
"FunAcce" folder refuses to stay deleted


This topic is locked
13 replies to this topic

#1 daffy1234
  • Members
  • 63 posts

Posted 02 June 2016 - 05:40 PM

Forgive me if this is in the wrong section. This is my first post.

I have a computer that got some pretty nasty stuff on it, and I did my best to clean it out myself with the best advice from Google, and it's just about clean, but this one stubborn folder refuses to stay deleted after a reboot. The folder is C:\Users\Public\FunAcce and it has 3 subfolders, "BaseData", "LogData", and "RepData". BaseData has one file in it, which seems to be [current date yyyymmdd].daw, and inside is a URL to a website called stat.funshion.net/tools/radaraction, with a lot of extra GET arguments at the end. The other two folders are empty. The URL leads me to believe this is related to the adware Funshion.

MalwareBytes always detects these folders and the file, and then it deletes them and reboots the computer. The strange thing is, I always get a popup saying that MalwareBytes must reboot again to repair network connectivity. It then reboots within a few seconds. I don't have enough time to do much snooping, but I found the dialog was coming from a process named wrlmdr.exe. After this second reboot happens, I look again and the FunAcce folder is back in its entirety with every subfolder and file still in place.

Here's a screenshot of the dialog: http://i.imgur.com/kQQfT9p.png

If I run another MalwareBytes scan, it will find the exact same items and do the exact same thing.

I've run MalwareBytes, SAS, ADWCleaner, HitmanPro, and now ZHPCleaner, and this is still happening. I see nothing weird in Task Manager, the services list, msconfig, or Task Scheduler, so I'm at a total loss.

No amount of googling has helped me figure out what's causing this. Nor have I found any record anywhere of MalwareBytes deciding to reboot twice after a scan.

Edited by daffy1234, 02 June 2016 - 05:41 PM.



#2 nasdaq
  • Malware Response Team
  • 40,171 posts
  • Location: Montreal, QC. Canada

Posted 03 June 2016 - 08:08 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system:
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[image: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===

Please post the logs for my review.

#3 daffy1234 (Topic Starter)

Posted 03 June 2016 - 01:34 PM

I keep getting an error saying I do not have permission when I try to post it.


Edited by daffy1234, 03 June 2016 - 01:35 PM.


#4 nasdaq

Posted 04 June 2016 - 07:03 AM

Please try again.

If you can't then send me a personal message and attach your logs.

If that does not work I will contact an administrator.

#5 daffy1234 (Topic Starter)

Posted 04 June 2016 - 01:17 PM

Again it's saying I don't have permission. I've private messaged you both logs.



#6 nasdaq

Posted 04 June 2016 - 01:28 PM

Copied from a PM message.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:03-06-2016
Ran by Daniel (administrator) on DANIEL-PC (30-05-2016 08:51:08)
Running from C:\Users\Daniel\Desktop
Loaded Profiles: Daniel (Available Profiles: Daniel)
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

ShellIconOverlayIdentifiers: [.RBCShellExternal] -> {30C5E658-70B6-4570-A780-D362A5BE2049} => C:\Users\Public\Video Legend\RBC\Addins\RBCShellExternal64.dll [2016-05-27] (Shenzhen Video Legend Network Technology Co.,Ltd.)
ShellIconOverlayIdentifiers: [.XLKKDesktopIcon] -> {4DB0021B-1EC2-4C31-BD79-FEA2892EEB43} => C:\Users\Public\Thunder Network\KKVideo\Addins\KKVIconHandler64.dll No File
ShellIconOverlayIdentifiers: [AAADesktopTips] -> {4562B511-62E9-4533-B7B2-56A8BB10B482} => C:\Users\Public\Thunder Network\KanKan\reghelper\xappex.1.1.1.85.(887).dll [2015-07-13] (深圳市迅雷网络技术有限公司)
ShellIconOverlayIdentifiers: [Areformer] -> {05B7CE18-5459-4577-9555-30984D71AA62} => C:\Users\Daniel\AppData\Roaming\Abaroet\Areformer.dll [2016-05-30] (Accelerate )
ShellIconOverlayIdentifiers-x32: [.RBCShellExternal] -> {30C5E658-70B6-4570-A780-D362A5BE2049} => C:\Users\Public\Video Legend\RBC\Addins\RBCShellExternal.dll [2016-05-27] (Shenzhen Video Legend Network Technology Co.,Ltd.)
BootExecute: autocheck autochk * bootdelete

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137
Tcpip\..\Interfaces\{83D295F3-ECAF-4BC5-B3AB-FA85713D5129}: [DhcpNameServer] 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
SearchScopes: HKU\S-1-5-21-473779465-2245731831-372512357-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxp://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=79081068_oem_dg&ch=33
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2015-12-23] (IObit)
BHO: No Name -> {8D0F6366-8F2E-4F7F-872E-5AB98554D78C} -> No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)

FireFox:
========
FF Plugin-x32: @baidu.com/BaiduExpert-npplugin -> C:\Users\Daniel\AppData\Roaming\Baidu\BDWebAdapter\3.0.359.0\npBDExNP.dll [No File]
FF Plugin-x32: @baidu.com/npxbdcntb -> C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\npxbdcntb.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2016-05-30] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-29] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Web Store Payments) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-30]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2960672 2016-05-27] (IObit)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S3 BaiduPinyinUpdater; "C:\Program Files (x86)\Baidu\BaiduPinyinUpdate\bdupdate.exe" [X]
S2 kdeskcore; "c:\program files (x86)\cmcm\kdesk\kdeskcore.exe" /service cmcore [X]
S2 pnphost; C:\Program Files (x86)\DTLSoft\USBBox\pnphost.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 kesvc; C:\Windows\System32\Drivers\kesvc.sys [63672 2016-05-18] ()
U0 PROCMON23; C:\Windows\System32\Drivers\PROCMON23.SYS [84792 2016-05-30] (Sysinternals - www.sysinternals.com)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S2 kbasemgr; \systemroot\system32\drivers\kbasemgr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-30 08:51 - 2016-05-30 08:51 - 00006698 _____ C:\Users\Daniel\Desktop\FRST.txt
2016-05-30 08:49 - 2016-05-30 08:51 - 00000000 ____D C:\FRST
2016-05-30 08:49 - 2016-05-30 08:49 - 02384384 _____ (Farbar) C:\Users\Daniel\Desktop\FRST64.exe
2016-05-30 08:44 - 2016-05-30 08:44 - 03336810 _____ C:\Users\Daniel\AppData\Roaming\Abaroet.zip
2016-05-30 08:38 - 2016-05-30 08:38 - 00084792 ____H (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCMON23.SYS
2016-05-30 08:36 - 2016-05-30 08:37 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\FunUninst
2016-05-30 08:35 - 2016-05-30 08:35 - 00967601 _____ C:\Users\Daniel\Downloads\ProcessMonitor.zip
2016-05-30 08:32 - 2016-05-30 08:32 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2016-05-30 07:56 - 2016-05-30 07:57 - 00000000 ____D C:\Users\Public\FunAcce
2016-05-30 07:14 - 2016-05-30 07:14 - 03482800 _____ (Enigma Software Group USA, LLC.) C:\Users\Daniel\Downloads\SpyHunter-Installer.exe
2016-05-30 07:02 - 2016-05-30 07:02 - 00000000 ____D C:\rsit
2016-05-30 07:02 - 2016-05-30 07:02 - 00000000 ____D C:\Program Files (x86)\trend micro
2016-05-30 07:00 - 2016-05-30 07:01 - 01107968 _____ C:\Users\Daniel\Downloads\RSIT.exe
2016-05-30 06:38 - 2016-05-30 08:04 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\ZHP
2016-05-30 06:38 - 2016-05-30 08:00 - 00000832 _____ C:\Users\Daniel\Desktop\ZHPCleaner.lnk
2016-05-30 06:38 - 2016-05-30 06:38 - 02265600 _____ C:\Users\Daniel\Downloads\ZHPCleaner.exe
2016-05-30 05:50 - 2016-05-30 05:50 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2016-05-30 05:50 - 2016-05-30 05:50 - 00003560 _____ C:\Windows\system32\bootdelete.lst
2016-05-30 05:41 - 2016-05-30 05:51 - 00000000 ____D C:\ProgramData\HitmanPro
2016-05-30 05:41 - 2016-05-30 05:41 - 11438608 _____ (SurfRight B.V.) C:\Users\Daniel\Downloads\hitmanpro_x64.exe
2016-05-30 05:39 - 2016-05-30 05:39 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2016-05-30 04:28 - 2016-05-30 04:28 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Daniel\Downloads\revosetup.exe
2016-05-30 04:28 - 2016-05-30 04:28 - 00001264 _____ C:\Users\Daniel\Desktop\Revo Uninstaller.lnk
2016-05-30 04:28 - 2016-05-30 04:28 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
2016-05-30 04:28 - 2016-05-30 04:28 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2016-05-30 03:56 - 2016-05-30 03:56 - 00000000 __SHD C:\$360Section
2016-05-30 03:48 - 2009-08-29 00:50 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\msasn1.dll
2016-05-30 03:48 - 2009-08-28 23:57 - 00034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msasn1.dll
2016-05-30 03:41 - 2016-05-30 03:41 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\SystemSres
2016-05-30 03:39 - 2016-05-30 03:40 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Daniel\Downloads\rkill.exe
2016-05-30 03:34 - 2016-05-30 03:34 - 00000911 _____ C:\Users\Daniel\AppData\Roaming\coreavc.ini
2016-05-30 03:29 - 2016-05-30 08:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-30 03:29 - 2016-05-30 03:29 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-05-30 03:29 - 2016-05-30 03:29 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-05-30 03:29 - 2016-05-30 03:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-05-30 03:26 - 2016-05-18 19:38 - 00063672 _____ C:\Windows\system32\Drivers\kesvc.sys
2016-05-30 03:24 - 2016-05-30 03:27 - 00000000 ____D C:\Program Files (x86)\360
2016-05-30 03:20 - 2016-05-30 03:20 - 00097527 ____H C:\777.txt
2016-05-30 03:20 - 2016-05-30 03:20 - 00000032 __RSH C:\daohang1.txt
2016-05-30 03:20 - 2016-05-30 03:20 - 00000031 __RSH C:\daohang.txt
2016-05-30 03:20 - 2016-05-30 03:20 - 00000004 __RSH C:\tongji.txt
2016-05-30 03:19 - 2016-05-30 04:00 - 00000000 ____D C:\ProgramData\kdesk
2016-05-30 03:19 - 2016-05-30 03:19 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Maxthon3
2016-05-30 03:19 - 2016-05-30 03:19 - 00000000 ____D C:\ProgramData\DriveTheLife2013
2016-05-30 03:17 - 2016-05-30 04:02 - 00000000 ____D C:\Program Files (x86)\DTLSoft
2016-05-30 03:17 - 2016-05-30 03:17 - 00000000 ____D C:\ProgramData\Baidu
2016-05-30 02:50 - 2016-05-30 05:37 - 00000000 ____D C:\AdwCleaner
2016-05-30 02:48 - 2016-05-30 02:48 - 03677248 _____ C:\Users\Daniel\Downloads\AdwCleaner.exe
2016-05-30 02:46 - 2016-05-30 02:46 - 02085168 _____ C:\Users\Daniel\Downloads\Adaware_Installer.exe
2016-05-30 02:46 - 2016-05-30 02:46 - 00000000 ____D C:\ProgramData\Lavasoft
2016-05-30 02:39 - 2016-05-30 02:39 - 00279744 _____ C:\Users\Daniel\Documents\cc_20160530_023922.reg
2016-05-30 01:33 - 2016-05-30 01:33 - 00000000 ____D C:\SUPERDelete
2016-05-30 01:27 - 2016-05-30 07:36 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-05-30 01:13 - 2016-05-30 03:55 - 00000018 _____ C:\Users\Daniel\AppData\Roaming\rljmconfig.ini
2016-05-30 00:57 - 2016-05-30 08:30 - 00000000 ____D C:\Users\Daniel\AppData\Local\CrashDumps
2016-05-30 00:56 - 2016-05-30 08:41 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Abaroet
2016-05-30 00:55 - 2016-05-30 00:55 - 00480864 _____ (Baidu, Inc.) C:\Windows\system32\baiducn.ime
2016-05-30 00:55 - 2016-05-30 00:55 - 00409184 _____ (Baidu, Inc.) C:\Windows\SysWOW64\baiducn.ime
2016-05-30 00:55 - 2016-05-30 00:55 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\Baidu
2016-05-30 00:54 - 2016-05-30 00:54 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Macromedia
2016-05-30 00:54 - 2016-05-30 00:54 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Adobe
2016-05-30 00:51 - 2016-05-30 00:51 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-05-30 00:51 - 2016-05-30 00:51 - 00000000 ____D C:\Windows\system32\Macromed
2016-05-30 00:51 - 2016-05-30 00:50 - 00109656 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\kbaseapi.sys
2016-05-30 00:51 - 2016-05-30 00:50 - 00070744 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\kbaseapi64.sys
2016-05-30 00:51 - 2016-05-30 00:50 - 00023128 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\kbasefix.sys
2016-05-30 00:47 - 2016-05-30 00:52 - 00000000 ____D C:\Users\Daniel\AppData\Local\KDeskIntercept
2016-05-30 00:47 - 2016-05-30 00:47 - 00131672 _____ (Kingsoft Corporation) C:\Windows\SysWOW64\Drivers\kbasemgr.sys
2016-05-30 00:47 - 2016-05-30 00:47 - 00095976 _____ (Kingsoft Corporation) C:\Windows\SysWOW64\Drivers\kbasemgr64.sys
2016-05-30 00:47 - 2016-05-30 00:47 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Apple Computer
2016-05-30 00:47 - 2016-05-30 00:47 - 00000000 ____D C:\ProgramData\Kingsoft
2016-05-30 00:40 - 2016-05-30 02:31 - 00000258 __RSH C:\Users\Daniel\ntuser.pol
2016-05-30 00:40 - 2016-05-30 02:31 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-05-30 00:39 - 2015-05-14 00:13 - 00018557 _____ C:\Windows\default.cfg
2016-05-30 00:39 - 2015-04-25 02:18 - 00295424 _____ (Groom-A-Zebu ™ ) C:\Windows\system32\ysxja.exe
2016-05-30 00:39 - 2015-04-25 02:18 - 00053248 _____ C:\Windows\zlib.dll
2016-05-30 00:39 - 2013-01-06 04:43 - 00000074 _____ C:\Windows\system32\Drivers\healusb.sys
2016-05-30 00:39 - 2013-01-06 04:43 - 00000074 _____ C:\Windows\system32\cygwin.sys
2016-05-30 00:39 - 2012-07-09 08:02 - 00279552 _____ (Eric Lawrence) C:\Windows\FiddlerCore4.dll
2016-05-30 00:37 - 2015-10-20 13:46 - 00021504 _____ C:\Users\Daniel\AppData\Roaming\minizip.dll
2016-05-30 00:37 - 2015-10-20 13:35 - 00655872 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Roaming\msvcr90.dll
2016-05-30 00:37 - 2015-10-20 13:35 - 00568832 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Roaming\msvcp90.dll
2016-05-30 00:37 - 2015-10-20 13:35 - 00159032 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Roaming\atl90.dll
2016-05-30 00:33 - 2016-05-30 01:14 - 00000000 ___HD C:\Users\Public\Video Legend
2016-05-30 00:27 - 2016-05-30 00:27 - 00000000 ____D C:\ProgramData\Sun
2016-05-30 00:26 - 2016-05-30 01:24 - 00000000 ____D C:\Program Files (x86)\Java
2016-05-30 00:26 - 2016-05-30 00:26 - 00867240 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2016-05-30 00:26 - 2016-05-30 00:26 - 00789416 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2016-05-30 00:22 - 2016-05-30 03:56 - 00000000 ____D C:\Program Files (x86)\Thunder Network
2016-05-30 00:22 - 2016-05-30 00:22 - 00000020 _____ C:\Windows\system32\pub_store.dat
2016-05-30 00:22 - 2016-05-30 00:22 - 00000000 ____D C:\Program Files\Common Files\Thunder Network
2016-05-30 00:22 - 2015-10-20 13:35 - 00503808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2016-05-30 00:22 - 2015-10-20 13:35 - 00348160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2016-05-30 00:22 - 2015-10-20 13:35 - 00090112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\atl71.dll
2016-05-30 00:22 - 2015-10-20 13:34 - 00080264 _____ (深圳市迅雷技术有限公司) C:\Windows\xinstaller.1.3.0.22.dll
2016-05-30 00:22 - 2015-10-20 13:34 - 00080264 _____ (深圳市迅雷技术有限公司) C:\Windows\SysWOW64\xinstaller.dll
2016-05-30 00:22 - 2015-10-20 13:34 - 00035208 _____ (深圳市迅雷技术有限公司) C:\Windows\xinstaller.1.3.0.22.exe
2016-05-30 00:22 - 2015-10-20 13:34 - 00035208 _____ (深圳市迅雷技术有限公司) C:\Windows\SysWOW64\xInstaller.exe
2016-05-30 00:21 - 2016-05-30 04:02 - 00000000 ____D C:\Users\Public\Thunder Network
2016-05-30 00:20 - 2016-05-30 00:23 - 00000000 ____D C:\ProgramData\Thunder Network
2016-05-30 00:20 - 2016-05-30 00:20 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\Sun
2016-05-30 00:14 - 2016-05-30 04:50 - 00002908 _____ C:\Windows\System32\Tasks\Uninstaller_SkipUac_Daniel
2016-05-30 00:14 - 2016-05-30 04:48 - 00000000 ____D C:\ProgramData\IObit
2016-05-30 00:14 - 2016-05-30 00:14 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\ProductData
2016-05-30 00:14 - 2016-05-30 00:14 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\IObit
2016-05-30 00:14 - 2016-05-30 00:14 - 00000000 ____D C:\ProgramData\ProductData
2016-05-30 00:13 - 2016-05-30 00:14 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\IObit
2016-05-30 00:13 - 2016-05-30 00:13 - 00002794 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-05-30 00:13 - 2016-05-30 00:13 - 00001366 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller.lnk
2016-05-30 00:13 - 2016-05-30 00:13 - 00001354 ____N C:\Users\Public\Desktop\IObit Uninstaller.lnk
2016-05-30 00:13 - 2016-05-30 00:13 - 00001102 ____N C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-05-30 00:13 - 2016-05-30 00:13 - 00000822 ____N C:\Users\Public\Desktop\CCleaner.lnk
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\SUPERAntiSpyware.com
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\Program Files\CCleaner
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-05-30 00:13 - 2016-05-30 00:13 - 00000000 ____D C:\Program Files (x86)\IObit
2016-05-30 00:13 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-05-30 00:13 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-05-30 00:13 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-05-30 00:12 - 2016-05-30 05:50 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-05-30 00:12 - 2016-05-30 00:12 - 00001808 ____N C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2016-05-30 00:12 - 2016-05-30 00:12 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-05-30 00:12 - 2016-05-30 00:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-05-30 00:09 - 2016-05-30 00:10 - 26037768 _____ (SUPERAntiSpyware) C:\Users\Daniel\Downloads\SUPERAntiSpyware.exe
2016-05-30 00:09 - 2016-05-30 00:10 - 22851472 _____ (Malwarebytes ) C:\Users\Daniel\Downloads\mbam-setup-2.2.1.1043.exe
2016-05-30 00:08 - 2016-05-30 00:10 - 13361952 _____ (IObit) C:\Users\Daniel\Downloads\iobituninstaller.exe
2016-05-30 00:08 - 2016-05-30 00:09 - 06893688 _____ (Piriform Ltd) C:\Users\Daniel\Downloads\ccsetup518.exe
2016-05-29 23:53 - 2016-05-30 00:36 - 00007601 _____ C:\Users\Daniel\AppData\Local\Resmon.ResmonCfg
2016-05-29 23:30 - 2016-05-29 23:30 - 00201234 _____ C:\Users\Daniel\Downloads\py2exe-0.6.9.win32-py2.7.exe
2016-05-29 23:26 - 2016-05-29 23:26 - 02936676 _____ C:\Users\Daniel\Downloads\resource_hacker.zip
2016-05-29 23:21 - 2016-05-29 23:22 - 04716608 _____ C:\Users\Daniel\Downloads\Bat_To_Exe_Converter.zip
2016-05-29 22:48 - 2016-05-29 22:52 - 00000000 ____D C:\Users\Daniel\.idlerc
2016-05-29 22:46 - 2016-05-30 05:50 - 00000000 ____D C:\Python27
2016-05-29 22:46 - 2016-05-29 22:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7
2016-05-29 22:45 - 2016-05-29 22:45 - 18636800 _____ C:\Users\Daniel\Downloads\python-2.7.11.msi
2016-05-29 15:25 - 2016-04-21 15:05 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-05-29 15:12 - 2016-05-29 15:35 - 00000000 ____D C:\EFSTMPWP
2016-05-22 13:27 - 2016-05-22 13:27 - 00000000 ____D C:\Users\Daniel\AppData\Local\Apps\2.0
2016-05-22 13:26 - 2016-05-22 10:28 - 00000000 ____D C:\Users\Daniel\AppData\Local\Deployment
2016-05-22 13:21 - 2016-05-30 00:47 - 00000000 ____D C:\Users\Daniel\AppData\Local\VirtualStore
2016-05-22 13:21 - 2016-05-22 13:21 - 00001443 _____ C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-05-22 13:21 - 2016-05-22 13:21 - 00001409 _____ C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-05-22 13:21 - 2016-05-22 13:21 - 00000020 ___SH C:\Users\Daniel\ntuser.ini
2016-05-22 13:21 - 2016-05-22 13:21 - 00000000 _SHDL C:\Users\Daniel\My Documents
2016-05-22 13:21 - 2016-05-22 13:21 - 00000000 _SHDL C:\Users\Daniel\Documents\My Videos
2016-05-22 13:21 - 2016-05-22 13:21 - 00000000 _SHDL C:\Users\Daniel\Documents\My Pictures
2016-05-22 13:21 - 2016-05-22 13:21 - 00000000 _SHDL C:\Users\Daniel\Documents\My Music
2016-05-22 13:21 - 2009-07-14 00:44 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Media Center Programs
2016-05-22 13:20 - 2016-05-30 04:14 - 00000000 ____D C:\Users\Daniel
2016-05-22 10:29 - 2016-05-30 04:36 - 00001031 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-22 10:29 - 2016-05-30 01:37 - 00002303 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-22 10:28 - 2016-05-30 08:32 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-22 10:28 - 2016-05-30 08:12 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-22 10:28 - 2016-05-29 18:07 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-22 10:28 - 2016-05-29 18:07 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-22 10:28 - 2016-05-22 10:29 - 00000000 ____D C:\Users\Daniel\AppData\Local\Google
2016-05-22 10:28 - 2016-05-22 10:28 - 00000000 ____D C:\Program Files (x86)\Google
2016-05-22 02:42 - 2016-05-30 00:16 - 00000000 ____D C:\Windows\Panther
2016-05-22 01:44 - 2016-05-22 01:44 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-05-22 01:44 - 2016-05-22 01:44 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-30 08:32 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-30 08:31 - 2009-07-13 21:45 - 00009776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-30 08:31 - 2009-07-13 21:45 - 00009776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-30 08:30 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-05-30 07:56 - 2009-07-13 21:45 - 00000000 ____D C:\Windows\Setup
2016-05-30 07:33 - 2009-07-13 22:32 - 00000000 ____D C:\Windows\Offline Web Pages
2016-05-30 06:56 - 2009-07-13 22:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2016-05-30 05:51 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\migwiz
2016-05-30 05:22 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\DigitalLocker
2016-05-30 04:14 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-05-30 02:58 - 2009-07-13 22:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-30 00:39 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\GroupPolicy
2016-05-22 13:21 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2016-05-22 13:20 - 2009-07-13 20:20 - 00000000 __RHD C:\Users\Public\Libraries
2016-05-22 02:42 - 2009-07-13 22:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-05-22 01:44 - 2009-07-13 22:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-05-22 01:44 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\sysprep

==================== Files in the root of some directories =======

2016-05-30 08:44 - 2016-05-30 08:44 - 3336810 _____ () C:\Users\Daniel\AppData\Roaming\Abaroet.zip
2016-05-30 00:37 - 2015-10-20 13:35 - 0159032 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Roaming\atl90.dll
2016-05-30 03:34 - 2016-05-30 03:34 - 0000911 _____ () C:\Users\Daniel\AppData\Roaming\coreavc.ini
2016-05-30 00:37 - 2015-10-20 13:46 - 0021504 _____ () C:\Users\Daniel\AppData\Roaming\minizip.dll
2016-05-30 00:37 - 2015-10-20 13:35 - 0568832 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Roaming\msvcp90.dll
2016-05-30 00:37 - 2015-10-20 13:35 - 0655872 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Roaming\msvcr90.dll
2016-05-30 01:13 - 2016-05-30 03:55 - 0000018 _____ () C:\Users\Daniel\AppData\Roaming\rljmconfig.ini
2016-05-29 23:53 - 2016-05-30 00:36 - 0007601 _____ () C:\Users\Daniel\AppData\Local\Resmon.ResmonCfg
2015-07-23 20:35 - 2015-07-23 20:35 - 0067902 _____ () C:\ProgramData\572311.ico
2014-02-17 20:22 - 2014-02-17 20:22 - 0049334 _____ () C:\ProgramData\kpzm.ico
2013-10-16 03:11 - 2013-10-16 03:11 - 0099678 _____ () C:\ProgramData\wzdq.ico

Some files in TEMP:
====================
C:\Users\Daniel\AppData\Local\Temp\libeay32.dll
C:\Users\Daniel\AppData\Local\Temp\msvcr120.dll
C:\Users\Daniel\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-22 01:42

==================== End of FRST.txt ============================
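As an added triage aid that is not part of this thread and not code from FRST, Malwarebytes or the helpers here: a small Python script that parses the FRST.txt format quoted above and pulls out the entries a reviewer reads first, namely service and driver entries whose file is gone ("[X]"), loaded modules with an empty publisher field "()", a BootExecute value beyond the stock "autocheck autochk *", a DhcpNameServer list that repeats itself, and "No File" registry references. The sample lines are constructed from the log above, the function names and the flagging rules are my own assumptions, and a hit still needs manual confirmation (in this log, bootdelete is HitmanPro's per the SurfRight entry in the file list).

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines modelled on the FRST.txt quoted above,
# not the full log. The section banners are in the form FRST emits.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================
BootExecute: autocheck autochk * bootdelete
==================== Internet (Whitelisted) ====================
Tcpip\Parameters: [DhcpNameServer] 78.46.223.24 162.242.211.137 78.46.223.24 162.242.211.137
BHO: No Name -> {8D0F6366-8F2E-4F7F-872E-5AB98554D78C} -> No File
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry.)
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
S2 kdeskcore; "c:\program files (x86)\cmcm\kdesk\kdeskcore.exe" /service cmcore [X]
S2 pnphost; C:\Program Files (x86)\DTLSoft\USBBox\pnphost.dll [X]
===================== Drivers (Whitelisted) ==========================
R0 kesvc; C:\Windows\System32\Drivers\kesvc.sys [63672 2016-05-18] ()
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S2 kbasemgr; \systemroot\system32\drivers\kbasemgr.sys [X]
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")              # "==== Services (Whitelisted) ===="
ENTRY_RE = re.compile(r"^([RSU])(\d) ([^;]+); (.*)$")  # state, start type, name, rest
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")         # trailing "(publisher)" field
DEFAULT_BOOTEXECUTE = "autocheck autochk *"            # stock Windows 7 value (assumption)


def _finding(section: str, name: str, reason: str, line: str) -> Dict[str, str]:
    return {"section": section, "name": name, "reason": reason, "line": line}


def parse_findings(text: str) -> List[Dict[str, str]]:
    """Walk an FRST log and return the entries a reviewer would check first."""
    findings: List[Dict[str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1).strip()
            continue
        if section.startswith(("Services", "Drivers")):
            entry = ENTRY_RE.match(line)
            if not entry:  # explanatory "(If an entry ...)" lines and similar
                continue
            _state, _start, name, rest = entry.groups()
            if rest.endswith("[X]"):
                # Registry entry survives but its binary is gone: a typical leftover of a
                # partial removal, and exactly what a fixlist would clean up.
                findings.append(_finding(section, name, "registered but file is missing ([X])", line))
            else:
                pub = PUBLISHER_RE.search(rest)
                if pub is not None and not pub.group(1).strip():
                    # FRST prints "()" when the file carries no publisher info;
                    # for a loaded kernel driver that deserves a look.
                    findings.append(_finding(section, name, "no publisher recorded for loaded module", line))
        elif line.startswith("BootExecute:"):
            value = line.split(":", 1)[1].strip()
            if value != DEFAULT_BOOTEXECUTE:
                # Anything beyond "autocheck autochk *" runs before logon; confirm what owns it.
                extra = value.replace(DEFAULT_BOOTEXECUTE, "", 1).strip() or value
                findings.append(_finding(section, "BootExecute",
                                         f"non-default BootExecute, extra program(s): {extra}", line))
        elif "[DhcpNameServer]" in line:
            servers = line.split("[DhcpNameServer]", 1)[1].split()
            if len(servers) != len(set(servers)):
                findings.append(_finding(section, "DhcpNameServer",
                                         f"DNS server list repeats entries: {sorted(set(servers))}", line))
        elif line.endswith("No File"):
            findings.append(_finding(section, line.split("->", 1)[0].strip(),
                                     "registry reference to a file that no longer exists", line))
    return findings


def flagged_names(text: str) -> List[str]:
    """Just the flagged entry names, in log order."""
    return [f["name"] for f in parse_findings(text)]


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_LOG):
        print(f"[{f['section']}] {f['name']}: {f['reason']}")
```

Feed it a real FRST.txt with `parse_findings(open("FRST.txt", encoding="utf-8").read())`; the names it returns are the ones to look up in the "One Month Created files" section before deciding what belongs in a fixlist.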

#7 nasdaq

Posted 04 June 2016 - 01:29 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version:03-06-2016
Ran by Daniel (2016-05-30 08:51:45)
Running from C:\Users\Daniel\Desktop
Windows 7 Home Premium (X64) (2016-05-22 20:20:50)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-473779465-2245731831-372512357-500 - Administrator - Disabled)
Daniel (S-1-5-21-473779465-2245731831-372512357-1001 - Administrator - Enabled) => C:\Users\Daniel
Guest (S-1-5-21-473779465-2245731831-372512357-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-473779465-2245731831-372512357-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 50.0.2661.102 - Google Inc.)
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 5.4.0.119 - IObit)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Python 2.7 py2exe-0.6.9 (HKU\S-1-5-21-473779465-2245731831-372512357-1001\...\py2exe-py2.7) (Version: - )
Python 2.7.11 (HKLM-x32\...\{16E52445-1392-469F-9ADB-FC03AF00CD61}) (Version: 2.7.11150 - Python Software Foundation)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1220 - SUPERAntiSpyware.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {07EA3056-609A-46AC-9C62-0EEF4DC9B12E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-05-22] (Google Inc.)
Task: {203D49BD-691D-468B-9FF4-4D4020EDA552} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-30] (Adobe Systems Incorporated)
Task: {22F259FD-B046-43B8-BC3D-9CAB9A880A44} - \Installer_yta -> No File <==== ATTENTION
Task: {29C8760A-114A-420B-8DFC-0A80E490F9A4} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-05-13] (Piriform Ltd)
Task: {4BF18610-F02D-4940-AC01-ECCDA9A82942} - System32\Tasks\Uninstaller_SkipUac_Daniel => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe [2016-06-01] (IObit)
Task: {D8F6E4B0-8F47-46DD-B163-8DD2269C1753} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-05-22] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-quic
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-quic

==================== Loaded Modules (Whitelisted) ==============

2016-05-30 00:13 - 2015-12-23 16:27 - 00355616 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madExcept_.bpl
2016-05-30 00:13 - 2015-12-23 16:27 - 00190240 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madBasic_.bpl
2016-05-30 00:13 - 2015-12-23 16:27 - 00057632 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madDisAsm_.bpl

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2009-06-10 14:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-473779465-2245731831-372512357-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 78.46.223.24 - 162.242.211.137
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{4CF1B17A-B764-456B-8D8A-2FD099BE3B45}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{A8BF67A0-D7AE-4AD5-BA3B-BC637976774E}] => (Allow) LPort=1886
FirewallRules: [{AD54A746-37A6-4121-8838-F841342E11DD}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{5A075F27-19DF-4583-9A4B-32D00E25266F}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{49AC84FA-79DF-4D6B-88ED-6891D2E6F6E5}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{C5F9C211-FA81-44A5-965C-23E96756E77A}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{8787FF98-90A6-4969-940C-B16A7527D2DE}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{D6FD0701-C2A6-4366-B3DF-86B0F09A8713}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{685F7597-617D-4F94-AA63-452B1B1DDF44}] => (Allow) C:\Users\Public\Video Legend\RBC\Program\KKPSAP.exe
FirewallRules: [{B022C0E5-8F36-466F-8717-9630204A4406}] => (Allow) C:\Users\Public\Video Legend\RBC\Program\XLBugReport.exe
FirewallRules: [{937B7A2F-20C0-486E-A4B5-B5EAE318BBE5}] => (Allow) C:\Users\Public\Video Legend\RBC\Program\KKTip.exe
FirewallRules: [{C39F51BF-C2FD-436A-BCC1-F749A4092911}] => (Allow) C:\Users\Public\Video Legend\RBC\Program\KKPSAP.exe
FirewallRules: [{446B35F9-A356-40F5-B5CE-F2537592D5A1}] => (Allow) C:\Users\Public\Video Legend\RBC\Program\XLBugReport.exe
FirewallRules: [{4A4333EE-3D68-4F73-B597-FFBC172CA907}] => (Allow) C:\Users\Public\Video Legend\RBC\Program\KKTip.exe
FirewallRules: [{E549F527-80E8-42F4-894C-D12F0612FD11}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{50934AE4-3059-4A37-948E-9F3AF0E6491C}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{03C3B3F0-52DF-449C-9641-06C307EFFDBD}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{11D5D185-9284-4F6F-9F00-902EB35F6A82}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{1F0B20E9-73B0-472C-8E4B-C2C0C0B63BC8}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{F0048527-603C-4196-9CD1-FCBA1B3F8BD1}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{BB7633DB-BCEA-4271-80C8-BF05AAE46BCC}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{78EA906B-38C6-435B-8DBE-F2ECA0F3455C}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{74C46035-FA91-4785-B24F-785264A8A340}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{5B91566A-4E77-4953-98C7-526E63EC9433}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{68734AAD-0922-41D3-9176-080B74F2B52A}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{6985CC82-144B-4D39-AFA3-5DB6475F3C16}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{2B2CA5A8-763B-4768-B98B-5BAE7AB8483E}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{15B1B861-6E72-4DF1-8FB0-D11DD63E70F9}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{08134782-E7BB-46B3-A24C-CEC691C9D43A}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{340100D3-18BA-4B46-B625-36703724CADB}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{8308E700-C931-44AA-8E76-0BBF99231130}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{3576EB94-4437-425C-B244-3F0813A32667}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{64FDF728-B69E-41F8-B792-5E364C8DA0FB}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{AA7063FB-495A-4ECE-8B0E-1133062EB40F}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{AF561419-2E3D-4149-B52B-3D68EBFC9DD6}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{7074AD5F-9013-4762-905C-3ECD0F46DC90}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{5854BA9E-3A24-4883-BC34-0B6EB791FBA3}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{ECBE4986-3B95-4A4A-B6C1-F46F14F1D116}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{7C97026D-17D8-4352-BAD1-328F085A3B16}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{F0B11BFE-3FC5-4ECF-B26C-6282AD4F4973}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{E0062E9D-FD75-46AD-A594-AD8EC7225651}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLLiveUD.exe
FirewallRules: [{64E3E554-B536-4DD3-A53C-49A01F89145E}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XMP.exe
FirewallRules: [{75523C4F-87E5-4DEB-88D3-E268B4758742}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLLiveUD.exe
FirewallRules: [{5F07C6A0-630E-4FE4-85FB-BA17DBD70910}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XMP.exe
FirewallRules: [{F5CFDA6E-2F84-4398-9D67-FEF8C50069C5}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLBugReport.exe
FirewallRules: [{68E24A56-49BD-485D-9715-0AE7737DD1B4}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInstX64.exe
FirewallRules: [{BEBC62D2-AD21-4942-B866-601889950570}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\aapt.exe
FirewallRules: [{0BFE0144-5D1F-41DD-85C5-131C39CF1FE9}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{DDF0B982-82AC-4F79-A567-8D247C35485F}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\adb.exe
FirewallRules: [{E7408E5B-829C-44FE-86C3-DDC399A3A1A2}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\PreInstall.exe
FirewallRules: [{8653029A-76E0-4043-908B-FA88ADCEFF9B}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLBugReport.exe
FirewallRules: [{8C7A961B-E6C0-445D-8134-6846E1898ACE}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\XLBugReport.exe
FirewallRules: [{E37981E1-8FF0-4108-8583-66935D90E532}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\TP\ThunderPlatform.exe
FirewallRules: [{CBF32C47-0039-4A99-90A6-F3731C185343}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe
FirewallRules: [{F6585FEA-18A6-4228-91F8-1AE4965CC10D}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\KanKanLive.exe
FirewallRules: [{BCA194D7-43FF-4700-8DCF-EB8AA6A60946}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInst.exe
FirewallRules: [{742728C4-1DD3-4EFE-9F1E-89165D662C8E}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\InstallDriver.exe
FirewallRules: [{2E08DFE8-ED08-4A3C-824B-34E672D8F179}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{80BE1684-AA48-477A-9EEC-54E9BEE9914D}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInstX64.exe
FirewallRules: [{57356FDC-3426-4267-AF6F-B1DD3BA91578}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\aapt.exe
FirewallRules: [{4FB5C3D3-6C3A-4ED9-B74A-D7CDCD749D8C}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{88CF3FE4-CA9B-426C-99B5-F69D8C9B8C30}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\adb.exe
FirewallRules: [{A69843A8-12C3-441D-B451-27176359A006}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\PreInstall.exe
FirewallRules: [{41615984-47CA-4BC2-B1D4-2969CEED71F5}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\XLBugReport.exe
FirewallRules: [{DE136A56-E836-43CF-B3B2-7D8D1AEB41C6}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\TP\ThunderPlatform.exe
FirewallRules: [{0249B9B8-8441-40A7-8F6D-53BD62023A47}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe
FirewallRules: [{636FC19D-0779-4BCE-BCB1-813803B11CCD}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\KanKanLive.exe
FirewallRules: [{537CC9CA-73BD-4415-8AEF-3A82703D06C7}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInst.exe
FirewallRules: [{7B6B99ED-7409-473D-B4D8-E6D1A437371A}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\InstallDriver.exe
FirewallRules: [{718B0D78-0006-4E94-9E33-DF37DCA8B4CB}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{0853772B-4979-469E-87FA-CDDA3889BFE0}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{70A36967-86FD-4BA9-BB78-5FD4D1EC1268}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{44191A67-0010-46DD-A31B-57C370B21CB1}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{BBB99941-3175-43EF-8E72-84ACE2A4B914}] => (Allow) c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.256_1111\thunderplatform.exe
FirewallRules: [{7853FEC4-8A98-4F93-ADA6-787F5D1F9E52}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\PreInstall.exe
FirewallRules: [{16492EDE-89A6-4543-8B93-6E4E13408855}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInstX64.exe
FirewallRules: [{82AE3BF7-1AFF-4501-BF1F-87B39235246C}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\InstallDriver.exe
FirewallRules: [{80205C40-4548-4237-A7DD-EC0A1C7F54EC}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XMP.exe
FirewallRules: [{91052595-8F40-483E-AA2D-5FE40D2673F6}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLLiveUD.exe
FirewallRules: [{462B7F98-BF3C-4E04-B5F7-333DDA9B1CCE}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInst.exe
FirewallRules: [{CA6701DE-25DD-4157-BB12-84BAFABBA2D7}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\TP\ThunderPlatform.exe
FirewallRules: [{D823E9E7-F442-4276-AF50-818E0F217EE6}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\aapt.exe
FirewallRules: [{EF4B5397-E63D-451A-8491-75010667271C}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{8F33C8D6-B1CE-44F3-8765-43EE82BC2CE5}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{F952D9C4-1829-443E-AB63-5F7B456C0BBD}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\adb.exe
FirewallRules: [{B7AADDE1-B31D-43BA-A645-0C7BA06B7D62}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\XLBugReport.exe
FirewallRules: [{385C25E5-E59C-472C-8DC1-76796CD9ADEB}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe
FirewallRules: [{DB325A86-CEAD-4C99-B455-2AEEE5148086}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLBugReport.exe
FirewallRules: [{B5F621C4-CA83-41B9-B3FA-E887781460D4}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\KanKanLive.exe
FirewallRules: [{6AE13DE1-72A5-481F-9AE1-2BF608AC4D2B}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\PreInstall.exe
FirewallRules: [{E86C5E5E-1331-45A4-9BFF-95CAC1D28CAD}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInstX64.exe
FirewallRules: [{4A84F11E-0161-43FE-B020-CDDCF713802C}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\InstallDriver.exe
FirewallRules: [{5A37BC0E-10E2-419D-A0DE-6B271FEA3407}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XMP.exe
FirewallRules: [{C90B7147-2BDB-405F-934C-249AA6BFC9CE}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLLiveUD.exe
FirewallRules: [{A279E372-7FCA-44D7-8A77-09D3F896592B}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInst.exe
FirewallRules: [{0A1E2AEB-645E-49FD-AFCB-4DAFD4C41AB9}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\TP\ThunderPlatform.exe
FirewallRules: [{9D605367-CB32-481A-8032-9C5FF49174C9}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\aapt.exe
FirewallRules: [{33D94EC6-822D-410B-A7D2-E3448E8DD630}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{6D650A6C-EC01-4B42-B8BE-1F39DF36B3FB}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{CC16D3A4-95F1-486D-8732-963DF59ABD20}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\adb.exe
FirewallRules: [{2A34B85F-C1FA-4296-A461-382A53B0AFA0}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\XLBugReport.exe
FirewallRules: [{0AEAECD8-5612-4EE4-ACDD-BEF762409050}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe
FirewallRules: [{DAC9E082-ACAF-471B-BA27-10CCC101F400}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLBugReport.exe
FirewallRules: [{0D13F079-B85B-4E78-955B-A177ACDF167E}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\KanKanLive.exe
FirewallRules: [{03BF3068-BA94-47C8-8BDE-A2BAB6B9C49A}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{F96E970C-B3B4-4A46-9C21-97E10835D1EE}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{CBE0F96D-635E-434A-89C1-4C7A76FA78F1}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\InstallDriver.exe
FirewallRules: [{D5A02B4C-5B63-4F51-AA7E-4CF43BC4F0DF}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInst.exe
FirewallRules: [{A6FB9605-6EAD-47CC-BC41-AD6753B7DE8F}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\PreInstall.exe
FirewallRules: [{3DCA43B3-E401-4B30-B57A-2EA7B0FEA761}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInstX64.exe
FirewallRules: [{1F91C640-5B05-48CE-BE19-096B8E506C69}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\adb.exe
FirewallRules: [{0B8FB75A-BD31-45E8-942F-D709D7811AB3}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\InstallDriver.exe
FirewallRules: [{6FCA7A32-7D7A-419E-9811-94F9962D42F9}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInst.exe
FirewallRules: [{27944219-A1B3-47DF-8B3B-1E9C32BBD7A0}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\PreInstall.exe
FirewallRules: [{730E043F-824D-49F7-8B21-383AC60855C9}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\DPInstX64.exe
FirewallRules: [{359C4254-73A1-460D-99B2-FADA16604BF3}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\adb.exe
FirewallRules: [{A91DAD90-1EA9-4F9D-ACCA-04496F413544}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLLiveUD.exe
FirewallRules: [{3F365751-C8A8-4A46-A992-31882D340895}] => (Allow) C:\Program Files (x86)\Thunder Network\XMP\V5.1.26.4324\Bin\XLBugReport.exe
FirewallRules: [{E57DC145-EE74-4C18-894A-070D583326B0}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\XLLiveUD.exe
FirewallRules: [{A1E0233E-1BF1-44AF-A1F3-C0EBFDA43CB5}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{EFE20FDC-E5EE-4535-9C2B-5B3502B72895}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\KanKanLive.exe
FirewallRules: [{0F2D750A-EE5D-42FC-9EFD-8BC6D02318AD}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe
FirewallRules: [{F27B849A-24E9-42AC-AB82-C9415149F916}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\aapt.exe
FirewallRules: [{51933E61-F340-4A3B-8753-9EF176A9E2B7}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\APlayer.exe
FirewallRules: [{555B0B14-32A4-4259-98DA-426D51649C61}] => (Allow) C:\Users\Public\Thunder Network\XMP5\V5.1.26.4324\Program\aapt.exe
FirewallRules: [{FC23F5E4-4220-45E2-A7BD-CC3CF0FBDE56}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.256_1111\ThunderPlatform.exe
FirewallRules: [{6B838714-5657-4B6F-8784-8E17986E4D5C}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.256_1111\ThunderPlatform.exe
FirewallRules: [{2FBF2BA5-BCD5-4160-82AA-0B75A00A02AD}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.256_1111\ThunderLiveUD.exe
FirewallRules: [{CE4A7B18-238C-44A2-850D-2F23EE8DB786}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.256_1111\ThunderLiveUD.exe
FirewallRules: [{F93A753F-C9A7-404B-A16B-A7C682C870CE}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.256_1111\XLBugReport.exe
FirewallRules: [{888191BF-93E4-4601-ABD0-D1098E2183FE}] => (Allow) C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.256_1111\XLBugReport.exe
FirewallRules: [{13453109-2EE3-4B54-A322-5C022819E103}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{B3E7A5AB-FFCA-471B-8A6C-8CF52F26191C}] => (Allow) C:\Users\Public\Thunder Network\KanKan\Pusher\XmpTipWnd.1.0.0.85.exe
FirewallRules: [{B5F2C20E-654D-460A-A352-A8645DB8A00D}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
FirewallRules: [{C84D56F3-E81E-4D66-BCAE-E3845CCF4B9B}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360tray.exe

==================== Restore Points =========================

30-05-2016 05:48:13 Checkpoint by HitmanPro
30-05-2016 05:50:28 Checkpoint by HitmanPro

==================== Faulty Device Manager Devices =============

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (05/30/2016 07:14:53 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SpyHunter-Installer.exe, version: 2.0.389.1328, time stamp: 0x57332992
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x73df4cad
Faulting process id: 0x71c
Faulting application start time: 0xSpyHunter-Installer.exe0
Faulting application path: SpyHunter-Installer.exe1
Faulting module path: SpyHunter-Installer.exe2
Report Id: SpyHunter-Installer.exe3

Error: (05/30/2016 04:43:32 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",type="win32",version="8.0.50727.762"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",type="win32",version="8.0.50727.762" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/30/2016 03:28:35 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/30/2016 03:23:42 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/30/2016 03:19:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: setup_20012.exe, version: 1.0.0.0, time stamp: 0x5336956b
Faulting module name: USER32.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdb3c
Exception code: 0xc0000005
Fault offset: 0x000410be
Faulting process id: 0xbf8
Faulting application start time: 0xsetup_20012.exe0
Faulting application path: setup_20012.exe1
Faulting module path: setup_20012.exe2
Report Id: setup_20012.exe3

Error: (05/30/2016 03:18:35 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/30/2016 03:02:25 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/30/2016 01:10:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: update_checker.exe, version: 4.3.0.0, time stamp: 0x525d9c67
Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdb3b
Exception code: 0xc0000005
Fault offset: 0x0002e23e
Faulting process id: 0xfa0
Faulting application start time: 0xupdate_checker.exe0
Faulting application path: update_checker.exe1
Faulting module path: update_checker.exe2
Report Id: update_checker.exe3

Error: (05/30/2016 12:56:43 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/30/2016 12:56:21 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: 1-Setup_22012.exe, version: 1.0.0.0, time stamp: 0x5336956b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00350049
Faulting process id: 0xb90
Faulting application start time: 0x1-Setup_22012.exe0
Faulting application path: 1-Setup_22012.exe1
Faulting module path: 1-Setup_22012.exe2
Report Id: 1-Setup_22012.exe3


System errors:
=============
Error: (05/30/2016 08:32:40 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Plug and Play Drivers Host service terminated with the following error:
%%126

Error: (05/30/2016 08:32:36 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The KDesk Core Service service failed to start due to the following error:
%%2

Error: (05/30/2016 08:32:32 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The kbasemgr service failed to start due to the following error:
%%1275

Error: (05/30/2016 08:32:32 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \systemroot\SysWow64\drivers\kbasemgr.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/30/2016 07:57:32 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Plug and Play Drivers Host service terminated with the following error:
%%126

Error: (05/30/2016 07:57:26 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The KDesk Core Service service failed to start due to the following error:
%%2

Error: (05/30/2016 07:57:25 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The kbasemgr service failed to start due to the following error:
%%1275

Error: (05/30/2016 07:57:25 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \systemroot\SysWow64\drivers\kbasemgr.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/30/2016 07:56:25 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Plug and Play Drivers Host service terminated with the following error:
%%126

Error: (05/30/2016 07:56:20 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The KDesk Core Service service failed to start due to the following error:
%%2


CodeIntegrity:
===================================
Date: 2016-05-30 01:06:01.392
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 01:06:01.392
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 01:05:59.908
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\ShopperPro3\JSDriver\1.42.1.10657\jsdrv.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 01:05:59.908
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\ShopperPro3\JSDriver\1.42.1.10657\jsdrv.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 00:41:03.724
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 00:41:03.724
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 00:39:21.458
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 00:39:21.443
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 00:38:26.255
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2016-05-30 00:38:26.255
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ShopperPro3\spbiw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: AMD Athlon™ II X3 460 Processor
Percentage of memory in use: 51%
Total physical RAM: 1023.55 MB
Available physical RAM: 494.77 MB
Total Virtual: 2047.55 MB
Available Virtual: 1293.99 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:24.9 GB) (Free:15.12 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 25 GB) (Disk ID: E60CAACA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=24.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
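
The Addition.txt excerpt above is a set of indicators, not noise: Code Integrity refuses to load two ShopperPro3 drivers (spbiw.sys, jsdrv.sys) because their hashes cannot be verified, kbasemgr.sys is blocked outright (event 1060), and the kdeskcore, kbasemgr and pnphost services fail at every boot (events 7000/7023), which is why the fixlist later in the thread removes them. The PowerShell below is an added example, not FRST's code or anything posted in the thread: it pulls the same classes of event from the live logs and, for every image involved, reports whether the file is still on disk, its Authenticode status and a SHA-256 for a reputation lookup, then maps each failing service to the binary it points at. It assumes an elevated Windows PowerShell 3 or later prompt on the affected machine; the event IDs are the ones in the excerpt, the Code Integrity entries are matched on message text so no event ID is assumed, and \Device\HarddiskVolumeN is taken to be the system drive because the log shows a single fixed C:.

```powershell
# Added example, not FRST's own code: re-derive the driver and service failures that the
# Addition.txt excerpt lists from the live event logs, then check every image involved.
# Run from an elevated Windows PowerShell 3+ prompt on the affected machine.
$since = (Get-Date).AddDays(-14)    # assumption: two weeks of history is enough

# Normalise the path forms seen in service entries and driver events
# (\??\C:\..., \SystemRoot\..., relative system32\drivers\x.sys, quoted paths with arguments).
function Resolve-ImagePath([string]$Raw) {
    if (-not $Raw) { return $null }
    $p = $Raw.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }                      # quoted image, drop arguments
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }  # unquoted: cut after the extension
    $p = $p -replace '^\\\?\?\\', ''                                       # \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                      # \SystemRoot\... (case-insensitive)
    # Assumption: \Device\HarddiskVolumeN is the system drive; the log above shows a single fixed C:.
    $p = $p -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive
    if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }   # e.g. system32\drivers\x.sys
    return $p
}

# 1. Code Integrity: images whose hash could not be verified. Matched on message text,
#    so this does not depend on a particular event ID.
$ci = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; StartTime = $since } -ErrorAction SilentlyContinue
$images = @(foreach ($e in $ci) {
    if ($e.Message -match 'unable to verify the image integrity of the file (?<dev>\\Device\\.+?) because') {
        Resolve-ImagePath $Matches.dev
    }
})

# 2. System log: 1060 = driver blocked from loading, 7000/7023 = service start/termination
#    failures; these are the three IDs that appear in the excerpt.
$sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1060, 7000, 7023; StartTime = $since } -ErrorAction SilentlyContinue
$services = @()
foreach ($e in $sys) {
    if ($e.Id -eq 1060 -and $e.Message -match '^(?<img>.+?) has been blocked from loading') {
        $images += Resolve-ImagePath $Matches.img
    } elseif ($e.Message -match '^The (?<svc>.+?) service (failed to start|terminated)') {
        $services += $Matches.svc
    }
}

# 3. Every image: still on disk, signature status, SHA-256 for a reputation lookup.
$sha = [System.Security.Cryptography.SHA256]::Create()
$imageReport = foreach ($path in ($images | Where-Object { $_ } | Sort-Object -Unique)) {
    $exists = Test-Path -LiteralPath $path
    [pscustomobject]@{
        Image     = $path
        Exists    = $exists
        Signature = $(if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'missing' })
        SHA256    = $(if ($exists) { [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($path))) -replace '-' } else { '' })
    }
}

# 4. Each failing service: the binary it points at and whether that binary still exists.
#    SCM names the service by display name in 7000/7023, so match on either name.
$all = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
$serviceReport = foreach ($name in ($services | Sort-Object -Unique)) {
    $svc = $all | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name } | Select-Object -First 1
    $bin = Resolve-ImagePath $svc.PathName
    [pscustomobject]@{
        Service      = $name
        Name         = $svc.Name
        StartMode    = $svc.StartMode
        State        = $svc.State
        Binary       = $bin
        BinaryExists = $(if ($bin) { Test-Path -LiteralPath $bin } else { $false })
    }
}

$imageReport   | Format-Table -AutoSize -Wrap
$serviceReport | Format-Table -AutoSize -Wrap
```

A service whose binary no longer exists (the `[X]` marker in the FRST listing) is harmless but should still be removed, as the fixlist in the next post does; a driver that is present but reports `HashMismatch` or `NotSigned` is the one to hash and look up before deciding it is just a broken installer.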

#8 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 04 June 2016 - 01:38 PM

I copied your logs to new posts and all went well.
There is a limit on the number of characters per post. Were you trying to post both logs in one post only?

===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [.XLKKDesktopIcon] -> {4DB0021B-1EC2-4C31-BD79-FEA2892EEB43} => C:\Users\Public\Thunder Network\KKVideo\Addins\KKVIconHandler64.dll No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-473779465-2245731831-372512357-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxp://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=79081068_oem_dg&ch=33
BHO: No Name -> {8D0F6366-8F2E-4F7F-872E-5AB98554D78C} -> No File
FF Plugin-x32: @baidu.com/BaiduExpert-npplugin -> C:\Users\Daniel\AppData\Roaming\Baidu\BDWebAdapter\3.0.359.0\npBDExNP.dll [No File]
FF Plugin-x32: @baidu.com/npxbdcntb -> C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\npxbdcntb.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-30]
S3 BaiduPinyinUpdater; "C:\Program Files (x86)\Baidu\BaiduPinyinUpdate\bdupdate.exe" [X]
S2 kdeskcore; "c:\program files (x86)\cmcm\kdesk\kdeskcore.exe" /service cmcore [X]
S2 pnphost; C:\Program Files (x86)\DTLSoft\USBBox\pnphost.dll [X]
S2 kbasemgr; \systemroot\system32\drivers\kbasemgr.sys [X]
C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please let me know what problem persists with this computer.

#9 daffy1234 (Topic Starter)

Posted 04 June 2016 - 09:30 PM

I was doing as you said. I copied and pasted the first log, while attaching the second log. Though the first log alone was around 27KB, so maybe that was too much to simply paste. I've followed all of your instructions, restarted the computer, tried to delete the FunAcce folder, restarted again, and yet again the folder is back. Using SysInternals Process Monitor, I've managed to trace it down to rundll32 running C:\Users\Daniel\AppData\Roaming\Abaroet\AptNail.dll. I don't know the significance of this, though. I suspect simply deleting this file wouldn't be enough, since there's probably something somewhere telling rundll32 to use the dll in the first place. I don't know how to track this down, though.

Attached are the two logs: Fixlog.txt and AdwCleanerC5.txt.



#10 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 05 June 2016 - 08:25 AM

Before you try anything, let's see what we can find.

Please download SystemLook and save it to your Desktop (if your system is 64-bit, download SystemLook_x64.exe instead).
SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe (or SystemLook_x64.exe) to run it.
  • Copy and paste the following text into the main textfield:

    :regfind
    FunAcce
    AptNail.dll

    :folderfind
    FunAcce
    Abaroet

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

When this is completed, boot to safe mode and rename the file below to AptNail.dll.old:
C:\Users\Daniel\AppData\Roaming\Abaroet\AptNail.dll

If it's really needed you will be able to restore its original name.

Restart the computer normally.

How is it now?
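
Post #9 has the right instinct: the DLL is only the payload, and something has to be handing rundll32 that path at every boot. SystemLook's :regfind answers part of the question (any registry string that contains the name), but a rundll32 loader is almost always registered in one of a small set of autostart locations that can be enumerated directly, and a running rundll32 instance carries the DLL on its command line and its launcher as the parent process. The PowerShell below is an added example, not SystemLook's or FRST's code and not something posted in the thread: it searches the autostart registry keys, scheduled tasks, services and WMI event subscriptions for the names from this thread (FunAcce, AptNail.dll, Abaroet), lists every running rundll32 with its parent, and finishes with a plain value search over HKCU and HKLM much as :regfind does. It assumes an elevated Windows PowerShell 3 or later prompt, logged on as the affected user so that HKCU is the user's own hive, and an English Windows for the schtasks column names.

```powershell
# Added example, not SystemLook's or FRST's code: enumerate the places that can hand
# rundll32 a DLL, and string-search the registry the way SystemLook's :regfind does.
# Run from an elevated Windows PowerShell 3+ prompt, logged on as the affected user
# (HKCU is that user's hive). The names below are the ones from this thread.
$needles = @('FunAcce', 'AptNail.dll', 'Abaroet')
$pattern = ($needles | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits    = New-Object System.Collections.Generic.List[object]
function Add-Hit($Where, $Name, $Value) {
    $hits.Add([pscustomobject]@{ Where = $Where; Name = $Name; Value = "$Value" })
}

# 1. Autostart keys, 64- and 32-bit views, user and machine. Every rundll32 entry is reported
#    as well, so the loader shows up even if it names the DLL differently than expected.
$autostart = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',          # Load / Run values
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',         # Shell / Userinit
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'           # AppInit_DLLs
)
foreach ($key in $autostart) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                 # provider metadata, not registry values
        if ("$($p.Value)" -match "$pattern|rundll32") { Add-Hit $key $p.Name $p.Value }
    }
}

# 2. Scheduled tasks. schtasks exists on every Windows version; Get-ScheduledTask does not.
#    Column names assume an English Windows.
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
    if ("$($t.'Task To Run')" -match "$pattern|rundll32") { Add-Hit 'ScheduledTask' $t.TaskName $t.'Task To Run' }
}

# 3. Services and drivers whose image path mentions one of the names.
foreach ($s in (@(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver))) {
    if ("$($s.PathName)" -match $pattern) { Add-Hit 'Service' $s.Name $s.PathName }
}

# 4. WMI permanent event subscriptions, a relauncher that survives deleting files.
foreach ($c in (Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
    if ("$($c.CommandLineTemplate)" -match "$pattern|rundll32") { Add-Hit 'WMI:CommandLineEventConsumer' $c.Name $c.CommandLineTemplate }
}
foreach ($c in (Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)) {
    if ("$($c.ScriptText)" -match $pattern) { Add-Hit 'WMI:ActiveScriptEventConsumer' $c.Name $c.ScriptText }
}

# 5. Running rundll32 instances: the command line names the DLL, the parent says who launched it.
foreach ($r in (Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'")) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($r.ParentProcessId)"
    Add-Hit "Process:$($r.ProcessId)" "parent=$($parent.Name):$($r.ParentProcessId)" $r.CommandLine
}

# 6. Brute-force value search of a subtree, the equivalent of SystemLook's :regfind. Slow on
#    HKLM:\Software, but it finds pointers like SystemSres\accedir that no autostart list shows.
function Search-RegistryStrings([string]$Root) {
    foreach ($k in (Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)) {
        if ($k.Name -match $pattern) { Add-Hit 'RegKeyName' $k.Name '' }
        foreach ($vn in $k.GetValueNames()) {
            $v = "$($k.GetValue($vn))"
            if ($v -match $pattern) { Add-Hit $k.Name $vn $v }
        }
    }
}
Search-RegistryStrings 'HKCU:\Software'
Search-RegistryStrings 'HKLM:\Software'

$hits | Sort-Object Where, Name | Format-Table -AutoSize -Wrap
```

If sections 1 to 5 come back empty while the DLL still gets loaded after a reboot, the launcher is something this list does not cover (a shell extension, a browser helper, another installed program's own updater), and Process Monitor's process tree at boot, filtered on the DLL path as post #9 did, is the next step.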


#11 daffy1234 (Topic Starter)

Posted 06 June 2016 - 02:05 PM

Interesting, I didn't think to search the registry. Here's the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 10:01 on 30/05/2016 by Daniel
Administrator - Elevation successful

========== regfind ==========

Searching for "FunAcce"
[HKEY_CURRENT_USER\Software\SystemSres]
"accedir"="C:\Users\Public\FunAcce"
[HKEY_USERS\S-1-5-21-473779465-2245731831-372512357-1001\Software\SystemSres]
"accedir"="C:\Users\Public\FunAcce"

Searching for "AptNail.dll"
No data found.

========== folderfind ==========

Searching for "FunAcce"
C:\Users\Public\FunAcce    d------    [16:41 30/05/2016]

Searching for "Abaroet"
C:\Users\Daniel\AppData\Roaming\Abaroet    d------    [07:56 30/05/2016]

-= EOF =-

 

Renaming the file didn't help, but renaming the whole folder seems to stop that folder from appearing again. My only concern now is that whatever is running this dll file is still on my computer, and I'm not sure how to hunt down the root cause of it.



#12 daffy1234 (Topic Starter)

Posted 06 June 2016 - 02:08 PM

In the Abaroet folder, there's a lot of other dlls, a few unknown files, and apparently an uninstall exe file. Since this whole thing came from adware, I don't know how much I can trust the uninstaller.



#13 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 07 June 2016 - 07:02 AM

Copy the text in the quote box below to Notepad. Save it as fixme.reg to your Desktop.
Be sure the "Save as type" is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SystemSres]
"accedir"=-
[HKEY_USERS\S-1-5-21-473779465-2245731831-372512357-1001\Software\SystemSres]
"accedir"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

Now delete these folders:

C:\Users\Public\FunAcce
C:\Users\Daniel\AppData\Roaming\Abaroet

You can also delete the fixme.reg file.

How is it running now?
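
Two points a practitioner would want next to the .reg file above, given here as an added example rather than as part of the reply. First, in .reg syntax a trailing `=-` deletes a single value (`[-Key]` would delete a whole key), so the merge removes accedir but leaves the now-empty SystemSres key and touches nothing in the loader's own autostart. Second, HKEY_CURRENT_USER is a link to HKEY_USERS\<SID of the logged-on user>, so the two SystemLook hits are one value seen through two names, and a folder cannot be deleted while a process still has a DLL from it mapped, which is what makes rundll32 worth stopping before the rm. The PowerShell below, not nasdaq's code and not posted in the thread, shows the alias, removes the value and the empty key, stops any rundll32 that has AptNail.dll loaded, deletes both folders and re-checks. It assumes an elevated Windows PowerShell 3 or later prompt, logged on as the affected user (Daniel in this thread), and uses the paths from the SystemLook log.

```powershell
# Added example, not part of the reply above: remove the accedir pointer and the loader
# folder, and verify. Run from an elevated Windows PowerShell 3+ prompt, logged on as the
# affected user (Daniel in this thread), so that HKCU is the hive SystemLook searched.
$dllName = 'AptNail.dll'
$hkcuKey = 'HKCU:\Software\SystemSres'
$sid     = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$hkuKey  = "Registry::HKEY_USERS\$sid\Software\SystemSres"
$folders = @('C:\Users\Public\FunAcce', 'C:\Users\Daniel\AppData\Roaming\Abaroet')   # paths from the SystemLook log

# HKEY_CURRENT_USER is a link to HKEY_USERS\<SID of the logged-on user>, so the two
# SystemLook hits are one value seen through two names. Show both before touching anything.
"current user SID : $sid"
"accedir via HKCU : $((Get-ItemProperty -Path $hkcuKey -Name accedir -ErrorAction SilentlyContinue).accedir)"
"accedir via HKU  : $((Get-ItemProperty -Path $hkuKey  -Name accedir -ErrorAction SilentlyContinue).accedir)"

# 1. Delete the value (what "accedir"=- does in the .reg file), then the key if it is now empty.
if (Test-Path $hkcuKey) {
    Remove-ItemProperty -Path $hkcuKey -Name accedir -ErrorAction SilentlyContinue
    $k = Get-Item -Path $hkcuKey
    if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -Path $hkcuKey }
}

# 2. A folder cannot be deleted while a process has a DLL from it mapped, so find the holders.
#    Only rundll32 (the host Process Monitor showed) is stopped automatically; any other holder
#    means the DLL is injected elsewhere and deserves a look before you kill it.
$holders = @(foreach ($p in Get-Process) {
    try { if ($p.Modules | Where-Object { $_.ModuleName -ieq $dllName }) { $p } } catch { }
})
foreach ($p in $holders) {
    "{0} (PID {1}) has {2} loaded" -f $p.ProcessName, $p.Id, $dllName
    if ($p.ProcessName -ieq 'rundll32') { Stop-Process -Id $p.Id -Force }
}

# 3. Delete both folders; -Force takes care of hidden and read-only attributes.
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Recurse -Force -ErrorAction Continue }
}

# 4. Verify now, then reboot and run this verification again: the real test is whether
#    anything recreates the value or the folders at the next logon.
$after = [ordered]@{
    'SystemSres key present' = Test-Path $hkcuKey
    'accedir present'        = [bool](Get-ItemProperty -Path $hkcuKey -Name accedir -ErrorAction SilentlyContinue)
}
foreach ($f in $folders) { $after[$f] = Test-Path -LiteralPath $f }
$after
```

If the verification after the reboot shows the value or a folder back, the launcher is still installed and the search in the previous example is the place to look; the .reg merge on its own only breaks the pointer.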

#14 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 13 June 2016 - 07:27 AM

Are you still with me?



