
Google Chrome is infected with an Add-On called Search Engage (possible PUP)


  • This topic is locked
32 replies to this topic

#1 Durred

  • Members
  • 39 posts

Posted 22 June 2016 - 05:14 PM

Hi, everyone. I am always grateful for having BleepingComputer staff members assist me with issues.

 

I am here because my Google Chrome is infected with this unknown add-in called Search Engage.

[Attached file: Capture.PNG (70.95KB)]

Every time I open a new tab on Google Chrome, I am directed to Search Engage.

 

Also, I am given the option to "Disable" the extension, but Search Engage is not actually being disabled.

[Attached file: Capture1.PNG (86.67KB)]

Instead, it is considered a built-in extension in Chrome and refuses to remove itself.

[Attached file: Capture2.PNG (398.78KB)]

I also noticed that Search Engage is run by another company called Cro-Bit Ltd.

[Attached file: Capture3.PNG (308.39KB)]

Anyways, here are my two logs: FRST.txt and Addition.txt.

[Attached file: FRST.txt (31.36KB)]

[Attached file: Addition.txt (36.39KB)]

 

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01
Ran by ShellShock (administrator) on SHELLSHOCK-PC (22-06-2016 14:57:49)
Running from C:\Users\ShellShock\Desktop
Loaded Profiles: ShellShock (Available Profiles: ShellShock)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Enigma Software Group USA, LLC.) C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter3.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_192.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_192.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-04-28] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-06-01] (Apple Inc.)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [15818872 2016-04-28] (Logitech Inc.)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13653232 2016-06-16] (Zemana Ltd.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-20] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-08-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-15] (Piriform Ltd)
HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\...\Run: [CCleaner] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-15] (Piriform Ltd)
HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\...\MountPoints2: {4c6594c7-b651-11e5-9df6-806e6f6e6963} - D:\Bin\ASSETUP.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2016-03-24]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{DCBA0B83-97E3-47F5-B80F-E934195DEA48}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-10-22] (Hewlett-Packard Co.)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-10-22] (Hewlett-Packard Co.)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
Toolbar: HKLM - BitCro Social 10.0.0 - {B81BF46A-B455-48FB-A81B-40DFFF66786F} - C:\Users\ShellShock\AppData\Local\Microsoft\Internet Explorer\seu64.dll [2016-06-16] (Bit-cro Ltd.)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - BitCro Social 10.0.0 - {B81BF46A-B455-48FB-A81B-40DFFF66786F} - C:\Users\ShellShock\AppData\Local\Microsoft\Internet Explorer\seu.dll [2016-06-16] (Bit-cro Ltd.)
Toolbar: HKU\S-1-5-21-1961654962-3049007436-3560005251-1000 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\ShellShock\AppData\Roaming\Mozilla\Firefox\Profiles\jgaqsag3.default-1466131280332
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_192.dll [2016-06-16] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-03-09] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_192.dll [2016-06-16] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-22] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-22] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2012-10-01] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2016-01-08] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2016-03-24] [not signed]
FF HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR Profile: C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-22]
CHR Extension: (Google Docs) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-22]
CHR Extension: (Google Drive) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-22]
CHR Extension: (YouTube) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-22]
CHR Extension: (Search Solutions) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\codbdfjjjgeaecahmhihkpjbadffccob [2016-06-22]
CHR Extension: (Google Sheets) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-22]
CHR Extension: (Google Docs Offline) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-22]
CHR Extension: (Gmail) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-22]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [28552 2016-04-26] (Hewlett-Packard Company)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 LogiRegistryService; C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe [193656 2016-04-28] (Logitech Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13653232 2016-06-16] (Zemana Ltd.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-06-21] ()
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [46960 2016-06-22] ()
S3 kinonivd; C:\Windows\System32\DRIVERS\kinonivd.sys [2782848 2014-11-12] (Windows ® Win 7 DDK provider)
S3 KINONI_Wave; C:\Windows\System32\drivers\kinonivad.sys [23040 2014-11-12] (Windows ® Win 7 DDK provider) [File not signed]
S2 LGCoreTemp; C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys [14184 2015-06-21] (Logitech)
R3 LGJoyXlCore; C:\Windows\System32\drivers\LGJoyXlCore.sys [85160 2016-04-18] (Logitech Inc.)
R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [64280 2013-05-30] (Logitech Inc.)
R3 LGSUsbFilt; C:\Windows\System32\DRIVERS\LGSUsbFilt.Sys [41752 2013-05-30] (Logitech Inc.)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2016-06-22] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2016-06-22] (Zemana Ltd.)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-22 14:57 - 2016-06-22 14:58 - 00017281 _____ C:\Users\ShellShock\Desktop\FRST.txt
2016-06-22 14:56 - 2016-06-22 14:56 - 02387456 _____ (Farbar) C:\Users\ShellShock\Desktop\FRST64.exe
2016-06-22 14:45 - 2016-06-22 14:45 - 00016170 _____ C:\Users\ShellShock\Desktop\My T-Mobile _ Billing _ Payment Confirmation.pdf
2016-06-22 14:29 - 2016-06-22 14:29 - 00002271 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-22 14:29 - 2016-06-22 14:29 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-22 14:28 - 2016-06-22 14:39 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-22 14:28 - 2016-06-22 14:39 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-22 14:28 - 2016-06-22 14:34 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-06-22 14:28 - 2016-06-22 14:34 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-06-22 14:28 - 2016-06-22 14:28 - 00987728 _____ (Google Inc.) C:\Users\ShellShock\Desktop\ChromeSetup.exe
2016-06-22 14:22 - 2016-06-22 14:22 - 00046960 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2016-06-22 14:20 - 2016-06-22 14:20 - 00001264 _____ C:\Windows\system32\.crusader
2016-06-22 13:55 - 2016-06-22 14:21 - 00000000 ____D C:\ProgramData\HitmanPro
2016-06-22 13:49 - 2016-06-22 13:51 - 00000000 ____D C:\AdwCleaner
2016-06-22 13:29 - 2016-06-22 13:56 - 11438608 _____ (SurfRight B.V.) C:\Users\ShellShock\Desktop\HitmanPro_x64.exe
2016-06-22 13:28 - 2016-06-22 13:28 - 03703360 _____ C:\Users\ShellShock\Desktop\AdwCleaner.exe
2016-06-22 13:27 - 2016-06-22 14:57 - 00250309 _____ C:\Windows\ZAM.krnl.trace
2016-06-22 13:27 - 2016-06-22 14:57 - 00036302 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-06-22 13:27 - 2016-06-22 13:51 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-06-22 13:27 - 2016-06-22 13:27 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2016-06-22 13:27 - 2016-06-22 13:27 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2016-06-22 13:27 - 2016-06-22 13:27 - 00001076 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2016-06-22 13:27 - 2016-06-22 13:27 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Zemana
2016-06-22 13:27 - 2016-06-22 13:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-06-22 13:23 - 2016-06-22 13:23 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\ShellShock\Desktop\iExplore.exe
2016-06-22 13:23 - 2016-06-22 13:23 - 00002566 _____ C:\Users\ShellShock\Desktop\Rkill.txt
2016-06-22 13:21 - 2016-06-22 13:21 - 00946210 _____ C:\Users\ShellShock\Desktop\Remove the Youndoo.pdf
2016-06-21 23:39 - 2016-06-21 23:39 - 00003368 _____ C:\Windows\System32\Tasks\SpyHunter3
2016-06-21 23:39 - 2016-06-21 23:39 - 00001256 _____ C:\ProgramData\Microsoft\Windows\Start Menu\SpyHunter.lnk
2016-06-21 23:39 - 2016-06-21 23:39 - 00001250 _____ C:\Users\Public\Desktop\SpyHunter.lnk
2016-06-21 23:39 - 2016-06-21 23:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-06-21 23:39 - 2016-06-21 23:39 - 00000000 ____D C:\Program Files (x86)\Enigma Software Group
2016-06-21 23:35 - 2016-06-21 23:35 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-06-21 23:35 - 2016-06-21 23:35 - 00000000 ____D C:\Program Files\Common Files\AV
2016-06-21 23:34 - 2016-06-21 23:54 - 00000000 ____D C:\ProgramData\AVAST Software
2016-06-21 22:44 - 2016-06-21 22:44 - 14856368 _____ (Enigma Software Group USA, LLC.) C:\Users\ShellShock\Downloads\RegHunter-Installer.exe
2016-06-21 22:42 - 2016-06-21 22:42 - 00000000 _____ C:\autoexec.bat
2016-06-21 22:41 - 2016-06-21 22:41 - 03482800 _____ (Enigma Software Group USA, LLC.) C:\Users\ShellShock\Downloads\SpyHunter-Installer.exe
2016-06-21 22:41 - 2016-06-21 22:41 - 00022704 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2016-06-21 22:31 - 2016-06-22 14:28 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-17 16:33 - 2016-06-17 16:33 - 00987728 _____ (Google Inc.) C:\Users\ShellShock\Downloads\ChromeSetup.exe
2016-06-16 19:50 - 2016-06-16 19:50 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Deployment
2016-06-16 19:50 - 2016-06-16 19:50 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Apps\2.0
2016-06-16 19:39 - 2016-06-21 23:25 - 00000560 __RSH C:\Users\ShellShock\ntuser.pol
2016-06-16 19:23 - 2016-06-16 19:23 - 09717952 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2016-06-10 22:36 - 2016-06-17 23:31 - 00000120 _____ C:\Users\ShellShock\Desktop\sadfasdf.txt
2016-06-10 01:32 - 2016-06-10 01:32 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Logitech
2016-06-10 01:32 - 2016-06-10 01:32 - 00000000 ____D C:\ProgramData\LogiShrd
2016-06-10 01:31 - 2016-06-12 12:58 - 00018960 _____ (Logitech, Inc.) C:\Windows\system32\Drivers\LNonPnP.sys
2016-06-10 01:31 - 2016-06-10 01:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
2016-06-10 01:30 - 2016-06-10 01:31 - 00000000 ____D C:\Program Files\Logitech Gaming Software
2016-06-10 01:29 - 2016-06-10 01:29 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\Logitech
2016-06-10 01:29 - 2016-06-10 01:29 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\Logishrd
2016-06-08 12:09 - 2016-06-08 12:09 - 00000000 ____D C:\Users\ShellShock\Desktop\Study skills
2016-06-08 11:59 - 2016-06-08 11:59 - 00001753 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-06-08 11:59 - 2016-06-08 11:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-06-08 11:59 - 2016-06-08 11:59 - 00000000 ____D C:\Program Files\iTunes
2016-06-08 11:59 - 2016-06-08 11:59 - 00000000 ____D C:\Program Files\iPod
2016-06-08 11:59 - 2016-06-08 11:59 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-06-03 20:02 - 2016-06-10 00:41 - 00000000 ____D C:\Users\ShellShock\Desktop\SC2Scrapbook%202.6.0
2016-06-02 14:53 - 2016-06-22 14:29 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Google
2016-06-01 13:30 - 2016-06-01 13:30 - 00000000 ____D C:\Program Files (x86)\Raptr Inc
2016-05-24 01:39 - 2016-05-24 01:39 - 00196528 ____H C:\Windows\SysWOW64\mlfcache.dat
2016-05-24 01:30 - 2016-06-21 23:33 - 00000000 ____D C:\Program Files (x86)\vShare Helper
2016-05-24 01:30 - 2016-05-24 01:30 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-05-24 01:30 - 2016-05-24 01:30 - 00000000 ____D C:\Windows\System32\Tasks\Apple
2016-05-24 01:30 - 2016-05-24 01:30 - 00000000 ____D C:\Users\ShellShock\Documents\vShareUserData
2016-05-24 01:30 - 2016-05-24 01:30 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-05-23 02:57 - 2016-05-23 02:57 - 00001790 _____ C:\Users\ShellShock\Desktop\Adobe Premiere Pro.exe - Shortcut.lnk
2016-05-23 02:51 - 2016-05-23 02:51 - 00000000 ____D C:\Users\ShellShock\Documents\Adobe
2016-05-23 02:50 - 2016-05-23 02:50 - 00001106 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro CC 2015.lnk
2016-05-23 02:50 - 2016-05-23 02:50 - 00000000 ____D C:\Program Files\Adobe
2016-05-23 02:49 - 2016-05-23 02:51 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-05-23 02:47 - 2016-05-23 02:47 - 00001534 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
2016-05-23 02:40 - 2016-05-23 02:42 - 00000000 ____D C:\Users\ShellShock\Desktop\Adobe Premiere Pro CC 2015 v9.0 + Crack
2016-05-23 01:35 - 2016-05-23 01:35 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\Publish Providers
2016-05-23 01:33 - 2016-05-23 02:44 - 00008158 _____ C:\Windows\system32\--traceoff
2016-05-23 01:33 - 2016-05-23 02:44 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Sony
2016-05-23 01:33 - 2016-05-23 01:33 - 00000000 _____ C:\Windows\system32\--debugoff
2016-05-23 01:31 - 2016-05-23 01:35 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\Sony
2016-05-23 00:33 - 2016-05-23 00:33 - 00000000 ____D C:\Users\ShellShock\dwhelper

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-22 14:57 - 2015-06-20 11:05 - 00000000 ____D C:\FRST
2016-06-22 14:44 - 2016-03-24 22:07 - 00004996 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for ShellShock-PC-ShellShock ShellShock-PC
2016-06-22 14:31 - 2009-07-13 21:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-22 14:31 - 2009-07-13 21:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-22 14:29 - 2009-07-13 22:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-22 14:29 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-06-22 14:24 - 2016-01-08 14:58 - 00000000 ____D C:\Users\ShellShock
2016-06-22 14:23 - 2016-01-10 04:04 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-22 14:22 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-22 14:20 - 2016-02-20 13:57 - 00000000 ____D C:\Windows\AutoKMS
2016-06-22 13:51 - 2016-03-24 21:12 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Battle.net
2016-06-22 13:34 - 2016-03-24 21:13 - 00000000 ____D C:\Program Files (x86)\StarCraft II
2016-06-22 13:30 - 2016-03-24 21:11 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-06-21 23:51 - 2016-01-08 15:44 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\uTorrent
2016-06-21 23:50 - 2016-01-12 18:38 - 00000000 ____D C:\Users\ShellShock\Desktop\HP c310
2016-06-21 23:50 - 2016-01-08 15:48 - 00000000 ___SD C:\Users\ShellShock\AppData\LocalLow\Temp
2016-06-21 23:41 - 2016-03-29 14:28 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\Skype
2016-06-21 23:41 - 2016-01-29 15:30 - 00000000 ____D C:\Program Files (x86)\iMobie
2016-06-21 23:38 - 2016-03-29 14:28 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-06-21 23:38 - 2016-03-29 14:28 - 00000000 ____D C:\ProgramData\Skype
2016-06-21 23:25 - 2016-03-05 21:38 - 00000344 __RSH C:\ProgramData\ntuser.pol
2016-06-21 22:21 - 2014-07-29 12:30 - 00000000 ____D C:\Users\ShellShock\Desktop\MPC classes so far
2016-06-20 19:15 - 2016-03-19 02:03 - 00000000 ____D C:\Users\ShellShock\Desktop\purchased stuff
2016-06-16 20:23 - 2016-02-11 17:38 - 00000000 ____D C:\Users\ShellShock\Desktop\comcast payments
2016-06-16 19:23 - 2016-01-10 04:04 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-06-16 19:23 - 2016-01-10 04:04 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-06-16 19:23 - 2016-01-10 04:04 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-06-16 18:34 - 2016-01-08 15:06 - 00000000 ___HD C:\Program Files (x86)\Temp
2016-06-16 18:34 - 2016-01-08 15:06 - 00000000 ____D C:\Program Files (x86)\Realtek
2016-06-16 00:40 - 2014-04-14 20:57 - 00000000 ____D C:\Users\ShellShock\Desktop\Simple pickup!
2016-06-11 21:43 - 2016-03-19 02:04 - 00000000 ____D C:\Users\ShellShock\Desktop\Strength
2016-06-10 10:41 - 2016-05-05 14:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-06-10 10:41 - 2016-01-08 15:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-06-09 12:06 - 2016-01-08 15:48 - 00000000 ____D C:\ProgramData\Package Cache
2016-06-08 20:53 - 2016-01-08 16:16 - 00000000 ____D C:\Users\ShellShock\AppData\Local\ElevatedDiagnostics
2016-06-08 20:53 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2016-06-08 15:25 - 2016-01-12 16:32 - 00000000 ____D C:\Users\ShellShock\Desktop\bleep you hartnell
2016-06-08 11:59 - 2016-01-12 20:20 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-06-07 23:59 - 2016-01-24 00:30 - 00002194 _____ C:\Users\ShellShock\Desktop\Discord.lnk
2016-06-07 23:59 - 2016-01-24 00:30 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hammer & Chisel, Inc
2016-06-07 23:59 - 2016-01-24 00:30 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Discord
2016-06-07 23:58 - 2016-01-20 20:12 - 00000000 ____D C:\Users\ShellShock\AppData\Local\SquirrelTemp
2016-06-04 23:56 - 2016-04-14 20:40 - 00000000 ____D C:\Program Files (x86)\Heroes of Newerth
2016-06-03 20:01 - 2016-03-24 21:13 - 00000000 ____D C:\Users\ShellShock\Documents\StarCraft II
2016-05-24 03:38 - 2016-01-08 15:19 - 00000000 ____D C:\Users\ShellShock\Desktop\Journey
2016-05-23 12:48 - 2009-07-13 21:45 - 05110592 _____ C:\Windows\system32\FNTCACHE.DAT
2016-05-23 03:02 - 2016-01-08 16:09 - 00000000 ____D C:\Users\ShellShock\AppData\Local\Adobe
2016-05-23 02:51 - 2016-01-08 16:09 - 00000000 ____D C:\Users\ShellShock\AppData\Roaming\Adobe
2016-05-23 02:51 - 2016-01-08 16:09 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2016-05-23 02:50 - 2016-01-08 15:35 - 00113424 _____ C:\Users\ShellShock\AppData\Local\GDIPFONTCACHEV1.DAT

==================== Files in the root of some directories =======

2016-01-12 16:22 - 2016-03-28 12:49 - 0031528 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\ShellShock\AppData\Local\Temp\libeay32.dll
C:\Users\ShellShock\AppData\Local\Temp\msvcr120.dll
C:\Users\ShellShock\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-19 21:52

==================== End of FRST.txt ============================
Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by ShellShock (2016-06-22 14:58:12)
Running from C:\Users\ShellShock\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2016-01-08 21:58:41)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1961654962-3049007436-3560005251-500 - Administrator - Disabled)
Guest (S-1-5-21-1961654962-3049007436-3560005251-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1961654962-3049007436-3560005251-1002 - Limited - Enabled)
ShellShock (S-1-5-21-1961654962-3049007436-3560005251-1000 - Administrator - Enabled) => C:\Users\ShellShock

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\...\uTorrent) (Version: 3.4.7.42330 - BitTorrent Inc.)
64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden
Adobe Acrobat XI Pro (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-000000000006}) (Version: 11.0.09 - Adobe Systems)
Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.192 - Adobe Systems Incorporated)
Adobe Photoshop CC 2014 (32 Bit) (HKLM-x32\...\{7C25E7A0-A0A1-4B87-BB30-BF0FBDC37878}) (Version: 15.0 - Adobe Systems Incorporated)
Adobe Premiere Pro CC 2015 (HKLM-x32\...\{38C72D42-0672-43B1-9E05-E7631684F9A1}) (Version: 9.0.0 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{7E5DC2C5-115A-322B-976C-219237FAED66}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{26356515-5821-40FA-9C3D-9785052A1062}) (Version: 4.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{C2651553-6CA3-4822-B2E6-BC4ACA6E0EA2}) (Version: 4.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}) (Version: 9.3.0.15 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.16.2.0 - Asmedia Technology)
ASUS Product Register Program (HKLM-x32\...\{49BE9B8A-E858-4533-A74A-64306C13DB59}) (Version: 1.0.014 - ASUS)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
BufferChm (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
C310 (x32 Version: 140.0.304.000 - Hewlett-Packard) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.17 - Piriform)
Defraggler (HKLM\...\Defraggler) (Version: 2.21 - Piriform)
Destinations (x32 Version: 140.0.77.000 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
Discord (HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\...\Discord) (Version: 0.0.291 - Hammer & Chisel, Inc.)
EBook Codec 1.0.0.0 (HKLM-x32\...\EBookCodec) (Version: 1.0.0.0 - Free Time)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.103 - Google Inc.)
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
GPBaseService2 (x32 Version: 140.0.211.000 - Hewlett-Packard) Hidden
Heroes of Newerth (HKLM-x32\...\hon) (Version: 2.3.0 - S2 Games)
HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.2024 - HP Photo Creations Powered by RocketLife)
HP Photosmart Prem C310 All-In-One Driver Software 14.0 Rel. 7 (HKLM\...\{4E484899-4F93-4086-88BA-56BDDF47A776}) (Version: 14.0 - HP)
HP Smart Web Printing 4.60 (HKLM\...\HP Smart Web Printing) (Version: 4.60 - HP)
HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
HP Support Solutions Framework (HKLM-x32\...\{55065080-504F-43BB-BE00-36B80D7D39A5}) (Version: 12.4.18.7 - Hewlett-Packard Company)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPAppStudio (x32 Version: 140.0.95.000 - Hewlett-Packard) Hidden
HPDiagnosticAlert (x32 Version: 1.00.0001 - Microsoft) Hidden
HPPhotoGadget (x32 Version: 140.0.524.000 - Hewlett-Packard) Hidden
HPProductAssistant (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.5.235 - Intel Corporation)
iTunes (HKLM\...\{9F4BF859-C3A4-4AB6-BDD1-9C5D58188598}) (Version: 12.4.1.6 - Apple Inc.)
League of Legends (HKLM-x32\...\League of Legends 3.0.1) (Version: 3.0.1 - Riot Games)
League of Legends (x32 Version: 3.0.1 - Riot Games) Hidden
Logitech Gaming Software 8.83 (HKLM\...\Logitech Gaming Software) (Version: 8.83.85 - Logitech Inc.)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23506 (HKLM-x32\...\{3ee5e5bb-b7cc-4556-8861-a00a82977d6c}) (Version: 14.0.23506.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23506 (HKLM-x32\...\{23daf363-3020-4059-b3ae-dc4ad39fed19}) (Version: 14.0.23506.0 - Microsoft Corporation)
Mozilla Firefox 47.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.0.5999 - Mozilla)
Network64 (Version: 140.0.215.000 - Hewlett-Packard) Hidden
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4420.1017 - Microsoft Corporation) Hidden
PowerISO (HKLM-x32\...\PowerISO) (Version: 6.0 - Power Software Ltd)
PS_AIO_07_C310_SW_Min (x32 Version: 140.0.304.000 - Hewlett-Packard) Hidden
QuickTransfer (x32 Version: 140.0.98.000 - Hewlett-Packard) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.61.612.2012 - Realtek)
Realtek Ethernet Diagnostic Utility (HKLM-x32\...\{DADC7AB0-E554-4705-9F6A-83EA82ED708E}) (Version: 1.00.0000 - Realtek)
Scan (x32 Version: 140.0.80.000 - Hewlett-Packard) Hidden
Skype™ 7.25 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.25.103 - Skype Technologies S.A.)
SmartWebPrinting (x32 Version: 140.0.186.000 - Hewlett-Packard) Hidden
SolutionCenter (x32 Version: 140.0.214.000 - Hewlett-Packard) Hidden
SpyHunter (HKLM-x32\...\{03CE1BCB-03F5-4C6A-B37E-69799AA3C544}) (Version: 3.7 - Enigma Software Group USA, LLC)
StarCraft II (HKLM-x32\...\StarCraft II) (Version:  - Blizzard Entertainment)
Status (x32 Version: 140.0.256.000 - Hewlett-Packard) Hidden
TalonRO Client 1.0.0 (HKLM-x32\...\TalonRO_is1) (Version: 1.0.0 - TalonRO)
Toolbox (x32 Version: 140.0.428.000 - Hewlett-Packard) Hidden
TrayApp (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
WebReg (x32 Version: 140.0.212.017 - Hewlett-Packard) Hidden
WinRAR 5.10 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.10.0 - win.rar GmbH)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.21.15 - Zemana Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0BE7BC63-118B-4705-8B67-6CC2EB84A04F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-05-09] (Hewlett-Packard)
Task: {32F88CFA-CF0C-41A5-A15C-A197DCA7E7EF} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {4903689F-1DC2-4EB1-B6FE-8E22E2871B3A} - System32\Tasks\{E8E6E65F-6761-4ACA-B299-CED4A5C5BC0C} => pcalua.exe -a C:\Users\SHELLS~1\AppData\Local\Temp\7zS0D72\util\ccc\CCC_Uninstaller.exe -d C:\Users\SHELLS~1\AppData\Local\Temp\7zS0D72\util\ccc -c Uninstall_L4 /datfile uninstall.dat
Task: {4E6AA2D3-0DCA-4F65-BBD7-49B69D2A77F7} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {57DA0B7A-BBBA-4C1A-8676-4F41B702E8B6} - System32\Tasks\Microsoft Office 15 Sync Maintenance for ShellShock-PC-ShellShock ShellShock-PC => C:\Program Files\Microsoft Office\Office15\MsoSync.exe [2012-10-01] (Microsoft Corporation)
Task: {5D65BAA3-D891-4015-A130-F4129EC92C20} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {5FC780F0-83B9-4EC8-9A33-89280A506B8F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-06-16] (Adobe Systems Incorporated)
Task: {60E5CAA9-92F6-4B66-9E0E-0F28B84A1FC8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-22] (Google Inc.)
Task: {8553312E-970F-498C-A134-D4AB501F9A9E} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-06-21] (AVAST Software)
Task: {BB953E29-3953-47F6-8FEA-D3CD0428179C} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2012-10-01] (Microsoft Corporation)
Task: {BDBBB738-6A04-41FB-ABAF-FBEE88C92EEF} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-04-15] (Piriform Ltd)
Task: {CAB77EBB-8A49-4104-AEF7-76E328276A1A} - System32\Tasks\SpyHunter3 => C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter3.exe [2008-09-10] (Enigma Software Group USA, LLC.)
Task: {CF6EB1A6-9C35-47BD-A57B-29EAC32408DC} - System32\Tasks\ASUS\i-Setup => C:\Windows\Chipset\AsusSetup.exe [2010-09-07] (ASUSTeK Computer Inc.)
Task: {D1E8E298-B77D-42C5-ACCC-577AD1D0BA99} - \AutoKMS -> No File <==== ATTENTION
Task: {DF3727A9-7EBE-4778-9F22-C8CE35375814} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-05-04] (Hewlett-Packard)
Task: {F45A46A3-7A9B-4133-A8AC-01340ECA4242} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-22] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2012-10-01 21:36 - 2012-10-01 21:36 - 06522480 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-06-22 13:27 - 2016-06-22 13:27 - 00121200 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2016-03-18 22:56 - 2016-03-18 22:56 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-04-22 01:07 - 2016-04-22 01:07 - 01337144 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-03-06 17:07 - 2015-03-06 17:07 - 00908568 _____ () C:\Program Files\Logitech Gaming Software\libGLESv2.dll
2016-04-28 15:49 - 2016-04-28 15:49 - 01095448 _____ () C:\Program Files\Logitech Gaming Software\platforms\qwindows.dll
2015-03-06 17:07 - 2015-03-06 17:07 - 00060184 _____ () C:\Program Files\Logitech Gaming Software\libEGL.dll
2016-04-28 15:49 - 2016-04-28 15:49 - 00240408 _____ () C:\Program Files\Logitech Gaming Software\imageformats\qjpeg.dll
2008-06-19 13:42 - 2008-06-19 13:42 - 00225280 _____ () C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
2003-05-14 22:07 - 2003-05-14 22:07 - 00389120 _____ () C:\Windows\SysWow64\actskn43.ocx
2016-01-08 15:05 - 2012-06-25 11:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2012-10-01 21:37 - 2012-10-01 21:37 - 06522480 _____ () C:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-06-16 19:23 - 2016-06-16 19:23 - 19455168 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_192.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2016-06-22 13:49 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\ShellShock\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: ASUSPRP => "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{2145222A-3F3C-4585-BB6D-2E40F06389EA}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E9A7768C-2BF8-484E-AABC-EBE65C6474D6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2AE7C0E5-A937-44F4-BBA6-A9172B5C38AB}] => (Allow) C:\Users\ShellShock\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{7E221339-7DDC-4351-A5B6-AB014E9512A6}] => (Allow) C:\Users\ShellShock\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{32F350C4-4061-415C-8DCB-BCE80BC13C5F}] => (Allow) C:\Users\ShellShock\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{071EC769-E296-4651-A05E-320932634B71}] => (Allow) C:\Users\ShellShock\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{72B99B04-D288-4C1B-AA56-1F8146158D0E}] => (Allow) C:\Users\ShellShock\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{3CF6B8DD-406C-4041-A0C1-36D9D80B6894}] => (Allow) C:\Users\ShellShock\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F90959EF-BBE8-4E73-B4A1-A9419DA96CC2}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{91A15713-9625-4C33-82E8-742BCBC7109C}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{1C35F808-3764-469B-856C-27EE863E74C6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{CE801850-9341-4DBC-B19E-3C23BEBC83C0}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{402879BA-8739-4887-AFE3-0D5C53E6A93B}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{BB0162CE-2F1D-40FE-BD87-D17B1BE7B268}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{CC4AA139-0DC8-4659-A320-217BF84D995B}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{A2185439-0658-466C-B660-F0EC2A7591F9}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{1166AD6D-BBC6-43E9-9E94-1C739E645A63}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{87B96982-EE1F-4CD6-A923-734B7565FA35}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{7AA29120-EEB1-4C4F-9B91-CA086595DBE6}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{38EA2D62-0944-4582-9972-A0C8F67DE13B}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{E574F8AF-00F6-429F-9F8F-72701E2D04CF}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
FirewallRules: [{18C0B8F2-9682-472C-BDB6-DBB3D600797E}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
FirewallRules: [{5C9FC9B8-6324-417B-8F63-1E890FD036F0}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hposid01.exe
FirewallRules: [{492DAAA3-AEA0-4EA8-A487-D7343EE3EE74}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{65597353-202E-4A4B-8C0A-6DAF0CAF70EC}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{04D3C748-B874-403D-9D84-ED2599382816}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpoews01.exe
FirewallRules: [{FE6F62FF-0650-4B68-B7AF-963E025BD4BD}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{63B223E8-5E7E-471E-9FDF-2BB1D2886FB1}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgplgtupl.exe
FirewallRules: [{AABA1C5A-5CFB-4407-93AF-5C43CCDAA048}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
FirewallRules: [{F59E506B-3A0D-4FBA-84EC-C53EAECB9410}] => (Allow) C:\Program Files (x86)\HP\hp software update\hpwucli.exe
FirewallRules: [{BA3E9D31-C59F-443F-B5D5-BFEFAD0996A7}] => (Allow) C:\Program Files (x86)\HP\digital imaging\smart web printing\smartwebprintexe.exe
FirewallRules: [{DEBFE0DA-926E-46F4-BDE5-8C108E09F6D1}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [TCP Query User{00593874-8D80-4887-9DC7-6E3819767D9B}C:\program files (x86)\heroes of newerth\hon.exe] => (Allow) C:\program files (x86)\heroes of newerth\hon.exe
FirewallRules: [UDP Query User{2AAD4D35-569D-483C-A583-8068084D5EE3}C:\program files (x86)\heroes of newerth\hon.exe] => (Allow) C:\program files (x86)\heroes of newerth\hon.exe
FirewallRules: [{B2AAE5BF-FAC2-403F-801A-68DED00A7365}] => (Allow) LPort=135
FirewallRules: [{6CD2045F-91B5-473C-B8E7-EE603BA4C212}] => (Allow) LPort=5000
FirewallRules: [{5574C297-D167-4F66-A902-FDF145563EED}] => (Allow) LPort=5001
FirewallRules: [{7A2BBE38-32BE-4797-A6C9-7AAAE4635F7C}] => (Allow) LPort=5002
FirewallRules: [{7C8AAD67-5AB7-40B4-B3B7-1182DC6B3433}] => (Allow) LPort=5003
FirewallRules: [{1992FD8D-3A22-4257-8546-07910DD9B356}] => (Allow) LPort=5004
FirewallRules: [{97249533-CA85-44A5-A979-9D7ABA4811F5}] => (Allow) LPort=5005
FirewallRules: [{44A9E845-087F-49E7-AE55-6776245F79CB}] => (Allow) LPort=5006
FirewallRules: [{EDBFBD30-138F-4272-96D3-0ABE73EF6D7C}] => (Allow) LPort=5007
FirewallRules: [{CB0C936F-A900-4149-A273-911EE0D98FA7}] => (Allow) LPort=5008
FirewallRules: [{7A414AAD-026C-4DFC-B412-134193A21A8A}] => (Allow) LPort=5009
FirewallRules: [{3EB20C3B-B9E9-4A03-8D65-51377BDC74F6}] => (Allow) LPort=5010
FirewallRules: [{8D16B46C-2FAD-4595-8901-6CFB4B87F819}] => (Allow) LPort=5011
FirewallRules: [{9D225391-70C9-494C-A66D-DB554BABE104}] => (Allow) LPort=5012
FirewallRules: [{E2278664-9A5D-4883-A355-11F8F8C41A5E}] => (Allow) LPort=5013
FirewallRules: [{D28D3D08-6246-400C-B061-8848E09F2CD0}] => (Allow) LPort=5014
FirewallRules: [{8D1B2FAB-BE16-430A-98D7-9B80D2845094}] => (Allow) LPort=5015
FirewallRules: [{BC04D998-3392-4C6A-8CF9-4E772319EE68}] => (Allow) LPort=5016
FirewallRules: [{AE26C961-A1AD-4810-857F-1855BD7D5E1A}] => (Allow) LPort=5017
FirewallRules: [{D65AFA35-D230-4AF0-854F-35E4D0D573C7}] => (Allow) LPort=5018
FirewallRules: [{CB4FAA19-3363-40EB-803F-BF99145ED750}] => (Allow) LPort=5019
FirewallRules: [{D7A29847-E24B-4F8C-B03D-FA138C06CBBF}] => (Allow) LPort=5020
FirewallRules: [{0CF5AE50-BF2D-4D77-99B9-F6C6BE2559E9}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{DDEC3FDE-38A6-4608-A613-7D9523F455B8}C:\program files\logitech gaming software\lcore.exe] => (Allow) C:\program files\logitech gaming software\lcore.exe
FirewallRules: [UDP Query User{67C46CCA-C0BD-459D-A109-B1ADFE747F07}C:\program files\logitech gaming software\lcore.exe] => (Allow) C:\program files\logitech gaming software\lcore.exe
FirewallRules: [TCP Query User{9EE33ACD-DAC6-4F63-B2E6-A228733649C6}C:\program files\logitech gaming software\lcore.exe] => (Allow) C:\program files\logitech gaming software\lcore.exe
FirewallRules: [UDP Query User{DACC8ED4-AD8B-482E-AA06-114A11887F4B}C:\program files\logitech gaming software\lcore.exe] => (Allow) C:\program files\logitech gaming software\lcore.exe
FirewallRules: [TCP Query User{6FA24F35-E175-4DF8-82C6-C6BBF849555B}C:\program files (x86)\starcraft ii\versions\base43478\sc2.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base43478\sc2.exe
FirewallRules: [UDP Query User{C6FD2485-B848-4A7B-9AFF-2573A3128553}C:\program files (x86)\starcraft ii\versions\base43478\sc2.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base43478\sc2.exe
FirewallRules: [{0F2FC893-53F3-438D-ACE8-E2882F150F59}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

21-06-2016 13:19:55 Scheduled Checkpoint
21-06-2016 23:35:22 Device Driver Package Install: Avast Network Service
21-06-2016 23:36:51 ASU_MSI_TRAN
21-06-2016 23:39:47 Device Driver Package Install: Avast Network Service
22-06-2016 14:16:49 Checkpoint by HitmanPro
22-06-2016 14:18:57 Checkpoint by HitmanPro
22-06-2016 14:19:37 Checkpoint by HitmanPro

==================== Faulty Device Manager Devices =============

Name: Photosmart Prem C310 series
Description: Photosmart Prem C310 series
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Photosmart Prem C310 series
Description: Photosmart Prem C310 series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Photosmart Prem C310 series
Description: Photosmart Prem C310 series
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: HP
Service: StillCam
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/22/2016 02:23:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/22/2016 02:23:26 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/22/2016 02:23:26 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/22/2016 02:23:26 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/22/2016 02:23:26 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    Element not found.  (HRESULT : 0x80070490) (0x80070490)

Error: (06/22/2016 02:23:16 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/22/2016 02:23:16 PM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)

Error: (06/22/2016 02:23:16 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/22/2016 02:23:16 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/22/2016 02:23:16 PM) (Source: Windows Search Service) (EventID: 9000) (User: )
Description: The Windows Search Service cannot open the Jet property store.

Details:
    0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))


System errors:
=============
Error: (06/22/2016 02:28:32 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (06/22/2016 02:23:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (06/22/2016 02:23:26 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (06/22/2016 02:23:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Logitech CPU Core Tempurature service failed to start due to the following error:
%%577 = Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


Error: (06/22/2016 02:22:28 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific error %%0 = The operation completed successfully.
.

Error: (06/22/2016 01:58:36 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (06/22/2016 01:52:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Logitech CPU Core Tempurature service failed to start due to the following error:
%%577 = Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


Error: (06/22/2016 01:51:09 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Management and Security Application User Notification Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/22/2016 01:51:09 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HP Support Solutions Framework Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/22/2016 01:51:09 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.


CodeIntegrity:
===================================
  Date: 2016-06-22 14:23:04.667
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-22 14:23:04.651
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-22 13:52:23.517
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-22 13:52:23.501
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-22 13:01:04.692
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-22 13:01:04.676
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-21 23:55:05.790
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-21 23:55:05.780
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-21 23:42:22.076
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-21 23:42:22.060
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i7-2600K CPU @ 3.40GHz
Percentage of memory in use: 31%
Total physical RAM: 16326.48 MB
Available physical RAM: 11117.59 MB
Total Virtual: 32651.13 MB
Available Virtual: 27704.63 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.41 GB) (Free:767.63 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 8230D13F)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


Edited by Durred, 22 June 2016 - 05:30 PM.




#2 nasdaq (Malware Response Team)

Posted 23 June 2016 - 09:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-1961654962-3049007436-3560005251-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
Toolbar: HKLM - BitCro Social 10.0.0 - {B81BF46A-B455-48FB-A81B-40DFFF66786F} - C:\Users\ShellShock\AppData\Local\Microsoft\Internet Explorer\seu64.dll [2016-06-16] (Bit-cro Ltd.)
Toolbar: HKLM-x32 - BitCro Social 10.0.0 - {B81BF46A-B455-48FB-A81B-40DFFF66786F} - C:\Users\ShellShock\AppData\Local\Microsoft\Internet Explorer\seu.dll [2016-06-16] (Bit-cro Ltd.)
CHR Extension: (Chrome Web Store Payments) - C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-22]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\ShellShock\AppData\Local\Microsoft\Internet Explorer\seu64.dll
C:\Users\ShellShock\AppData\Local\Microsoft\Internet Explorer\seu.dll
C:\Users\ShellShock\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of Google Chrome.

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click "Reset browser settings" button.

Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.
===

Please post the logs and let me know what problem persists with this computer.

#3 Durred (Topic Starter)

Posted 23 June 2016 - 10:59 PM

Hello, NasDaq!  Nice of you to help me out once again :)

The only problem I have is the Search Engine Extension inside Google Chrome.

The problem still persists even after following the instructions.

Attached File: Fixlog.txt (3.77KB)

Attached File: AdwCleanerS2.txt (1.15KB)


Edited by Durred, 23 June 2016 - 11:01 PM.


#4 nasdaq (Malware Response Team)

Posted 24 June 2016 - 09:25 AM

Let's check the registry.

Please download SystemLook; if your system is a 64-bit system, download SystemLook_x64.exe instead. Save it to your Desktop.
SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:

    :regfind
    BitCro
    B81BF46A-B455-48FB-A81B-40DFFF66786F

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

Temporarily you may be able to disable the Chrome Start page.
Open Google Chrome and click on the menu icon located at the top right of Google Chrome.

Click "Settings" and, under the start page, remove every unwanted link.

Until we remove everything from the Registry the settings may come back.



#5 Durred (Topic Starter)

Posted 24 June 2016 - 04:44 PM

Attached File: SystemLook.txt (4.89KB)



#6 nasdaq (Malware Response Team)

Posted 25 June 2016 - 06:59 AM

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bitcro.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{44A322B2-E6B2-403D-8C3B-D5A867C7C27B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AS.BHOToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AS.BHOToolbar.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\bitcro.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{44A322B2-E6B2-403D-8C3B-D5A867C7C27B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\bitcro.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{44A322B2-E6B2-403D-8C3B-D5A867C7C27B}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{B81BF46A-B455-48FB-A81B-40DFFF66786F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B81BF46A-B455-48FB-A81B-40DFFF66786F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B81BF46A-B455-48FB-A81B-40DFFF66786F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AS.BHOToolbar\CLSID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AS.BHOToolbar.1\CLSID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B81BF46A-B455-48FB-A81B-40DFFF66786F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{B81BF46A-B455-48FB-A81B-40DFFF66786F}]
[-HKEY_USERS\S-1-5-21-1961654962-3049007436-3560005251-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{B81BF46A-B455-48FB-A81B-40DFFF66786F}]
[-HKEY_USERS\S-1-5-21-1961654962-3049007436-3560005251-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B81BF46A-B455-48FB-A81B-40DFFF66786F}]
[-HKEY_USERS\S-1-5-21-1961654962-3049007436-3560005251-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B81BF46A-B455-48FB-A81B-40DFFF66786F}]


Restart the computer when completed.

You can delete the fixme.reg file when done.

===

Please run the Farbar tool one more time and post the logs for my review.

Let me know if the problem persists.

#7 Durred (Topic Starter)

Posted 26 June 2016 - 03:34 AM

I opened Notepad and copy + pasted the information you supplied.

I rebooted my computer and I still see the "Search Engage" in my Google Chrome :(



#8 nasdaq (Malware Response Team)

Posted 26 June 2016 - 08:43 AM


It may just be that this extension is installed by Enterprise Policy.

Refer to this page.
http://forums.anvisoft.com/viewtopic-51-8494-0.html

Check if you have an extension installed by the Enterprise policy.

If you do please write down the ID number and post the name of the extension and the ID number in your next reply.

You may not be at ease modifying the registry. I will provide a removal fix.

#9 Durred (Topic Starter)

Posted 27 June 2016 - 06:26 PM

I do not see Enterprise Policy, but I did manage to find the ID number that is provided below:

ID: codbdfjjjgeaecahmhihkpjbadffccob

Search Solutions 1.8



#10 nasdaq (Malware Response Team)

Posted 28 June 2016 - 08:05 AM

Let's see what we can find.

Please download SystemLook; if your system is a 64-bit system, download SystemLook_x64.exe instead. Save it to your Desktop.
SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:

    :regfind
    codbdfjjjgeaecahmhihkpjbadffccob

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===
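Posts #8 and #10 above ask whether the extension is installed by enterprise policy and then search the registry for its ID. The PowerShell script below is an added example for readers; it is not part of this thread and is not a tool from BleepingComputer, nasdaq or Google. It lists every value set under the Policies\Google\Chrome keys in HKLM and HKCU (the keys FRST flagged as "Restriction" in post #2; the HKU\<SID> key in an FRST log is HKCU for the logged-on user), parses any ExtensionInstallForcelist entries, and reads the manifest.json of each extension in the Chrome profile so that an ID such as codbdfjjjgeaecahmhihkpjbadffccob can be matched to a name. The use of the Default profile under %LOCALAPPDATA% and the $ExtensionId parameter default are assumptions.

```powershell
# Added example (not from the BleepingComputer thread): audit Chrome policy keys and
# installed extensions on Windows to see whether an extension is pinned by policy.
# Assumption: the Default Chrome profile under %LOCALAPPDATA% is the one in use.
param(
    [string]$ExtensionId = 'codbdfjjjgeaecahmhihkpjbadffccob',   # ID reported in post #9
    [string]$ProfileDir  = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default')
)

# Chrome reads machine and user policy from these two keys.
$chromePolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

# Dump every value under the Chrome policy keys, e.g. NewTabPageLocation, HomepageLocation
# or DefaultSearchProviderSearchURL, which a PUP can set to redirect new tabs and searches.
function Get-ChromePolicyValues {
    foreach ($key in $chromePolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($item in @(Get-Item $key) + @(Get-ChildItem $key -Recurse)) {
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $item.Name
                    Value = $name
                    Data  = [string]$item.GetValue($name)
                }
            }
        }
    }
}

# ExtensionInstallForcelist entries are numbered values whose data is "<id>;<update url>".
# Chrome labels such an extension "installed by enterprise policy" and greys out Remove.
function Get-ChromeForcedExtensions {
    foreach ($key in $chromePolicyKeys) {
        $forceKey = Join-Path $key 'ExtensionInstallForcelist'
        if (-not (Test-Path $forceKey)) { continue }
        $item = Get-Item $forceKey
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            $idx  = $data.IndexOf(';')
            [pscustomobject]@{
                PolicyKey   = $forceKey
                ValueName   = $name
                ExtensionId = if ($idx -ge 0) { $data.Substring(0, $idx).Trim() } else { $data.Trim() }
                UpdateUrl   = if ($idx -ge 0) { $data.Substring($idx + 1) } else { '' }
            }
        }
    }
}

# Read manifest.json from each <id>\<version> folder in the profile's Extensions directory.
# Names may be localisation placeholders such as __MSG_appName__; the ID is the stable key.
function Get-ChromeInstalledExtensions {
    $extRoot = Join-Path $ProfileDir 'Extensions'
    if (-not (Test-Path $extRoot)) { return }
    foreach ($idDir in Get-ChildItem $extRoot -Directory) {
        foreach ($verDir in Get-ChildItem $idDir.FullName -Directory) {
            $manifest = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifest)) { continue }
            try { $m = Get-Content $manifest -Raw | ConvertFrom-Json } catch { continue }
            [pscustomobject]@{
                ExtensionId = $idDir.Name
                Name        = $m.name
                Version     = $m.version
                Path        = $verDir.FullName
            }
        }
    }
}

$policy    = @(Get-ChromePolicyValues)
$forced    = @(Get-ChromeForcedExtensions)
$installed = @(Get-ChromeInstalledExtensions)

'== Chrome policy values (compare with chrome://policy) =='
$policy | Format-Table -AutoSize | Out-String -Width 200
'== Extensions force-installed by policy =='
$forced | Format-Table -AutoSize | Out-String -Width 200
'== Extensions present in the profile =='
$installed | Format-Table -AutoSize | Out-String -Width 200

$match = $installed | Where-Object { $_.ExtensionId -eq $ExtensionId }
if ($forced.ExtensionId -contains $ExtensionId) {
    "$ExtensionId is pinned by ExtensionInstallForcelist; Chrome will not let the user remove it until that value is deleted."
} elseif ($match) {
    "$ExtensionId is present ($($match.Name -join ', ')) but not in any forcelist; check chrome://policy and the profile's Secure Preferences next."
} else {
    "$ExtensionId was not found in the forcelist or in the profile's Extensions folder."
}
```

Run it from an ordinary PowerShell prompt as the affected user; chrome://policy in the browser shows the same policy values from Chrome's side. An extension listed in ExtensionInstallForcelist keeps reappearing as "built-in" until the registry value is removed and Chrome is restarted, which is why the thread's fixlist targets the Policies\Google keys; on a domain-joined machine Group Policy will reapply anything set centrally, so the setting must be removed at its source.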


#11 Durred (Topic Starter)

Posted 29 June 2016 - 02:38 AM

Attached File: SystemLook.txt (474bytes)



#12 nasdaq (Malware Response Team)

Posted 29 June 2016 - 06:30 AM

Nothing was found.

If you disable the Extension, is it enabled again when you restart the computer?

#13 Durred (Topic Starter)

Posted 30 June 2016 - 04:11 PM

The Extension has the option to "Disable Extension," but nothing is actually being disabled.  The odd thing about this extension is that it can not be uninstalled or removed from my Chrome because it is considered as a built-in extension.

Attached File: Capture.PNG (66.25KB)



#14 nasdaq (Malware Response Team)

Posted 01 July 2016 - 07:55 AM

Download and run the Chrome Cleanup Tool
https://www.google.com/chrome/cleanup-tool/

===

Run the Farbar tool.
Copy and paste codbdfjjjgeaecahmhihkpjbadffccob into the Search box and click the Search Registry button.

When the scan is complete a notepad window will open with the results. The file should be saved on your desktop named Search.txt.

Rename the file Search_1.txt

Repeat the search for this string.

Engage
A Search.txt file will be created.

Please paste the contents of both files for my review.

#15 Durred (Topic Starter)

Posted 01 July 2016 - 05:52 PM

Attached File: Search.txt (249bytes)

Attached File: Search_1.txt (275bytes)





