Infected with Xifs.exe and Firefox wont stop crashing


This topic is locked. 19 replies to this topic.

#1 Tamimwm

Posted 17 July 2016 - 01:23 PM

Good day

I happened to get my PC infected with the xifs trojan. My antivirus, Microsoft Security, had not shown any detection. I noticed it when my FF crashed, and AdwCleaner showed positive results but couldn't clean the infection.

I added FRST logs. Mod Edit: Pasted FRST data into post - Hamluis.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:22-11-2015
Ran by Wael (administrator) on WAEL-PC (17-07-2016 21:19:31)
Running from C:\Users\Wael\Desktop\Desktop\apps\cleaning
Loaded Profiles: Wael (Available Profiles: Wael)
Platform: Windows 8.1 Single Language (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
() C:\Program Files (x86)\TOSHIBA\PasswordUtility\GFNEXSrv.exe
() C:\Program Files\BitTorrent\BitTorrent.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) C:\Users\Wael\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Teco\TecoService.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [170848 2013-01-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2717176 2013-01-04] (TOSHIBA Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2787264 2016-01-12] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2015-09-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [374784 2013-01-16] (Alcor Micro Corp.)
HKLM-x32\...\Run: [1.TPUReg] => C:\Program Files (x86)\TOSHIBA\PasswordUtility\readLM.exe [2216800 2013-03-27] (TOSHIBA)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [467360 2013-03-08] (TOSHIBA)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694080 2013-06-18] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5524336 2013-06-19] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2015-07-31] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597040 2015-11-09] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\Run: [DAEMON Tools Pro Agent] => C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe [3125280 2013-10-17] (Disc Soft Ltd)
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\Run: [CCleaner Monitoring] => E:\Program Files\ccleaner\CCleaner64.exe [6501656 2014-10-23] (Piriform Ltd)
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\Run: [Steam] => E:\Program Files\Darksiders 1\steam.exe [2851408 2016-07-09] (Valve Corporation)
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\Run: [CyberGhost] => "C:\Program Files\CyberGhost 6\CyberGhost.exe" /autostart /min
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\MountPoints2: {0fc2b0dc-fa3b-11e5-bfdc-24fd52474573} - "G:\Startme.exe"
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\MountPoints2: {94759438-bc48-11e5-bf89-24fd52474573} - "G:\LenovoUsbDriver.exe"
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\MountPoints2: {9475947b-bc48-11e5-bf89-24fd52474573} - "G:\LenovoUsbDriver.exe"
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\...\MountPoints2: {c4c5ab1a-fbdf-11e3-be97-7c05078c0ca3} - "G:\Startme.exe"
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\EYEQSC~1.SCR [4141056 2002-02-20] ()
AppInit_DLLs: C:\ProgramData\xifs\Solplus.dll => C:\ProgramData\xifs\Solplus.dll [363008 2016-07-17] ()
AppInit_DLLs: ,C:\WINDOWS\system32\nvinitx.dll => C:\WINDOWS\system32\nvinitx.dll [175368 2015-12-16] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\ProgramData\xifs\ZonRon.dll => C:\ProgramData\xifs\ZonRon.dll [257536 2016-07-17] ()
AppInit_DLLs-x32: ,C:\WINDOWS\SysWOW64\nvinit.dll => C:\WINDOWS\SysWOW64\nvinit.dll [153392 2015-12-16] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk [2016-01-13]
ShortcutTarget: MiniEYE-MiniREAD Launch.lnk -> E:\Program Files\Speed Reader\ARLaunch.exe ()
Startup: C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2015-11-10]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utorrent_2.2.1_build_25302 - Shortcut.lnk [2015-11-10]
ShortcutTarget: utorrent_2.2.1_build_25302 - Shortcut.lnk -> C:\Users\Wael\Downloads\utorrent\utorrent_2.2.1_build_25302.exe (BitTorrent, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{86EAC931-9510-42EF-BB9A-08455B60045D}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{A5F20ECA-9ED0-4E21-B87B-0B988ACB939E}: [DhcpNameServer] 7.254.254.254
Tcpip\..\Interfaces\{C818B02B-334C-48E1-B260-CD71FCF5B0FE}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.toshibamea.com
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.toshibamea.com
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7qvDVPPjeVnqjpBUi1kS9FBGc0tNyIx2WqMEU4wg3K8RHn2GVJ6E7G12q_V_u51NnNs0UXiB0xmCkSBXibYU2e-E8DRLs8,
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4189553729-4105879948-3113528959-1002 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4189553729-4105879948-3113528959-1002 -> {FAD8527E-A1BB-434B-B9F6-6CD22B998C4B} URL = hxxp://yandex.ru/yandsearch?win=140&clid=1989274&text={searchTerms}
SearchScopes: HKU\S-1-5-21-4189553729-4105879948-3113528959-1002 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_66\bin\ssv.dll [2015-12-26] (Oracle Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-12-26] (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll [2015-10-30] (Oracle Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-10-30] (Oracle Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\z0i8aw2w.default-1468758973204
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-12-26] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-12-26] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-10-30] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-10-30] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4189553729-4105879948-3113528959-1002: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2012-12-07] (Ubisoft)

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BitTorrent; C:\Program Files\BitTorrent\BitTorrent.exe [383488 2016-07-17] () [File not signed]
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-01-12] (NVIDIA Corporation)
R2 GFNEXSrv; C:\Program Files (x86)\TOSHIBA\PasswordUtility\GFNEXSrv.exe [163168 2013-03-27] ()
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-07-05] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-08-21] (Intel Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-01-12] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [6308288 2016-01-12] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [4812736 2016-01-12] (NVIDIA Corporation)
S3 Origin Client Service; E:\Program Files\ea games\Origin\OriginClientService.exe [2078216 2015-10-05] (Electronic Arts)
S2 SkypeUpdate; C:\Skype\Updater\Updater.exe [324224 2016-05-23] (Skype Technologies)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [339456 2013-08-16] (IDT, Inc.) [File not signed]
S4 THAccelSvc; C:\Program Files\TOSHIBA\HDD Accelerator\THAccelSvc.exe [216976 2013-03-26] (TOSHIBA CORPORATION)
S3 TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [818672 2016-05-11] (Tunngle.net GmbH)
S2 uodateao; C:\WINDOWS\system32\config\systemprofile\AppData\Local\Kontripzap.exe [28160 2016-07-17] () [File not signed]
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2013-06-19] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [307064 2015-07-31] (Western Digital Technologies, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S2 xifs; C:\ProgramData\\xifs\\xifs.exe [400896 2016-07-17] () [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [4226560 2014-10-27] (Qualcomm Atheros Communications, Inc.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
S3 DFX11_1; C:\Windows\system32\drivers\dfx11_1x64.sys [28008 2012-12-13] (Windows ® Win 7 DDK provider)
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2014-11-01] (Disc Soft Ltd)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 Hamachi; C:\Windows\system32\DRIVERS\Hamdrv.sys [45680 2016-05-04] (LogMeIn Inc.)
R1 HssDRV6; C:\Windows\system32\DRIVERS\hssdrv6.sys [44744 2014-05-17] (AnchorFree Inc.)
S3 leusbser; C:\Windows\system32\DRIVERS\leusbser.sys [238080 2013-08-01] (QUALCOMM Incorporated) [File not signed]
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-01-12] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [47760 2015-12-18] (NVIDIA Corporation)
R2 PEGAGFN; C:\Program Files (x86)\TOSHIBA\PasswordUtility\PEGAGFN.sys [14344 2009-09-11] (PEGATRON)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [12504 2013-09-30] ()
S4 secdrv; C:\Windows\SysWow64\Drivers\secdrv.sys [163644 2016-03-21] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [File not signed]
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2014-08-06] (Synaptics Incorporated)
S3 tap-tb-0901; C:\Windows\system32\DRIVERS\tap-tb-0901.sys [38656 2014-08-12] (The OpenVPN Project)
R3 tap0901t; C:\Windows\system32\DRIVERS\tap0901t.sys [39464 2016-04-27] (Tunngle.net GmbH)
S3 taphss6; C:\Windows\system32\DRIVERS\taphss6.sys [42184 2014-05-17] (Anchorfree Inc.)
R0 THAccel; C:\Windows\System32\DRIVERS\THAccel.sys [110976 2013-03-25] (TOSHIBA Corporation)
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [32624 2013-08-19] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-17 15:33 - 2016-07-17 15:33 - 00002397 _____ C:\WINDOWS\SysWOW64\findit.xml
2016-07-17 15:33 - 2016-07-17 15:33 - 00000000 ____D C:\ProgramData\xifss
2016-07-17 15:33 - 2016-07-17 15:33 - 00000000 ____D C:\ProgramData\xifs
2016-07-17 15:31 - 2016-07-17 21:13 - 00000154 _____ C:\WINDOWS\setupact.log
2016-07-17 15:31 - 2016-07-17 15:31 - 00481208 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-07-17 15:31 - 2016-07-17 15:31 - 00002698 _____ C:\WINDOWS\PFRO.log
2016-07-17 15:31 - 2016-07-17 15:31 - 00000000 _____ C:\WINDOWS\setuperr.log
2016-07-17 15:26 - 2016-07-17 15:27 - 03712064 _____ C:\Users\Wael\Downloads\AdwCleaner.exe
2016-07-17 15:20 - 2016-07-17 21:14 - 00042212 _____ C:\WINDOWS\WindowsUpdate.log
2016-07-17 15:16 - 2016-07-17 15:36 - 00000000 ____D C:\Users\Wael\Desktop\Old Firefox Data
2016-07-17 15:06 - 2016-07-17 15:06 - 00003388 _____ C:\WINDOWS\System32\Tasks\yj5wfmcv
2016-07-17 15:06 - 2016-07-17 15:06 - 00000000 ____D C:\Program Files\Common Files\vto4j2lb
2016-07-17 14:06 - 2016-07-17 14:06 - 00003388 _____ C:\WINDOWS\System32\Tasks\qil5uhrj
2016-07-17 14:06 - 2016-07-17 14:06 - 00000000 ____D C:\Program Files\Common Files\uxruzd3j
2016-07-17 13:06 - 2016-07-17 13:06 - 00003388 _____ C:\WINDOWS\System32\Tasks\bn4utuwb
2016-07-17 13:06 - 2016-07-17 13:06 - 00000000 ____D C:\Program Files\Common Files\dswjx4pl
2016-07-17 12:06 - 2016-07-17 12:06 - 00003388 _____ C:\WINDOWS\System32\Tasks\iu21o44z
2016-07-17 12:06 - 2016-07-17 12:06 - 00000000 ____D C:\Program Files\Common Files\w4c0yuj0
2016-07-17 11:06 - 2016-07-17 14:06 - 00000000 ____D C:\Program Files\BitTorrent
2016-07-16 20:00 - 2016-07-16 20:00 - 00000907 _____ C:\Users\Wael\Desktop\Forward to the Sky.lnk
2016-07-16 15:48 - 2016-07-16 15:48 - 00000000 ____D C:\Users\Wael\AppData\Roaming\Mangagamer
2016-07-16 14:20 - 2016-07-16 14:20 - 00004141 _____ C:\Users\Wael\Downloads\Senran Kagura Shinovi Versus Save Game.rar
2016-07-16 11:57 - 2016-07-16 12:06 - 00233472 _____ C:\WINDOWS\acm32.exe
2016-07-16 11:57 - 2016-07-16 11:57 - 00003324 _____ C:\WINDOWS\System32\Tasks\MemoryDiagnostic
2016-07-15 04:15 - 2016-07-15 05:39 - 00000000 ____D C:\Users\Wael\AppData\Local\Jigoku_Kisetsukan
2016-07-15 03:52 - 2016-07-15 04:27 - 00000000 ____D C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2016-07-15 01:49 - 2016-07-15 01:49 - 00002029 _____ C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberGhost 6.lnk
2016-07-15 01:47 - 2016-07-17 15:29 - 00000000 ____D C:\Program Files\CyberGhost 6
2016-07-14 17:01 - 2016-05-25 16:22 - 00875712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll
2016-07-14 17:01 - 2016-05-25 16:22 - 00536768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcp120_clr0400.dll
2016-07-14 17:01 - 2016-05-25 16:12 - 00869576 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcr120_clr0400.dll
2016-07-14 17:01 - 2016-05-25 16:12 - 00678600 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcp120_clr0400.dll
2016-07-14 16:58 - 2016-06-11 21:14 - 00572416 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-07-14 16:58 - 2016-06-11 21:11 - 02895360 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-07-14 16:58 - 2016-06-11 20:56 - 25812992 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-07-14 16:58 - 2016-06-11 20:56 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2016-07-14 16:58 - 2016-06-11 20:42 - 06047744 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-07-14 16:58 - 2016-06-11 20:23 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2016-07-14 16:58 - 2016-06-11 20:22 - 00497664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-07-14 16:58 - 2016-06-11 20:22 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2016-07-14 16:58 - 2016-06-11 20:21 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2016-07-14 16:58 - 2016-06-11 20:20 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2016-07-14 16:58 - 2016-06-11 20:13 - 02287104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-07-14 16:58 - 2016-06-11 20:12 - 20348928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-07-14 16:58 - 2016-06-11 20:12 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2016-07-14 16:58 - 2016-06-11 20:07 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2016-07-14 16:58 - 2016-06-11 20:03 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2016-07-14 16:58 - 2016-06-11 20:01 - 00378880 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-07-14 16:58 - 2016-06-11 20:00 - 00806400 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-07-14 16:58 - 2016-06-11 20:00 - 00724992 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-07-14 16:58 - 2016-06-11 19:57 - 02131456 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-07-14 16:58 - 2016-06-11 19:44 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2016-07-14 16:58 - 2016-06-11 19:43 - 00279040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2016-07-14 16:58 - 2016-06-11 19:38 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2016-07-14 16:58 - 2016-06-11 19:33 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2016-07-14 16:58 - 2016-06-11 19:31 - 04608000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-07-14 16:58 - 2016-06-11 19:31 - 00692736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-07-14 16:58 - 2016-06-11 19:31 - 00330752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2016-07-14 16:58 - 2016-06-11 19:30 - 15409664 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-07-14 16:58 - 2016-06-11 19:29 - 02055680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-07-14 16:58 - 2016-06-11 19:26 - 02869248 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-07-14 16:58 - 2016-06-11 19:15 - 13806080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-07-14 16:58 - 2016-06-11 19:12 - 01550848 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-07-14 16:58 - 2016-06-11 19:02 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-07-14 16:58 - 2016-06-11 18:59 - 02392576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-07-14 16:58 - 2016-06-11 18:56 - 01315840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-07-14 16:58 - 2016-06-11 18:56 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-07-14 16:56 - 2016-06-25 23:05 - 00050368 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-07-14 16:56 - 2016-06-25 21:13 - 00165376 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetpp.dll
2016-07-14 16:56 - 2016-06-25 19:24 - 00345600 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntprint.dll
2016-07-14 16:56 - 2016-06-25 19:15 - 01094656 _____ (Microsoft Corporation) C:\WINDOWS\system32\localspl.dll
2016-07-14 16:56 - 2016-06-25 19:13 - 00864256 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32spl.dll
2016-07-14 16:56 - 2016-06-25 19:05 - 00306176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntprint.dll
2016-07-14 16:56 - 2016-06-22 16:48 - 00268800 _____ (Microsoft Corporation) C:\WINDOWS\system32\centel.dll
2016-07-14 16:56 - 2016-06-21 21:32 - 00146432 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
2016-07-14 16:56 - 2016-06-21 17:12 - 00129536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe
2016-07-14 16:56 - 2016-06-21 16:48 - 01490432 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-07-14 16:56 - 2016-06-21 16:48 - 01208320 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-07-14 16:56 - 2016-06-21 16:48 - 00571904 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-07-14 16:56 - 2016-06-21 16:48 - 00544256 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-07-14 16:56 - 2016-06-21 16:48 - 00294912 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-07-14 16:56 - 2016-06-21 16:48 - 00219136 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-07-14 16:56 - 2016-06-21 16:48 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-07-14 16:56 - 2016-06-11 22:45 - 07445856 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-07-14 16:56 - 2016-01-30 22:50 - 00477184 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiobj.dll
2016-07-14 16:56 - 2016-01-30 22:00 - 00192512 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiapi.dll
2016-07-14 16:56 - 2016-01-30 21:48 - 00269312 _____ (Microsoft Corporation) C:\WINDOWS\system32\DafPrintProvider.dll
2016-07-14 16:56 - 2016-01-30 21:18 - 00367104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\puiobj.dll
2016-07-14 16:56 - 2016-01-30 20:48 - 00167424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\puiapi.dll
2016-07-14 16:56 - 2016-01-30 20:41 - 00203776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DafPrintProvider.dll
2016-07-14 16:55 - 2016-06-11 00:35 - 04167680 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2016-07-12 11:24 - 2016-07-12 11:24 - 00000000 ____D C:\Users\Wael\AppData\Roaming\Child of Light
2016-07-11 10:49 - 2016-07-11 10:50 - 00532726 _____ C:\Users\Wael\Downloads\house-m-d-english-885911.zip
2016-07-11 10:49 - 2016-07-11 10:49 - 00524133 _____ C:\Users\Wael\Downloads\(SUBDL.com)house.md.third.season1125389.zip
2016-07-06 02:06 - 2016-07-06 02:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Life Is Strange Complete Season (EP. 1-5)
2016-07-04 23:25 - 2016-07-04 23:25 - 00000000 ____D C:\Users\Wael\AppData\Roaming\11bitstudios
2016-07-04 23:21 - 2016-07-04 23:22 - 00000000 ____D C:\Users\Wael\Documents\This War of Mine
2016-07-01 20:41 - 2016-07-01 20:41 - 00028042 _____ C:\Users\Wael\Documents\cc_20160701_204058.reg
2016-06-27 19:41 - 2016-06-03 20:11 - 00472576 _____ (Microsoft Corporation) C:\WINDOWS\system32\pcasvc.dll
2016-06-27 19:41 - 2016-05-12 21:38 - 00135336 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpapi.dll
2016-06-27 19:41 - 2016-05-12 20:43 - 00115704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gpapi.dll
2016-06-27 19:41 - 2016-05-12 19:17 - 00331776 _____ (Microsoft Corporation) C:\WINDOWS\system32\polstore.dll
2016-06-27 19:41 - 2016-05-12 19:08 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\FwRemoteSvr.dll
2016-06-27 19:41 - 2016-05-12 19:07 - 01360896 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpsvc.dll
2016-06-27 19:41 - 2016-05-12 18:59 - 00398848 _____ (Microsoft Corporation) C:\WINDOWS\system32\IPSECSVC.DLL
2016-06-27 19:41 - 2016-05-12 18:43 - 00291328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\polstore.dll
2016-06-27 19:41 - 2016-05-12 18:37 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FwRemoteSvr.dll
2016-06-27 19:41 - 2016-05-10 00:35 - 07075328 _____ (Microsoft Corporation) C:\WINDOWS\system32\glcndFilter.dll
2016-06-27 19:41 - 2016-05-09 23:56 - 05270016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\glcndFilter.dll
2016-06-27 19:41 - 2016-05-09 23:45 - 07793152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-06-27 19:41 - 2016-05-09 23:23 - 05265920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-06-27 19:41 - 2016-04-14 18:25 - 02778624 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2016-06-27 19:41 - 2016-04-14 18:11 - 02464768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2016-06-27 19:41 - 2016-04-12 18:46 - 14467584 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-06-27 19:41 - 2016-04-12 18:30 - 12879872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-06-27 19:41 - 2016-01-31 22:17 - 00118624 _____ (Microsoft Corporation) C:\WINDOWS\system32\consent.exe
2016-06-27 19:41 - 2016-01-31 21:07 - 00110080 _____ (Microsoft Corporation) C:\WINDOWS\system32\appinfo.dll
2016-06-27 19:41 - 2016-01-31 20:42 - 03320832 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
2016-06-27 19:41 - 2016-01-31 20:14 - 03607040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
2016-06-27 19:40 - 2016-05-19 02:15 - 01379040 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-06-27 19:40 - 2016-05-18 23:35 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-06-27 19:40 - 2016-05-18 08:31 - 00372568 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2016-06-27 19:40 - 2016-05-18 08:31 - 00315224 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2016-06-27 19:40 - 2016-05-17 00:13 - 00563016 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-06-27 19:40 - 2016-05-17 00:13 - 00397224 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcryptprimitives.dll
2016-06-27 19:40 - 2016-05-17 00:13 - 00340872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcryptprimitives.dll
2016-06-27 19:40 - 2016-05-17 00:13 - 00178008 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-06-27 19:40 - 2016-05-14 23:01 - 00363104 _____ (Microsoft Corporation) C:\WINDOWS\system32\ws2_32.dll
2016-06-27 19:40 - 2016-05-14 23:01 - 00320720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ws2_32.dll
2016-06-27 19:40 - 2016-05-14 02:07 - 00675328 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2016-06-27 19:40 - 2016-05-14 02:07 - 00416768 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2016-06-27 19:40 - 2016-05-14 02:07 - 00281088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netbt.sys
2016-06-27 19:40 - 2016-05-14 02:06 - 00243712 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srvnet.sys
2016-06-27 19:40 - 2016-05-14 02:04 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2016-06-27 19:40 - 2016-05-14 01:34 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2016-06-27 19:40 - 2016-05-14 01:19 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2016-06-27 19:40 - 2016-05-14 00:58 - 00339456 _____ (Microsoft Corporation) C:\WINDOWS\system32\mswsock.dll
2016-06-27 19:40 - 2016-05-14 00:58 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2016-06-27 19:40 - 2016-05-14 00:45 - 00802816 _____ (Microsoft Corporation) C:\WINDOWS\system32\winhttp.dll
2016-06-27 19:40 - 2016-05-14 00:35 - 00286208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mswsock.dll
2016-06-27 19:40 - 2016-05-14 00:26 - 00631808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttp.dll
2016-06-27 19:40 - 2016-05-06 18:45 - 00748544 _____ (Microsoft Corporation) C:\WINDOWS\system32\StructuredQuery.dll
2016-06-27 19:40 - 2016-05-06 18:23 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StructuredQuery.dll
2016-06-24 08:52 - 2016-06-24 08:52 - 00000000 ___RD C:\Skype
2016-06-24 08:52 - 2016-06-24 08:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-06-20 00:29 - 2016-06-20 00:29 - 00000000 ____D C:\Users\Wael\AppData\Roaming\MPC-HC

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-17 21:19 - 2015-11-12 22:06 - 00000000 ____D C:\FRST
2016-07-17 21:19 - 2013-11-04 23:14 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4189553729-4105879948-3113528959-1002
2016-07-17 21:17 - 2014-09-05 16:36 - 00003918 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8C1ED494-AD21-4356-A499-9FDBBA8DBACC}
2016-07-17 21:14 - 2014-10-13 22:10 - 00008192 _____ C:\WINDOWS\SysWOW64\WDPABKP.dat
2016-07-17 21:13 - 2013-08-22 17:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-07-17 18:21 - 2015-06-08 07:16 - 00000000 ____D C:\Users\Wael\Desktop\things
2016-07-17 17:05 - 2015-10-07 12:47 - 00000000 ____D C:\file E  is full =_=
2016-07-17 15:40 - 2016-01-15 12:58 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-07-17 15:33 - 2013-07-10 14:32 - 00001433 _____ C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-07-17 15:30 - 2015-01-24 10:53 - 00000000 ____D C:\Users\Wael\AppData\Roaming\uTorrent
2016-07-17 15:28 - 2015-11-10 18:41 - 00000000 ____D C:\AdwCleaner
2016-07-17 15:25 - 2015-09-20 14:10 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-07-17 15:17 - 2014-06-21 10:48 - 00000000 ____D C:\Users\Wael\AppData\Roaming\Skype
2016-07-17 15:15 - 2016-01-16 15:29 - 00000000 ____D C:\Users\Wael\AppData\Local\CrashDumps
2016-07-17 15:15 - 2014-11-01 16:21 - 00000000 ____D C:\Users\Wael\AppData\Roaming\DAEMON Tools Pro
2016-07-17 15:00 - 2013-08-22 18:36 - 00000000 ____D C:\WINDOWS\system32\sru
2016-07-17 05:38 - 2013-08-22 18:36 - 00000000 ____D C:\WINDOWS\rescache
2016-07-16 20:06 - 2013-08-22 16:25 - 01048576 ___SH C:\WINDOWS\system32\config\BBI
2016-07-16 19:18 - 2014-12-17 08:54 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-07-16 19:18 - 2013-08-22 18:36 - 00000000 ___RD C:\WINDOWS\ToastData
2016-07-16 10:29 - 2015-01-28 08:00 - 00000000 ____D C:\Users\Wael\Downloads\utorrent
2016-07-15 18:34 - 2013-08-22 18:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-07-15 01:49 - 2013-07-10 14:31 - 00000000 ____D C:\Users\Wael\AppData\Local\VirtualStore
2016-07-14 17:06 - 2013-11-06 14:41 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-07-14 17:06 - 2012-07-26 10:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-07-14 17:03 - 2013-07-12 00:15 - 144749672 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-07-14 17:03 - 2013-07-10 15:31 - 00000000 ____D C:\ProgramData\Microsoft Help
2016-07-14 17:01 - 2014-03-18 12:38 - 00000000 ____D C:\Program Files\Windows Journal
2016-07-13 12:55 - 2014-06-20 16:35 - 00000000 ____D C:\ProgramData\Skype
2016-07-12 19:40 - 2016-03-24 19:40 - 06079168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe
2016-07-12 19:40 - 2016-01-15 12:58 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-07-12 19:40 - 2013-08-22 18:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2016-07-12 19:40 - 2013-08-22 18:36 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-07-12 11:26 - 2014-12-13 17:21 - 00000000 ____D C:\Users\Wael\Documents\My Games
2016-07-12 11:26 - 2014-11-01 17:07 - 00000000 ____D C:\ProgramData\Orbit
2016-07-12 11:02 - 2014-03-18 12:53 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-07-07 15:13 - 2014-12-24 08:11 - 00000000 ____D C:\Users\Wael\Downloads\Pics
2016-07-07 03:39 - 2014-06-14 16:34 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-07-07 00:52 - 2015-04-04 02:11 - 00000000 ____D C:\Users\Wael\Downloads\hacks
2016-07-06 01:16 - 2014-10-19 15:10 - 00000000 ____D C:\Users\Wael\AppData\Roaming\vlc
2016-07-04 23:20 - 2015-03-01 22:07 - 00000000 ____D C:\ProgramData\Package Cache
2016-07-04 23:19 - 2015-09-02 13:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\This War of Mine [GOG.com]
2016-07-04 00:37 - 2014-06-14 16:44 - 00000000 ____D C:\The KMPlayer
2016-07-02 07:29 - 2013-08-22 18:38 - 00828408 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-07-02 07:29 - 2013-08-22 18:38 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-06-28 13:27 - 2015-07-01 11:14 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-06-28 13:27 - 2015-07-01 11:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-06-27 19:47 - 2015-07-01 11:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-06-24 08:52 - 2014-08-08 18:24 - 00000000 ____D C:\Program Files (x86)\Skype
2016-06-24 08:52 - 2014-06-20 16:36 - 00000000 ____D C:\Users\Wael\AppData\Local\Skype
2016-06-20 00:29 - 2016-06-16 12:42 - 00000816 _____ C:\Users\Wael\Desktop\MPC-HC x64.lnk

==================== Files in the root of some directories =======

2014-09-05 12:47 - 2014-09-05 12:47 - 0616256 _____ (ClickMeIn Limited) C:\Users\Wael\AppData\Local\nsu428D.tmp
2014-06-22 08:11 - 2015-11-08 13:21 - 0007605 _____ () C:\Users\Wael\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
C:\Users\Wael\AppData\Local\Temp\libeay32.dll
C:\Users\Wael\AppData\Local\Temp\msvcr120.dll
C:\Users\Wael\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-07-16 21:11

==================== End of FRST.txt ============================

Attached Files


Edited by hamluis, 17 July 2016 - 03:11 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 AM

Posted 18 July 2016 - 09:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

AppInit_DLLs: C:\ProgramData\xifs\Solplus.dll => C:\ProgramData\xifs\Solplus.dll [363008 2016-07-17] ()
AppInit_DLLs-x32: C:\ProgramData\xifs\ZonRon.dll => C:\ProgramData\xifs\ZonRon.dll [257536 2016-07-17] ()
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7qvDVPPjeVnqjpBUi1kS9FBGc0tNyIx2WqMEU4wg3K8RHn2GVJ6E7G12q_V_u51NnNs0UXiB0xmCkSBXibYU2e-E8DRLs8,
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4189553729-4105879948-3113528959-1002 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4189553729-4105879948-3113528959-1002 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
Task: {334FB2A2-CE56-4049-896D-6BC9E52D2F4C} - \Update Service GoForFiles -> No File <==== ATTENTION
Task: {4C6342FB-5C29-4A59-AC45-FC5AC4C0BE00} - System32\Tasks\bn4utuwb => C:\Program Files\Common Files\dswjx4pl\06452vzmzmuxv.exe [2016-07-17] () <==== ATTENTION
Task: {5C5CDF54-0EBF-47ED-8C92-8F3F563D0589} - System32\Tasks\qil5uhrj => C:\Program Files\Common Files\uxruzd3j\b59393o04gidg.exe [2016-07-17] () <==== ATTENTION
Task: {D05F2C7E-1F4E-4AFD-A580-8F285FBF169B} - System32\Tasks\yj5wfmcv => C:\Program Files\Common Files\vto4j2lb\da831wwygpl2z.exe [2016-07-17] () <==== ATTENTION
Task: {E5AB1710-C1FD-4304-B5A9-A93EACF97FE4} - System32\Tasks\iu21o44z => C:\Program Files\Common Files\w4c0yuj0\71befgbepgzc2.exe [2016-07-17] () <==== ATTENTION
S2 uodateao; C:\WINDOWS\system32\config\systemprofile\AppData\Local\Kontripzap.exe [28160 2016-07-17] () [File not signed]
S2 xifs; C:\ProgramData\\xifs\\xifs.exe [400896 2016-07-17] () [File not signed]
C:\ProgramData\xifs
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Kontripzap.exe
C:\Program Files\Common Files\dswjx4pl
C:\Program Files\Common Files\uxruzd3j
C:\Program Files\Common Files\vto4j2lb
C:\Program Files\Common Files\w4c0yuj0

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
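As an added example (not part of nasdaq's instructions and not FRST's own code), the following Python script reads lines in the shape of the fixlist above and turns them into a triage summary: it percent-decodes the obfuscated search-page hostnames that the hijack points at (the `%66%65%65%64...` form hides the domain from a casual read of the log), and it lists the AppInit_DLLs, scheduled tasks and unsigned services the fix removes. The sample lines are a constructed subset copied in the shape of the entries above, with the long `p=` tracking value replaced by a placeholder; the kinds, field names and the `hxxp` defanged scheme handling are this script's own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of the FRST fixlist entries above (a few
# representative lines, not the full fixlist; "hxxp" is FRST's defanged scheme,
# and the long p= tracking value is replaced by a placeholder).
SAMPLE_FIXLIST = r"""
AppInit_DLLs: C:\ProgramData\xifs\Solplus.dll => C:\ProgramData\xifs\Solplus.dll [363008 2016-07-17] ()
AppInit_DLLs-x32: C:\ProgramData\xifs\ZonRon.dll => C:\ProgramData\xifs\ZonRon.dll [257536 2016-07-17] ()
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=TOKEN,
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=TOKEN&q={searchTerms}
Task: {4C6342FB-5C29-4A59-AC45-FC5AC4C0BE00} - System32\Tasks\bn4utuwb => C:\Program Files\Common Files\dswjx4pl\06452vzmzmuxv.exe [2016-07-17] () <==== ATTENTION
S2 uodateao; C:\WINDOWS\system32\config\systemprofile\AppData\Local\Kontripzap.exe [28160 2016-07-17] () [File not signed]
S2 xifs; C:\ProgramData\\xifs\\xifs.exe [400896 2016-07-17] () [File not signed]
"""

DEFANGED_URL = re.compile(r"hxxps?://([^/\s?#]+)")   # host part of a defanged URL
PATH_AFTER_ARROW = re.compile(r"=> (.*?) \[")        # "=> <path> [size date]"
SERVICE_LINE = re.compile(r"^([SR]\d) (\S+?); (.*?) \[")  # "S2 name; path [size date]"


def decode_host(line):
    """Return the percent-decoded hostname of a defanged hxxp URL on the line, or None."""
    m = DEFANGED_URL.search(line)
    if not m:
        return None
    # The hijacker stores the domain as %XX bytes; unquote turns them back into text.
    return unquote(m.group(1)).lower()


def triage_fixlist(text):
    """Classify each fixlist line into a persistence or browser-hijack finding."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host = decode_host(line)
        if host is not None:
            entry = line.split(" = ")[0]  # the registry value or search scope being reset
            findings.append({"kind": "browser_hijack_url", "host": host, "entry": entry})
            continue
        if line.startswith("AppInit_DLLs"):
            m = PATH_AFTER_ARROW.search(line)
            findings.append({"kind": "appinit_dll", "path": m.group(1) if m else line})
            continue
        if line.startswith("Task:"):
            m = PATH_AFTER_ARROW.search(line)
            findings.append({"kind": "scheduled_task", "path": m.group(1) if m else line})
            continue
        m = SERVICE_LINE.match(line)
        if m:
            # FRST doubles backslashes in some service paths; normalise for display.
            path = m.group(3).replace("\\\\", "\\")
            findings.append({"kind": "service", "name": m.group(2), "path": path,
                             "signed": "[File not signed]" not in line})
    return findings


def summarize(findings):
    """Group findings by kind into short labels: {kind: [host | service name | path]}."""
    out = {}
    for f in findings:
        label = f.get("host") or f.get("name") or f.get("path")
        out.setdefault(f["kind"], []).append(label)
    return out


if __name__ == "__main__":
    for kind, labels in summarize(triage_fixlist(SAMPLE_FIXLIST)).items():
        print(f"{kind}:")
        for label in labels:
            print(f"  {label}")
```

Running it on the sample prints the two decoded hijack domains alongside the AppInit DLLs, the task payload under Common Files and the two unsigned services, which is the same set of persistence points the fixlist removes, now readable at a glance.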

#3 Tamimwm

Tamimwm
  • Topic Starter

  • Members
  • 181 posts
  • Gender:Male
  • Location:Cyprus
  • Local time:07:26 AM

Posted 18 July 2016 - 11:55 AM

Hey, thanks Nasdaq. I placed the notepad file with the content and labeled it as mentioned. I applied the fix and the computer restarted after pressing OK in the new window.

My Firefox browser is still showing me a redirected search page. Shall I reset it, or better wait?

I was wondering if there is a way to find out from what source I got this virus, or why Microsoft antivirus didn't react.

Anyway, I shall copy and paste the log, and I also attached it; whichever is better, I shall do that onwards.


Fix result of Farbar Recovery Scan Tool (x64) Version:22-11-2015
Ran by Wael (2016-07-18 19:36:51) Run:2
Running from C:\Users\Wael\Desktop\Desktop\apps\cleaning
Loaded Profiles: Wael (Available Profiles: Wael)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

AppInit_DLLs: C:\ProgramData\xifs\Solplus.dll => C:\ProgramData\xifs\Solplus.dll [363008 2016-07-17] ()
AppInit_DLLs-x32: C:\ProgramData\xifs\ZonRon.dll => C:\ProgramData\xifs\ZonRon.dll [257536 2016-07-17] ()
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7qvDVPPjeVnqjpBUi1kS9FBGc0tNyIx2WqMEU4wg3K8RHn2GVJ6E7G12q_V_u51NnNs0UXiB0xmCkSBXibYU2e-E8DRLs8,
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4189553729-4105879948-3113528959-1002 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4189553729-4105879948-3113528959-1002 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-T6JIzIH_4i4wqiKKKEUX_K1Td6V5KXOVD_HdwoVBGcz6WjJgtmdMNNDD2TVsGd1n7bwYeIQPUY-m9i-6pI3RQOHb59y818eadSW18STGSZQUaCXftH4NVWzkpyVLy3_l4CfN961MsKy31sYraPFwNNtFY6_Swk,&q={searchTerms}
Task: {334FB2A2-CE56-4049-896D-6BC9E52D2F4C} - \Update Service GoForFiles -> No File <==== ATTENTION
Task: {4C6342FB-5C29-4A59-AC45-FC5AC4C0BE00} - System32\Tasks\bn4utuwb => C:\Program Files\Common Files\dswjx4pl\06452vzmzmuxv.exe [2016-07-17] () <==== ATTENTION
Task: {5C5CDF54-0EBF-47ED-8C92-8F3F563D0589} - System32\Tasks\qil5uhrj => C:\Program Files\Common Files\uxruzd3j\b59393o04gidg.exe [2016-07-17] () <==== ATTENTION
Task: {D05F2C7E-1F4E-4AFD-A580-8F285FBF169B} - System32\Tasks\yj5wfmcv => C:\Program Files\Common Files\vto4j2lb\da831wwygpl2z.exe [2016-07-17] () <==== ATTENTION
Task: {E5AB1710-C1FD-4304-B5A9-A93EACF97FE4} - System32\Tasks\iu21o44z => C:\Program Files\Common Files\w4c0yuj0\71befgbepgzc2.exe [2016-07-17] () <==== ATTENTION
S2 uodateao; C:\WINDOWS\system32\config\systemprofile\AppData\Local\Kontripzap.exe [28160 2016-07-17] () [File not signed]
S2 xifs; C:\ProgramData\\xifs\\xifs.exe [400896 2016-07-17] () [File not signed]
C:\ProgramData\xifs
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Kontripzap.exe
C:\Program Files\Common Files\dswjx4pl
C:\Program Files\Common Files\uxruzd3j
C:\Program Files\Common Files\vto4j2lb
C:\Program Files\Common Files\w4c0yuj0

End
*****************

Restore point was successfully created.
Processes closed successfully.
"C:\ProgramData\xifs\Solplus.dll" => Value data removed successfully.
"C:\ProgramData\xifs\ZonRon.dll" => Value data removed successfully.
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\Software\Microsoft\Internet Explorer\Main\\SearchAssistant => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch" => key removed successfully
HKCR\Wow6432Node\CLSID\ielnksrch => key not found.
HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-4189553729-4105879948-3113528959-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}" => key removed successfully
HKCR\CLSID\{ielnksrch} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{334FB2A2-CE56-4049-896D-6BC9E52D2F4C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{334FB2A2-CE56-4049-896D-6BC9E52D2F4C}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Update Service GoForFiles => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4C6342FB-5C29-4A59-AC45-FC5AC4C0BE00}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C6342FB-5C29-4A59-AC45-FC5AC4C0BE00}" => key removed successfully
C:\WINDOWS\System32\Tasks\bn4utuwb => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bn4utuwb" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5C5CDF54-0EBF-47ED-8C92-8F3F563D0589}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C5CDF54-0EBF-47ED-8C92-8F3F563D0589}" => key removed successfully
C:\WINDOWS\System32\Tasks\qil5uhrj => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\qil5uhrj" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D05F2C7E-1F4E-4AFD-A580-8F285FBF169B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D05F2C7E-1F4E-4AFD-A580-8F285FBF169B}" => key removed successfully
C:\WINDOWS\System32\Tasks\yj5wfmcv => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\yj5wfmcv" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E5AB1710-C1FD-4304-B5A9-A93EACF97FE4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5AB1710-C1FD-4304-B5A9-A93EACF97FE4}" => key removed successfully
C:\WINDOWS\System32\Tasks\iu21o44z => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\iu21o44z" => key removed successfully
uodateao => service removed successfully
xifs => service removed successfully
C:\ProgramData\xifs => moved successfully
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Kontripzap.exe => moved successfully
C:\Program Files\Common Files\dswjx4pl => moved successfully
C:\Program Files\Common Files\uxruzd3j => moved successfully
C:\Program Files\Common Files\vto4j2lb => moved successfully
C:\Program Files\Common Files\w4c0yuj0 => moved successfully
EmptyTemp: => 298.1 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 19:37:56 ====

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 AM

Posted 19 July 2016 - 07:06 AM

It's not possible to know when and where you got this infection.

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices, keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 Tamimwm

Tamimwm
  • Topic Starter

  • Members
  • 181 posts
  • Gender:Male
  • Location:Cyprus
  • Local time:07:26 AM

Posted 20 July 2016 - 08:14 AM

Good Afternoon Nasdaq,

Sorry for the delay.

I think all is clear, but I ran adwarecleaner today and it redetected the xifs files again. I also reset Firefox and it seems it is running OK with no redirect or anything unusual.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 AM

Posted 20 July 2016 - 08:28 AM

I will leave the topic open for 5 days.

If you have any issues let me know.

#7 Tamimwm

Tamimwm
  • Topic Starter

  • Members
  • 181 posts
  • Gender:Male
  • Location:Cyprus
  • Local time:07:26 AM

Posted 20 July 2016 - 08:48 AM

But it seems the xifs recurred.

I thought the files were leftover files from the removal process you did through Farbar, so I just ran adware cleaner to remove those leftovers.

Unfortunately it seems that the xifs recurred and got to Firefox.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 AM

Posted 20 July 2016 - 10:47 AM

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

#9 Tamimwm

Tamimwm
  • Topic Starter

  • Members
  • 181 posts
  • Gender:Male
  • Location:Cyprus
  • Local time:07:26 AM

Posted 20 July 2016 - 11:32 AM

I reset my router to factory settings. I got a new password and a new network name. I secured it using a WPA2 password, which was randomly generated.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 AM

Posted 20 July 2016 - 12:04 PM

Let me know if the problem persists.

#11 Tamimwm

Tamimwm
  • Topic Starter

  • Members
  • 181 posts
  • Gender:Male
  • Location:Cyprus
  • Local time:07:26 AM

Posted 20 July 2016 - 12:52 PM

It seems this program is really stubborn. I looked into the program data folder and at the Task Manager; it is still there.

I posted 2 screenshots of them.

Edit:

I was looking online and found that I should uninstall xifs.exe as a program by using the Control Panel. I didn't find it, but I happened to find a program called snapdo.



Edited by Tamimwm, 20 July 2016 - 01:35 PM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 AM

Posted 21 July 2016 - 07:07 AM

Let's clean with this tool. We will take it from there.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#13 Tamimwm

Tamimwm
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cyprus
  • Local time:07:26 AM

Posted 21 July 2016 - 08:20 AM

Alright, I did what you mentioned. I ran Zoek; it seems to have stopped responding, so I restarted my PC and re-ran the scan.

Zoek Results


Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Wael on Thu 07/21/2016 at 17:39:42.81.
Microsoft Windows 8.1 Single Language 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Wael\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2015-11-13-132302.log    17005 bytes
C:\zoek-results2016-07-21-123606.log    3910 bytes

==== System Restore Info ======================

7/21/2016 5:40:47 PM Zoek.exe System Restore Point Created Successfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xifs deleted successfully

==== FireFox Fix ======================

Deleted from C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\y172bc9c.default-1468959715206\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Added to C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\y172bc9c.default-1468959715206\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

"C:\windows\Installer\17892.msi" not found
C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\y172bc9c.default-1468959715206\jetpack deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\y172bc9c.default-1468959715206
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions ======================

ProfilePath: C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\y172bc9c.default-1468959715206
- Adblock Plus Pop-up Addon - %ProfilePath%\extensions\adblockpopups@jessehakanen.net.xpi
- Download YouTube Videos as MP4 - %ProfilePath%\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
- Video DownloadHelper - %ProfilePath%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\y172bc9c.default-1468959715206
62D98B286C805E193568037B70D936D2    - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll -    Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[07/14/2014 06:22 PM]

==== Chromium Startpages ======================

C:\Users\Wael\AppData\Local\Chromium\User Data\Default\Preferences
"homepage": "http://www.google.com/",


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66RZV4aS_ZVxJc2WnwVJwkRedFzv5fusdYkmdhRunolUO_7l_RFlZtf7OukmnyaqvONjGlKz5nlCdKlTCwMPl5Q_6QRwxqo,"
"Search Page"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}"
"Default_Page_URL"="http://www.google.com"
"Search Bar"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}"
"SearchAssistant"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}"
"Use Search Asst"="yes"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
"Default"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
"Default"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"Default"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\y]
@="http://yandex.ru/yandsearch?win=140&clid=1989277&text=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"Default_Search_URL"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{ielnksrch}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}] not found

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896"
"SearchAssistant"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Start Page"="http://www.google.com"
"Use Search Asst"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\SearchScopes\{F4ED0519-C584-4DDA-BE93-FA0B93D040F6} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATMJS
HKLM\SearchScopes\{FAD8527E-A1BB-434B-B9F6-6CD22B998C4B} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATMJS
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{ielnksrch}"
HKLM\Wow6432Node\SearchScopes\ielnksrch - http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNfrvSIIWKUzia-TQTnEliR_3xPP5zYJ2ohaTm9Bcjv-1P8pHuA0ulhwelCVxXTmcyueEf9rhBAyIw66hxn-_FaOSBYWrPia5NiLuca2UaAt3uJ6z3amKf2_qddwlKDXsRBLG2y4zcDpMHX9Fu-6ADKa570DkJt0NuDE3Fl9NTNLM,&q={searchTerms}
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes\{F4ED0519-C584-4DDA-BE93-FA0B93D040F6} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATMJS
HKLM\Wow6432Node\SearchScopes\{FAD8527E-A1BB-434B-B9F6-6CD22B998C4B} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATMJS
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
HKCU\SearchScopes\{F4ED0519-C584-4DDA-BE93-FA0B93D040F6} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATMJS
HKCU\SearchScopes\{FAD8527E-A1BB-434B-B9F6-6CD22B998C4B} - http://yandex.ru/yandsearch?win=140&clid=1989274&text={searchTerms}

==== Reset Google Chrome ======================

C:\Users\Wael\AppData\Local\Chromium\User Data\Default\Preferences was reset successfully
C:\Users\Wael\AppData\Local\Chromium\User Data\Default\Web Data was reset successfully

==== shortcuts on Users Desktops ======================

C:\Users\Wael\Desktop\MPC-HC x64.lnk - E:\Program Files\MPC-HC\mpc-hc64.exe
C:\Users\Wael\Desktop\Studies - Shortcut.lnk - C:\Users\Wael\Desktop\things\Studies
C:\Users\Wael\Desktop\UnHackMe.lnk - C:\Program Files (x86)\UnHackMe\Unhackme.exe
C:\Users\Wael\Desktop\Desktop\AKIBAS TRIP Undead Undressed.lnk - E:\Program Files\Akihabara's undeadd and undressed\AKIBAS TRIP Undead Undressed\AkibaUU.exe
C:\Users\Wael\Desktop\Desktop\Alice Madness Returns.lnk - E:\Program Files\alice madness\Alice Madness Returns\Alice2\Binaries\Win32\AliceMadnessReturns.exe
C:\Users\Wael\Desktop\Desktop\AnimaGateOfMemories - Shortcut.lnk - E:\Program Files\Anima - Gate of Memories\Anima - Gate of Memories\AnimaGateOfMemories.exe
C:\Users\Wael\Desktop\Desktop\Blades of Time.lnk - E:\Program Files\blades of time\Blades of Time\bladesoftime.exe
C:\Users\Wael\Desktop\Desktop\Botanicula.lnk - E:\Program Files\botanicula\Botanicula\Botanicula.exe
C:\Users\Wael\Desktop\Desktop\CCleaner.lnk - E:\Program Files\ccleaner\CCleaner64.exe
C:\Users\Wael\Desktop\Desktop\Child of Light.lnk - E:\Program Files\Child of Light\Child of Light\Launcher.exe
C:\Users\Wael\Desktop\Desktop\Command and Conquer Red Alert 2.lnk - E:\Program Files (x86)\Origin Games\Command and Conquer Red Alert II\RA2Launcher.exe
C:\Users\Wael\Desktop\Desktop\DarksidersPC - Shortcut.lnk - E:\Program Files\Darksiders 1\SteamApps\DarksidersPC.exe
C:\Users\Wael\Desktop\Desktop\Dragon Nest Europe.lnk - E:\Program Files\Draguno nesuto\Dragon Nest Europe\dnlauncher.exe
C:\Users\Wael\Desktop\Desktop\Drunken Robot Pornography.lnk - E:\Program Files\Dunken robot Pornography\Drunken Robot Pornography\DRP.exe
C:\Users\Wael\Desktop\Desktop\eyeQ.lnk - E:\Program Files\Speed Reader\eyeQ.exe
C:\Users\Wael\Desktop\Desktop\Forward to the Sky.lnk - E:\Program Files\Forward to the Sky\ForwardToTheSky.exe
C:\Users\Wael\Desktop\Desktop\JetClean.lnk - C:\JetClean\JetClean.exe
C:\Users\Wael\Desktop\Desktop\Life Is Strange Complete Season.lnk - E:\Program Files\life is strange\Life Is Strange Complete Season (EP. 1-5)\Binaries\Win32\LifeIsStrange.exe
C:\Users\Wael\Desktop\Desktop\Magical Battle Festa.lnk - E:\Program Files\Magical Battle Fiesta\magical Fiesta DX T^T\Magical Battle Festa\MBF.exe
C:\Users\Wael\Desktop\Desktop\Might & Magic Heroes VI - Shortcut.lnk - E:\Program Files\might and magic\Might & Magic Heroes VI.exe
C:\Users\Wael\Desktop\Desktop\Mitsurugi Kamui Hikae.lnk - E:\Program Files\Mitsurugi Kamui Hikae\Mitsurugi Kamui Hikae\mitsurugi.exe
C:\Users\Wael\Desktop\Desktop\Naruto Shippuden Ultimate Ninja Storm Revolution.lnk - E:\Program Files\naruto 4\Naruto Shippuden Ultimate Ninja Storm Revolution\NSUNSR_launcher.exe
C:\Users\Wael\Desktop\Desktop\Nevermind.lnk - E:\Program Files\nevermind\Nevermind\Nevermind.exe
C:\Users\Wael\Desktop\Desktop\NS3FB_launcher.lnk - E:\Program Files\Naruto Shippuden Ultimate Ninja Storm 3 Full Burst  [StarDima Repack]\NS3FB_launcher.exe
C:\Users\Wael\Desktop\Desktop\Origin.lnk - E:\Program Files\ea games\Origin\Origin.exe
C:\Users\Wael\Desktop\Desktop\Play Worms Forts Under Siege.lnk - E:\Program Files\worms\WF.exe
C:\Users\Wael\Desktop\Desktop\Red Alert 2.lnk - E:\Program Files\ra2\Ra2.exe
C:\Users\Wael\Desktop\Desktop\Remember Me.lnk - E:\Program Files\Remember me\Remember Me\Binaries\Win32\RememberMe.exe
C:\Users\Wael\Desktop\Desktop\Revenge of the Titans.lnk - E:\Program Files\titans revenge\Revenge of the Titans\RevengeOfTheTitans.exe
C:\Users\Wael\Desktop\Desktop\RWBY Grimm Eclipse.lnk - E:\Program Files\RWBY\RWBY Grimm Eclipse\rwby-ge.exe
C:\Users\Wael\Desktop\Desktop\Skype - Shortcut.lnk - C:\Skype\Phone\Skype.exe
C:\Users\Wael\Desktop\Desktop\SpeedFan.lnk - E:\Program Files\fan prog\SpeedFan\speedfan.exe
C:\Users\Wael\Desktop\Desktop\The Legend of Heroes - Trails in the Sky.lnk - E:\Program Files\legend of heroes trails in the sky\The Legend of Heroes - Trails in the Sky\ed6_win.exe
C:\Users\Wael\Desktop\Desktop\The Legend of Korra.lnk - E:\Program Files\Legend of Korra\The Legend of Korra\LoK.exe
C:\Users\Wael\Desktop\Desktop\This War of Mine v2.lnk - E:\Program Files\This war of mine V2\This War of Mine\This War of Mine.exe
C:\Users\Wael\Desktop\Desktop\This War of Mine V3.lnk - E:\Program Files\This war of mine V3\This War of Mine\This War of Mine.exe
C:\Users\Wael\Desktop\Desktop\Tiny and Big - Grandpa's Leftovers.lnk - E:\Program Files\tiny and big\Tiny and Big\tinyandbig.exe
C:\Users\Wael\Desktop\Desktop\Total War - Shogun 2 - Gold Edition.lnk - E:\Program Files\Shojun total War\Total War - Shogun 2 - Gold Edition\Shogun2.exe
C:\Users\Wael\Desktop\Desktop\Valkyria Chronicles 2.lnk - E:\Program Files\valkyria chronicles 2\Valkyria Chronicles\Launcher.exe
C:\Users\Wael\Desktop\Desktop\Valkyria Chronicles.lnk - E:\Program Files\Valkyria Chronicles\Valkyria Chronicles\Launcher.exe
C:\Users\Wael\Desktop\Desktop\Vanguard Princess.lnk - E:\Program Files\Vangaurd Princess\Vanguard Princess\Vanguard Princess.exe
C:\Users\Wael\Desktop\Desktop\War World 1.09.lnk - E:\Program Files\robots wars\War World - Tactical Combat 1.09\War World.exe
C:\Users\Wael\Desktop\Desktop\Windows Defender.lnk -  
C:\Users\Wael\Desktop\Desktop\Yuri's Revenge.lnk - E:\Program Files\ra2\RA2MD.exe
C:\Users\Wael\Desktop\Desktop\zenran kagura.lnk - E:\Program Files\Senran.Kagura.Shinovi.Versus\Application.exe
C:\Users\Wael\Desktop\Desktop\µTorrent.lnk -  
C:\Users\Wael\Desktop\Desktop\apps\A-PDF Merger.lnk - E:\Program Files\autohotkey macro\A-PDF Merger\PdfMerger.exe
C:\Users\Wael\Desktop\Desktop\apps\Adobe Reader X.lnk - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Users\Wael\Desktop\Desktop\apps\Battery Check Utility.lnk - C:\Program Files\TOSHIBA\Battery Check Utility\TosBatCheckTool.exe
C:\Users\Wael\Desktop\Desktop\apps\Calculator.lnk - C:\WINDOWS\system32\calc.exe
C:\Users\Wael\Desktop\Desktop\apps\Cheat Engine.lnk - E:\Program Files\cheat engine\Cheat Engine 6.4\Cheat Engine.exe
C:\Users\Wael\Desktop\Desktop\apps\COED11.lnk - C:\dictoinary\coed11.exe
C:\Users\Wael\Desktop\Desktop\apps\DAEMON Tools Pro.lnk - C:\Program Files (x86)\DAEMON Tools Pro\DTPro.exe
C:\Users\Wael\Desktop\Desktop\apps\Darksiders Comic.lnk - C:\Program Files (x86)\THQ\Darksiders\Comic\Darksiders_Comic.pdf
C:\Users\Wael\Desktop\Desktop\apps\Darksiders Soundtrack.lnk - C:\Program Files (x86)\THQ\Darksiders\SoundTrack
C:\Users\Wael\Desktop\Desktop\apps\Data Lifeguard Diagnostic for Windows.lnk - E:\Program Files\Data Lifeguard Diagnostic for Windows\WinDlg.exe
C:\Users\Wael\Desktop\Desktop\apps\Desktop Assist.lnk - C:\Program Files (x86)\TOSHIBA\TOSHIBA Desktop Assist\TosDesktopAssist.exe
C:\Users\Wael\Desktop\Desktop\apps\GeForce Experience.lnk - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\GFExperience.exe
C:\Users\Wael\Desktop\Desktop\apps\KMPlayer.lnk - C:\The KMPlayer\KMPlayer.exe
C:\Users\Wael\Desktop\Desktop\apps\Malwarebytes Anti-Malware.lnk - E:\Program Files\malwarebytes antimalware\Malwarebytes Anti-Malware\mbam.exe
C:\Users\Wael\Desktop\Desktop\apps\Manual.lnk - C:\Program Files (x86)\TOSHIBA\Manuals\TREXLauncher.exe
C:\Users\Wael\Desktop\Desktop\apps\Math Input Panel.lnk -  
C:\Users\Wael\Desktop\Desktop\apps\MiniTool Partition Wizard Free.lnk - C:\Program Files\MiniTool Partition Wizard Free 9.1\loader.exe
C:\Users\Wael\Desktop\Desktop\apps\Mp3tag.lnk - E:\Program Files\mp3tag\Mp3tag.exe
C:\Users\Wael\Desktop\Desktop\apps\MPC-HC x64.lnk - E:\Program Files\MPC-HC\mpc-hc64.exe
C:\Users\Wael\Desktop\Desktop\apps\Paint.lnk - C:\WINDOWS\system32\mspaint.exe
C:\Users\Wael\Desktop\Desktop\apps\Remote Desktop Connection.lnk - C:\WINDOWS\system32\mstsc.exe
C:\Users\Wael\Desktop\Desktop\apps\Snipping Tool.lnk -  
C:\Users\Wael\Desktop\Desktop\apps\Sony PC Companion 2.1.lnk - C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe
C:\Users\Wael\Desktop\Desktop\apps\Sound Recorder.lnk -  
C:\Users\Wael\Desktop\Desktop\apps\Speccy64 - Shortcut.lnk - E:\Program Files\speccy\Speccy64.exe
C:\Users\Wael\Desktop\Desktop\apps\Steam.lnk - E:\Program Files\Darksiders 1\Steam.exe
C:\Users\Wael\Desktop\Desktop\apps\Steps Recorder.lnk - C:\WINDOWS\system32\psr.exe
C:\Users\Wael\Desktop\Desktop\apps\Sticky Notes.lnk -  
C:\Users\Wael\Desktop\Desktop\apps\Synthesia.lnk - C:\Program Files (x86)\Synthesia\Synthesia.exe
C:\Users\Wael\Desktop\Desktop\apps\Tunngle.lnk - C:\Program Files (x86)\Tunngle\Tunngle.exe
C:\Users\Wael\Desktop\Desktop\apps\Uplay.lnk - C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe
C:\Users\Wael\Desktop\Desktop\apps\VLC media player.lnk - E:\Program Files\vlc\vlc.exe
C:\Users\Wael\Desktop\Desktop\apps\WD Drive Utilities.lnk - C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilities.exe
C:\Users\Wael\Desktop\Desktop\apps\WD Security.lnk - C:\Program Files (x86)\Western Digital\WD Security\WDDriveSecurity.exe
C:\Users\Wael\Desktop\Desktop\apps\WD SmartWare.lnk - C:\Program Files (x86)\Western Digital\WD SmartWare\WDSmartWare.exe
C:\Users\Wael\Desktop\Desktop\apps\Win32DiskImager.lnk - C:\Program Files (x86)\ImageWriter\Win32DiskImager.exe
C:\Users\Wael\Desktop\Desktop\apps\WinDirStat.lnk - E:\Program Files\Wirdirstat\WinDirStat\windirstat.exe
C:\Users\Wael\Desktop\Desktop\apps\Windows Fax and Scan.lnk -  
C:\Users\Wael\Desktop\Desktop\apps\Windows Media Player.lnk - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\Wael\Desktop\Desktop\apps\Wordpad.lnk - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
C:\Users\Wael\Desktop\Desktop\apps\XPS Viewer.lnk - C:\WINDOWS\system32\xpsrchvw.exe

==== shortcuts on All Users Desktop ======================

C:\Users\Public\Desktop\Arslan - The Warriors of Legend.lnk - E:\Program Files\Arslan- The Warriors of Legend\Arslan - The Warriors of Legend\Config.exe

==== shortcuts in Users Start Menu ======================

C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk - C:\Program Files\Internet Explorer\iexplore.exe http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D?publisher=apsnapdoam&co=TR&userid=2c3fc38f-d39c-d1b7-d806-367b26f0ade2&searchtype=sc&installDate=20/07/2016&barcodeid=50046888&channelid=888&av=windows
C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam\Steam.lnk - E:\Program Files\Darksiders 1\Steam.exe

==== shortcuts in All Users Start Menu ======================

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk - C:\WINDOWS\Installer\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\SC_Reader.ico
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Life Is Strange Complete Season (EP. 1-5)\Desinstalar Life Is Strange Complete Season (EP. 1-5).lnk - E:\Program Files\life is strange\Life Is Strange Complete Season (EP. 1-5)\unins000.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Life Is Strange Complete Season (EP. 1-5)\Life Is Strange Complete Season.lnk - E:\Program Files\life is strange\Life Is Strange Complete Season (EP. 1-5)\Binaries\Win32\LifeIsStrange.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight\Microsoft Silverlight.lnk - C:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\Silverlight.Configuration.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype\Skype.lnk - C:\Skype\Phone\Skype.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam\Steam Support Center.lnk - C:\WINDOWS\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam\Steam.lnk - E:\Program Files\Darksiders 1\Steam.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\This War of Mine [GOG.com]\Modding Tool.lnk - E:\Program Files\This war of mine V3\This War of Mine\StorytellerNS.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\This War of Mine [GOG.com]\This War of Mine.lnk - E:\Program Files\This war of mine V3\This War of Mine\This War of Mine.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\This War of Mine [GOG.com]\Uninstall This War of Mine.lnk - E:\Program Files\This war of mine V3\This War of Mine\unins000.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\This War of Mine [GOG.com]\Documents\Modding Instructions.lnk - E:\Program Files\This war of mine V3\This War of Mine\Modding Instructions.pdf
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\THQ\DarksidersInstaller\Darksiders Comic.lnk - C:\Program Files (x86)\THQ\Darksiders\Comic\Darksiders_Comic.pdf
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\THQ\DarksidersInstaller\Darksiders Soundtrack.lnk - C:\Program Files (x86)\THQ\Darksiders\SoundTrack
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tunngle\Tunngle.lnk - C:\Program Files (x86)\Tunngle\Tunngle.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tunngle\Uninstall Tunngle.lnk - C:\Program Files (x86)\Tunngle\unins000.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\Check for UnHackMe updates.lnk - C:\Program Files (x86)\UnHackMe\GWebUpdate.exe http://greatis.com/unhackme.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\How to register.lnk - C:\Program Files (x86)\UnHackMe\order.txt
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\Read me.lnk - C:\Program Files (x86)\UnHackMe\readme.txt
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\Reanimator.lnk - C:\Program Files (x86)\UnHackMe\reanimator.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\Start UnHackMe.lnk - C:\Program Files (x86)\UnHackMe\Unhackme.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\UnHackMe Monitor.lnk - C:\Program Files (x86)\UnHackMe\hackmon.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\Uninstall UnHackMe.lnk - C:\Program Files (x86)\UnHackMe\unins000.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\Documentation.lnk - E:\Program Files\vlc\Documentation.url
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\Release Notes.lnk - E:\Program Files\vlc\NEWS.txt
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VideoLAN Website.lnk - E:\Program Files\vlc\VideoLAN Website.url
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VLC media player - reset preferences and cache files.lnk - E:\Program Files\vlc\vlc.exe --reset-config --reset-plugins-cache vlc://quit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VLC media player skinned.lnk - E:\Program Files\vlc\vlc.exe -Iskins
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VLC media player.lnk - E:\Program Files\vlc\vlc.exe

==== shortcuts in Quick Launch ======================

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -  
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -  
C:\Users\Default User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -  
C:\Users\Default User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -  
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk - C:\Program Files\Internet Explorer\iexplore.exe http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D?publisher=apsnapdoam&co=TR&userid=2c3fc38f-d39c-d1b7-d806-367b26f0ade2&searchtype=sc&installDate=20/07/2016&barcodeid=50046888&channelid=888&av=windows
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -  
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Tunngle.lnk - C:\Program Files (x86)\Tunngle\Tunngle.exe
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -  
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Concise Oxford English Dictionary (Eleventh Edition).lnk - C:\dictoinary\coed11.exe
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk -  
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Office OneNote 2007.lnk - C:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Pangolin Screen Brightness.lnk - C:\Users\Wael\Desktop\Desktop\apps\PangoBright.exe
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\SumatraPDF.lnk - E:\Program Files\sumatra pdf\SumatraPDF\SumatraPDF.exe

==== shortcuts After Repair ======================

C:\Users\Wael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk - C:\Program Files\Internet Explorer\iexplore.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe\Check for UnHackMe updates.lnk - C:\Program Files (x86)\UnHackMe\GWebUpdate.exe
C:\Users\Wael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk - C:\Program Files\Internet Explorer\iexplore.exe

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E40670FF068C9E042A033EF74AF101A3 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Policies\Chromium deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FF07604E-C860-40E9-A230-E37FA41F103A} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A13CC536-7D79-45FE-99FF-06AA34AC3667} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E40670FF068C9E042A033EF74AF101A3 deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Wael\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Wael\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Users\Wael\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Wael\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Wael\AppData\Local\Mozilla\Firefox\Profiles\y172bc9c.default-1468959715206\cache2 emptied successfully
C:\Users\Wael\AppData\Roaming\Mozilla\Firefox\Profiles\mq08akzr.default-1463215426900\storage\default\https+++www.flypgs.com\cache emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Wael\AppData\Local\Chromium\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=85 folders=44 61460194 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Wael\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Wael\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\PROGRA~3\xifs\xifs.d.dat"  not found
"C:\PROGRA~3\xifs\xifs.dat"  not found
"C:\PROGRA~3\xifs"  not found
"C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp\Low" not deleted

==== EOF on Thu 07/21/2016 at 17:54:29.61 ======================

Firefox did not redirect me when I started it. But if I try to open anything in a new tab, a random Yahoo search comes up in that new tab.

Memory, CPU and disk values are normal.


Edited by Tamimwm, 21 July 2016 - 10:01 AM.
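The hijacked Internet Explorer values in the log above hide their hostnames behind percent-encoding (%66%65%65%64 is "feed"), which is why they look like noise at a glance. The following is an added example, not code from this thread or from Zoek: it pulls the URLs out of constructed log lines modelled on the "Old Values" and SearchScopes sections, decodes the authority part, and flags entries whose host is obfuscated or absent from an assumed allowlist of stock search providers.

```python
import re
from urllib.parse import unquote, urlsplit

# Hosts a stock Windows 8.1 / IE 11 install would legitimately point at.
# Assumption for this example; extend it for your own baseline.
EXPECTED_HOSTS = {
    "www.bing.com",
    "www.google.com",
    "go.microsoft.com",
    "search.msn.com",
}

# Constructed sample in the shape of the zoek-results.log "Old Values" and
# "All HKLM and HKCU SearchScopes" sections; the long p= tokens are shortened.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFz"
"Search Page"="http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz&q={searchTerms}"
"Default_Page_URL"="http://www.google.com"
HKLM\Wow6432Node\SearchScopes\ielnksrch - http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz&q={searchTerms}
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes\{FAD8527E-A1BB-434B-B9F6-6CD22B998C4B} - http://yandex.ru/yandsearch?win=140&clid=1989274&text={searchTerms}
'''

# A URL runs until whitespace or the closing quote of a registry value.
URL_RE = re.compile(r'https?://[^\s"]+')


def decode_host(url):
    """Hostname of `url` with percent-escapes removed and lower-cased.

    The authority is split off *before* decoding so that an escaped '/'
    or '@' inside the path cannot move the host boundary.
    """
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0]   # drop userinfo, port
    return unquote(host).lower()


def is_obfuscated(url):
    """True when the authority part itself carries percent-escapes."""
    return "%" in urlsplit(url).netloc


def scan(log_text, expected=EXPECTED_HOSTS):
    """Return one finding per URL whose host is obfuscated or not expected."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = decode_host(url)
            reasons = []
            if is_obfuscated(url):
                reasons.append("percent-encoded hostname")
            if host not in expected:
                reasons.append("not an expected search provider")
            if reasons:
                findings.append({"line": lineno, "host": host,
                                 "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>2}: {f['host']:<25} {'; '.join(f['reasons'])}")
```

Run against a real zoek-results.log, the same scan would surface feed.snapdo.com and feed.sonic-search.com behind every encoded value, plus any search scope that does not match your baseline.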


#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 AM

Posted 21 July 2016 - 01:17 PM

But if I try to open anything in a new tab a random Yahoo search comes up in that new tab.
Memory CPU and Disk values are normal


Is this activity with all the browsers?

Edited by nasdaq, 22 July 2016 - 08:01 AM.


#15 Tamimwm

Tamimwm
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cyprus
  • Local time:07:26 AM

Posted 21 July 2016 - 01:52 PM

I can't say yes exactly, because just now I opened Internet Explorer and it instantly redirected me to http://search.safefinder.com/?st=sc&q=

But before that it showed some short link to my program data file and then I got redirected.

My CPU, memory and disk values are OK, but Xifs is still running in the background processes.





