and other files/elements.

The EmptyTemp: command deleted temp files and browser cache and history!

And to your other question:
Your logs show no malware!

---

We now will run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Then Enable your anti virus program(s).

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 Without_A_Monitor
  • Topic Starter
  • Members
  • 339 posts
  • Gender:Male
  • Location:teh bleepinverse

Posted 15 May 2016 - 01:41 PM

Yes, I probably should have asked about that before I executed the fixlist. I apologize for not doing so, but it's no big deal about the deletion of temp files and so forth.

Oh, that is terrific. Thank you very much for your continued help, taking the time to help and confirming that there is no malware.

I will most likely run combofix when I am home and able to be present for when I run it. If it is ok, may I ask why I should run combofix if the logs show no malware? I just ask because of how powerful combofix is and how problems can arise because of using it. I apologize for questioning your instructions. With that said, I will try to run it tomorrow. Thanks once again, Jo.



#10 Jo*
  • Malware Response Team
  • 3,427 posts
  • Gender:Male
  • Location:Germany

Posted 15 May 2016 - 02:53 PM

Sometimes Combofix or TDSSKiller detect things that other tools cannot find.

But no problem, as you do not like to run Combofix, we skip this step.

---

Please go on with these steps:

---


:step1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill as the malware programs will start again.


---


:step2: Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program

***



:step3: ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.

***


:step4: How is the computer running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#11 Without_A_Monitor
  • Topic Starter
  • Members
  • 339 posts
  • Gender:Male
  • Location:teh bleepinverse

Posted 16 May 2016 - 04:52 PM

Hey, Jo. I apologize if I was/am being averse about running combofix. I also apologize for my delayed response. I am currently following your latest instructions and will post as soon as it is completed. Many thanks once again for all of your help and expertise.



#12 Without_A_Monitor
  • Topic Starter
  • Members
  • 339 posts
  • Gender:Male
  • Location:teh bleepinverse

Posted 16 May 2016 - 10:50 PM

I should have realized that the scan for Sophos Virus Removal Tool could take some time. I remember how ESET Online Scanner can require an hour or longer. It was already installed on my laptop from some time ago when I needed assistance on here in the past. I opened it from its file location and updated it. Please tell me if that is ok/not ok. If it is not ok, I am sorry in advance.

Only Sophos Virus Removal Tool found anything. ESET Online Scanner did not detect anything. Additionally, Rkill did not stop/terminate anything.

My laptop seems to be running well. It is somewhat laggy and bogged down in general, but that is probably because of how Vista is (a pos) and how old my laptop is. I genuinely thank you for your ongoing assistance.

2016-05-16 18:55:40.314    Sophos Virus Removal Tool version 2.5.5
2016-05-16 18:55:40.314    Copyright © 2009-2014 Sophos Limited. All rights reserved.

2016-05-16 18:55:40.314    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-05-16 18:55:40.314    Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
2016-05-16 18:55:40.329    Checking for updates...
2016-05-16 18:55:53.995    Update progress: proxy server not available
2016-05-16 18:55:59.143    Option all = no
2016-05-16 18:55:59.143    Option recurse = yes
2016-05-16 18:55:59.143    Option archive = no
2016-05-16 18:55:59.143    Option service = yes
2016-05-16 18:55:59.143    Option confirm = yes
2016-05-16 18:55:59.143    Option sxl = yes
2016-05-16 18:55:59.143    Option max-data-age = 35
2016-05-16 18:55:59.143    Option EnableSafeClean = yes
2016-05-16 18:56:00.344    Option vdl-logging = yes
2016-05-16 18:56:00.375    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-05-16 18:56:00.375    Machine ID:    c92d0c72a8be4b2d9ab2d753bdb816df
2016-05-16 18:56:00.391    Component SVRTcli.exe version 2.5.5
2016-05-16 18:56:00.391    Component control.dll version 2.5.5
2016-05-16 18:56:00.391    Component SVRTservice.exe version 2.5.5
2016-05-16 18:56:00.391    Component engine\osdp.dll version 1.44.1.2250
2016-05-16 18:56:00.391    Component engine\veex.dll version 3.65.0.2250
2016-05-16 18:56:00.391    Component engine\savi.dll version 9.0.1.2250
2016-05-16 18:56:00.391    Component rkdisk.dll version 1.5.30.0
2016-05-16 18:56:00.391    Version info:    Product version    2.5.5
2016-05-16 18:56:00.391    Version info:    Detection engine    3.65.0
2016-05-16 18:56:00.391    Version info:    Detection data    5.26
2016-05-16 18:56:00.391    Version info:    Build date    4/5/2016
2016-05-16 18:56:00.391    Version info:    Data files added    320
2016-05-16 18:56:00.391    Version info:    Last successful update    (not yet updated)
2016-05-16 18:56:10.016    Downloading updates...
2016-05-16 18:56:10.016    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-05-16 18:56:10.016    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-05-16 18:56:10.016    Update progress: [I49502] Found supplement IDE527 LATEST
2016-05-16 18:56:10.016    Update progress: [I49502] Found supplement IDE528 LATEST
2016-05-16 18:56:10.016    Update progress: [I49502] Found supplement IDE529 LATEST
2016-05-16 18:56:10.016    Update progress: [I49502] Found supplement IDE530 LATEST
2016-05-16 18:56:10.016    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-05-16 18:56:10.016    Update progress: [I19463] Syncing product SAVIW32 70
2016-05-16 18:56:15.149    Update progress: [I19463] Syncing product IDE527 142
2016-05-16 18:56:16.693    Installing updates...
2016-05-16 18:56:17.504    Error level 1
2016-05-16 18:56:17.691    Update progress: [I19463] Syncing product IDE528 127
2016-05-16 18:56:17.691    Update progress: [I19463] Syncing product IDE529 55
2016-05-16 18:56:17.691    Update progress: [I19463] Syncing product IDE530 1
2016-05-16 18:56:28.783    Update successful
2016-05-16 18:56:47.911    Option all = no
2016-05-16 18:56:47.911    Option recurse = yes
2016-05-16 18:56:47.911    Option archive = no
2016-05-16 18:56:47.911    Option service = yes
2016-05-16 18:56:47.911    Option confirm = yes
2016-05-16 18:56:47.911    Option sxl = yes
2016-05-16 18:56:47.911    Option max-data-age = 35
2016-05-16 18:56:47.911    Option EnableSafeClean = yes
2016-05-16 18:56:47.973    Option vdl-logging = yes
2016-05-16 18:56:47.989    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-05-16 18:56:47.989    Machine ID:    c92d0c72a8be4b2d9ab2d753bdb816df
2016-05-16 18:56:47.989    Component SVRTcli.exe version 2.5.5
2016-05-16 18:56:47.989    Component control.dll version 2.5.5
2016-05-16 18:56:47.989    Component SVRTservice.exe version 2.5.5
2016-05-16 18:56:47.989    Component engine\osdp.dll version 1.44.1.2250
2016-05-16 18:56:47.989    Component engine\veex.dll version 3.65.0.2250
2016-05-16 18:56:47.989    Component engine\savi.dll version 9.0.1.2250
2016-05-16 18:56:47.989    Component rkdisk.dll version 1.5.30.0
2016-05-16 18:56:47.989    Version info:    Product version    2.5.5
2016-05-16 18:56:47.989    Version info:    Detection engine    3.65.0
2016-05-16 18:56:47.989    Version info:    Detection data    5.26
2016-05-16 18:56:47.989    Version info:    Build date    4/5/2016
2016-05-16 18:56:47.989    Version info:    Data files added    320
2016-05-16 18:56:47.989    Version info:    Last successful update    5/16/2016 2:56:28 PM

2016-05-16 20:55:24.447    Could not open C:\hiberfil.sys
2016-05-16 20:55:27.661    Could not open C:\pagefile.sys
2016-05-16 21:30:41.618    Could not open C:\System Volume Information\{07f20fbb-1951-11e6-99c0-c57ef2339a4d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-05-16 21:30:41.619    Could not open C:\System Volume Information\{2194edda-1a18-11e6-99a4-c5c7539d9a0f}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-05-16 21:30:41.620    Could not open C:\System Volume Information\{2194ede0-1a18-11e6-99a4-c5c7539d9a0f}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-05-16 21:30:41.621    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-05-16 21:30:41.622    Could not open C:\System Volume Information\{8b79f743-1a15-11e6-abea-b1490bf96038}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-05-16 21:30:41.623    Could not open C:\System Volume Information\{d01891c0-1b93-11e6-ac0c-a98edbf41c6b}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-05-16 21:30:56.032    >>> Virus 'Mal/FakeAvCn-C' found in file C:\Users\El Diego\AppData\Local\56f7srnue42q7hf4qx
2016-05-16 21:30:56.032    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
2016-05-16 21:30:56.033    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
2016-05-16 21:30:56.033    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2016-05-16 21:30:56.033    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2016-05-16 21:30:56.034    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:30:56.034    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:30:56.034    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file C:\Users\El Diego\AppData\Roaming\Microsoft\Windows\Templates\56f7srnue42q7hf4qx
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:38:01.916    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file C:\Users\El Diego\AppData\Roaming\Microsoft\Windows\Templates\dludmg3l2bfw2rcw7feh0g832j1r
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 21:38:11.729    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-05-16 22:07:01.543    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-05-16 22:07:01.574    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-05-16 22:07:07.205    Could not open C:\Windows\System32\config\components
2016-05-16 22:07:07.361    Could not open C:\Windows\System32\config\RegBack\COMPONENTS
2016-05-16 22:07:07.408    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-05-16 22:07:07.502    Could not open C:\Windows\System32\config\RegBack\SAM
2016-05-16 22:07:07.549    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-05-16 22:07:07.595    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-05-16 22:07:07.658    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-05-16 23:07:50.859    Could not open LOGICAL:0003:00000000
2016-05-16 23:07:50.859    Could not open D:\
2016-05-16 23:07:50.859    Could not open LOGICAL:0004:00000000
2016-05-16 23:07:50.859    Could not open E:\
2016-05-16 23:07:50.952    Could not open PHYSICAL:0081:0000:0000:0001
2016-05-16 23:07:50.968    Could not open PHYSICAL:0082:0000:0000:0001
2016-05-16 23:07:50.999    The following items will be cleaned up:
2016-05-16 23:07:50.999    Mal/FakeAvCn-C
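The Sophos log above mixes three kinds of lines that a responder reads differently: "Could not open" entries (files the running OS holds open, such as the hibernation and page files and the loaded registry hives, which are expected and not a sign of tampering), detection lines that point at either a file or a registry value, and the final clean-up list. The script below is an added example, not part of the thread and not Sophos code; it triages such a log by splitting detections into file locations and registry locations and pulling out the value names that the tool flagged under Mal/FakeAvCn-C, so that after clean-up a defender knows which settings to re-check. The line format is inferred from the posted log, the sample lines are constructed from it, and the secure settings listed in HARDENING_VALUES are general Windows knowledge stated as an assumption, not something the thread reports.

```python
"""Triage a Sophos Virus Removal Tool (SVRT) log (added example, not Sophos code)."""
import re

# Constructed sample: lines copied in shape from the SVRT log posted in the thread.
SAMPLE_LOG_LINES = [
    r"2016-05-16 20:55:24.447    Could not open C:\hiberfil.sys",
    r"2016-05-16 21:30:56.032    >>> Virus 'Mal/FakeAvCn-C' found in file C:\Users\El Diego\AppData\Local\56f7srnue42q7hf4qx",
    r"2016-05-16 21:30:56.032    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"2016-05-16 21:30:56.033    >>> Virus 'Mal/FakeAvCn-C' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"2016-05-16 21:30:56.033    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures",
    r"2016-05-16 21:30:56.034    >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-1786916353-3864107569-3064167919-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect",
    r"2016-05-16 22:07:07.502    Could not open C:\Windows\System32\config\RegBack\SAM",
    r"2016-05-16 23:07:50.999    The following items will be cleaned up:",
    r"2016-05-16 23:07:50.999    Mal/FakeAvCn-C",
]

# Line shape inferred from the log: timestamp, whitespace, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*)$")
DETECT_RE = re.compile(r"^>>> Virus '(?P<name>[^']+)' found in file (?P<loc>.+)$")
CLEANUP_HEADER = "The following items will be cleaned up:"
UNREADABLE_PREFIX = "Could not open "
HIVE_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")

# Registry values the tool flagged in the thread, with the setting a defender expects
# to see after clean-up. ASSUMPTION: these defaults come from general Windows knowledge,
# not from the log; whether the malware actually changed them is not stated there.
HARDENING_VALUES = {
    "EnableLUA": "UAC enabled (REG_DWORD 1)",
    "CheckExeSignatures": "IE checks Authenticode signatures on downloads (REG_SZ 'yes')",
    "WarnOnPostRedirect": "IE warns before re-posting form data on redirect (REG_DWORD 1)",
}


def parse_line(line):
    """Return (timestamp, message) or None for lines that do not fit the log shape."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("msg")) if m else None


def is_registry_location(loc):
    """True when a detection location is a registry path rather than a file path."""
    return loc.upper().startswith(HIVE_PREFIXES)


def value_name(registry_loc):
    """Last path component of a registry location, i.e. the value name."""
    return registry_loc.rsplit("\\", 1)[-1]


def triage(lines):
    """Split an SVRT log into detections (by threat name), unreadable paths and the clean-up list."""
    detections, unreadable, cleanup = {}, [], []
    in_cleanup = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg = parsed
        if in_cleanup:                      # every message after the header is an item name
            cleanup.append(msg.strip())
        elif msg == CLEANUP_HEADER:
            in_cleanup = True
        elif msg.startswith(UNREADABLE_PREFIX):
            unreadable.append(msg[len(UNREADABLE_PREFIX):])
        else:
            m = DETECT_RE.match(msg)
            if m:
                entry = detections.setdefault(m.group("name"), {"files": set(), "registry": set()})
                loc = m.group("loc")
                # The log repeats registry hits; sets collapse the duplicates.
                entry["registry" if is_registry_location(loc) else "files"].add(loc)
    report = {"detections": {}, "unreadable": unreadable, "cleanup": cleanup}
    for name, entry in detections.items():
        registry = sorted(entry["registry"])
        report["detections"][name] = {
            "files": sorted(entry["files"]),
            "registry": registry,
            # Value names worth re-checking against HARDENING_VALUES once the tool has cleaned up.
            "hardening_values": sorted({value_name(r) for r in registry if value_name(r) in HARDENING_VALUES}),
        }
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG_LINES)
    for name, entry in rep["detections"].items():
        print(f"{name}: {len(entry['files'])} file(s), {len(entry['registry'])} registry value(s)")
        for v in entry["hardening_values"]:
            print(f"  re-check {v}: expected {HARDENING_VALUES[v]}")
    print(f"unreadable (usually OS-locked, expected): {len(rep['unreadable'])}")
    print(f"queued for clean-up: {rep['cleanup']}")
```

Run against a full log the same way (read the file, pass its lines to `triage`); the useful output is the short list of value names under `hardening_values`, which tells you what to verify in the registry after the tool reports a successful clean-up, separately from the file paths that were quarantined.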

 



#13 Jo*

Jo*

  • Malware Response Team
  • 3,427 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:03:22 PM

Posted 17 May 2016 - 05:41 AM

It Appears That Your Pc Is Clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some Preventive tips to reduce the potential for spyware infection in the future

:step1: Browse more securely
:step2: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
:step3: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.
:step4: Use only one anti-virus software and keep it up-to-date.

:step5: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

:step6: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step7: Use Strong passwords!

:step8: Email attachments
Do not open any unknown email attachments that you received without asking for them!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#14 Without_A_Monitor

Without_A_Monitor
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:teh bleepinverse
  • Local time:09:22 AM

Posted 17 May 2016 - 09:48 PM

I am immensely appreciative to you, Jo, for being so kind as to help and taking the time to do so.



#15 Jo*

Jo*

  • Malware Response Team
  • 3,427 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:03:22 PM

Posted 18 May 2016 - 12:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.




