
Virus or Trojan in my system


91 replies to this topic

#1 leo009

Posted 22 July 2016 - 12:32 PM

Hi guys, I'm having a problem with malware (don't know what type). There is someone helping me out in my other post (http://www.bleepingcomputer.com/forums/t/620585/malware-in-my-computer/). He sent me to the malware removal topic, where I followed from step 6. So now I have to post my FRST log here so you guys can help me out, thanks.
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-07-2016
Ran by Top Gamers (administrator) on CUSTOMER (22-07-2016 13:07:57)
Running from C:\Users\Customer1\Downloads
Loaded Profiles: Top Gamers (Available Profiles: Top Gamers)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\BitTorrent\BitTorrent.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
() C:\Users\Customer1\AppData\Roaming\gplyra\gplyra.exe
(BitTorrent Inc.) C:\Users\Customer1\AppData\Roaming\uTorrent\uTorrent.exe
(Dropbox, Inc.) C:\Users\Customer1\AppData\Local\Dropbox\Update\DropboxUpdate.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
() C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Ipksoft\apsdl64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [gplyra] => C:\Users\Customer1\AppData\Roaming\gplyra\gplyra.exe [1400320 2016-06-10] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)
HKLM-x32\...\Run: [Ipksoft] => C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\Ipksoft\apsdl64.exe [112377 2016-06-15] ()
HKLM-x32\...\Run: [YkPack] => regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\YkPack\RoverMapClock90.dll <===== ATTENTION
HKLM-x32\...\Run: [Ufmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ipksoft\AaShell16.dll
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595992 2016-05-20] (Oracle Corporation)
HKLM\...\RunOnce: [Java Update Controller] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
HKLM-x32\...\RunOnce: [Java Update Controller] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3675352 2013-10-28] (Disc Soft Ltd)
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [uTorrent] => C:\Users\Customer1\AppData\Roaming\uTorrent\uTorrent.exe [2133504 2016-05-20] (BitTorrent Inc.)
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [Dropbox Update] => C:\Users\Customer1\AppData\Local\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-19] (Dropbox, Inc.)
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [Ipksoft] => C:\Users\Customer1\AppData\Local\Ipksoft\7197.exe [0 2016-07-17] ()
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [Ufmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ipksoft\AaShell16.dll
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [YkPack] => regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\YkPack\RoverMapClock90.dll <===== ATTENTION
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [ProxyGate] => C:\Users\Customer1\AppData\Roaming\ProxyGate\MainService.exe
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [Java Update Controller] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\RunOnce: [b612084a] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\MountPoints2: {8c6423fc-7ee8-11e3-be86-d43d7ebced8d} - "E:\setup.exe"
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Mystify.scr [133632 2014-10-28] (Microsoft Corporation)
AppInit_DLLs: C:\ProgramData\Airtostrong\Truelex.dll => No File
AppInit_DLLs-x32: C:\ProgramData\Airtostrong\SilverSololab.dll => No File
IFEO\MRT.exe: [Debugger] cddzxllhmiw.exe
IFEO\mrtstub.exe: [Debugger] ndbppoiwsuj.exe
IFEO\rstrui.exe: [Debugger] mlrhkdrlclh.exe
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Customer1\AppData\Roaming\Dropbox\bin\DropboxExt64.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
Startup: C:\Users\Customer1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2016-07-21]
ShortcutTarget: Dropbox.lnk ->  (No File)
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 190.112.224.35 190.112.224.36
Tcpip\..\Interfaces\{1CED5B35-A434-4035-A4A1-9B2C2B13FF71}: [DhcpNameServer] 190.112.224.35 190.112.224.36

Internet Explorer:
==================
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXjxx2YAbMnESB7-vlrn1PjGz9ICL2vzM_ih-VxTLV92LIyjEVYZu2s349iNYOpqRFHoY1zi-R87GN2lgbW-okrUy7WvMHA,
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKU\S-1-5-21-4058035717-616954772-1676694511-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
BHO: AllSaover -> {02b3c8ea-677c-44f8-8348-333f2839ec51} -> C:\ProgramData\AllSaover\YbH4yYsyhDEYud.x64.dll => No File
BHO: No Name -> {2ce0ed48-9204-4dda-b303-d05517c70521} -> No File
BHO: No Name -> {6204b53d-873f-4f87-a115-bfe5eb4394e5} -> No File
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO: No Name -> {dd0cba33-7a8a-4a8d-857d-7e8a5d56a7d6} -> No File
BHO: No Name -> {e93ed9c5-f4d5-4fb8-bd14-56035800d183} -> No File
BHO-x32: No Name -> {2ce0ed48-9204-4dda-b303-d05517c70521} -> No File
BHO-x32: No Name -> {6204b53d-873f-4f87-a115-bfe5eb4394e5} -> No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-07-16] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-07-16] (Oracle Corporation)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_19_0_0_226.dll [2015-10-16] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-16] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-07-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-07-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [fcgnigmofekcllgbiejhmigggmgehkip] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe [0 2016-07-20] () <==== ATTENTION (zero byte File/Folder)
S2 backlh; C:\ProgramData\Logic Handler\set.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)
R2 BitTorrent; C:\Program Files\BitTorrent\BitTorrent.exe [383488 2016-06-15] () [File not signed] <==== ATTENTION
S2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)
S3 EasyAntiCheat; C:\WINDOWS\SysWOW64\EasyAntiCheat.exe [236840 2016-05-09] (EasyAntiCheat Ltd)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S2 Ronzap; C:\ProgramData\\Ronzap\\Ronzap.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
S2 xifs; C:\ProgramData\\xifs\\xifs.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [102912 2015-07-15] (Advanced Micro Devices)
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2014-06-29] (Disc Soft Ltd)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-01-19] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-07-22] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
S4 secdrv; C:\Windows\SysWow64\Drivers\secdrv.sys [11616 2000-06-24] () [File not signed]
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-22 13:07 - 2016-07-22 13:08 - 00016820 _____ C:\Users\Customer1\Downloads\FRST.txt
2016-07-22 13:05 - 2016-07-22 13:07 - 00000000 ____D C:\FRST
2016-07-22 13:05 - 2016-07-22 13:05 - 02393600 _____ (Farbar) C:\Users\Customer1\Downloads\FRST64.exe
2016-07-21 13:35 - 2016-07-21 13:35 - 00003636 _____ C:\Users\Customer1\Documents\number 7.txt
2016-07-21 13:33 - 2016-07-21 13:33 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Customer1\Downloads\rkill.exe
2016-07-21 13:33 - 2016-07-21 13:33 - 00000000 ____D C:\Users\Customer1\Desktop\rkill
2016-07-21 13:32 - 2016-07-21 13:27 - 00071022 _____ C:\Users\Customer1\Documents\number 6.txt
2016-07-21 13:32 - 2016-07-21 13:27 - 00010792 _____ C:\Users\Customer1\Documents\number 5.txt
2016-07-21 13:24 - 2016-07-21 13:24 - 02927263 _____ () C:\Program Files\Common Files\iyhhuvgj.exe
2016-07-21 13:07 - 2016-07-22 12:16 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-07-21 13:06 - 2016-07-21 13:27 - 00000000 ____D C:\Users\Customer1\Desktop\mbar
2016-07-21 13:06 - 2016-07-21 13:06 - 02919652 _____ () C:\Program Files\Common Files\allvqnq4.exe
2016-07-21 13:05 - 2016-07-21 13:05 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Customer1\Downloads\mbar-1.09.3.1001.exe
2016-07-21 12:54 - 2016-07-21 12:54 - 00030013 _____ C:\Users\Customer1\Documents\number 4.txt
2016-07-21 12:32 - 2016-07-22 12:17 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-07-21 12:32 - 2016-07-21 13:06 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-07-21 12:32 - 2016-07-21 12:32 - 00001130 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-07-21 12:32 - 2016-07-21 12:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-07-21 12:32 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-07-21 12:32 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-07-21 12:30 - 2016-07-21 12:30 - 00036007 _____ C:\Users\Customer1\Documents\number 3.txt
2016-07-21 12:29 - 2016-07-21 12:29 - 00892416 _____ (Farbar) C:\Users\Customer1\Downloads\MiniToolBox.exe
2016-07-21 12:16 - 2016-07-21 12:16 - 00003948 _____ C:\Users\Customer1\Documents\number 2.txt
2016-07-21 12:15 - 2016-07-21 12:15 - 00899584 _____ (Farbar) C:\Users\Customer1\Downloads\FSS.exe
2016-07-21 12:14 - 2016-07-21 12:14 - 00000925 _____ C:\Users\Customer1\Documents\number 1.txt
2016-07-21 12:12 - 2016-07-21 12:12 - 00852798 _____ C:\Users\Customer1\Downloads\SecurityCheck.exe
2016-07-21 12:06 - 2016-07-21 11:45 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\aLIGCRXRWWdbcRMbgRaKe.cmd
2016-07-21 12:06 - 2016-07-21 11:45 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\gURgIIdCafiA
2016-07-21 12:06 - 2016-07-21 11:45 - 00036337 ___SH C:\Users\Customer1\AppData\Roaming\VaZNdVNBRFfREKdFIcF
2016-07-21 12:06 - 2015-12-28 10:02 - 00524288 ___SH (Simon Tatham) C:\Users\Customer1\AppData\Roaming\putty.exe
2016-07-21 12:02 - 2016-07-21 12:02 - 02931957 _____ () C:\Program Files\Common Files\wkztugsb.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\tqbfifva.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\s3l00dkj.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\nqpmuq2v.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\hth3jn3l.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\31spbmat.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\31cuk5ac.exe
2016-07-20 20:26 - 2016-07-20 20:26 - 02929852 _____ () C:\Program Files\Common Files\gqmt4jwd.exe
2016-07-20 20:06 - 2016-07-20 20:06 - 02917546 _____ () C:\Program Files\Common Files\lxfo2pzf.exe
2016-07-20 17:49 - 2016-07-19 22:43 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\BgdeYfGFPXRhZiHZbGYVL.cmd
2016-07-20 17:49 - 2016-07-19 22:43 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\JMUfLdCJbBFY
2016-07-20 17:49 - 2016-07-19 22:43 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\eLLCQifYKHTXBbYDDQD
2016-07-20 17:14 - 2016-07-20 17:14 - 02913768 _____ () C:\Program Files\Common Files\m32tbm1r.exe
2016-07-20 17:02 - 2016-07-20 17:02 - 02916601 _____ () C:\Program Files\Common Files\m3h0t5dd.exe
2016-07-20 16:56 - 2016-07-20 16:56 - 02916601 _____ () C:\Program Files\Common Files\l3gmtoyj.exe
2016-07-20 15:32 - 2016-07-20 15:34 - 00000000 ____D C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware v2.1.8.1057 + Serial
2016-07-20 15:27 - 2016-07-20 15:27 - 00000000 ____D C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware Premium 2.1.8.1057 + KeyGen
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\xlve4xvz.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\xiihwhfk.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\x4hkefsa.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ucr2xksq.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\pdjy21ch.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\mdlmtgbl.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\lywxswhm.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\iqzepgsk.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\gjbbi3ey.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ga3h5ttn.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\cnzdeinj.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\b0u551ie.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ac0jlcwd.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\3q0lfak1.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\1advcofw.exe
2016-07-20 14:22 - 2016-07-21 12:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-07-19 13:52 - 2016-07-19 13:52 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\AVAST Software
2016-07-19 13:51 - 2016-07-19 13:51 - 00000000 ____D C:\Program Files\Common Files\AV
2016-07-19 13:51 - 2016-07-19 13:51 - 00000000 ____D C:\Program Files\AVAST Software
2016-07-19 13:42 - 2016-07-19 13:42 - 00000000 ____D C:\Users\Customer1\AppData\Local\Avg
2016-07-19 13:41 - 2016-07-20 15:10 - 00000000 ____D C:\ProgramData\MFAData
2016-07-19 13:41 - 2016-07-19 13:41 - 00000000 ____D C:\Users\Customer1\AppData\Local\MFAData
2016-07-19 13:41 - 2016-07-19 13:41 - 00000000 ____D C:\Users\Customer1\AppData\Local\Avg2015
2016-07-19 13:10 - 2016-07-22 12:17 - 00000000 ____D C:\Users\Customer1\AppData\LocalLow\uTorrent
2016-07-19 12:53 - 2016-07-19 02:29 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\cAWSZFFKZUZT
2016-07-19 12:53 - 2016-07-19 02:29 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\cUPNebdgPiZQWUISfXT
2016-07-19 11:52 - 2016-07-19 11:52 - 00003570 _____ C:\WINDOWS\System32\Tasks\{0CC4B521-ED2F-445F-A99A-C8AF57FA0675}
2016-07-19 11:46 - 2016-07-19 11:46 - 02921548 _____ () C:\Program Files\Common Files\qomcx3fe.exe
2016-07-19 11:44 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\tsc5hkj3
2016-07-19 11:44 - 2016-07-19 11:44 - 00003388 _____ C:\WINDOWS\System32\Tasks\1vsni2a0
2016-07-19 11:39 - 2016-07-21 13:28 - 00003752 _____ C:\WINDOWS\System32\Tasks\AutoKMS
2016-07-19 11:39 - 2016-07-21 13:28 - 00000000 ____D C:\WINDOWS\AutoKMS
2016-07-19 11:36 - 2016-07-19 11:36 - 00000000 ____D C:\ProgramData\Microsoft Toolkit
2016-07-19 11:35 - 2016-07-17 14:55 - 00000000 ____D C:\Users\Customer1\Downloads\Microsoft Toolkit
2016-07-19 11:08 - 2016-07-19 11:08 - 02936366 _____ () C:\Program Files\Common Files\px4gekgu.exe
2016-07-19 11:08 - 2016-07-19 11:08 - 02936366 _____ () C:\Program Files\Common Files\nnul2eip.exe
2016-07-19 11:06 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\dlalruym
2016-07-19 11:06 - 2016-07-19 11:06 - 00003388 _____ C:\WINDOWS\System32\Tasks\r4hvnjwf
2016-07-18 17:36 - 2016-07-18 18:31 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcSAU.cmd
2016-07-18 17:36 - 2016-07-18 18:31 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\YONCbdWAdRhT
2016-07-18 17:36 - 2016-07-18 18:31 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcS
2016-07-18 14:02 - 2016-07-18 14:07 - 00000000 ____D C:\Users\Customer1\Downloads\IGG-Arma.3.v1.60.Hotfix
2016-07-18 13:55 - 2016-07-18 14:00 - 00000000 ____D C:\Program Files (x86)\ARMA 3
2016-07-17 20:26 - 2016-07-21 12:45 - 00000000 ____D C:\ProgramData\Airtostrong
2016-07-17 20:26 - 2016-07-17 20:26 - 02926389 _____ () C:\Program Files\Common Files\yndczsgd.exe
2016-07-17 20:26 - 2016-07-17 20:26 - 00000000 ____D C:\ProgramData\Airtostrongs
2016-07-17 20:08 - 2016-07-17 20:08 - 02937401 _____ () C:\Program Files\Common Files\f5c13ioa.exe
2016-07-17 13:31 - 2016-07-17 18:16 - 181288373 _____ C:\Users\Customer1\Downloads\IGG-Arma.3.v1.60.Hotfix.zip
2016-07-17 13:22 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\newzaboa
2016-07-17 13:22 - 2016-07-17 13:22 - 00003388 _____ C:\WINDOWS\System32\Tasks\yzkpeumf
2016-07-17 09:14 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\yhcdpile
2016-07-17 09:14 - 2016-07-17 09:14 - 00003388 _____ C:\WINDOWS\System32\Tasks\t0coqnay
2016-07-16 16:58 - 2016-07-16 16:58 - 00000936 _____ C:\Users\Customer1\Desktop\Counter-Strike Global Offensive WaRzOnE.lnk
2016-07-16 16:58 - 2016-07-16 16:58 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Counter-Strike Global Offensive
2016-07-16 16:15 - 2016-07-20 15:10 - 00000000 ____D C:\Users\Customer1\Downloads\Counter-Strike Global Offensive - WaRzOnE
2016-07-16 15:57 - 2016-07-16 15:58 - 00000000 ____D C:\ProgramData\Oracle
2016-07-16 15:57 - 2016-07-16 15:57 - 00097344 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-07-16 15:57 - 2016-07-16 15:57 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\Sun
2016-07-16 15:57 - 2016-07-16 15:57 - 00000000 ____D C:\Users\Customer1\AppData\LocalLow\Sun
2016-07-16 15:57 - 2016-07-16 15:57 - 00000000 ____D C:\Users\Customer1\.oracle_jre_usage
2016-07-16 15:57 - 2016-07-16 15:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-07-16 15:57 - 2016-07-16 15:57 - 00000000 ____D C:\Program Files (x86)\Java
2016-07-16 15:56 - 2016-07-16 15:56 - 00000000 ____D C:\Users\Customer1\AppData\LocalLow\Oracle
2016-07-16 15:15 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Online.IO
2016-07-16 15:13 - 2016-07-20 15:29 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\gplyra
2016-07-16 11:28 - 2016-07-16 11:28 - 75459834 _____ C:\Users\Customer1\Downloads\wetransfer-2beb9a.zip
2016-07-16 11:27 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\hc3fq403
2016-07-16 11:27 - 2016-07-16 11:27 - 00003388 _____ C:\WINDOWS\System32\Tasks\byztoj0a
2016-07-15 17:12 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\a22c5bdy
2016-07-15 17:12 - 2016-07-15 17:12 - 00003388 _____ C:\WINDOWS\System32\Tasks\ex32bk3z
2016-07-14 16:54 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\4gwajam3
2016-07-14 16:54 - 2016-07-14 16:54 - 00003388 _____ C:\WINDOWS\System32\Tasks\b0grw2rz
2016-07-14 11:50 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\geegzgch
2016-07-14 11:50 - 2016-07-14 11:50 - 00003388 _____ C:\WINDOWS\System32\Tasks\ifkos2fa
2016-07-13 11:59 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\2xgdmfnr
2016-07-13 11:59 - 2016-07-13 11:59 - 00003388 _____ C:\WINDOWS\System32\Tasks\sjczxijc
2016-07-12 20:24 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\wfcj4rps
2016-07-12 20:24 - 2016-07-12 20:24 - 00003388 _____ C:\WINDOWS\System32\Tasks\222djcpz
2016-07-12 11:40 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\3jvj5tqy
2016-07-12 11:40 - 2016-07-12 11:40 - 00003388 _____ C:\WINDOWS\System32\Tasks\ef340mhq
2016-07-11 18:03 - 2016-07-11 18:03 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-07-08 12:08 - 2016-07-22 12:34 - 00000000 __SHD C:\ProgramData\Java Update Controller
2016-07-04 13:30 - 2016-07-04 13:30 - 00280808 _____ C:\WINDOWS\Minidump\070416-16671-01.dmp
2016-07-04 13:30 - 2016-07-04 13:30 - 00000000 ____D C:\WINDOWS\Minidump
2016-06-29 13:35 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\cvzgfvdm
2016-06-29 13:35 - 2016-06-29 13:35 - 00003388 _____ C:\WINDOWS\System32\Tasks\r5b5wel0
2016-06-25 16:38 - 2000-06-24 14:16 - 00011616 _____ C:\WINDOWS\SysWOW64\Drivers\SECDRV.SYS
2016-06-23 17:00 - 2016-06-23 17:00 - 00003388 _____ C:\WINDOWS\System32\Tasks\oheupk0q
2016-06-23 16:59 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\f1vmwudl

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-22 13:07 - 2014-01-21 18:51 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\uTorrent
2016-07-22 12:24 - 2015-10-16 20:56 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-07-22 12:22 - 2015-09-28 21:20 - 00003946 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{B8ABD6A3-1D98-4003-BE3C-AA70A5F17F6A}
2016-07-22 12:17 - 2015-10-03 12:51 - 00000000 __RDO C:\Users\Customer1\OneDrive
2016-07-22 12:16 - 2013-08-22 10:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-07-21 22:53 - 2016-02-18 16:03 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\ProxyGate
2016-07-21 17:44 - 2014-09-09 21:19 - 00000000 ____D C:\Users\Customer1\AppData\LocalLow\Heroes and Generals
2016-07-21 17:44 - 2013-07-27 22:07 - 00000000 ____D C:\Program Files (x86)\Steam
2016-07-21 17:42 - 2015-09-27 18:55 - 00000000 ____D C:\Users\Customer1
2016-07-21 13:54 - 2013-06-27 05:09 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4058035717-616954772-1676694511-1001
2016-07-21 13:41 - 2012-07-26 04:12 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2016-07-21 13:27 - 2016-04-25 12:18 - 00000000 ____D C:\Program Files (x86)\Total War ATTILA
2016-07-21 13:27 - 2016-02-18 16:03 - 00000000 ____D C:\Users\Customer1\AppData\Local\YkPack
2016-07-21 13:27 - 2015-12-16 19:02 - 00000000 ____D C:\Users\Customer1\AppData\Local\Ipksoft
2016-07-21 13:12 - 2016-06-18 12:51 - 00000000 ____D C:\Program Files\Common Files\tykxu0bm
2016-07-21 12:45 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-07-20 16:03 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-07-20 15:21 - 2016-06-15 19:04 - 00002393 _____ C:\WINDOWS\SysWOW64\findit.xml
2016-07-20 15:10 - 2016-06-15 22:04 - 00000000 ____D C:\ProgramData\xifs
2016-07-20 15:10 - 2016-06-15 20:04 - 00000000 ____D C:\Program Files\Common Files\bfius4x1
2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\Ronzap
2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\Logic Handler
2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\CloudPrinter
2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\Program Files\BitTorrent
2016-07-20 15:10 - 2015-10-03 17:03 - 00000000 ___SD C:\WINDOWS\system32\GWX
2016-07-20 15:10 - 2015-09-20 19:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2016-07-20 15:10 - 2015-09-20 19:11 - 00000000 ____D C:\Program Files\7-Zip
2016-07-20 15:10 - 2014-12-25 22:29 - 00000000 ____D C:\ProgramData\8624337292199723864
2016-07-20 15:10 - 2014-01-24 07:12 - 00000000 ____D C:\Program Files (x86)\Assassins Creed IV Black Flag
2016-07-20 15:10 - 2014-01-22 14:31 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-07-20 15:10 - 2014-01-21 18:51 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-07-20 15:10 - 2014-01-21 18:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-07-20 15:10 - 2014-01-21 18:50 - 00000000 ____D C:\Program Files\WinRAR
2016-07-20 15:10 - 2013-08-22 11:36 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2016-07-20 15:10 - 2013-08-22 11:36 - 00000000 ____D C:\Program Files\Windows Defender
2016-07-20 15:09 - 2013-08-22 11:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-07-20 15:07 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2016-07-20 15:07 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\registration
2016-07-20 15:06 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-07-20 14:22 - 2014-01-22 14:31 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\Malwarebytes
2016-07-20 14:22 - 2014-01-22 14:30 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2016-07-19 13:51 - 2014-12-27 14:39 - 00000000 ____D C:\ProgramData\AVAST Software
2016-07-19 13:33 - 2015-03-28 11:57 - 00000000 ____D C:\AdwCleaner
2016-07-17 17:35 - 2015-03-10 21:59 - 00000000 ___RD C:\Users\Customer1\Dropbox
2016-07-16 16:53 - 2016-03-25 12:28 - 00000000 ____D C:\Games
2016-07-16 15:13 - 2014-01-21 18:54 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\DAEMON Tools Lite
2016-07-15 12:02 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\Inf
2016-07-14 12:52 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-07-11 18:03 - 2015-03-10 21:55 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\Dropbox
2016-07-04 13:30 - 2015-08-08 21:40 - 629116963 _____ C:\WINDOWS\MEMORY.DMP
2016-06-23 11:24 - 2015-05-31 23:01 - 00000000 ____D C:\Program Files\Rockstar Games
2016-06-23 11:24 - 2015-05-31 23:01 - 00000000 ____D C:\Program Files (x86)\Rockstar Games
2016-06-23 11:21 - 2016-02-16 22:04 - 00000000 ____D C:\Program Files (x86)\NCH Software
2016-06-23 11:21 - 2016-02-16 20:33 - 00000000 ____D C:\Program Files (x86)\Wondershare
2016-06-23 11:20 - 2015-07-20 19:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeBlocks
2016-06-23 11:19 - 2013-10-24 13:57 - 00000000 ____D C:\Program Files (x86)\DSPRobotics
2016-06-23 11:18 - 2013-10-24 13:57 - 00000000 ____D C:\Program Files (x86)\VstPlugins

==================== Files in the root of some directories =======

2014-12-24 20:18 - 2014-12-24 20:20 - 0000011 _____ () C:\Program Files (x86)\RealFlight.INI
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\1advcofw.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 2931957 _____ () C:\Program Files\Common Files\31cuk5ac.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 2931957 _____ () C:\Program Files\Common Files\31spbmat.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\3q0lfak1.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\ac0jlcwd.exe
2016-07-21 13:06 - 2016-07-21 13:06 - 2919652 _____ () C:\Program Files\Common Files\allvqnq4.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\b0u551ie.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\cnzdeinj.exe
2016-07-17 20:08 - 2016-07-17 20:08 - 2937401 _____ () C:\Program Files\Common Files\f5c13ioa.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\ga3h5ttn.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\gjbbi3ey.exe
2016-07-20 20:26 - 2016-07-20 20:26 - 2929852 _____ () C:\Program Files\Common Files\gqmt4jwd.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 2931957 _____ () C:\Program Files\Common Files\hth3jn3l.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\iqzepgsk.exe
2016-07-21 13:24 - 2016-07-21 13:24 - 2927263 _____ () C:\Program Files\Common Files\iyhhuvgj.exe
2016-07-20 16:56 - 2016-07-20 16:56 - 2916601 _____ () C:\Program Files\Common Files\l3gmtoyj.exe
2016-07-20 20:06 - 2016-07-20 20:06 - 2917546 _____ () C:\Program Files\Common Files\lxfo2pzf.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\lywxswhm.exe
2016-07-20 17:14 - 2016-07-20 17:14 - 2913768 _____ () C:\Program Files\Common Files\m32tbm1r.exe
2016-07-20 17:02 - 2016-07-20 17:02 - 2916601 _____ () C:\Program Files\Common Files\m3h0t5dd.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\mdlmtgbl.exe
2016-07-19 11:08 - 2016-07-19 11:08 - 2936366 _____ () C:\Program Files\Common Files\nnul2eip.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 2931957 _____ () C:\Program Files\Common Files\nqpmuq2v.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\pdjy21ch.exe
2016-07-19 11:08 - 2016-07-19 11:08 - 2936366 _____ () C:\Program Files\Common Files\px4gekgu.exe
2016-07-19 11:46 - 2016-07-19 11:46 - 2921548 _____ () C:\Program Files\Common Files\qomcx3fe.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 2931957 _____ () C:\Program Files\Common Files\s3l00dkj.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 2931957 _____ () C:\Program Files\Common Files\tqbfifva.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\ucr2xksq.exe
2016-07-21 12:02 - 2016-07-21 12:02 - 2931957 _____ () C:\Program Files\Common Files\wkztugsb.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\x4hkefsa.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\xiihwhfk.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 2935133 _____ () C:\Program Files\Common Files\xlve4xvz.exe
2016-07-17 20:26 - 2016-07-17 20:26 - 2926389 _____ () C:\Program Files\Common Files\yndczsgd.exe
2014-12-01 17:42 - 2014-12-01 17:42 - 0000225 _____ () C:\Users\Customer1\AppData\Roaming\10-sub-pixel-rgb.conf
2016-01-13 17:48 - 2016-01-13 17:48 - 0001157 _____ () C:\Users\Customer1\AppData\Roaming\20-unhint-small-vera.conf
2016-01-13 17:48 - 2016-01-13 17:48 - 0000672 _____ () C:\Users\Customer1\AppData\Roaming\69-unifont.conf
2002-11-03 20:00 - 2002-11-03 20:00 - 0002367 _____ () C:\Users\Customer1\AppData\Roaming\Aeroplane.BcT
2015-05-19 21:28 - 2015-05-19 21:28 - 0004689 _____ () C:\Users\Customer1\AppData\Roaming\alert_2.png
2016-07-21 12:06 - 2016-07-21 11:45 - 0936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\aLIGCRXRWWdbcRMbgRaKe.cmd
2016-05-15 18:33 - 2016-05-15 18:33 - 0077824 _____ (IDT, Inc.) C:\Users\Customer1\AppData\Roaming\AnimGif.dll
2015-07-04 18:18 - 2015-07-04 18:18 - 0004205 _____ () C:\Users\Customer1\AppData\Roaming\back.png
2013-10-01 22:55 - 2013-10-01 22:55 - 0003177 _____ () C:\Users\Customer1\AppData\Roaming\barcode.fo
2014-05-08 00:05 - 2014-05-08 00:05 - 0000524 _____ () C:\Users\Customer1\AppData\Roaming\BCY green 4.ADO
2013-10-01 22:54 - 2013-10-01 22:54 - 0000513 _____ () C:\Users\Customer1\AppData\Roaming\Belize
2016-07-20 17:49 - 2016-07-19 22:43 - 0936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\BgdeYfGFPXRhZiHZbGYVL.cmd
2013-10-01 22:56 - 2013-10-01 22:56 - 0003426 _____ () C:\Users\Customer1\AppData\Roaming\BinaryRank.mm
2016-02-12 19:30 - 2016-02-12 19:30 - 0025600 _____ () C:\Users\Customer1\AppData\Roaming\bucker.dll
2001-03-19 20:00 - 2001-03-19 20:00 - 0046125 _____ () C:\Users\Customer1\AppData\Roaming\Bulletin.Gvg
2016-07-19 12:53 - 2016-07-19 02:29 - 0533520 ___SH () C:\Users\Customer1\AppData\Roaming\cAWSZFFKZUZT
2016-02-13 13:41 - 2016-02-13 13:41 - 0049832 _____ () C:\Users\Customer1\AppData\Roaming\Ceramics - Satin Black.3PP
2016-02-19 16:18 - 2016-02-19 16:18 - 0049740 _____ () C:\Users\Customer1\AppData\Roaming\column.count.front.xml
1992-01-05 20:00 - 1992-01-05 20:00 - 0001525 _____ () C:\Users\Customer1\AppData\Roaming\CoteDreck.s
2006-09-25 19:00 - 2006-09-25 19:00 - 0049859 _____ () C:\Users\Customer1\AppData\Roaming\Crucible.Y
2016-06-06 20:54 - 2016-06-06 20:54 - 0022528 _____ () C:\Users\Customer1\AppData\Roaming\Crypto.dll
2013-10-01 22:56 - 2013-10-01 22:56 - 0000998 _____ () C:\Users\Customer1\AppData\Roaming\css.stylesheet.xml
2013-10-01 22:54 - 2013-10-01 22:54 - 0002288 _____ () C:\Users\Customer1\AppData\Roaming\CST6CDT
2016-07-19 12:53 - 2016-07-19 02:29 - 0036363 ___SH () C:\Users\Customer1\AppData\Roaming\cUPNebdgPiZQWUISfXT
2013-10-01 22:55 - 2013-10-01 22:55 - 0002625 _____ () C:\Users\Customer1\AppData\Roaming\data.vec
2013-10-13 12:01 - 2015-09-27 15:04 - 0000234 _____ () C:\Users\Customer1\AppData\Roaming\default.rss
2013-10-01 22:56 - 2013-10-01 22:56 - 0001477 _____ () C:\Users\Customer1\AppData\Roaming\default.units.xml
2015-05-19 21:28 - 2015-05-19 21:28 - 0001387 _____ () C:\Users\Customer1\AppData\Roaming\dell_certfile.cer
2010-10-14 16:38 - 2010-10-14 16:38 - 0000033 _____ () C:\Users\Customer1\AppData\Roaming\description.txt
1989-06-07 19:00 - 1989-06-07 19:00 - 0049831 _____ () C:\Users\Customer1\AppData\Roaming\Deutzia.r
2015-05-19 21:28 - 2015-05-19 21:28 - 0000410 _____ () C:\Users\Customer1\AppData\Roaming\diagnostics_na.png
2014-05-08 00:05 - 2014-05-08 00:05 - 0002096 _____ () C:\Users\Customer1\AppData\Roaming\Display Camera Maker.jsx
2015-05-19 21:28 - 2015-05-19 21:28 - 0000212 _____ () C:\Users\Customer1\AppData\Roaming\down.png
2016-05-17 22:46 - 2016-05-17 22:46 - 0054272 _____ () C:\Users\Customer1\AppData\Roaming\DumpLog.dll
2013-06-16 19:00 - 2013-06-16 19:00 - 0049875 _____ () C:\Users\Customer1\AppData\Roaming\Earbash.hAS
2016-07-20 17:49 - 2016-07-19 22:43 - 0036363 ___SH () C:\Users\Customer1\AppData\Roaming\eLLCQifYKHTXBbYDDQD
1994-07-16 19:00 - 1994-07-16 19:00 - 0049910 _____ () C:\Users\Customer1\AppData\Roaming\Escudo.b
2013-10-01 22:55 - 2013-10-01 22:55 - 0004699 _____ () C:\Users\Customer1\AppData\Roaming\ExampleFO2PDFUsingSAXParser.java
2015-05-19 21:28 - 2015-05-19 21:28 - 0001404 _____ () C:\Users\Customer1\AppData\Roaming\exit.png
2013-10-01 22:55 - 2013-10-01 22:55 - 0000071 _____ () C:\Users\Customer1\AppData\Roaming\external-link.gif
2014-05-08 01:44 - 2014-05-08 01:44 - 0001464 _____ () C:\Users\Customer1\AppData\Roaming\f4.png
2015-05-19 21:28 - 2015-05-19 21:28 - 0003722 _____ () C:\Users\Customer1\AppData\Roaming\faqs_icon.png
2013-06-10 19:00 - 2013-06-10 19:00 - 0001799 _____ () C:\Users\Customer1\AppData\Roaming\FishgigShrink.p
2016-02-24 14:38 - 2016-02-24 14:38 - 0049708 _____ () C:\Users\Customer1\AppData\Roaming\Godthab
2014-05-08 00:05 - 2014-05-08 00:05 - 0000524 _____ () C:\Users\Customer1\AppData\Roaming\green 349 bl 1.ADO
2016-07-21 12:06 - 2016-07-21 11:45 - 0533520 ___SH () C:\Users\Customer1\AppData\Roaming\gURgIIdCafiA
2009-06-10 16:36 - 2009-06-10 16:36 - 0000518 _____ () C:\Users\Customer1\AppData\Roaming\handler.reg
2016-02-19 16:18 - 2016-02-19 16:18 - 0002123 _____ () C:\Users\Customer1\AppData\Roaming\IncorrigibleCreamCampodeid
2016-02-24 14:38 - 2016-02-24 14:38 - 0002278 _____ () C:\Users\Customer1\AppData\Roaming\IncreaseSayso
2014-08-01 07:49 - 2014-08-01 07:49 - 0000392 _____ () C:\Users\Customer1\AppData\Roaming\index.html
2013-10-01 22:55 - 2013-10-01 22:55 - 0000057 _____ () C:\Users\Customer1\AppData\Roaming\inherit.gif
2013-10-01 22:56 - 2013-10-01 22:56 - 0001192 _____ () C:\Users\Customer1\AppData\Roaming\itemizedlist.label.properties.xml
2016-07-20 17:49 - 2016-07-19 22:43 - 0533520 ___SH () C:\Users\Customer1\AppData\Roaming\JMUfLdCJbBFY
2014-05-08 00:05 - 2014-05-08 00:05 - 0001142 _____ () C:\Users\Customer1\AppData\Roaming\JPEG High.irs
2002-09-15 19:00 - 2002-09-15 19:00 - 0049696 _____ () C:\Users\Customer1\AppData\Roaming\Kolinsky.v
1986-02-04 20:00 - 1986-02-04 20:00 - 0001905 _____ () C:\Users\Customer1\AppData\Roaming\LarynxHunky.V
2016-02-19 16:18 - 2016-02-19 16:18 - 0064673 _____ () C:\Users\Customer1\AppData\Roaming\LightBlueRectangle.PNG
2013-10-01 22:56 - 2013-10-01 22:56 - 0001419 _____ () C:\Users\Customer1\AppData\Roaming\list.block.spacing.xml
2015-05-19 21:28 - 2015-05-19 21:28 - 0000904 _____ () C:\Users\Customer1\AppData\Roaming\log4netcfg.xml
2016-02-13 13:41 - 2016-02-13 13:41 - 0001522 _____ () C:\Users\Customer1\AppData\Roaming\LunetteUkiyoeAboutfacePamphlet
2013-10-01 22:54 - 2013-10-01 22:54 - 0001568 _____ () C:\Users\Customer1\AppData\Roaming\Luxembourg
1993-11-02 20:00 - 1993-11-02 20:00 - 0002252 _____ () C:\Users\Customer1\AppData\Roaming\Maisonnette.b
2013-10-01 22:56 - 2013-10-01 22:56 - 0002817 _____ () C:\Users\Customer1\AppData\Roaming\make.index.markup.xml
2013-10-01 22:54 - 2013-10-01 22:54 - 0001440 _____ () C:\Users\Customer1\AppData\Roaming\Malta
2013-10-01 22:54 - 2013-10-01 22:54 - 0002991 _____ () C:\Users\Customer1\AppData\Roaming\messages_pt_BR.properties
2013-10-01 22:54 - 2013-10-01 22:54 - 0000447 _____ () C:\Users\Customer1\AppData\Roaming\meta-index
2013-10-01 22:56 - 2013-10-01 22:56 - 0001176 _____ () C:\Users\Customer1\AppData\Roaming\monospace.verbatim.properties.xml
2013-10-01 22:54 - 2013-10-01 22:54 - 0000581 _____ () C:\Users\Customer1\AppData\Roaming\Novokuznetsk
2015-05-19 21:28 - 2015-05-19 21:28 - 0001881 _____ () C:\Users\Customer1\AppData\Roaming\no_usb_dongle.png
2016-05-17 22:46 - 2016-05-17 22:46 - 0028160 _____ () C:\Users\Customer1\AppData\Roaming\NsResize.dll
2016-02-13 13:45 - 2016-02-13 13:45 - 0001433 _____ () C:\Users\Customer1\AppData\Roaming\OchlophobiaTherapsid
2016-03-04 06:09 - 2016-03-04 06:09 - 0002022 _____ () C:\Users\Customer1\AppData\Roaming\OmophagiaVespiary
2016-06-13 16:03 - 2016-06-13 16:03 - 0017920 _____ (Dell Inc.) C:\Users\Customer1\AppData\Roaming\OpenCandy.dll
2014-05-08 01:44 - 2014-05-08 01:44 - 0000095 _____ () C:\Users\Customer1\AppData\Roaming\package-description.txt
2014-05-08 01:44 - 2014-05-08 01:44 - 0002511 _____ () C:\Users\Customer1\AppData\Roaming\palm_alpha_0.png
2016-02-19 16:18 - 2016-02-19 16:18 - 0001654 _____ () C:\Users\Customer1\AppData\Roaming\PentarchBourguignon
2013-10-01 22:56 - 2013-10-01 22:56 - 0001654 _____ () C:\Users\Customer1\AppData\Roaming\PriorityQueue.tst
2016-07-21 12:06 - 2015-12-28 10:02 - 0524288 ___SH (Simon Tatham) C:\Users\Customer1\AppData\Roaming\putty.exe
2016-07-18 17:36 - 2016-07-18 18:31 - 0036363 ___SH () C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcS
2016-07-18 17:36 - 2016-07-18 18:31 - 0936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcSAU.cmd
2015-03-12 03:37 - 2015-03-12 03:37 - 0001102 _____ () C:\Users\Customer1\AppData\Roaming\race.js
2014-02-13 20:00 - 2014-02-13 20:00 - 0002244 _____ () C:\Users\Customer1\AppData\Roaming\RageeEuphroe.N6k
2013-10-01 22:54 - 2013-10-01 22:54 - 0000377 _____ () C:\Users\Customer1\AppData\Roaming\Recife
2002-02-12 20:00 - 2002-02-12 20:00 - 0049687 _____ () C:\Users\Customer1\AppData\Roaming\Rhamphotheca.Fcf
2014-05-08 01:44 - 2014-05-08 01:44 - 0001492 _____ () C:\Users\Customer1\AppData\Roaming\s18.png
2012-02-22 16:54 - 2012-02-22 16:54 - 0002596 _____ () C:\Users\Customer1\AppData\Roaming\SampleUnmanagedApp5.cpp
2014-01-19 20:00 - 2014-01-19 20:00 - 0049750 _____ () C:\Users\Customer1\AppData\Roaming\Scruple.Ld6
2016-02-13 03:52 - 2016-02-13 03:52 - 0036864 _____ (Dell Inc.) C:\Users\Customer1\AppData\Roaming\scrutators.dll
2015-05-19 21:28 - 2015-05-19 21:28 - 0004421 _____ () C:\Users\Customer1\AppData\Roaming\sensor_generic.png
2013-10-01 22:56 - 2013-10-01 22:56 - 0002008 _____ () C:\Users\Customer1\AppData\Roaming\side.float.properties.xml
2016-02-13 13:45 - 2016-02-13 13:45 - 0308290 _____ () C:\Users\Customer1\AppData\Roaming\slide.font.family.xml
1994-05-16 19:00 - 1994-05-16 19:00 - 0054970 _____ () C:\Users\Customer1\AppData\Roaming\Splotch.V
2015-05-19 21:28 - 2015-05-19 21:28 - 0000382 _____ () C:\Users\Customer1\AppData\Roaming\static.xml
1989-10-22 19:00 - 1989-10-22 19:00 - 0049764 _____ () C:\Users\Customer1\AppData\Roaming\Stick.e
2009-05-23 19:00 - 2009-05-23 19:00 - 0001848 _____ () C:\Users\Customer1\AppData\Roaming\StoatEild.r
1998-04-30 19:00 - 1998-04-30 19:00 - 0001993 _____ () C:\Users\Customer1\AppData\Roaming\StretchQuassia.E
2016-03-04 06:09 - 2016-03-04 06:09 - 0049737 _____ () C:\Users\Customer1\AppData\Roaming\suggested.png
2014-10-07 00:39 - 2014-10-07 00:39 - 0011264 _____ () C:\Users\Customer1\AppData\Roaming\System.dll
2013-10-01 22:56 - 2013-10-01 22:56 - 0001279 _____ () C:\Users\Customer1\AppData\Roaming\table.properties.xml
2015-05-19 21:14 - 2015-05-19 21:14 - 0000755 _____ () C:\Users\Customer1\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_tr.p5p
2015-05-19 21:14 - 2015-05-19 21:14 - 0000570 _____ () C:\Users\Customer1\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_zh-cn.p5p
2015-05-19 21:14 - 2015-05-19 21:14 - 0000090 _____ () C:\Users\Customer1\AppData\Roaming\tweakChkDsk_es.p5p
2013-10-01 22:54 - 2013-10-01 22:54 - 0001592 _____ () C:\Users\Customer1\AppData\Roaming\Vancouver
2016-07-21 12:06 - 2016-07-21 11:45 - 0036337 ___SH () C:\Users\Customer1\AppData\Roaming\VaZNdVNBRFfREKdFIcF
1998-03-14 20:00 - 1998-03-14 20:00 - 0002105 _____ () C:\Users\Customer1\AppData\Roaming\Vermicide.W
2015-05-19 21:28 - 2015-05-19 21:28 - 0002620 _____ () C:\Users\Customer1\AppData\Roaming\windows_system_restore.png
2013-10-01 22:59 - 2013-10-01 22:59 - 0003364 _____ () C:\Users\Customer1\AppData\Roaming\xml-apis-ext.LICENSE.dom-software.txt
2016-07-18 17:36 - 2016-07-18 18:31 - 0533520 ___SH () C:\Users\Customer1\AppData\Roaming\YONCbdWAdRhT
2012-10-18 19:00 - 2012-10-18 19:00 - 0005080 _____ () C:\Users\Customer1\AppData\Roaming\Zirconia.k
2014-06-07 21:20 - 2014-06-07 21:17 - 5310224 _____ (PC Cleaners) C:\ProgramData\pclunst.exe

Files to move or delete:
====================
C:\ProgramData\pclunst.exe

Some files in TEMP:
====================
C:\Users\Customer1\AppData\Local\Temp\7aaeei7u1g3g17_1.exe
C:\Users\Customer1\AppData\Local\Temp\7kam5qmw77_1.exe
C:\Users\Customer1\AppData\Local\Temp\ads.exe
C:\Users\Customer1\AppData\Local\Temp\appstart.exe
C:\Users\Customer1\AppData\Local\Temp\CodecFixDivx.exe
C:\Users\Customer1\AppData\Local\Temp\dxdiag.exe
C:\Users\Customer1\AppData\Local\Temp\frag.exe
C:\Users\Customer1\AppData\Local\Temp\k57w5om371iu5.exe
C:\Users\Customer1\AppData\Local\Temp\MediaPlayer__11426.exe
C:\Users\Customer1\AppData\Local\Temp\musq1mcimc.exe
C:\Users\Customer1\AppData\Local\Temp\nvcuda.exe
C:\Users\Customer1\AppData\Local\Temp\Online.IO-installer.exe
C:\Users\Customer1\AppData\Local\Temp\oyuw9ayegwm3wy.exe
C:\Users\Customer1\AppData\Local\Temp\u75w91aqa339ug_1.exe
C:\Users\Customer1\AppData\Local\Temp\weee5qok.exe
C:\Users\Customer1\AppData\Local\Temp\y33we15e75iq93.exe
C:\Users\Customer1\AppData\Local\Temp\yickmm1wuwu.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-07-22 12:28

==================== End of FRST.txt ============================


#2 Aura
Bleepin' Special Ops | Malware Response Team | 19,485 posts

Posted 22 July 2016 - 01:17 PM

Hi leo009 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted to make sure that you receive the best assistance possible. Sorry for the inconvenience. This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan.

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, PayPal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Now you have two options: either a "nuke and pave", which is a clean reinstall of Windows, or we can go forward with the clean-up. I'll assist you no matter what decision you take :)

Edited by Aura, 22 July 2016 - 01:19 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 leo009 (Topic Starter)
Members | 58 posts

Posted 23 July 2016 - 01:29 PM

Hello Yoan, I would like to go with the clean-up, thanks.



#4 Aura
Bleepin' Special Ops | Malware Response Team | 19,485 posts

Posted 24 July 2016 - 09:18 AM

Alright :) I won't lie to you, your system is heavily infected so in order to clean it up as efficiently as possible, I'll ask you to follow my instructions to the letter, without skipping any steps, alright?
 
P2P Program Warning!
Going over your logs I noticed that you have µTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.
 
Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • My Program version 1.5
  • ProxyGate version 3.0.0.1163
  • SnapDo
If you have an issue when uninstalling a program, please let me know.
 
Now we'll run a first fix using FRST, but I suspect that we'll have to run more since there's a lot of things to clean up. We'll follow up with a sweep using JRT, AdwCleaner and Malwarebytes.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    CreateRestorePoint:
    
    HKLM\...\Run: [gplyra] => C:\Users\Customer1\AppData\Roaming\gplyra\gplyra.exe [1400320 2016-06-10] ()
    HKLM-x32\...\Run: [Ipksoft] => C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\Ipksoft\apsdl64.exe [112377 2016-06-15] ()
    HKLM-x32\...\Run: [YkPack] => regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\YkPack\RoverMapClock90.dll <===== ATTENTION
    HKLM-x32\...\Run: [Ufmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ipksoft\AaShell16.dll
    HKLM\...\RunOnce: [Java Update Controller] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
    HKLM-x32\...\RunOnce: [Java Update Controller] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [Ipksoft] => C:\Users\Customer1\AppData\Local\Ipksoft\7197.exe [0 2016-07-17] ()
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [Ufmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ipksoft\AaShell16.dll
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [YkPack] => regsvr32.exe C:\WINDOWS\system32\config\systemprofile\AppData\Local\YkPack\RoverMapClock90.dll <===== ATTENTION
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [ProxyGate] => C:\Users\Customer1\AppData\Roaming\ProxyGate\MainService.exe
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Run: [Java Update Controller] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\RunOnce: [b612084a] => C:\ProgramData\Java Update Controller\7kam5qmw77.exe [596992 2016-07-22] ()
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Policies\Explorer: [NoInstrumentation] 1
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\...\MountPoints2: {8c6423fc-7ee8-11e3-be86-d43d7ebced8d} - "E:\setup.exe"
    AppInit_DLLs: C:\ProgramData\Airtostrong\Truelex.dll => No File
    AppInit_DLLs-x32: C:\ProgramData\Airtostrong\SilverSololab.dll => No File
    IFEO\MRT.exe: [Debugger] cddzxllhmiw.exe
    IFEO\mrtstub.exe: [Debugger] ndbppoiwsuj.exe
    IFEO\rstrui.exe: [Debugger] mlrhkdrlclh.exe
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
    Startup: C:\Users\Customer1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2016-07-21]
    ShortcutTarget: Dropbox.lnk ->  (No File)
    GroupPolicyScripts: Restriction <======= ATTENTION
    GroupPolicyScripts\User: Restriction <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXjxx2YAbMnESB7-vlrn1PjGz9ICL2vzM_ih-VxTLV92LIyjEVYZu2s349iNYOpqRFHoY1zi-R87GN2lgbW-okrUy7WvMHA,
    HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
    SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
    SearchScopes: HKU\S-1-5-21-4058035717-616954772-1676694511-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_BzVc49EzkVQF7WROkpMz2sZAqJN-vAthYcWqjHibw1Z86WKTm2VP528x8sfqPFUwZIO8CJCiMww48TXSFrP-4YIx20Wf3szQDc6JFI4sT4gcsj2GKyNuo00GPoKvfMCuQgF4TZwICAheASP5dofeIReAW1Fq_JW8G9V2AkFOAWNk,&q={searchTerms}
    BHO: AllSaover -> {02b3c8ea-677c-44f8-8348-333f2839ec51} -> C:\ProgramData\AllSaover\YbH4yYsyhDEYud.x64.dll => No File
    BHO: No Name -> {2ce0ed48-9204-4dda-b303-d05517c70521} -> No File
    BHO: No Name -> {6204b53d-873f-4f87-a115-bfe5eb4394e5} -> No File
    BHO: No Name -> {dd0cba33-7a8a-4a8d-857d-7e8a5d56a7d6} -> No File
    BHO: No Name -> {e93ed9c5-f4d5-4fb8-bd14-56035800d183} -> No File
    BHO-x32: No Name -> {2ce0ed48-9204-4dda-b303-d05517c70521} -> No File
    BHO-x32: No Name -> {6204b53d-873f-4f87-a115-bfe5eb4394e5} -> No File
    
    CHR HKLM-x32\...\Chrome\Extension: [fcgnigmofekcllgbiejhmigggmgehkip] - hxxps://clients2.google.com/service/update2/crx
    
    S2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe [0 2016-07-20] () <==== ATTENTION (zero byte File/Folder)
    S2 backlh; C:\ProgramData\Logic Handler\set.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)
    R2 BitTorrent; C:\Program Files\BitTorrent\BitTorrent.exe [383488 2016-06-15] () [File not signed] <==== ATTENTION
    S2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)
    S2 Ronzap; C:\ProgramData\\Ronzap\\Ronzap.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)
    S2 xifs; C:\ProgramData\\xifs\\xifs.exe [0 2016-07-17] () <==== ATTENTION (zero byte File/Folder)
    
    Task: {151AC8B5-3211-4DF6-8972-598903F638EC} - System32\Tasks\ex32bk3z => C:\Program Files\Common Files\a22c5bdy\98da6zk4yhoke.exe <==== ATTENTION
    Task: {21001E1B-17C0-43A4-ABD7-187F37BDC066} - System32\Tasks\b0grw2rz => C:\Program Files\Common Files\4gwajam3\01a9bnfy4gcn0.exe <==== ATTENTION
    Task: {275563E8-7D92-4974-B04B-550CFFFC5E0B} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\WatTask => C:\Windows Activation Technologies\wat.exe
    Task: {366EA0CB-3D96-444E-A106-274A13FFA987} - System32\Tasks\byztoj0a => C:\Program Files\Common Files\hc3fq403\fa028laqpm3ek.exe [2016-07-16] () <==== ATTENTION
    Task: {3C3A80C3-D7F2-43CC-ABD5-F0B1A26FA552} - System32\Tasks\oheupk0q => C:\Program Files\Common Files\f1vmwudl\2ba3145qiwpjy.exe <==== ATTENTION
    Task: {5190905E-E66E-4507-98F6-351AA7B77079} - System32\Tasks\sjczxijc => C:\Program Files\Common Files\2xgdmfnr\62a06kplfqrsy.exe [2016-07-13] () <==== ATTENTION
    Task: {52153555-0BFE-4CF5-B06D-60315D31F87B} - System32\Tasks\{ABCBDC22-AF9C-4CD5-9A1F-39DD7844373B} => pcalua.exe -a E:\Autorun.exe -d E:\
    Task: {7165CDB1-7187-4068-B931-30F77EB6E1E6} - System32\Tasks\{1069B6A8-C9A4-4B85-AAEA-8B15E5446083} => pcalua.exe -a D:\RCAPlay.exe -d D:\ -c RealFlightAOV1~RealFlight~RealFlight Add-ons, Volume 2
    Task: {716FE40A-8C45-4BBE-8E3E-3E7CFF2DD257} - System32\Tasks\mrwqwt34 => C:\Program Files\Common Files\bfius4x1\bf3aaraufatgc.exe <==== ATTENTION
    Task: {72DD5B11-71B8-423D-A5C8-30F7619AAD14} - System32\Tasks\prouuct => C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ontotax <==== ATTENTION
    Task: {7543CE87-67B6-4308-9F01-7060B2CE1BB8} - System32\Tasks\g3wixho5 => C:\Program Files\Common Files\tykxu0bm\021370svrwl5u.exe <==== ATTENTION
    Task: {75EED9CB-7BBE-49F8-B4E6-A4DECE4916EC} - System32\Tasks\SystemSoundsService => C:\Users\CUSTOM~1\AppData\Local\Temp\nsisvc.exe <==== ATTENTION
    Task: {79E395A4-49CB-4738-BD42-7D44C054ECA8} - System32\Tasks\{0CC4B521-ED2F-445F-A99A-C8AF57FA0675} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Apex\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Apex\uninstall.dat" -a uninstallme 677ED751-C29E-44E5-8D20-BAA3E91BBDC9 DeviceId=db7002f9-1b62-3ab0-04cb-6688fdab3933 BarcodeId=50027003 ChannelId=3 DistributerName=APSnapdoAMRev
    Task: {8908CEE9-2A24-4E64-ABE4-77B7D56B556B} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe
    Task: {9082C5B3-8251-4C20-987B-6FFB3991196C} - System32\Tasks\222djcpz => C:\Program Files\Common Files\wfcj4rps\2091azyde53gb.exe <==== ATTENTION
    Task: {9A01E967-EA15-472B-A733-F16599D3D1C3} - System32\Tasks\t0coqnay => C:\Program Files\Common Files\yhcdpile\81951r1lib3vx.exe [2016-07-17] () <==== ATTENTION
    Task: {A48E5746-19D1-43C2-9570-99BBF8DA6346} - System32\Tasks\1vsni2a0 => C:\Program Files\Common Files\tsc5hkj3\c878dlpphaxmg.exe [2016-07-19] () <==== ATTENTION
    Task: {A4E40685-92DE-43D5-9226-D409416A1914} - System32\Tasks\ifkos2fa => C:\Program Files\Common Files\geegzgch\d7e255vqtmx3r.exe [2016-07-14] () <==== ATTENTION
    Task: {A6E05CE1-3F2A-40AA-A1DE-C6701D9A4664} - System32\Tasks\yzkpeumf => C:\Program Files\Common Files\newzaboa\d5079tniixrym.exe [2016-07-17] () <==== ATTENTION
    Task: {B2566748-5486-43F3-957A-1C33641806F5} - System32\Tasks\ef340mhq => C:\Program Files\Common Files\3jvj5tqy\1f883txwjszxa.exe [2016-07-12] () <==== ATTENTION
    Task: {D3165A9E-57E2-4EB2-82EF-A1C495D179A0} - System32\Tasks\r4hvnjwf => C:\Program Files\Common Files\dlalruym\5cd61gqcygpe1.exe [2016-07-19] () <==== ATTENTION
    Task: {D4BAA4CC-D90D-4D63-94CB-31D10B7DB054} - System32\Tasks\{45078A4C-36F7-4FF2-B6E3-196FBCA7AD72} => pcalua.exe -a D:\setup.EXE -d D:\ -c /autorun
    Task: {D96C1DFE-3AF4-4040-A2FD-B999E63D26EF} - System32\Tasks\r5b5wel0 => C:\Program Files\Common Files\cvzgfvdm\77d0ez3kf4upz.exe <==== ATTENTION
    
    AlternateDataStreams: C:\Users\Customer1:Heroes & Generals [38]
    AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [124]
    
    C:\Program Files\BitTorrent
    2016-07-16 15:15 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Online.IO
    2016-07-21 13:24 - 2016-07-21 13:24 - 02927263 _____ () C:\Program Files\Common Files\iyhhuvgj.exe
    2016-07-21 13:06 - 2016-07-21 13:06 - 02919652 _____ () C:\Program Files\Common Files\allvqnq4.exe
    2016-07-21 12:02 - 2016-07-21 12:02 - 02931957 _____ () C:\Program Files\Common Files\wkztugsb.exe
    2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\tqbfifva.exe
    2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\s3l00dkj.exe
    2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\nqpmuq2v.exe
    2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\hth3jn3l.exe
    2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\31spbmat.exe
    2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\31cuk5ac.exe
    2016-07-20 20:26 - 2016-07-20 20:26 - 02929852 _____ () C:\Program Files\Common Files\gqmt4jwd.exe
    2016-07-20 20:06 - 2016-07-20 20:06 - 02917546 _____ () C:\Program Files\Common Files\lxfo2pzf.exe
    2016-07-20 17:14 - 2016-07-20 17:14 - 02913768 _____ () C:\Program Files\Common Files\m32tbm1r.exe
    2016-07-20 17:02 - 2016-07-20 17:02 - 02916601 _____ () C:\Program Files\Common Files\m3h0t5dd.exe
    2016-07-20 16:56 - 2016-07-20 16:56 - 02916601 _____ () C:\Program Files\Common Files\l3gmtoyj.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\xlve4xvz.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\xiihwhfk.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\x4hkefsa.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ucr2xksq.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\pdjy21ch.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\mdlmtgbl.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\lywxswhm.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\iqzepgsk.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\gjbbi3ey.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ga3h5ttn.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\cnzdeinj.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\b0u551ie.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ac0jlcwd.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\3q0lfak1.exe
    2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\1advcofw.exe
    2016-07-19 11:46 - 2016-07-19 11:46 - 02921548 _____ () C:\Program Files\Common Files\qomcx3fe.exe
    2016-07-19 11:08 - 2016-07-19 11:08 - 02936366 _____ () C:\Program Files\Common Files\px4gekgu.exe
    2016-07-19 11:08 - 2016-07-19 11:08 - 02936366 _____ () C:\Program Files\Common Files\nnul2eip.exe
    2016-07-17 20:26 - 2016-07-17 20:26 - 02926389 _____ () C:\Program Files\Common Files\yndczsgd.exe
    2016-07-17 20:08 - 2016-07-17 20:08 - 02937401 _____ () C:\Program Files\Common Files\f5c13ioa.exe
    2016-07-19 11:06 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\dlalruym
    2016-07-19 11:44 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\tsc5hkj3
    2016-07-17 13:22 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\newzaboa
    2016-07-17 09:14 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\yhcdpile
    2016-07-16 11:27 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\hc3fq403
    2016-07-15 17:12 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\a22c5bdy
    2016-07-14 11:50 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\geegzgch
    2016-07-14 16:54 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\4gwajam3
    2016-07-12 20:24 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\wfcj4rps
    2016-07-13 11:59 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\2xgdmfnr
    2016-06-29 13:35 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\cvzgfvdm
    2016-06-23 16:59 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\f1vmwudl
    2016-07-12 11:40 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\3jvj5tqy
    2016-07-20 15:10 - 2016-06-15 20:04 - 00000000 ____D C:\Program Files\Common Files\bfius4x1
    2016-07-21 13:12 - 2016-06-18 12:51 - 00000000 ____D C:\Program Files\Common Files\tykxu0bm
    2016-07-20 15:10 - 2014-12-25 22:29 - 00000000 ____D C:\ProgramData\8624337292199723864
    2016-07-17 20:26 - 2016-07-21 12:45 - 00000000 ____D C:\ProgramData\Airtostrong
    2016-07-17 20:26 - 2016-07-17 20:26 - 00000000 ____D C:\ProgramData\Airtostrongs
    2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\CloudPrinter
    2016-07-08 12:08 - 2016-07-22 12:34 - 00000000 __SHD C:\ProgramData\Java Update Controller
    2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\Logic Handler
    2016-07-19 11:36 - 2016-07-19 11:36 - 00000000 ____D C:\ProgramData\Microsoft Toolkit
    2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\Ronzap
    2016-07-20 15:10 - 2016-06-15 22:04 - 00000000 ____D C:\ProgramData\xifs
    
    2016-07-21 13:27 - 2016-02-18 16:03 - 00000000 ____D C:\Users\Customer1\AppData\Local\YkPack
    2016-07-21 13:27 - 2015-12-16 19:02 - 00000000 ____D C:\Users\Customer1\AppData\Local\Ipksoft
    2016-07-21 22:53 - 2016-02-18 16:03 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\ProxyGate
    2016-07-18 17:36 - 2016-07-18 18:31 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\YONCbdWAdRhT
    2016-07-18 17:36 - 2016-07-18 18:31 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcS
    2016-07-19 12:53 - 2016-07-19 02:29 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\cAWSZFFKZUZT
    2016-07-19 12:53 - 2016-07-19 02:29 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\cUPNebdgPiZQWUISfXT
    2016-07-20 17:49 - 2016-07-19 22:43 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\JMUfLdCJbBFY
    2016-07-20 17:49 - 2016-07-19 22:43 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\eLLCQifYKHTXBbYDDQD
    2016-07-21 12:06 - 2016-07-21 11:45 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\gURgIIdCafiA
    2016-07-16 15:13 - 2016-07-20 15:29 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\gplyra
    2016-07-21 12:06 - 2016-07-21 11:45 - 00036337 ___SH C:\Users\Customer1\AppData\Roaming\VaZNdVNBRFfREKdFIcF
    2016-07-18 17:36 - 2016-07-18 18:31 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcSAU.cmd
    2016-07-20 17:49 - 2016-07-19 22:43 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\BgdeYfGFPXRhZiHZbGYVL.cmd
    2016-07-21 12:06 - 2016-07-21 11:45 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\aLIGCRXRWWdbcRMbgRaKe.cmd
    2016-07-21 12:06 - 2015-12-28 10:02 - 00524288 ___SH (Simon Tatham) C:\Users\Customer1\AppData\Roaming\putty.exe
    2016-07-20 15:32 - 2016-07-20 15:34 - 00000000 ____D C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware v2.1.8.1057 + Serial
    2016-07-20 15:27 - 2016-07-20 15:27 - 00000000 ____D C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware Premium 2.1.8.1057 + KeyGen
    2016-07-19 11:35 - 2016-07-17 14:55 - 00000000 ____D C:\Users\Customer1\Downloads\Microsoft Toolkit
    
    C:\WINDOWS\AutoKMS
    C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ipksoft
    C:\WINDOWS\system32\config\systemprofile\AppData\Local\YkPack
    C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ontotax
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Your decision concerning uTorrent;
  • Confirmation that you uninstalled the malicious programs listed above (if not, which ones couldn't you uninstall);
  • Copy/pasted content of the FRST fixlog;
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
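A triage script for lines in FRST's format, like the fixlist posted above. It is an added example, not part of the thread and not FRST's own code: it buckets each entry by persistence mechanism (Run keys, IFEO Debugger values, services, scheduled tasks, policy restrictions), keeps the ATTENTION flag, and percent-decodes the hostnames the Internet Explorer search entries were pointed at so the hijacking domain is readable. The sample input is a constructed handful of lines copied from that fixlist, with the long p= payload shortened.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) fixlist / log lines.

Added example for this thread; not FRST's own code and not posted by the helper.
It groups FRST-style entries by persistence or hijack mechanism, records the
ATTENTION flag, and percent-decodes the obfuscated hostnames that the Internet
Explorer search entries point at.
"""
import re
from urllib.parse import unquote

# Constructed sample input: lines copied from the fixlist in the thread, in
# FRST's own format. The long "?p=" payload is shortened to keep the sample
# readable; everything else is as FRST reported it.
SAMPLE_LINES = [
    r"CloseProcesses:",
    r"HKLM\...\Run: [gplyra] => C:\Users\Customer1\AppData\Roaming\gplyra\gplyra.exe [1400320 2016-06-10] ()",
    r"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION",
    r"IFEO\MRT.exe: [Debugger] cddzxllhmiw.exe",
    r"IFEO\rstrui.exe: [Debugger] mlrhkdrlclh.exe",
    r"HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = "
    r"hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz...&q={searchTerms}",
    r"S2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe [0 2016-07-20] () <==== ATTENTION (zero byte File/Folder)",
    r"Task: {151AC8B5-3211-4DF6-8972-598903F638EC} - System32\Tasks\ex32bk3z => C:\Program Files\Common Files\a22c5bdy\98da6zk4yhoke.exe <==== ATTENTION",
]

# (category, pattern); the first pattern that matches decides the category.
RULES = [
    ("ifeo_debugger_hijack",
     re.compile(r"^IFEO\\(?P<target>[^:]+): \[Debugger\] (?P<debugger>\S+)")),
    ("ie_search_hijack",
     re.compile(r"Internet Explorer\\Main,(?P<setting>[^=]+?) = (?P<url>\S+)")),
    ("search_scope", re.compile(r"^SearchScopes: .* URL = (?P<url>\S+)")),
    ("autorun_registry",
     re.compile(r"\\(?:Run|RunOnce): \[(?P<name>[^\]]+)\] => (?P<path>.+?)(?: \[| <=|$)")),
    ("appinit_dll", re.compile(r"^AppInit_DLLs(?:-x32)?: (?P<path>\S+)")),
    ("policy_restriction",
     re.compile(r"^HKLM\\Software\\Policies|Policies\\Explorer: \[|^GroupPolicyScripts|Policies\\Google: Restriction")),
    ("service", re.compile(r"^[RS]\d+ (?P<name>[^;]+); (?P<path>.+?) \[")),
    ("scheduled_task",
     re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(?P<name>.+?) => (?P<path>.+?)(?: \[| <=|$)")),
    ("bho", re.compile(r"^BHO(?:-x32)?: (?P<name>.+?) -> \{")),
]

HOST_RE = re.compile(r"^[A-Za-z]+://([^/?#]+)")


def decode_host(url):
    """Percent-decode the hostname of a URL (FRST's defanged hxxp is fine).

    The hijacker writes the domain as %66%65%65%64... so that a glance at the
    registry value does not reveal where searches are being sent.
    """
    m = HOST_RE.match(url)
    return unquote(m.group(1)).lower() if m else ""


def classify(line):
    """Return a finding dict for one FRST line, or None for directives/blank lines."""
    line = line.strip()
    if not line or (line.endswith(":") and " " not in line):
        return None                      # e.g. CloseProcesses: / EmptyTemp:
    finding = {"line": line, "flagged": "ATTENTION" in line}
    for category, pattern in RULES:
        m = pattern.search(line)
        if m is None:
            continue
        finding["category"] = category
        finding.update({k: v for k, v in m.groupdict().items() if v is not None})
        if category == "service":
            # FRST prints "[0 <date>]" and "zero byte" when the binary has been
            # emptied: the service entry is leftover persistence, not a live EXE.
            finding["zero_byte"] = "zero byte" in line
        if category in ("ie_search_hijack", "search_scope"):
            finding["host"] = decode_host(finding["url"])
        return finding
    finding["category"] = "other"        # bare paths, file-listing lines, ...
    return finding


def triage(lines):
    """Classify every line; return (findings, {category: count})."""
    findings = [f for f in map(classify, lines) if f is not None]
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return findings, counts


def ifeo_hijacked_tools(findings):
    """Executables redirected through an IFEO Debugger value, sorted.

    Windows launches the 'Debugger' program instead of the target, so entries
    for MRT.exe (Malicious Software Removal Tool), mrtstub.exe and rstrui.exe
    (System Restore) mean the built-in clean-up tools have been neutered.
    """
    return sorted(f["target"] for f in findings if f["category"] == "ifeo_debugger_hijack")


if __name__ == "__main__":
    results, summary = triage(SAMPLE_LINES)
    for f in results:
        extra = f.get("host") or f.get("debugger") or f.get("path") or ""
        print(f"{'!' if f['flagged'] else ' '} {f['category']:<22} {extra}")
    print(summary)
    print("IFEO-hijacked tools:", ifeo_hijacked_tools(results))
```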


#5 leo009

Posted 24 July 2016 - 11:00 AM

When I try to uninstall SnapDo, it acts as if it's loading, but it doesn't do anything; the program stays there.



#6 Aura
Malware Response Team

Posted 24 July 2016 - 11:03 AM

In that case you can leave it be, we'll address it later. Follow the next set of instructions and continue from there.



#7 leo009

Posted 24 July 2016 - 11:09 AM

Hi Yoan, when I created the fixlist.txt, I then ran FRST. When it opened, suddenly the computer sent me a message that read: PC ran into an error and needs to restart. When it restarted, my fixlist.txt wasn't on my desktop anymore.
 



#8 Aura

Posted 24 July 2016 - 11:12 AM

Do you have a file called fixlog.txt instead on your desktop?

And did the crash occur as soon as you pressed the "Fix" button?



#9 leo009

Posted 24 July 2016 - 11:15 AM

Oh sorry, the fixlist is still there, only in between other programs so I couldn't see it. But no, I did not even have time to press the Fix button; it read that right when I opened FRST.

should I try again?


Edited by leo009, 24 July 2016 - 11:15 AM.


#10 Aura

Posted 24 July 2016 - 11:17 AM

Please do and if it gives you another BSOD, let me know.



#11 leo009

Posted 24 July 2016 - 11:20 AM

OK, so now when I run FRST as administrator it says that the file or directory is corrupted and unreadable.



#12 Aura

Posted 24 July 2016 - 11:23 AM

In that case, please delete the current FRST64.exe file you downloaded, and download a new copy from here.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (this link will trigger the download automatically)



#13 leo009

Posted 24 July 2016 - 07:40 PM

Hello, Yoan. I have done everything you told me to. I decided to uninstall uTorrent. I also uninstalled the other 3 malicious programs. Remember I couldn't uninstall SnapDo? Last time I checked it wasn't in my programs anymore, so that went pretty well. Here are the logs you asked for.

 

FRST

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 24-07-2016
Ran by Top Gamers (2016-07-24 12:43:58) Run:1
Running from C:\Users\Customer1\Desktop
Loaded Profiles: Top Gamers (Available Profiles: Top Gamers)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Task: {5190905E-E66E-4507-98F6-351AA7B77079} - System32\Tasks\sjczxijc => C:\Program Files\Common Files\2xgdmfnr\62a06kplfqrsy.exe [2016-07-13] () <==== ATTENTION
Task: {52153555-0BFE-4CF5-B06D-60315D31F87B} - System32\Tasks\{ABCBDC22-AF9C-4CD5-9A1F-39DD7844373B} => pcalua.exe -a E:\Autorun.exe -d E:\
Task: {7165CDB1-7187-4068-B931-30F77EB6E1E6} - System32\Tasks\{1069B6A8-C9A4-4B85-AAEA-8B15E5446083} => pcalua.exe -a D:\RCAPlay.exe -d D:\ -c RealFlightAOV1~RealFlight~RealFlight Add-ons, Volume 2
Task: {716FE40A-8C45-4BBE-8E3E-3E7CFF2DD257} - System32\Tasks\mrwqwt34 => C:\Program Files\Common Files\bfius4x1\bf3aaraufatgc.exe <==== ATTENTION
Task: {72DD5B11-71B8-423D-A5C8-30F7619AAD14} - System32\Tasks\prouuct => C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ontotax <==== ATTENTION
Task: {7543CE87-67B6-4308-9F01-7060B2CE1BB8} - System32\Tasks\g3wixho5 => C:\Program Files\Common Files\tykxu0bm\021370svrwl5u.exe <==== ATTENTION
Task: {75EED9CB-7BBE-49F8-B4E6-A4DECE4916EC} - System32\Tasks\SystemSoundsService => C:\Users\CUSTOM~1\AppData\Local\Temp\nsisvc.exe <==== ATTENTION
Task: {79E395A4-49CB-4738-BD42-7D44C054ECA8} - System32\Tasks\{0CC4B521-ED2F-445F-A99A-C8AF57FA0675} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Apex\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Apex\uninstall.dat" -a uninstallme 677ED751-C29E-44E5-8D20-BAA3E91BBDC9 DeviceId=db7002f9-1b62-3ab0-04cb-6688fdab3933 BarcodeId=50027003 ChannelId=3 DistributerName=APSnapdoAMRev
Task: {8908CEE9-2A24-4E64-ABE4-77B7D56B556B} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe
Task: {9082C5B3-8251-4C20-987B-6FFB3991196C} - System32\Tasks\222djcpz => C:\Program Files\Common Files\wfcj4rps\2091azyde53gb.exe <==== ATTENTION
Task: {9A01E967-EA15-472B-A733-F16599D3D1C3} - System32\Tasks\t0coqnay => C:\Program Files\Common Files\yhcdpile\81951r1lib3vx.exe [2016-07-17] () <==== ATTENTION
Task: {A48E5746-19D1-43C2-9570-99BBF8DA6346} - System32\Tasks\1vsni2a0 => C:\Program Files\Common Files\tsc5hkj3\c878dlpphaxmg.exe [2016-07-19] () <==== ATTENTION
Task: {A4E40685-92DE-43D5-9226-D409416A1914} - System32\Tasks\ifkos2fa => C:\Program Files\Common Files\geegzgch\d7e255vqtmx3r.exe [2016-07-14] () <==== ATTENTION
Task: {A6E05CE1-3F2A-40AA-A1DE-C6701D9A4664} - System32\Tasks\yzkpeumf => C:\Program Files\Common Files\newzaboa\d5079tniixrym.exe [2016-07-17] () <==== ATTENTION
Task: {B2566748-5486-43F3-957A-1C33641806F5} - System32\Tasks\ef340mhq => C:\Program Files\Common Files\3jvj5tqy\1f883txwjszxa.exe [2016-07-12] () <==== ATTENTION
Task: {D3165A9E-57E2-4EB2-82EF-A1C495D179A0} - System32\Tasks\r4hvnjwf => C:\Program Files\Common Files\dlalruym\5cd61gqcygpe1.exe [2016-07-19] () <==== ATTENTION
Task: {D4BAA4CC-D90D-4D63-94CB-31D10B7DB054} - System32\Tasks\{45078A4C-36F7-4FF2-B6E3-196FBCA7AD72} => pcalua.exe -a D:\setup.EXE -d D:\ -c /autorun
Task: {D96C1DFE-3AF4-4040-A2FD-B999E63D26EF} - System32\Tasks\r5b5wel0 => C:\Program Files\Common Files\cvzgfvdm\77d0ez3kf4upz.exe <==== ATTENTION

AlternateDataStreams: C:\Users\Customer1:Heroes & Generals [38]
AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [124]

C:\Program Files\BitTorrent
2016-07-16 15:15 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Online.IO
2016-07-21 13:24 - 2016-07-21 13:24 - 02927263 _____ () C:\Program Files\Common Files\iyhhuvgj.exe
2016-07-21 13:06 - 2016-07-21 13:06 - 02919652 _____ () C:\Program Files\Common Files\allvqnq4.exe
2016-07-21 12:02 - 2016-07-21 12:02 - 02931957 _____ () C:\Program Files\Common Files\wkztugsb.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\tqbfifva.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\s3l00dkj.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\nqpmuq2v.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\hth3jn3l.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\31spbmat.exe
2016-07-21 11:53 - 2016-07-21 11:53 - 02931957 _____ () C:\Program Files\Common Files\31cuk5ac.exe
2016-07-20 20:26 - 2016-07-20 20:26 - 02929852 _____ () C:\Program Files\Common Files\gqmt4jwd.exe
2016-07-20 20:06 - 2016-07-20 20:06 - 02917546 _____ () C:\Program Files\Common Files\lxfo2pzf.exe
2016-07-20 17:14 - 2016-07-20 17:14 - 02913768 _____ () C:\Program Files\Common Files\m32tbm1r.exe
2016-07-20 17:02 - 2016-07-20 17:02 - 02916601 _____ () C:\Program Files\Common Files\m3h0t5dd.exe
2016-07-20 16:56 - 2016-07-20 16:56 - 02916601 _____ () C:\Program Files\Common Files\l3gmtoyj.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\xlve4xvz.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\xiihwhfk.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\x4hkefsa.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ucr2xksq.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\pdjy21ch.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\mdlmtgbl.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\lywxswhm.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\iqzepgsk.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\gjbbi3ey.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ga3h5ttn.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\cnzdeinj.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\b0u551ie.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\ac0jlcwd.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\3q0lfak1.exe
2016-07-20 15:21 - 2016-07-20 15:21 - 02935133 _____ () C:\Program Files\Common Files\1advcofw.exe
2016-07-19 11:46 - 2016-07-19 11:46 - 02921548 _____ () C:\Program Files\Common Files\qomcx3fe.exe
2016-07-19 11:08 - 2016-07-19 11:08 - 02936366 _____ () C:\Program Files\Common Files\px4gekgu.exe
2016-07-19 11:08 - 2016-07-19 11:08 - 02936366 _____ () C:\Program Files\Common Files\nnul2eip.exe
2016-07-17 20:26 - 2016-07-17 20:26 - 02926389 _____ () C:\Program Files\Common Files\yndczsgd.exe
2016-07-17 20:08 - 2016-07-17 20:08 - 02937401 _____ () C:\Program Files\Common Files\f5c13ioa.exe
2016-07-19 11:06 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\dlalruym
2016-07-19 11:44 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\tsc5hkj3
2016-07-17 13:22 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\newzaboa
2016-07-17 09:14 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\yhcdpile
2016-07-16 11:27 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\hc3fq403
2016-07-15 17:12 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\a22c5bdy
2016-07-14 11:50 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\geegzgch
2016-07-14 16:54 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\4gwajam3
2016-07-12 20:24 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\wfcj4rps
2016-07-13 11:59 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\2xgdmfnr
2016-06-29 13:35 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\cvzgfvdm
2016-06-23 16:59 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\f1vmwudl
2016-07-12 11:40 - 2016-07-20 15:10 - 00000000 ____D C:\Program Files\Common Files\3jvj5tqy
2016-07-20 15:10 - 2016-06-15 20:04 - 00000000 ____D C:\Program Files\Common Files\bfius4x1
2016-07-21 13:12 - 2016-06-18 12:51 - 00000000 ____D C:\Program Files\Common Files\tykxu0bm
2016-07-20 15:10 - 2014-12-25 22:29 - 00000000 ____D C:\ProgramData\8624337292199723864
2016-07-17 20:26 - 2016-07-21 12:45 - 00000000 ____D C:\ProgramData\Airtostrong
2016-07-17 20:26 - 2016-07-17 20:26 - 00000000 ____D C:\ProgramData\Airtostrongs
2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\CloudPrinter
2016-07-08 12:08 - 2016-07-22 12:34 - 00000000 __SHD C:\ProgramData\Java Update Controller
2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\Logic Handler
2016-07-19 11:36 - 2016-07-19 11:36 - 00000000 ____D C:\ProgramData\Microsoft Toolkit
2016-07-20 15:10 - 2016-06-15 19:04 - 00000000 ____D C:\ProgramData\Ronzap
2016-07-20 15:10 - 2016-06-15 22:04 - 00000000 ____D C:\ProgramData\xifs

2016-07-21 13:27 - 2016-02-18 16:03 - 00000000 ____D C:\Users\Customer1\AppData\Local\YkPack
2016-07-21 13:27 - 2015-12-16 19:02 - 00000000 ____D C:\Users\Customer1\AppData\Local\Ipksoft
2016-07-21 22:53 - 2016-02-18 16:03 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\ProxyGate
2016-07-18 17:36 - 2016-07-18 18:31 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\YONCbdWAdRhT
2016-07-18 17:36 - 2016-07-18 18:31 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcS
2016-07-19 12:53 - 2016-07-19 02:29 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\cAWSZFFKZUZT
2016-07-19 12:53 - 2016-07-19 02:29 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\cUPNebdgPiZQWUISfXT
2016-07-20 17:49 - 2016-07-19 22:43 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\JMUfLdCJbBFY
2016-07-20 17:49 - 2016-07-19 22:43 - 00036363 ___SH C:\Users\Customer1\AppData\Roaming\eLLCQifYKHTXBbYDDQD
2016-07-21 12:06 - 2016-07-21 11:45 - 00533520 ___SH C:\Users\Customer1\AppData\Roaming\gURgIIdCafiA
2016-07-16 15:13 - 2016-07-20 15:29 - 00000000 ____D C:\Users\Customer1\AppData\Roaming\gplyra
2016-07-21 12:06 - 2016-07-21 11:45 - 00036337 ___SH C:\Users\Customer1\AppData\Roaming\VaZNdVNBRFfREKdFIcF
2016-07-18 17:36 - 2016-07-18 18:31 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcSAU.cmd
2016-07-20 17:49 - 2016-07-19 22:43 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\BgdeYfGFPXRhZiHZbGYVL.cmd
2016-07-21 12:06 - 2016-07-21 11:45 - 00936960 ___SH (AutoIt Team) C:\Users\Customer1\AppData\Roaming\aLIGCRXRWWdbcRMbgRaKe.cmd
2016-07-21 12:06 - 2015-12-28 10:02 - 00524288 ___SH (Simon Tatham) C:\Users\Customer1\AppData\Roaming\putty.exe
2016-07-20 15:32 - 2016-07-20 15:34 - 00000000 ____D C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware v2.1.8.1057 + Serial
2016-07-20 15:27 - 2016-07-20 15:27 - 00000000 ____D C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware Premium 2.1.8.1057 + KeyGen
2016-07-19 11:35 - 2016-07-17 14:55 - 00000000 ____D C:\Users\Customer1\Downloads\Microsoft Toolkit

C:\WINDOWS\AutoKMS
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ipksoft
C:\WINDOWS\system32\config\systemprofile\AppData\Local\YkPack
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ontotax

EmptyTemp:

*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\gplyra => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Ipksoft => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\YkPack => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Ufmedia => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Java Update Controller => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Java Update Controller => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value removed successfully
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => key removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Ipksoft => value removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Ufmedia => value removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YkPack => value removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Run\\ProxyGate => value removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Java Update Controller => value removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\b612084a => value not found.
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoInstrumentation => value removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value removed successfully
"HKU\S-1-5-21-4058035717-616954772-1676694511-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c6423fc-7ee8-11e3-be86-d43d7ebced8d}" => key removed successfully
HKCR\CLSID\{8c6423fc-7ee8-11e3-be86-d43d7ebced8d} => key not found.
"C:\ProgramData\Airtostrong\Truelex.dll" => Value data removed successfully.
"C:\ProgramData\Airtostrong\SilverSololab.dll" => Value data removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MRT.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mrtstub.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\Users\Customer1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk => moved successfully
ShortcutTarget: Dropbox.lnk ->  (No File) => not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Internet Explorer\Main\\SearchAssistant => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch" => key removed successfully
HKCR\Wow6432Node\CLSID\ielnksrch => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{632F07F3-19A1-4d16-A23F-E6CE9486BAB5}" => key removed successfully
HKCR\Wow6432Node\CLSID\{632F07F3-19A1-4d16-A23F-E6CE9486BAB5} => key not found.
"HKU\S-1-5-21-4058035717-616954772-1676694511-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}" => key removed successfully
HKCR\CLSID\{ielnksrch} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02b3c8ea-677c-44f8-8348-333f2839ec51}" => key removed successfully
"HKCR\CLSID\{02b3c8ea-677c-44f8-8348-333f2839ec51}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ce0ed48-9204-4dda-b303-d05517c70521}" => key removed successfully
HKCR\CLSID\{2ce0ed48-9204-4dda-b303-d05517c70521} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6204b53d-873f-4f87-a115-bfe5eb4394e5}" => key removed successfully
HKCR\CLSID\{6204b53d-873f-4f87-a115-bfe5eb4394e5} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd0cba33-7a8a-4a8d-857d-7e8a5d56a7d6}" => key removed successfully
HKCR\CLSID\{dd0cba33-7a8a-4a8d-857d-7e8a5d56a7d6} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e93ed9c5-f4d5-4fb8-bd14-56035800d183}" => key removed successfully
HKCR\CLSID\{e93ed9c5-f4d5-4fb8-bd14-56035800d183} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ce0ed48-9204-4dda-b303-d05517c70521}" => key removed successfully
HKCR\Wow6432Node\CLSID\{2ce0ed48-9204-4dda-b303-d05517c70521} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6204b53d-873f-4f87-a115-bfe5eb4394e5}" => key removed successfully
HKCR\Wow6432Node\CLSID\{6204b53d-873f-4f87-a115-bfe5eb4394e5} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fcgnigmofekcllgbiejhmigggmgehkip" => key removed successfully
Airtostrong => service removed successfully
backlh => service removed successfully
BitTorrent => Unable to stop service.
BitTorrent => service removed successfully
CloudPrinter => service removed successfully
Ronzap => service removed successfully
xifs => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{151AC8B5-3211-4DF6-8972-598903F638EC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{151AC8B5-3211-4DF6-8972-598903F638EC}" => key removed successfully
C:\WINDOWS\System32\Tasks\ex32bk3z => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ex32bk3z" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{21001E1B-17C0-43A4-ABD7-187F37BDC066}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21001E1B-17C0-43A4-ABD7-187F37BDC066}" => key removed successfully
C:\WINDOWS\System32\Tasks\b0grw2rz => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\b0grw2rz" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{275563E8-7D92-4974-B04B-550CFFFC5E0B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{275563E8-7D92-4974-B04B-550CFFFC5E0B}" => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Windows Activation Technologies\WatTask => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\WatTask" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{366EA0CB-3D96-444E-A106-274A13FFA987}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{366EA0CB-3D96-444E-A106-274A13FFA987}" => key removed successfully
C:\WINDOWS\System32\Tasks\byztoj0a => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\byztoj0a" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3C3A80C3-D7F2-43CC-ABD5-F0B1A26FA552}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C3A80C3-D7F2-43CC-ABD5-F0B1A26FA552}" => key removed successfully
C:\WINDOWS\System32\Tasks\oheupk0q => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\oheupk0q" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5190905E-E66E-4507-98F6-351AA7B77079}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5190905E-E66E-4507-98F6-351AA7B77079}" => key removed successfully
C:\WINDOWS\System32\Tasks\sjczxijc => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\sjczxijc" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{52153555-0BFE-4CF5-B06D-60315D31F87B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{52153555-0BFE-4CF5-B06D-60315D31F87B}" => key removed successfully
C:\WINDOWS\System32\Tasks\{ABCBDC22-AF9C-4CD5-9A1F-39DD7844373B} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{ABCBDC22-AF9C-4CD5-9A1F-39DD7844373B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7165CDB1-7187-4068-B931-30F77EB6E1E6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7165CDB1-7187-4068-B931-30F77EB6E1E6}" => key removed successfully
C:\WINDOWS\System32\Tasks\{1069B6A8-C9A4-4B85-AAEA-8B15E5446083} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1069B6A8-C9A4-4B85-AAEA-8B15E5446083}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{716FE40A-8C45-4BBE-8E3E-3E7CFF2DD257}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{716FE40A-8C45-4BBE-8E3E-3E7CFF2DD257}" => key removed successfully
C:\WINDOWS\System32\Tasks\mrwqwt34 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\mrwqwt34" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{72DD5B11-71B8-423D-A5C8-30F7619AAD14}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72DD5B11-71B8-423D-A5C8-30F7619AAD14}" => key removed successfully
C:\WINDOWS\System32\Tasks\prouuct => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\prouuct" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7543CE87-67B6-4308-9F01-7060B2CE1BB8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7543CE87-67B6-4308-9F01-7060B2CE1BB8}" => key removed successfully
C:\WINDOWS\System32\Tasks\g3wixho5 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\g3wixho5" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{75EED9CB-7BBE-49F8-B4E6-A4DECE4916EC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{75EED9CB-7BBE-49F8-B4E6-A4DECE4916EC}" => key removed successfully
C:\WINDOWS\System32\Tasks\SystemSoundsService => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemSoundsService" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{79E395A4-49CB-4738-BD42-7D44C054ECA8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{79E395A4-49CB-4738-BD42-7D44C054ECA8}" => key removed successfully
C:\WINDOWS\System32\Tasks\{0CC4B521-ED2F-445F-A99A-C8AF57FA0675} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0CC4B521-ED2F-445F-A99A-C8AF57FA0675}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{8908CEE9-2A24-4E64-ABE4-77B7D56B556B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8908CEE9-2A24-4E64-ABE4-77B7D56B556B}" => key removed successfully
C:\WINDOWS\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9082C5B3-8251-4C20-987B-6FFB3991196C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9082C5B3-8251-4C20-987B-6FFB3991196C}" => key removed successfully
C:\WINDOWS\System32\Tasks\222djcpz => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\222djcpz" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9A01E967-EA15-472B-A733-F16599D3D1C3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A01E967-EA15-472B-A733-F16599D3D1C3}" => key removed successfully
C:\WINDOWS\System32\Tasks\t0coqnay => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\t0coqnay" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A48E5746-19D1-43C2-9570-99BBF8DA6346}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A48E5746-19D1-43C2-9570-99BBF8DA6346}" => key removed successfully
C:\WINDOWS\System32\Tasks\1vsni2a0 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1vsni2a0" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A4E40685-92DE-43D5-9226-D409416A1914}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4E40685-92DE-43D5-9226-D409416A1914}" => key removed successfully
C:\WINDOWS\System32\Tasks\ifkos2fa => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ifkos2fa" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A6E05CE1-3F2A-40AA-A1DE-C6701D9A4664}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6E05CE1-3F2A-40AA-A1DE-C6701D9A4664}" => key removed successfully
C:\WINDOWS\System32\Tasks\yzkpeumf => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\yzkpeumf" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B2566748-5486-43F3-957A-1C33641806F5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B2566748-5486-43F3-957A-1C33641806F5}" => key removed successfully
C:\WINDOWS\System32\Tasks\ef340mhq => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ef340mhq" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D3165A9E-57E2-4EB2-82EF-A1C495D179A0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D3165A9E-57E2-4EB2-82EF-A1C495D179A0}" => key removed successfully
C:\WINDOWS\System32\Tasks\r4hvnjwf => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\r4hvnjwf" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D4BAA4CC-D90D-4D63-94CB-31D10B7DB054}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D4BAA4CC-D90D-4D63-94CB-31D10B7DB054}" => key removed successfully
C:\WINDOWS\System32\Tasks\{45078A4C-36F7-4FF2-B6E3-196FBCA7AD72} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{45078A4C-36F7-4FF2-B6E3-196FBCA7AD72}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D96C1DFE-3AF4-4040-A2FD-B999E63D26EF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D96C1DFE-3AF4-4040-A2FD-B999E63D26EF}" => key removed successfully
C:\WINDOWS\System32\Tasks\r5b5wel0 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\r5b5wel0" => key removed successfully
C:\Users\Customer1 => ":Heroes & Generals" ADS removed successfully.
C:\ProgramData\TEMP => ":054203E4" ADS removed successfully.
C:\Program Files\BitTorrent => moved successfully
C:\Program Files\Online.IO => moved successfully
C:\Program Files\Common Files\iyhhuvgj.exe => moved successfully
C:\Program Files\Common Files\allvqnq4.exe => moved successfully
C:\Program Files\Common Files\wkztugsb.exe => moved successfully
C:\Program Files\Common Files\tqbfifva.exe => moved successfully
C:\Program Files\Common Files\s3l00dkj.exe => moved successfully
C:\Program Files\Common Files\nqpmuq2v.exe => moved successfully
C:\Program Files\Common Files\hth3jn3l.exe => moved successfully
C:\Program Files\Common Files\31spbmat.exe => moved successfully
C:\Program Files\Common Files\31cuk5ac.exe => moved successfully
C:\Program Files\Common Files\gqmt4jwd.exe => moved successfully
C:\Program Files\Common Files\lxfo2pzf.exe => moved successfully
C:\Program Files\Common Files\m32tbm1r.exe => moved successfully
C:\Program Files\Common Files\m3h0t5dd.exe => moved successfully
C:\Program Files\Common Files\l3gmtoyj.exe => moved successfully
C:\Program Files\Common Files\xlve4xvz.exe => moved successfully
C:\Program Files\Common Files\xiihwhfk.exe => moved successfully
C:\Program Files\Common Files\x4hkefsa.exe => moved successfully
C:\Program Files\Common Files\ucr2xksq.exe => moved successfully
C:\Program Files\Common Files\pdjy21ch.exe => moved successfully
C:\Program Files\Common Files\mdlmtgbl.exe => moved successfully
C:\Program Files\Common Files\lywxswhm.exe => moved successfully
C:\Program Files\Common Files\iqzepgsk.exe => moved successfully
C:\Program Files\Common Files\gjbbi3ey.exe => moved successfully
C:\Program Files\Common Files\ga3h5ttn.exe => moved successfully
C:\Program Files\Common Files\cnzdeinj.exe => moved successfully
C:\Program Files\Common Files\b0u551ie.exe => moved successfully
C:\Program Files\Common Files\ac0jlcwd.exe => moved successfully
C:\Program Files\Common Files\3q0lfak1.exe => moved successfully
C:\Program Files\Common Files\1advcofw.exe => moved successfully
C:\Program Files\Common Files\qomcx3fe.exe => moved successfully
C:\Program Files\Common Files\px4gekgu.exe => moved successfully
C:\Program Files\Common Files\nnul2eip.exe => moved successfully
C:\Program Files\Common Files\yndczsgd.exe => moved successfully
C:\Program Files\Common Files\f5c13ioa.exe => moved successfully
C:\Program Files\Common Files\dlalruym => moved successfully
C:\Program Files\Common Files\tsc5hkj3 => moved successfully
C:\Program Files\Common Files\newzaboa => moved successfully
C:\Program Files\Common Files\yhcdpile => moved successfully
C:\Program Files\Common Files\hc3fq403 => moved successfully
C:\Program Files\Common Files\a22c5bdy => moved successfully
C:\Program Files\Common Files\geegzgch => moved successfully
C:\Program Files\Common Files\4gwajam3 => moved successfully
C:\Program Files\Common Files\wfcj4rps => moved successfully
C:\Program Files\Common Files\2xgdmfnr => moved successfully
C:\Program Files\Common Files\cvzgfvdm => moved successfully
C:\Program Files\Common Files\f1vmwudl => moved successfully
C:\Program Files\Common Files\3jvj5tqy => moved successfully
C:\Program Files\Common Files\bfius4x1 => moved successfully
C:\Program Files\Common Files\tykxu0bm => moved successfully
C:\ProgramData\8624337292199723864 => moved successfully
C:\ProgramData\Airtostrong => moved successfully
C:\ProgramData\Airtostrongs => moved successfully
C:\ProgramData\CloudPrinter => moved successfully
C:\ProgramData\Java Update Controller => moved successfully
C:\ProgramData\Logic Handler => moved successfully
C:\ProgramData\Microsoft Toolkit => moved successfully
C:\ProgramData\Ronzap => moved successfully
C:\ProgramData\xifs => moved successfully
C:\Users\Customer1\AppData\Local\YkPack => moved successfully
C:\Users\Customer1\AppData\Local\Ipksoft => moved successfully
C:\Users\Customer1\AppData\Roaming\ProxyGate => moved successfully
C:\Users\Customer1\AppData\Roaming\YONCbdWAdRhT => moved successfully
C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcS => moved successfully
C:\Users\Customer1\AppData\Roaming\cAWSZFFKZUZT => moved successfully
C:\Users\Customer1\AppData\Roaming\cUPNebdgPiZQWUISfXT => moved successfully
C:\Users\Customer1\AppData\Roaming\JMUfLdCJbBFY => moved successfully
C:\Users\Customer1\AppData\Roaming\eLLCQifYKHTXBbYDDQD => moved successfully
C:\Users\Customer1\AppData\Roaming\gURgIIdCafiA => moved successfully
C:\Users\Customer1\AppData\Roaming\gplyra => moved successfully
C:\Users\Customer1\AppData\Roaming\VaZNdVNBRFfREKdFIcF => moved successfully
C:\Users\Customer1\AppData\Roaming\QfZUFVKaGXPMCTWQFcSAU.cmd => moved successfully
C:\Users\Customer1\AppData\Roaming\BgdeYfGFPXRhZiHZbGYVL.cmd => moved successfully
C:\Users\Customer1\AppData\Roaming\aLIGCRXRWWdbcRMbgRaKe.cmd => moved successfully
C:\Users\Customer1\AppData\Roaming\putty.exe => moved successfully
C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware v2.1.8.1057 + Serial => moved successfully
C:\Users\Customer1\Downloads\Malwarebytes Anti-Malware Premium 2.1.8.1057 + KeyGen => moved successfully
C:\Users\Customer1\Downloads\Microsoft Toolkit => moved successfully
C:\WINDOWS\AutoKMS => moved successfully
"C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ipksoft" => not found.
"C:\WINDOWS\system32\config\systemprofile\AppData\Local\YkPack" => not found.
"C:\WINDOWS\system32\config\systemprofile\AppData\Local\Ontotax" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 57793818 B
Java, Flash, Steam htmlcache => 381659927 B
Windows/system/drivers => 151184040 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 32184631 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 152838 B
Customer1 => 7997238131 B

RecycleBin => 2394656 B
EmptyTemp: => 8 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 12:44:42 ====

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 8.1 Pro x64
Ran by Top Gamers (Administrator) on Sun 07/24/2016 at 20:05:56.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 4

Successfully deleted: C:\ProgramData\pc1data (Folder)
Successfully deleted: C:\Users\Customer1\AppData\Local\crashrpt (Folder)
Successfully deleted: C:\WINDOWS\SysWOW64\findit.xml (File)
Successfully deleted: C:\Program Files (x86)\your product (Folder)

 

Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Search\\Default_Search_URL (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchUrl\\Default (Registry Value)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl\\Default (Registry Value)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 07/24/2016 at 20:08:07.36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADWCLEANER

# AdwCleaner v5.201 - Logfile created 19/07/2016 at 13:33:15
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-18.2 [Server]
# Operating system : Windows 8.1 Pro  (X64)
# Username : Top Gamers - CUSTOMER
# Running from : C:\Users\Customer1\Downloads\adwcleaner_5.201.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : CloudPrinter
[-] Service Deleted : Ronzap
[-] Service Deleted : Airtostrong
[-] Service Deleted : xifs
[-] Service Deleted : backlh

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\CloudPrinter
[-] Folder Deleted : C:\ProgramData\Ronzap
[-] Folder Deleted : C:\ProgramData\Airtostrong
[-] Folder Deleted : C:\ProgramData\xifss
[-] Folder Deleted : C:\ProgramData\xifs
[-] Folder Deleted : C:\ProgramData\Ronzaps
[-] Folder Deleted : C:\ProgramData\Logic Handler
[-] Folder Deleted : C:\ProgramData\8624337292199723864
[-] Folder Deleted : C:\ProgramData\{96be6bc7-3c24-db40-96be-e6bc73c2af1c}
[-] Folder Deleted : C:\ProgramData\{b43e96d7-df77-c355-b43e-e96d7df75b5f}
[#] Folder Deleted : C:\ProgramData\Application Data\CloudPrinter
[#] Folder Deleted : C:\ProgramData\Application Data\Ronzap
[#] Folder Deleted : C:\ProgramData\Application Data\Airtostrong
[#] Folder Deleted : C:\ProgramData\Application Data\xifss
[#] Folder Deleted : C:\ProgramData\Application Data\xifs
[#] Folder Deleted : C:\ProgramData\Application Data\Ronzaps
[#] Folder Deleted : C:\ProgramData\Application Data\Logic Handler
[#] Folder Deleted : C:\ProgramData\Application Data\8624337292199723864
[#] Folder Deleted : C:\ProgramData\Application Data\{96be6bc7-3c24-db40-96be-e6bc73c2af1c}
[#] Folder Deleted : C:\ProgramData\Application Data\{b43e96d7-df77-c355-b43e-e96d7df75b5f}
[-] Folder Deleted : C:\Program Files (x86)\xtex
[-] Folder Deleted : C:\Users\Customer1\AppData\Local\28050
[-] Folder Deleted : C:\Users\Customer1\AppData\Roaming\ProxyGate
[-] Folder Deleted : C:\Users\Customer1\AppData\Roaming\gplyra
[-] Folder Deleted : C:\Program Files\Online.IO

***** [ Files ] *****

[-] File Deleted : C:\WINDOWS\SysWOW64\findit.xml
[-] File Deleted : C:\Users\Customer1\Desktop\TotalSystemCare.lnk

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

[-] Task Deleted : OIO

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SEARCHSCOPES\IELNKSRCH
[-] Key Deleted : HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}
[-] Value Deleted : HKCU\Environment [SNF]
[-] Value Deleted : HKCU\Environment [SNP]
[-] Key Deleted : HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Application Hosting
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SILENTPROCESSEXIT\Ronzap.exe
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RONZAP.EXE
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AIRTOSTRONG.EXE
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\XIFS.EXE
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SILENTPROCESSEXIT\xifs.exe
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\radiorage.dl.myway.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\weatherblink.dl.myway.com
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fcgnigmofekcllgbiejhmigggmgehkip
[-] Key Deleted : HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
[-] Key Deleted : HKCU\Software\WEBAPP
[-] Key Deleted : HKLM\SOFTWARE\mtRonzap
[-] Key Deleted : HKLM\SOFTWARE\mtAirtostrong
[-] Key Deleted : HKLM\SOFTWARE\mtxifs
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online.IO
[-] Key Deleted : HKU\.DEFAULT\Software\INSTALLPATH\STATUS
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
[-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ProxyGate]
[#] Value Deleted : HKU\S-1-5-21-4058035717-616954772-1676694511-1001\Software\Microsoft\Windows\CurrentVersion\Run [ProxyGate]
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [gupdate]

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [4952 bytes] - [19/07/2016 13:33:15]
C:\AdwCleaner\AdwCleaner[R0].txt - [5262 bytes] - [28/03/2015 11:58:44]
C:\AdwCleaner\AdwCleaner[S0].txt - [4885 bytes] - [28/03/2015 12:02:53]
C:\AdwCleaner\AdwCleaner[S1].txt - [5264 bytes] - [19/07/2016 13:32:11]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [5244 bytes] ##########
# AdwCleaner v5.201 - Logfile created 24/07/2016 at 20:14:06
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-24.1 [Server]
# Operating system : Windows 8.1 Pro  (X64)
# Username : Top Gamers - CUSTOMER
# Running from : C:\Users\Customer1\Desktop\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Customer1\AppData\Local\CEF

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Value Deleted : HKCU\Environment [SNF]
[-] Value Deleted : HKCU\Environment [SNP]
[-] Key Deleted : HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Application Hosting
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SILENTPROCESSEXIT\Ronzap.exe
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RONZAP.EXE
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AIRTOSTRONG.EXE
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\XIFS.EXE
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SILENTPROCESSEXIT\xifs.exe
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\radiorage.dl.myway.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\weatherblink.dl.myway.com
[-] Key Deleted : HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
[-] Key Deleted : HKCU\Software\WEBAPP
[-] Key Deleted : HKLM\SOFTWARE\mtRonzap
[-] Key Deleted : HKLM\SOFTWARE\mtAirtostrong
[-] Key Deleted : HKLM\SOFTWARE\mtxifs
[-] Key Deleted : HKU\.DEFAULT\Software\INSTALLPATH\STATUS
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [7670 bytes] - [19/07/2016 13:33:15]
C:\AdwCleaner\AdwCleaner[R0].txt - [5262 bytes] - [28/03/2015 11:58:44]
C:\AdwCleaner\AdwCleaner[S0].txt - [4885 bytes] - [28/03/2015 12:02:53]
C:\AdwCleaner\AdwCleaner[S1].txt - [8074 bytes] - [19/07/2016 13:32:11]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [7962 bytes] ##########

MBAM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/24/2016
Scan Time: 8:22 PM
Logfile: mam.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.24.06
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Top Gamers

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320817
Time Elapsed: 6 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 13
PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\INTERFACE\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}, Quarantined, [e7efb96eaaf0f0467285efa546bc27d9],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, Quarantined, [1bbbf3349901e94dd3242d6730d28e72],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\INTERFACE\{9B41579A-1996-42F9-8F84-7B7786818CEF}, Quarantined, [1bbbf3349901e94dd3242d6730d28e72],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}, Quarantined, [1bbbf3349901e94dd3242d6730d28e72],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9B41579A-1996-42F9-8F84-7B7786818CEF}, Quarantined, [1bbbf3349901e94dd3242d6730d28e72],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}, Quarantined, [1bbbf3349901e94dd3242d6730d28e72],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9B41579A-1996-42F9-8F84-7B7786818CEF}, Quarantined, [1bbbf3349901e94dd3242d6730d28e72],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, Quarantined, [bf1710172a7080b66790088ce22006fa],
PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, Quarantined, [716538ef9bff8aac49aeafe5927022de],
PUP.Optional.Smeazymo, HKLM\SOFTWARE\MICROSOFT\TRACING\Latech_RASAPI32, Quarantined, [f0e682a5f3a74fe78d18c90804fe56aa],
PUP.Optional.Smeazymo, HKLM\SOFTWARE\MICROSOFT\TRACING\Latech_RASMANCS, Quarantined, [54820e19900a9e98fca9ffd235cdae52],
PUP.Optional.CrossRider, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{21111111-1111-1111-1111-110211671166}, Quarantined, [f7dfc166ff9b8ea8e27ab2ede023c739],
PUP.Optional.Linkury, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{677ED751-C29E-44E5-8D20-BAA3E91BBDC9}, Quarantined, [b5210225a1f9d264dfae53a0af5402fe],

Registry Values: 2
PUP.Optional.CrossRider, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{21111111-1111-1111-1111-110211671166}|AppName, Discount Buddy-bg.exe, Quarantined, [f7dfc166ff9b8ea8e27ab2ede023c739]
PUP.Optional.Linkury, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{677ED751-C29E-44E5-8D20-BAA3E91BBDC9}|DisplayName, SnapDo, Quarantined, [b5210225a1f9d264dfae53a0af5402fe]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.Linkury.ACMB1, C:\Program Files (x86)\Common Files\Apex, Quarantined, [5c7a35f2009a9e981e44475658ac817f],

Files: 21
PUP.Optional.PCCleaners, C:\ProgramData\pclunst.exe, Quarantined, [c4124fd85941cf6797d931ea15ec7a86],
Trojan.DLDrop.NSIS, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Arrays.dll, Quarantined, [f0e6ad7aaeec41f549f2fae6cb36d42c],
Trojan.Injector.NS, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\OpenCandy.dll, Quarantined, [cf0740e7bedc95a1fc8806e028d9cb35],
Trojan.Kovter, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ProxySettings.dll, Quarantined, [c5110027594164d2492ee009ee132bd5],
Trojan.Injector, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\engulfments.dll, Quarantined, [8c4a35f2b4e649ed2c93eabf00018080],
Trojan.Injector, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\imposts.dll, Quarantined, [a92d3ceb8a10f046fd28bceb6899d729],
Trojan.Kovter, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SFhelper.dll, Quarantined, [478fee390f8b2016a6237cf026ded52b],
Trojan.DLDrop.NSIS, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sinfulness.dll, Quarantined, [6274b3741a804ee8345ee2ccf50cf40c],
PUP.Optional.Amonetize, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Stock-Eco.bin, Quarantined, [09cd32f5f1a9c472feb97f0c6d9406fa],
PUP.Optional.LogicHandler, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ZoomHold.bin, Quarantined, [d50185a2c2d8999d0fe5481622defc04],
PUP.Optional.Linkury, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Zotdom.bin, Quarantined, [8b4b6abd0496be782127292fa163669a],
Trojan.Injector, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\bevatron.dll, Quarantined, [b91d70b7edad8bab6bdd04a135cc0000],
Trojan.Injector.NS, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CDRom.dll, Quarantined, [8e480b1c74267bbb155044996d94c739],
Trojan.Injector, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Crypto.dll, Quarantined, [7363e344e4b66fc71ce8855fb849af51],
PUP.Optional.Smeazymo, C:\Windows\System32\config\systemprofile\AppData\Local\Latech.dat, Quarantined, [5086d651aded9d993a694e83847e58a8],
PUP.Optional.Smeazymo, C:\Windows\System32\config\systemprofile\AppData\Local\LATECH.EXE.CONFIG, Quarantined, [4f876cbb32685adc2e75874a8d7515eb],
PUP.Optional.Linkury.Gen, C:\Users\Customer1\AppData\Roaming\PRIORITYQUEUE.TST, Quarantined, [23b3b0778317ae88f885ee0ff310e818],
PUP.Optional.Linkury.ACMB1, C:\Program Files (x86)\Common Files\Apex\InstallationConfiguration.xml, Quarantined, [5c7a35f2009a9e981e44475658ac817f],
PUP.Optional.Linkury.ACMB1, C:\Program Files (x86)\Common Files\Apex\uninstall.dat, Quarantined, [5c7a35f2009a9e981e44475658ac817f],
PUP.Optional.Linkury.ACMB1, C:\Program Files (x86)\Common Files\Apex\uninstall.exe, Quarantined, [5c7a35f2009a9e981e44475658ac817f],
PUP.Optional.Linkury.ACMB1, C:\Program Files (x86)\Common Files\Apex\uninstall.ico, Quarantined, [5c7a35f2009a9e981e44475658ac817f],

Physical Sectors: 0
(No malicious items detected)

(end)



#14 Aura

Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:44 PM

Posted 24 July 2016 - 08:35 PM

Awesome :) That was a lot of deletions. Now we'll run Emsisoft Emergency Kit to catch the remnants, and we'll also run a fix with FRST that will give us more information about the leftovers so I can target them precisely in another FRST fix afterward.

Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program into the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press Enter;
  • Open the file you just created and copy/paste the content below into it, then save it (Ctrl + S);
    Folder: C:\ProgramData
    Folder: C:\Program Files (x86)
    Folder: C:\Program Files (x86)\Common Files
    Folder: C:\Users\Customer1\AppData\Local
    Folder: C:\Users\Customer1\AppData\Roaming
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
Your next reply(ies) should include:
  • Copy/pasted content from the EEK clean log;
  • Copy/pasted content from FRST fixlog.txt;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 leo009

leo009
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:44 PM


Posted 24 July 2016 - 09:56 PM

Ok, so when I finished quarantining the files in Emsisoft Emergency Kit it didn't reboot my system (don't know if that's a problem). My FRST file is too big to send.

Emsisoft Emergency Kit - Version 11.0
Quarantine log

Date Source Event Detection 
7/24/2016 10:03:04 PM Key: HKEY_USERS\S-1-5-21-4058035717-616954772-1676694511-1001_CLASSES\WOW6432NODE\INTERFACE\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} Moved to quarantine Application.Toolbar (A) 
7/24/2016 10:03:03 PM C:\Program Files (x86)\Total War ATTILA\steam_api_ext.dll Moved to quarantine Gen:Trojan.Heur.LP.jH5@aa9Hnqk (B) 
7/24/2016 10:03:03 PM C:\Users\Customer1\AppData\Roaming\AnimGif.dll Moved to quarantine Trojan.GenericKD.3268879 (B) 
7/24/2016 10:03:03 PM C:\Users\Customer1\AppData\Roaming\bucker.dll Moved to quarantine Gen:Variant.Razy.26506 (B) 
7/24/2016 10:03:03 PM C:\Users\Customer1\AppData\Roaming\scrutators.dll Moved to quarantine Gen:Variant.Symmi.64527 (B)