
Several adware infections


  • This topic is locked
13 replies to this topic

#1 IDWR
  • Members
  • 6 posts

Posted 04 September 2016 - 10:00 AM

Every now and then I get these annoying adware infections, which open new tabs in my browser without asking. Then I start searching for a solution, but the adware is never detected, due to which I resort to clearing my browser data and restoring my settings. However, this time this appeared to be ineffective: several adware types, like SmartNewTab, Myimgt, LiveAdExchanger, Optmz, OnClickAds, keep popping up. I tried clearing the cache, running the Windows Malware detection tool, HitmanPro, Malwarebytes, AdwCleaner, but none of these detect the adware, let alone solve the problem. Obviously... I started by looking at my browser extensions and installed programs, but I have disabled all extensions and no suspicious software has been installed.

If any of you could help me out and tell me what the best way is to go about, I would be incredibly grateful!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Bram (administrator) on MARB (04-09-2016 16:11:16)
Running from C:\Users\Bram\Downloads
Loaded Profiles: Bram (Available Profiles: Bram & Administrator)
Platform: Windows 8.1 Connected (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Intel® Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Lenovo Settings\LenovoSetSvr.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Lenovo) C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\USB Blocker\USBBKSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDIntelligent.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17709_none_fa7932f59afc2e40\TiWorker.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672152 2014-05-26] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1387376 2014-05-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1387376 2014-05-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1387376 2014-05-13] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2892616 2014-02-19] (ELAN Microelectronics Corp.)
HKLM\...\Run: [BtServer] => C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe [217088 2014-04-08] (Realtek Semiconductor Corporation)
HKLM\...\Run: [PhoneCompanion] => C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe [836592 2014-11-13] (Lenovo)
HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [16094704 2014-11-13] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [10973168 2014-11-13] (Lenovo(beijing) Limited)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-01-07] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4179288 2015-11-30] (Disc Soft Ltd)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [HP Deskjet 3050A J611 series (NET)] => C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AdobeCollabSync.exe [882360 2016-06-30] (Adobe Systems Incorporated)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\Bluestacks\HD-Agent.exe
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\MountPoints2: {43d2309c-b07e-11e5-8283-f0761c24249e} - "E:\SETUP.EXE" 
ShellIconOverlayIdentifiers: [00001LenovoSyncComplete] -> {1E9CED2C-E7B4-4C47-B07A-25416393B67B} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00002LenovoSyncActive] -> {C1285F4D-918F-4EF2-BC94-CAD5B118C835} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00003LenovoSyncError] -> {CE5633DA-1488-4D1D-9A9B-B500297D4A8C} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00004LenovoLocalOnly] -> {C7362DA9-D3AC-4C17-B2F5-2F1823FA04C3} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00USBBlockerShellDs] -> {BE57AC86-892D-436E-B763-71DA8FA49A48} => C:\Program Files (x86)\Lenovo\USB Blocker\USBBlockerShell.dll [2013-12-25] (Lenovo(beijing) Limited)
ShellIconOverlayIdentifiers: [00USBBlockerShellRd] -> {FFBCBB89-938E-4412-88AF-AE7A531F95C1} => C:\Program Files (x86)\Lenovo\USB Blocker\USBBlockerShell.dll [2013-12-25] (Lenovo(beijing) Limited)
ShellIconOverlayIdentifiers: [00USBBlockerShellRw] -> {42D4ABFA-0604-45F1-9A7C-622F85614BAB} => C:\Program Files (x86)\Lenovo\USB Blocker\USBBlockerShell.dll [2013-12-25] (Lenovo(beijing) Limited)
ShellIconOverlayIdentifiers-x32: [00001LenovoSyncComplete] -> {1E9CED2C-E7B4-4C47-B07A-25416393B67B} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers-x32: [00002LenovoSyncActive] -> {C1285F4D-918F-4EF2-BC94-CAD5B118C835} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers-x32: [00003LenovoSyncError] -> {CE5633DA-1488-4D1D-9A9B-B500297D4A8C} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers-x32: [00004LenovoLocalOnly] -> {C7362DA9-D3AC-4C17-B2F5-2F1823FA04C3} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{93B079ED-117B-483C-B2B9-A87FE2994859}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{D8B275DB-D904-45B2-BCE8-A227E76D92BC}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.lenovo.com
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1622894908-720436876-2890570449-1001 -> {4EA51BAA-D52F-410E-B370-300507DF4984} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-07-10] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\x64\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-07-13] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\x64\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2013-07-13] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\x64\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-07-29] (Adobe Systems)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-07-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Air\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-07-29] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-07-10] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension.15@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat DC - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Browser\WCFirefoxExtn [2016-05-17]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://homepage-web.com/?s=lenovo&m=home
CHR StartupUrls: Default -> "hxxp://www.google.nl/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
CHR Extension: (Google Search) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-31]
CHR Extension: (Chrome Media Router) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-30]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2159320 2016-08-22] (Adobe Systems, Incorporated)
S4 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [95232 2014-03-28] () [File not signed]
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2780856 2015-10-07] (Microsoft Corporation)
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1368408 2015-11-30] (Disc Soft Ltd)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [99632 2013-10-09] (ELAN Microelectronics Corp.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [29728 2016-08-15] (HP Inc.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-02] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-02] (Intel® Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [533760 2014-06-03] (Lenovo)
R2 LenovoSetSvr; C:\Program Files (x86)\Lenovo\Lenovo Settings\LenovoSetSvr.exe [389680 2014-11-13] (Lenovo(beijing) Limited)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [198192 2014-11-13] (Lenovo(beijing) Limited)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 PhoneCompanionPusher; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe [288240 2014-11-13] (Lenovo)
S3 PhoneCompanionVap; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionVap.exe [305136 2014-11-13] (Lenovo)
S4 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 USBBKSvc; C:\Program Files (x86)\Lenovo\USB Blocker\USBBKSvc.exe [35824 2013-12-25] (Lenovo(beijing) Limited)
S4 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe [68880 2014-11-13] ()
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-10-29] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 dtlitescsibus; C:\Windows\System32\drivers\dtlitescsibus.sys [30264 2016-01-05] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\drivers\dtliteusbbus.sys [46392 2016-01-05] (Disc Soft Ltd)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-06-22] ()
R2 LubFsFlt; C:\windows\System32\Drivers\LubFsFlt.sys [27384 2014-02-22] (Lenovo(beijing) Limited)
R0 LubSec; C:\Windows\System32\Drivers\LubSec.sys [45304 2014-02-22] (Lenovo(beijing) Limited)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-09-04] (Malwarebytes)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290520 2013-09-24] (Realtek Semiconductor Corp.)
S3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [559832 2014-02-26] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3421040 2014-04-30] (Realtek Semiconductor Corporation                           )
S3 ssudserd; C:\Windows\system32\DRIVERS\ssudserd.sys [214832 2015-12-08] (DEVGURU Co., LTD.(www.devguru.co.kr))
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [87568 2013-07-02] (Intel Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-14] ("CyberLink)
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-04 16:11 - 2016-09-04 16:12 - 00021169 _____ C:\Users\Bram\Downloads\FRST.txt
2016-09-04 16:11 - 2016-09-04 16:11 - 00000000 ____D C:\FRST
2016-09-04 16:08 - 2016-09-04 16:09 - 02397696 _____ (Farbar) C:\Users\Bram\Downloads\FRST64.exe
2016-09-04 15:17 - 2016-09-04 15:17 - 03826240 _____ C:\Users\Bram\Downloads\adwcleaner_6.010.exe
2016-09-04 14:13 - 2016-09-04 14:13 - 00000000 ____D C:\Program Files\HitmanPro
2016-09-04 13:51 - 2016-09-04 13:53 - 137985808 _____ (Microsoft Corporation) C:\Users\Bram\Downloads\msert.exe
2016-09-04 12:55 - 2016-09-04 13:05 - 00000000 ____D C:\ProgramData\HitmanPro
2016-09-04 12:55 - 2016-09-04 12:55 - 11438608 _____ (SurfRight B.V.) C:\Users\Bram\Downloads\hitmanpro_x64.exe
2016-09-03 20:32 - 2016-09-03 20:32 - 00000000 ____D C:\windows\pss
2016-09-01 09:11 - 2016-09-04 15:29 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-01 09:07 - 2016-09-01 09:07 - 00001125 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-01 09:07 - 2016-09-01 09:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-01 09:06 - 2016-09-01 09:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-01 09:06 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2016-09-01 09:06 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2016-09-01 09:06 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
2016-08-21 20:26 - 2016-09-01 00:30 - 00000000 ____D C:\Program Files (x86)\Yodot AVI Repair
2016-08-21 12:11 - 2016-09-02 12:29 - 00000000 ____D C:\Users\Bram\AppData\LocalLow\uTorrent
2016-08-17 15:38 - 2016-08-17 15:38 - 00041004 _____ C:\Users\Bram\Downloads\UCRPT317.pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-04 15:38 - 2016-05-04 11:40 - 00000000 ____D C:\Users\Bram\Documents\marktplaats
2016-09-04 15:29 - 2015-05-31 12:57 - 00000912 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-04 15:29 - 2015-05-04 22:14 - 00000000 ___RD C:\Users\Bram\OneDrive
2016-09-04 15:29 - 2013-08-22 16:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-09-04 15:28 - 2016-02-09 20:59 - 00000000 ____D C:\AdwCleaner
2016-09-04 15:15 - 2015-05-31 12:57 - 00000916 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-04 14:24 - 2016-01-05 20:46 - 00087040 ___SH C:\Users\Bram\Desktop\Thumbs.db
2016-09-04 12:54 - 2016-01-02 19:17 - 00000000 ____D C:\Users\Bram\AppData\Roaming\vlc
2016-09-03 21:13 - 2015-05-04 22:14 - 00003598 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1622894908-720436876-2890570449-1001
2016-09-03 20:33 - 2013-08-22 15:25 - 00262144 ___SH C:\windows\system32\config\BBI
2016-09-03 12:57 - 2014-03-18 11:53 - 00867660 _____ C:\windows\system32\PerfStringBackup.INI
2016-09-03 12:57 - 2013-08-22 15:36 - 00000000 ____D C:\windows\Inf
2016-09-03 12:32 - 2015-10-03 17:05 - 00000000 ____D C:\Users\Bram\AppData\Local\ElevatedDiagnostics
2016-09-03 10:29 - 2013-08-22 17:36 - 00000000 ____D C:\windows\AppReadiness
2016-09-02 12:44 - 2015-12-31 16:58 - 00000000 ____D C:\Users\Bram\AppData\Roaming\uTorrent
2016-08-30 17:44 - 2014-11-13 23:32 - 00000000 ____D C:\ProgramData\Energy Manager
2016-08-30 17:30 - 2016-01-05 02:09 - 00000000 ____D C:\Users\Bram\AppData\Local\Microsoft Help
2016-08-30 00:07 - 2015-05-04 22:07 - 00000000 ____D C:\Users\Bram\AppData\Local\Packages
2016-08-22 00:35 - 2015-07-31 21:30 - 00938496 ___SH C:\Users\Bram\Documents\Thumbs.db
2016-08-21 20:35 - 2014-11-13 23:10 - 00000000 ____D C:\ProgramData\Temp
2016-08-21 20:20 - 2015-07-26 11:25 - 01153024 ___SH C:\Users\Bram\Downloads\Thumbs.db
2016-08-14 21:22 - 2016-07-26 20:10 - 00016842 _____ C:\Users\Bram\Documents\artikel.odt
2016-08-10 11:08 - 2013-08-22 17:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-08 22:16 - 2015-05-31 12:57 - 00002400 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-08 22:16 - 2015-05-31 12:57 - 00002388 _____ C:\Users\Public\Desktop\Google Chrome.lnk
 
==================== Files in the root of some directories =======
 
2015-05-04 22:12 - 2015-05-07 23:00 - 0002417 _____ () C:\Users\Bram\AppData\Roaming\AbsoluteReminder.xml
2016-04-26 13:50 - 2016-04-26 14:06 - 0002832 _____ () C:\Users\Bram\AppData\Roaming\droid4xinstaller.log
2015-05-04 22:07 - 2016-09-04 15:29 - 3826367 _____ () C:\Users\Bram\AppData\Local\BTServer.log
2015-05-21 18:55 - 2015-10-23 19:47 - 0000600 _____ () C:\Users\Bram\AppData\Local\PUTTY.RND
2016-01-01 14:47 - 2016-03-04 13:38 - 0007601 _____ () C:\Users\Bram\AppData\Local\Resmon.ResmonCfg
2016-07-16 19:52 - 2016-07-16 19:52 - 0242981 _____ () C:\ProgramData\1468691395.bdinstall.bin
2016-07-16 19:52 - 2016-07-16 19:52 - 0028349 _____ () C:\ProgramData\1468691525.bdinstall.bin
2016-04-10 12:16 - 2016-04-10 12:16 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-11-13 22:31 - 2014-11-13 22:31 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\Bram\AppData\Local\Temp\BluestacksUninstaller.exe
C:\Users\Bram\AppData\Local\Temp\HD-LibraryHandler.dll
C:\Users\Bram\AppData\Local\Temp\HD-Logger-Native.dll
C:\Users\Bram\AppData\Local\Temp\libeay32.dll
C:\Users\Bram\AppData\Local\Temp\msvcr120.dll
C:\Users\Bram\AppData\Local\Temp\PidGenX.dll
C:\Users\Bram\AppData\Local\Temp\RemoveTemp.exe
C:\Users\Bram\AppData\Local\Temp\SHELL32.dll
C:\Users\Bram\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-31 01:17
 
==================== End of FRST.txt ============================
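The log above is long, and the lines a helper actually reads are the ones where FRST itself has left a hint: a target file that no longer exists (`[X]`, `=> No File`), a binary with no signature (`[File not signed]`) or no publisher in its version info (`()`), an autorun tied to a removable drive (`MountPoints2`), or a browser start page on a host the owner did not choose. The script below is an added example, not code from the original post, from FRST's author or from BleepingComputer's procedure. It scans FRST.txt text for those markers and prints only the lines worth checking by hand. The sample lines are copied from the log above; the set of expected start-page hosts is an assumption for this particular machine, and treating a Run entry without the usual `[size date] (Publisher)` trailer as a missing target is my reading of FRST's output format, not documented behaviour.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log.

Added example, not part of the original post or of FRST. It reduces a long
FRST.txt to the lines that carry one of the markers FRST prints when an
entry deserves a second look.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: a handful of lines taken verbatim from the FRST.txt above.
SAMPLE_FRST = r"""
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672152 2014-05-26] (Realtek Semiconductor)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\Bluestacks\HD-Agent.exe
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\MountPoints2: {43d2309c-b07e-11e5-8283-f0761c24249e} - "E:\SETUP.EXE"
CHR HomePage: Default -> hxxp://homepage-web.com/?s=lenovo&m=home
CHR StartupUrls: Default -> "hxxp://www.google.nl/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => No File
S4 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [95232 2014-03-28] () [File not signed]
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-02] (Intel® Corporation) [File not signed]
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-06-22] ()
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
"""

# Markers FRST itself prints, each paired with the reason we report for it.
MARKERS = [
    ("file missing on disk", re.compile(r"\[X\]$|=> No File$")),
    ("unsigned binary", re.compile(r"\[File not signed\]")),
    # FRST prints an empty "()" when the PE carries no CompanyName.
    ("no publisher in version info", re.compile(r"\(\)")),
    ("autorun from removable media (MountPoints2)", re.compile(r"MountPoints2: .* - \"[A-Z]:\\")),
]
# A Run entry normally ends with "[size date] (Publisher)". Assumption: when that
# trailer is absent FRST could not stat the target, so the file is probably gone.
RUN_ENTRY = re.compile(r"\\Run: \[")
RUN_WITH_METADATA = re.compile(r"\\Run: \[[^\]]+\] => .+ \[\d+ \d{4}-\d{2}-\d{2}\] \(.+\)$")
# Start-page style settings. FRST writes URLs as hxxp:// so they are not clickable.
START_PAGE = re.compile(r"(HomePage|StartupUrls|Start Page|Page_URL|Start Pages)\b.*?hxxps?://([^/\s\"]+)")
# Assumption for this machine: Google NL plus the Lenovo/MSN OEM pages seen in the log.
EXPECTED_START_HOSTS = {"www.google.nl", "www.lenovo.com", "lenovo13.msn.com"}


@dataclass
class Finding:
    line: str
    reasons: list


def triage(log_text):
    """Return one Finding per log line that carries at least one marker."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        reasons = [reason for reason, pat in MARKERS if pat.search(line)]
        if RUN_ENTRY.search(line) and not RUN_WITH_METADATA.search(line):
            reasons.append("Run entry has no file metadata (target probably missing)")
        m = START_PAGE.search(line)
        if m and m.group(2).lower() not in EXPECTED_START_HOSTS:
            reasons.append(f"browser start page points at unexpected host {m.group(2)}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def reasons_for(findings, needle):
    """Reasons recorded for the first flagged line containing needle, or [] if that line was clean."""
    for f in findings:
        if needle in f.line:
            return f.reasons
    return []


if __name__ == "__main__":
    # Usage: python frst_triage.py FRST.txt   (falls back to the embedded sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_FRST
    for f in triage(text):
        print(f"{', '.join(f.reasons)}\n    {f.line}")
```

On the sample this flags eight lines and leaves the signed Realtek and Windows Defender entries alone. The list is a starting point, not a verdict: an unsigned OEM service or a leftover driver from an uninstalled VMware product is ordinary on a consumer laptop, and the line that matters here is the Chrome home page pointing at a host the owner never set. The value of the script is that it shortens what a helper has to read, not that it decides what to remove.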


#2 Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts

Posted 04 September 2016 - 02:31 PM

Hi IDWR :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

P2P Program Warning!
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

We'll run a first fix with FRST and also run JRT to see what it can catch.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    
    Task: {0A4CCC92-28E6-40DC-91CD-CFC0436D2B30} - \AutoKMS -> No File <==== ATTENTION
    
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --proxy-pac-url=hxxp://stop-block.org/wpad.dat?37a3b8fc39d9bd1254fd1240d897cdc45920752
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --proxy-pac-url=hxxp://stop-block.org/wpad.dat?37a3b8fc39d9bd1254fd1240d897cdc45920752
    
    AlternateDataStreams: C:\Windows:nlsPreferences [386]
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
    AlternateDataStreams: C:\ProgramData\Temp:F3A89712 [147]
    
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
    
    FirewallRules: [{A4544C7A-8714-4182-A450-E99140CF190D}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
    FirewallRules: [{81FAD8CB-4A8B-4356-8ED7-2BA0CFF8406D}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
    FirewallRules: [{39B61F76-F413-432B-90AE-2AC5FC9DCDB0}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
    FirewallRules: [{42EA6D52-83C3-4DBA-8A80-1ED2081A7D43}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
    FirewallRules: [{FB635B31-5C1D-461F-85A8-CD1D893E3E5D}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
    FirewallRules: [{E8A87C0E-B923-4DA6-A535-4B4A5D2F6A9C}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
    FirewallRules: [TCP Query User{536B4D0B-1FB1-43F3-9EC2-3ACF16B218F1}C:\program files\ms office 2013\microsoft toolkit.exe] => (Allow) C:\program files\ms office 2013\microsoft toolkit.exe
    FirewallRules: [UDP Query User{D2C23A65-35DD-49D5-8A8D-5921F04022D3}C:\program files\ms office 2013\microsoft toolkit.exe] => (Allow) C:\program files\ms office 2013\microsoft toolkit.exe
    FirewallRules: [{31D6C4D7-B6CF-44F8-8CEA-D335129A38A8}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
    FirewallRules: [{F0FD3CD5-5822-4BF2-B262-93655A60723D}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
    FirewallRules: [{3CEEC6B0-01EE-4184-BA2C-C4084944EF51}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
    FirewallRules: [{8A2C5E40-4101-49CA-BE64-3181F2ED6145}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
    
    C:\Program Files (x86)\AVG
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
Once done, can you tell me if you still get ads in your web browser?

Your next reply(ies) should include:
  • Copy/pasted content of FRST's fixlog.txt;
  • Copy/pasted content of JRT.txt;
  • Answer to my question about the ads in your web browser;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 IDWR

IDWR
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:47 PM

Posted 05 September 2016 - 03:19 AM

Thus far, it seems that the adware has been completely removed. Unbelievable!
Thank you SO much for this...
I really wonder how on earth it's possible that all those scanners failed to detect these files...
Thousand, thousand times thanks!
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by Bram (04-09-2016 22:08:44) Run:1
Running from C:\Users\Bram\Downloads
Loaded Profiles: Bram (Available Profiles: Bram & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
 
Task: {0A4CCC92-28E6-40DC-91CD-CFC0436D2B30} - \AutoKMS -> No File <==== ATTENTION
 
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --proxy-pac-url=hxxp://stop-block.org/wpad.dat?37a3b8fc39d9bd1254fd1240d897cdc45920752
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --proxy-pac-url=hxxp://stop-block.org/wpad.dat?37a3b8fc39d9bd1254fd1240d897cdc45920752
 
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
AlternateDataStreams: C:\ProgramData\Temp:F3A89712 [147]
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
 
FirewallRules: [{A4544C7A-8714-4182-A450-E99140CF190D}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{81FAD8CB-4A8B-4356-8ED7-2BA0CFF8406D}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{39B61F76-F413-432B-90AE-2AC5FC9DCDB0}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{42EA6D52-83C3-4DBA-8A80-1ED2081A7D43}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{FB635B31-5C1D-461F-85A8-CD1D893E3E5D}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{E8A87C0E-B923-4DA6-A535-4B4A5D2F6A9C}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [TCP Query User{536B4D0B-1FB1-43F3-9EC2-3ACF16B218F1}C:\program files\ms office 2013\microsoft toolkit.exe] => (Allow) C:\program files\ms office 2013\microsoft toolkit.exe
FirewallRules: [UDP Query User{D2C23A65-35DD-49D5-8A8D-5921F04022D3}C:\program files\ms office 2013\microsoft toolkit.exe] => (Allow) C:\program files\ms office 2013\microsoft toolkit.exe
FirewallRules: [{31D6C4D7-B6CF-44F8-8CEA-D335129A38A8}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
FirewallRules: [{F0FD3CD5-5822-4BF2-B262-93655A60723D}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
FirewallRules: [{3CEEC6B0-01EE-4184-BA2C-C4084944EF51}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
FirewallRules: [{8A2C5E40-4101-49CA-BE64-3181F2ED6145}] => (Allow) C:\Users\Bram\Downloads\putty (3).exe
 
C:\Program Files (x86)\AVG
 
EmptyTemp:
*****************
 
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{0A4CCC92-28E6-40DC-91CD-CFC0436D2B30}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0A4CCC92-28E6-40DC-91CD-CFC0436D2B30}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Windows => ":nlsPreferences" ADS removed successfully.
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`27hfm" ADS removed successfully.
C:\ProgramData\Temp => ":F3A89712" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MSIServer" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A4544C7A-8714-4182-A450-E99140CF190D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{81FAD8CB-4A8B-4356-8ED7-2BA0CFF8406D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{39B61F76-F413-432B-90AE-2AC5FC9DCDB0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{42EA6D52-83C3-4DBA-8A80-1ED2081A7D43} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FB635B31-5C1D-461F-85A8-CD1D893E3E5D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E8A87C0E-B923-4DA6-A535-4B4A5D2F6A9C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{536B4D0B-1FB1-43F3-9EC2-3ACF16B218F1}C:\program files\ms office 2013\microsoft toolkit.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{D2C23A65-35DD-49D5-8A8D-5921F04022D3}C:\program files\ms office 2013\microsoft toolkit.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{31D6C4D7-B6CF-44F8-8CEA-D335129A38A8} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F0FD3CD5-5822-4BF2-B262-93655A60723D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3CEEC6B0-01EE-4184-BA2C-C4084944EF51} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8A2C5E40-4101-49CA-BE64-3181F2ED6145} => value removed successfully
C:\Program Files (x86)\AVG => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 63779823 B
Java, Flash, Steam htmlcache => 1102 B
Windows/system/drivers => 153468978 B
Edge => 0 B
Chrome => 430980821 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 22245 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 55156 B
NetworkService => 1415912 B
Bram => 709662931 B
Administrator => 17406565 B
 
RecycleBin => 23910481446 B
EmptyTemp: => 23.6 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 22:10:28 ====
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 8.1 Connected x64 
Ran by Bram (Administrator) on Sun 09/04/2016 at 22:14:12.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 4 
 
Successfully deleted: C:\ProgramData\1468691395.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\1468691525.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\thunder network (Folder) 
Successfully deleted: C:\Users\Public\thunder network (Folder) 
 
 
 
Registry: 3 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{4EA51BAA-D52F-410E-B370-300507DF4984} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 09/04/2016 at 22:17:39.45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male
  • Local time:09:47 AM

Posted 05 September 2016 - 08:54 AM

The Google Chrome shortcuts were hijacked by an argument that launched them with a proxy configuration file, so my guess is that this is where the ads were coming from. We'll just run Emsisoft Emergency Kit to see if there are any remnants left, and grab a fresh set of FRST logs after.

Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open;
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply;
How's your computer running now?

Your next reply(ies) should include:
  • Copy/pasted content of the EEK clean log;
  • Copy/pasted content of FRST.txt;
  • Copy/pasted content of Addition.txt;
  • Answer to my question about your computer's current state;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
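The fixlist above strips a `--proxy-pac-url=` argument from two Google Chrome shortcuts, and this reply explains that this is the likely source of the ads. The script below is an added example for readers, not Aura's code or part of FRST: it audits the same shortcut locations for browser shortcuts carrying injected switches and, with `-Remediate`, clears them. It assumes Windows PowerShell 5.1 or later and the built-in WScript.Shell COM object; the switch list and shortcut roots are the author's choices, not values from the thread.

```powershell
# Added example: audit browser shortcuts (.lnk) for injected command-line arguments,
# e.g. the --proxy-pac-url= hijack removed by the FRST fixlist in this thread.
# Run from an elevated prompt if you want -Remediate to rewrite shortcuts under ProgramData.
param(
    [switch]$Remediate   # when set, clear the flagged arguments instead of only reporting them
)

# Locations where the thread's hijacked shortcuts lived, plus the per-user equivalents.
$ShortcutRoots = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:Public\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('Desktop')
)

# Switches that do not belong on a stock browser shortcut. Constructed list (assumption):
# adware uses them to proxy traffic, sideload extensions or force a start page.
$SuspiciousSwitches = @(
    '--proxy-pac-url=',
    '--proxy-server=',
    '--load-extension=',
    '--disable-web-security',
    'http://',
    'https://'
)

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($root in $ShortcutRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk       = $shell.CreateShortcut($_.FullName)
        $target    = $lnk.TargetPath
        $arguments = $lnk.Arguments

        # Only browser shortcuts are of interest here ('return' skips to the next item).
        if ($target -notmatch '(chrome|firefox|msedge|iexplore|opera|brave)\.exe$') { return }
        if ([string]::IsNullOrWhiteSpace($arguments)) { return }

        $hit = $SuspiciousSwitches | Where-Object { $arguments -like "*$_*" } | Select-Object -First 1
        if (-not $hit) { return }

        $findings += [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $target
            Arguments = $arguments
            Indicator = $hit
        }

        if ($Remediate) {
            # Restore the shortcut to launching the browser with no extra arguments.
            $lnk.Arguments = ''
            $lnk.Save()
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No browser shortcuts with injected arguments found.'
} else {
    $findings | Format-List
    if ($Remediate) { Write-Host "Cleared arguments on $($findings.Count) shortcut(s)." }
}
```

Run it without `-Remediate` first to review what it flags; a shortcut that deliberately passes a URL or `--profile-directory` may be legitimate and should be left alone.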


#5 IDWR

IDWR
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:47 PM

Posted 07 September 2016 - 09:20 AM

Hi Aura!

Thanks for this, too...

It seems that yet other items put my laptop at risk, as there were still files being removed.

My PC is working just fine. Chrome notified me that a program had hijacked the settings and that Chrome restored the settings by itself - this is probably linked to one browser redirection I had, in which a page imitated a message from Google, but was actually adware. And this was only before I ran the scans listed below...

Thanks!

--------------------

Emsisoft Emergency Kit - Version 11.9
Scan log
 
Date Scan Method Objects Scanned Objects Detected Duration Type Computer Name
9/7/2016 3:44:37 PM Malware 76459 9 0:09:38 Manual scan MARB
-------------------
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Bram (administrator) on MARB (07-09-2016 15:59:37)
Running from C:\Users\Bram\Downloads
Loaded Profiles: Bram & Administrator (Available Profiles: Bram & Administrator)
Platform: Windows 8.1 Connected (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Intel® Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Lenovo Settings\LenovoSetSvr.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Lenovo) C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\USB Blocker\USBBKSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_6.3.9600.20278_x64__8wekyb3d8bbwe\numbers.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\acrotray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672152 2014-05-26] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1387376 2014-05-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1387376 2014-05-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1387376 2014-05-13] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2892616 2014-02-19] (ELAN Microelectronics Corp.)
HKLM\...\Run: [BtServer] => C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe [217088 2014-04-08] (Realtek Semiconductor Corporation)
HKLM\...\Run: [PhoneCompanion] => C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe [836592 2014-11-13] (Lenovo)
HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [16094704 2014-11-13] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [10973168 2014-11-13] (Lenovo(beijing) Limited)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-01-07] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4179288 2015-11-30] (Disc Soft Ltd)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [HP Deskjet 3050A J611 series (NET)] => C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AdobeCollabSync.exe [882360 2016-06-30] (Adobe Systems Incorporated)
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\Bluestacks\HD-Agent.exe
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\MountPoints2: {43d2309c-b07e-11e5-8283-f0761c24249e} - "E:\SETUP.EXE" 
HKU\S-1-5-21-1622894908-720436876-2890570449-500\...\MountPoints2: {43d2309c-b07e-11e5-8283-f0761c24249e} - "E:\SETUP.EXE" 
ShellIconOverlayIdentifiers: [00001LenovoSyncComplete] -> {1E9CED2C-E7B4-4C47-B07A-25416393B67B} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00002LenovoSyncActive] -> {C1285F4D-918F-4EF2-BC94-CAD5B118C835} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00003LenovoSyncError] -> {CE5633DA-1488-4D1D-9A9B-B500297D4A8C} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00004LenovoLocalOnly] -> {C7362DA9-D3AC-4C17-B2F5-2F1823FA04C3} => C:\Program Files\Hightail\Hightail for Lenovo\YSINSE64.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers: [00USBBlockerShellDs] -> {BE57AC86-892D-436E-B763-71DA8FA49A48} => C:\Program Files (x86)\Lenovo\USB Blocker\USBBlockerShell.dll [2013-12-25] (Lenovo(beijing) Limited)
ShellIconOverlayIdentifiers: [00USBBlockerShellRd] -> {FFBCBB89-938E-4412-88AF-AE7A531F95C1} => C:\Program Files (x86)\Lenovo\USB Blocker\USBBlockerShell.dll [2013-12-25] (Lenovo(beijing) Limited)
ShellIconOverlayIdentifiers: [00USBBlockerShellRw] -> {42D4ABFA-0604-45F1-9A7C-622F85614BAB} => C:\Program Files (x86)\Lenovo\USB Blocker\USBBlockerShell.dll [2013-12-25] (Lenovo(beijing) Limited)
ShellIconOverlayIdentifiers-x32: [00001LenovoSyncComplete] -> {1E9CED2C-E7B4-4C47-B07A-25416393B67B} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers-x32: [00002LenovoSyncActive] -> {C1285F4D-918F-4EF2-BC94-CAD5B118C835} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers-x32: [00003LenovoSyncError] -> {CE5633DA-1488-4D1D-9A9B-B500297D4A8C} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
ShellIconOverlayIdentifiers-x32: [00004LenovoLocalOnly] -> {C7362DA9-D3AC-4C17-B2F5-2F1823FA04C3} => C:\Program Files (x86)\Hightail\Hightail for Lenovo\YSINSE.dll [2014-06-23] (Hightail Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{93B079ED-117B-483C-B2B9-A87FE2994859}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{D8B275DB-D904-45B2-BCE8-A227E76D92BC}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.lenovo.com
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
HKU\S-1-5-21-1622894908-720436876-2890570449-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-1622894908-720436876-2890570449-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-1622894908-720436876-2890570449-500\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
HKU\S-1-5-21-1622894908-720436876-2890570449-500\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-07-10] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\x64\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-07-13] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\x64\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2013-07-13] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\x64\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\2015\AcroIEFavStub.dll [2015-12-18] (Adobe Systems Incorporated)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-07-29] (Adobe Systems)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-07-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Air\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-07-29] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-07-10] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension.15@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat DC - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Browser\WCFirefoxExtn [2016-05-17]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://homepage-web.com/?s=lenovo&m=home
CHR StartupUrls: Default -> "hxxp://www.google.nl/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
CHR Extension: (Google Search) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-31]
CHR Extension: (Chrome Media Router) - C:\Users\Bram\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-30]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2159320 2016-08-22] (Adobe Systems, Incorporated)
S4 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [95232 2014-03-28] () [File not signed]
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2780856 2015-10-07] (Microsoft Corporation)
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1368408 2015-11-30] (Disc Soft Ltd)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [99632 2013-10-09] (ELAN Microelectronics Corp.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [29728 2016-08-15] (HP Inc.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-02] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-02] (Intel® Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [533760 2014-06-03] (Lenovo)
R2 LenovoSetSvr; C:\Program Files (x86)\Lenovo\Lenovo Settings\LenovoSetSvr.exe [389680 2014-11-13] (Lenovo(beijing) Limited)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [198192 2014-11-13] (Lenovo(beijing) Limited)
R2 PhoneCompanionPusher; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe [288240 2014-11-13] (Lenovo)
S3 PhoneCompanionVap; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionVap.exe [305136 2014-11-13] (Lenovo)
S4 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 USBBKSvc; C:\Program Files (x86)\Lenovo\USB Blocker\USBBKSvc.exe [35824 2013-12-25] (Lenovo(beijing) Limited)
S4 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe [68880 2014-11-13] ()
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-10-29] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 dtlitescsibus; C:\Windows\System32\drivers\dtlitescsibus.sys [30264 2016-01-05] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\drivers\dtliteusbbus.sys [46392 2016-01-05] (Disc Soft Ltd)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S4 epp; C:\EEK\bin64\epp.sys [116944 2016-06-30] (Emsisoft Ltd)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-06-22] ()
R2 LubFsFlt; C:\windows\System32\Drivers\LubFsFlt.sys [27384 2014-02-22] (Lenovo(beijing) Limited)
R0 LubSec; C:\Windows\System32\Drivers\LubSec.sys [45304 2014-02-22] (Lenovo(beijing) Limited)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290520 2013-09-24] (Realtek Semiconductor Corp.)
S3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [559832 2014-02-26] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3421040 2014-04-30] (Realtek Semiconductor Corporation                           )
S3 ssudserd; C:\Windows\system32\DRIVERS\ssudserd.sys [214832 2015-12-08] (DEVGURU Co., LTD.(www.devguru.co.kr))
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [87568 2013-07-02] (Intel Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-14] ("CyberLink)
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-07 15:56 - 2016-09-07 15:56 - 00000390 _____ C:\Users\Bram\Desktop\Scan_160907-155643.txt
2016-09-07 15:08 - 2016-09-07 15:57 - 00000000 ____D C:\EEK
2016-09-07 15:04 - 2016-09-07 15:07 - 246967656 _____ C:\Users\Bram\Downloads\EmsisoftEmergencyKit.exe
2016-09-07 10:30 - 2016-09-07 10:30 - 00000000 _____ C:\Users\Bram\Desktop\Bank accounts.txt
2016-09-04 22:17 - 2016-09-04 22:17 - 00001239 _____ C:\Users\Bram\Desktop\JRT.txt
2016-09-04 22:09 - 2016-09-04 22:10 - 01610560 _____ (Malwarebytes) C:\Users\Bram\Downloads\JRT.exe
2016-09-04 22:08 - 2016-09-04 22:10 - 00007028 _____ C:\Users\Bram\Downloads\Fixlog.txt
2016-09-04 16:13 - 2016-09-04 16:14 - 00037963 _____ C:\Users\Bram\Downloads\Addition.txt
2016-09-04 16:11 - 2016-09-07 16:00 - 00020226 _____ C:\Users\Bram\Downloads\FRST.txt
2016-09-04 16:11 - 2016-09-07 15:59 - 00000000 ____D C:\FRST
2016-09-04 16:08 - 2016-09-04 16:09 - 02397696 _____ (Farbar) C:\Users\Bram\Downloads\FRST64.exe
2016-09-04 15:17 - 2016-09-04 15:17 - 03826240 _____ C:\Users\Bram\Downloads\adwcleaner_6.010.exe
2016-09-04 14:13 - 2016-09-04 14:13 - 00000000 ____D C:\Program Files\HitmanPro
2016-09-04 13:51 - 2016-09-04 13:53 - 137985808 _____ (Microsoft Corporation) C:\Users\Bram\Downloads\msert.exe
2016-09-04 12:55 - 2016-09-04 13:05 - 00000000 ____D C:\ProgramData\HitmanPro
2016-09-04 12:55 - 2016-09-04 12:55 - 11438608 _____ (SurfRight B.V.) C:\Users\Bram\Downloads\hitmanpro_x64.exe
2016-09-03 20:32 - 2016-09-03 20:32 - 00000000 ____D C:\windows\pss
2016-09-03 11:14 - 2016-09-03 11:14 - 00060119 _____ C:\Users\Bram\Documents\PhD studentship - Bram Mulder.pdf
2016-09-02 12:47 - 2016-09-02 12:47 - 00007101 _____ C:\Users\Bram\Documents\aantekeningen.odt
2016-09-01 09:11 - 2016-09-04 17:10 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-01 09:07 - 2016-09-01 09:07 - 00001125 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-01 09:07 - 2016-09-01 09:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-01 09:06 - 2016-09-01 09:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-01 09:06 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2016-09-01 09:06 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2016-09-01 09:06 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
2016-08-21 20:47 - 2016-08-21 20:48 - 484466688 _____ C:\Users\Bram\Documents\Arrow.S01E14.HDTV.XviD-AFG
2016-08-21 20:26 - 2016-09-01 00:30 - 00000000 ____D C:\Program Files (x86)\Yodot AVI Repair
2016-08-21 12:11 - 2016-09-04 17:35 - 00000000 ____D C:\Users\Bram\AppData\LocalLow\uTorrent
2016-08-18 12:35 - 2016-08-18 12:35 - 00079740 _____ C:\Users\Bram\Downloads\mcr_timetable.pdf
2016-08-18 12:34 - 2016-08-18 12:34 - 00851930 _____ C:\Users\Bram\Downloads\international_student_guide.pdf
2016-08-18 12:10 - 2016-08-18 12:10 - 02165368 _____ C:\Users\Bram\Downloads\mcr_handbook.pdf
2016-08-17 15:38 - 2016-08-17 15:38 - 00041004 _____ C:\Users\Bram\Downloads\UCRPT317.pdf
2016-08-17 15:27 - 2016-08-17 15:28 - 01297717 _____ C:\Users\Bram\Downloads\downing_plan_-_visitor_2016.pdf
2016-08-14 21:24 - 2016-08-14 21:24 - 00371564 _____ C:\Users\Bram\Downloads\Mulder%2c Bram.pdf
2016-08-14 21:24 - 2016-08-14 21:24 - 00156015 _____ C:\Users\Bram\Downloads\1Disability disclosure letter 2015.pdf
2016-08-12 20:30 - 2016-08-12 20:30 - 00009656 _____ C:\Users\Bram\Documents\Language assessment.odt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-07 15:15 - 2015-05-31 12:57 - 00000916 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-07 11:53 - 2015-05-04 22:07 - 00000000 ____D C:\Users\Bram\AppData\Local\Packages
2016-09-07 10:15 - 2015-05-31 12:57 - 00000912 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-06 14:29 - 2015-07-31 21:30 - 00938496 ___SH C:\Users\Bram\Documents\Thumbs.db
2016-09-06 14:27 - 2016-05-04 11:40 - 00000000 ____D C:\Users\Bram\Documents\marktplaats
2016-09-05 12:52 - 2015-05-04 22:14 - 00000000 ____D C:\Users\Bram\OneDrive
2016-09-04 22:29 - 2015-05-04 22:14 - 00003598 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1622894908-720436876-2890570449-1001
2016-09-04 22:11 - 2016-01-05 20:46 - 00087040 ___SH C:\Users\Bram\Desktop\Thumbs.db
2016-09-04 22:11 - 2013-08-22 16:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-09-04 22:09 - 2015-05-07 23:17 - 00000000 ____D C:\Users\Bram\AppData\LocalLow\Temp
2016-09-04 22:08 - 2015-12-31 16:58 - 00000000 ____D C:\Users\Bram\AppData\Roaming\uTorrent
2016-09-04 22:08 - 2015-05-31 12:57 - 00002237 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-04 22:08 - 2015-05-31 12:57 - 00002225 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-09-04 22:01 - 2016-01-02 19:17 - 00000000 ____D C:\Users\Bram\AppData\Roaming\vlc
2016-09-04 15:28 - 2016-02-09 20:59 - 00000000 ____D C:\AdwCleaner
2016-09-03 20:33 - 2013-08-22 15:25 - 00262144 ___SH C:\windows\system32\config\BBI
2016-09-03 12:57 - 2014-03-18 11:53 - 00867660 _____ C:\windows\system32\PerfStringBackup.INI
2016-09-03 12:57 - 2013-08-22 15:36 - 00000000 ____D C:\windows\Inf
2016-09-03 12:32 - 2015-10-03 17:05 - 00000000 ____D C:\Users\Bram\AppData\Local\ElevatedDiagnostics
2016-09-03 10:29 - 2013-08-22 17:36 - 00000000 ____D C:\windows\AppReadiness
2016-08-30 17:44 - 2014-11-13 23:32 - 00000000 ____D C:\ProgramData\Energy Manager
2016-08-30 17:30 - 2016-01-05 02:09 - 00000000 ____D C:\Users\Bram\AppData\Local\Microsoft Help
2016-08-21 20:35 - 2014-11-13 23:10 - 00000000 ____D C:\ProgramData\Temp
2016-08-21 20:20 - 2015-07-26 11:25 - 01153024 ___SH C:\Users\Bram\Downloads\Thumbs.db
2016-08-14 21:22 - 2016-07-26 20:10 - 00016842 _____ C:\Users\Bram\Documents\artikel.odt
2016-08-10 11:08 - 2013-08-22 17:36 - 00000000 ___HD C:\Program Files\WindowsApps
 
==================== Files in the root of some directories =======
 
2015-05-04 22:12 - 2015-05-07 23:00 - 0002417 _____ () C:\Users\Bram\AppData\Roaming\AbsoluteReminder.xml
2016-04-26 13:50 - 2016-04-26 14:06 - 0002832 _____ () C:\Users\Bram\AppData\Roaming\droid4xinstaller.log
2015-05-04 22:07 - 2016-09-04 22:12 - 3827265 _____ () C:\Users\Bram\AppData\Local\BTServer.log
2015-05-21 18:55 - 2015-10-23 19:47 - 0000600 _____ () C:\Users\Bram\AppData\Local\PUTTY.RND
2016-01-01 14:47 - 2016-03-04 13:38 - 0007601 _____ () C:\Users\Bram\AppData\Local\Resmon.ResmonCfg
2016-04-10 12:16 - 2016-04-10 12:16 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-11-13 22:31 - 2014-11-13 22:31 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-31 01:17
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by Bram (07-09-2016 16:01:20)
Running from C:\Users\Bram\Downloads
Windows 8.1 Connected (Update) (X64) (2015-05-04 20:06:47)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1622894908-720436876-2890570449-500 - Administrator - Enabled) => C:\Users\Administrator
Bram (S-1-5-21-1622894908-720436876-2890570449-1001 - Administrator - Enabled) => C:\Users\Bram
Guest (S-1-5-21-1622894908-720436876-2890570449-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1622894908-720436876-2890570449-1004 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\uTorrent) (Version: 3.4.8.42449 - BitTorrent Inc.)
Adobe Acrobat DC (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-0E0F06755100}) (Version: 15.006.30201 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.4.0.2710 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.2 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.2.4.194 - Adobe Systems, Inc.)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.)
CyberLink PowerDirector 10 (Version: 10.0.0.2810 - CyberLink Corp.) Hidden
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.2.0.0114 - Disc Soft Ltd)
Dolby Digital Plus Advanced Audio (HKLM\...\{B0BFC63F-EA07-419E-960B-3FB2ED5DD0B2}) (Version: 7.6.3.1 - Dolby Laboratories Inc)
Energy Manager (HKLM-x32\...\InstallShield_{AC768037-7079-4658-AC24-2897650E0ABE}) (Version: 1.5.0.16 - Lenovo)
Energy Manager (x32 Version: 1.5.0.16 - Lenovo) Hidden
GIMP 2.8.16 (HKLM\...\GIMP-2_is1) (Version: 2.8.16 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Hightail for Lenovo (HKLM\...\{2F10E937-F6D7-4174-8AB9-B299E8FC5CEC}) (Version: 2.4.97.2857 - Hightail, Inc.)
HP Deskjet 3050A J611 series Basic Device Software (HKLM\...\{1B77E249-B8D5-4E5E-8848-693ACEF84E6D}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Support Solutions Framework (HKLM-x32\...\{CE7447C2-EF12-4EF3-BE51-BFC3B049C0F6}) (Version: 12.5.32.37 - HP)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3408 - Intel Corporation)
Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1050 - Intel Corporation)
Lenovo FusionEngine  (HKLM-x32\...\Lenovo FusionEngine) (Version: 1.0.13.0 - Lenovo, Inc.)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.1.0.2326 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 8.1.0.2326 - CyberLink Corp.) Hidden
Lenovo PhoneCompanion (HKLM-x32\...\InstallShield_{0F82EA83-B0C5-4AB9-9695-DFE92C5FD57B}) (Version: 1.2.0.0 - Lenovo)
Lenovo PhoneCompanion (x32 Version: 1.2.0.0 - Lenovo) Hidden
Lenovo pointing device (HKLM\...\Elantech) (Version: 11.4.38.2 - ELAN Microelectronic Corp.)
Lenovo Settings (HKLM-x32\...\InstallShield_{42F8AFC3-7944-46CC-9689-94FF9869D0A7}) (Version: 1.0.0.42 - Lenovo)
Lenovo Settings (x32 Version: 1.0.0.42 - Lenovo) Hidden
Lenovo SHAREit (HKLM-x32\...\Lenovo SHAREit_is1) (Version: 2.0.5.0 - Lenovo Group Limited)
Lenovo USB Blocker (HKLM-x32\...\InstallShield_{18706F18-ACE4-4510-A59C-104693E7978B}) (Version: 1.0.0.37 - Lenovo)
Lenovo USB Blocker (x32 Version: 1.0.0.37 - Lenovo) Hidden
Lenovo VeriFace Pro (HKLM\...\Lenovo VeriFace) (Version: 5.1.14.2111 - Lenovo)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Metric Collection SDK 35 (x32 Version: 1.2.0001.00 - Lenovo Group Limited) Hidden
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Opticon USB Drivers Installer (HKLM-x32\...\Opticon USB Installer) (Version:  - )
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4420.1017 - Microsoft Corporation) Hidden
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.10525 - CyberLink Corp.)
REALTEK Bluetooth Driver (HKLM-x32\...\{9D3D8C60-A5EF-4123-B2B9-172095903AB}) (Version: 3.810.812.040814 - REALTEK Semiconductor Corp.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9600.29071 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7254 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{9DAABC60-A5EF-41FF-B2B9-17329590CD5}) (Version: 1.00.243 - REALTEK Semiconductor Corp.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Total Commander 64-bit (Remove or Repair) (HKLM\...\Totalcmd64) (Version: 8.51a - Ghisler Software GmbH)
User Manuals (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 3.0.0.3 - Lenovo)
User Manuals (x32 Version: 3.0.0.3 - Lenovo) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Windows Driver Package - Lenovo (ACPIVPC) System  (09/24/2013 19.29.2.34) (HKLM\...\EE9B1F2037C580F36D92FA431CC02BFF04C31F15) (Version: 09/24/2013 19.29.2.34 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid  (07/25/2013 10.30.0.288) (HKLM\...\6BCA401E9CBEED970D75F55FA5320F60D11984E9) (Version: 07/25/2013 10.30.0.288 - Lenovo)
WinRAR 5.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.20.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {04721EA3-B211-40A1-AD3A-D577928449FD} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-31] (Google Inc.)
Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {3B3AA27F-6F28-4C62-9AD0-8EEA887AF857} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
Task: {3FBCFD1A-AEB9-4CE3-9A0E-E04E0927DD71} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2014-05-30] (Lenovo)
Task: {5528DAFD-DB63-4950-937D-C3AA4356213E} - System32\Tasks\DolbySelectorTask => C:\Program Files\Dolby Digital Plus\ddp.exe
Task: {5CB3C9CC-804C-42C5-BDAA-DE3F97F74BFC} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {6CD7C04B-4904-4AF0-847C-57BE1B5F4A52} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy
Task: {7724DBD9-CEEF-4AD8-954C-784909CF0040} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe
Task: {79B360CF-93E4-4357-897D-291D6CAF9C06} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2015-10-07] (Microsoft Corporation)
Task: {84C1A032-B94A-46E1-83AC-D224512BFC6E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-31] (Google Inc.)
Task: {8818A562-7085-4858-80E6-25FD93778836} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {8E360733-7B5F-440C-9F4F-92843D761DC6} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-06-25] (Adobe Systems Incorporated)
Task: {A180F87B-0565-4AB3-85F3-D15F19BE7D45} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2012-10-01] (Microsoft Corporation)
Task: {B1903AA8-EE02-4DC5-A509-01632F452FA3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-05-09] (Hewlett-Packard)
Task: {D405D405-3350-401D-9D98-D2438AF725A5} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2015-10-07] (Microsoft Corporation)
Task: {E85A9D4A-792C-4F77-9F03-ADEC39FE0376} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.)
Task: {FFB87EBA-E45D-4402-86EA-61F2D63C6310} - System32\Tasks\PDVDServ Task => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.EXE
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-05-07 22:56 - 2015-10-07 20:28 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2013-07-10 20:31 - 2013-07-10 20:31 - 08865448 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 15:25 - 2016-07-16 19:48 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\Lenovo\LenovoWallPaper.jpg
HKU\S-1-5-21-1622894908-720436876-2890570449-500\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\Lenovo\LenovoWallPaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: BTDevManager => 2
MSCONFIG\Services: RichVideo64 => 2
MSCONFIG\Services: VeriFaceSrv => 2
HKLM\...\StartupApproved\Run: => "RtHDVBg_LENOVO_MICPKEY"
HKLM\...\StartupApproved\Run: => "RtHDVBg_LENOVO_DOLBYDRAGON"
HKLM\...\StartupApproved\Run: => "Energy Manager"
HKLM\...\StartupApproved\Run: => "PhoneCompanion"
HKLM\...\StartupApproved\Run: => "Lenovo Utility"
HKLM\...\StartupApproved\Run: => "PasswordManager"
HKLM\...\StartupApproved\Run: => "RtHDVCpl"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "ConnectionCenter"
HKLM\...\StartupApproved\Run32: => "Redirector"
HKLM\...\StartupApproved\Run32: => "UpdateP2GShortCut"
HKLM\...\StartupApproved\Run32: => "CitrixReceiver"
HKLM\...\StartupApproved\Run32: => "AvgUi"
HKLM\...\StartupApproved\Run32: => "AVG_UI"
HKLM\...\StartupApproved\Run32: => "ConsumerClickSysTrayIcon"
HKLM\...\StartupApproved\Run32: => "Acrobat Assistant 8.0"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\StartupApproved\Run: => "DAEMON Tools Lite Automount"
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\StartupApproved\Run: => "Adobe Acrobat Synchronizer"
HKU\S-1-5-21-1622894908-720436876-2890570449-1001\...\StartupApproved\Run: => "BlueStacks Agent"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{55EDCDC7-C883-4004-9413-D71E84D1DF8F}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{1891A970-2321-48E1-9770-4FF3D7CF9E99}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{0A68E231-5955-45D1-8271-AA799FDEA751}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{D75A2007-52C6-4993-85AE-4468FB5119D2}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{1FD505E9-7019-42C1-9C25-83D7EC206E5D}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{E8872595-C8DB-43E6-8667-15D7853FB0F2}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{2799B041-8663-4B8B-9C84-53900F498F2F}] => (Allow) C:\Program Files\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{07686D08-220E-435A-803E-5CE6B956B1D2}] => (Allow) LPort=55100
FirewallRules: [{FE18252F-1276-4842-98D0-071EA4406D61}] => (Allow) C:\Program Files\Lenovo PhotoMasterImport\PhotoMasterImport.exe
FirewallRules: [{57999B53-6056-44A1-895E-45536800F762}] => (Allow) C:\Users\Bram\AppData\Local\Temp\nsn9E01.tmp\CnetInstaller-10038129.exe
FirewallRules: [{36C92912-2A56-4E93-83C7-EC3417E29D72}] => (Allow) C:\Users\Bram\AppData\Local\Temp\nsn9E01.tmp\CnetInstaller-10038129.exe
FirewallRules: [{8EE05DAE-7A47-43B6-B29A-D0E3C1BA881B}] => (Allow) C:\windows\system32\mstsc.exe
FirewallRules: [{2A82D80E-3196-4110-AED1-55DF4AE78132}] => (Allow) C:\windows\system32\mstsc.exe
FirewallRules: [{A1412632-535F-414E-AD6C-8B576CD6E64E}] => (Allow) C:\windows\system32\mstsc.exe
FirewallRules: [{34E6294D-6BFD-42DA-9B83-EF53BB3B6C2D}] => (Allow) C:\windows\system32\mstsc.exe
FirewallRules: [{58B27187-540E-4E1B-902E-39374B385517}] => (Allow) LPort=6000
FirewallRules: [{C6136B9D-E191-43E5-B4BE-B3E808E1EC9C}] => (Allow) C:\Program Files (x86)\Xming\XLaunch.exe
FirewallRules: [{EEF29E7C-AA23-41F5-BDA2-09ADF47E0800}] => (Allow) C:\Program Files (x86)\Xming\XLaunch.exe
FirewallRules: [{E1819170-1ADF-4CC7-B234-82FBD71B7845}] => (Allow) C:\Program Files (x86)\Xming\XLaunch.exe
FirewallRules: [{4BAC880F-9EA0-4BCA-8745-F31232FA25B4}] => (Allow) C:\Program Files (x86)\Xming\XLaunch.exe
FirewallRules: [{C0A74684-3643-447B-B5F7-0B0167A0CF33}] => (Allow) C:\Program Files (x86)\Xming\Xming.exe
FirewallRules: [{49D36C98-DF0D-4567-AB87-E0CEB7408389}] => (Allow) C:\Program Files (x86)\Xming\Xming.exe
FirewallRules: [{C4114781-963F-43B6-991A-392C1CB108BB}] => (Allow) C:\Program Files (x86)\Xming\Xming.exe
FirewallRules: [{601C1757-694D-488D-B7F2-B438D8FC8558}] => (Allow) C:\Program Files (x86)\Xming\Xming.exe
FirewallRules: [{544C87AD-E0B0-49BB-8A90-2276753EA67E}] => (Allow) C:\Program Files (x86)\XCURSION\x86\wxserver.exe
FirewallRules: [{EC1634C6-B21A-4F48-BDD5-662A0E035F66}] => (Allow) C:\Program Files (x86)\XCURSION\x86\wxserver.exe
FirewallRules: [{FC4CC6F8-B333-44FB-864C-D747151C1856}] => (Allow) C:\Program Files (x86)\XCURSION\x86\wxserver.exe
FirewallRules: [{3AA82904-FC66-460A-BA4D-8B7F3FCB22C7}] => (Allow) C:\Program Files (x86)\XCURSION\x86\wxserver.exe
FirewallRules: [TCP Query User{8D3515F7-BF13-42B7-A434-D94BDE6638AC}C:\program files (x86)\starnet\x-win32 2014\esd.exe] => (Allow) C:\program files (x86)\starnet\x-win32 2014\esd.exe
FirewallRules: [UDP Query User{A76E7177-90B9-4BFB-9C69-6680EF7C63F4}C:\program files (x86)\starnet\x-win32 2014\esd.exe] => (Allow) C:\program files (x86)\starnet\x-win32 2014\esd.exe
FirewallRules: [{14532387-626D-41EA-B08F-38BD32A04F40}] => (Block) C:\program files (x86)\starnet\x-win32 2014\esd.exe
FirewallRules: [{5182CF9B-B401-4C68-9951-1A3E34D41B19}] => (Block) C:\program files (x86)\starnet\x-win32 2014\esd.exe
FirewallRules: [TCP Query User{7043423E-5262-45E4-A9C5-6710A09B9089}C:\program files\totalcmd\totalcmd64.exe] => (Allow) C:\program files\totalcmd\totalcmd64.exe
FirewallRules: [UDP Query User{9DA2A8C3-F701-4B36-96FD-8594D6A1A549}C:\program files\totalcmd\totalcmd64.exe] => (Allow) C:\program files\totalcmd\totalcmd64.exe
FirewallRules: [{B8E297D2-A9FE-4C08-A736-435175274610}] => (Block) C:\program files\totalcmd\totalcmd64.exe
FirewallRules: [{7D691980-DF04-4F75-AC62-0E8F7AD6EA98}] => (Block) C:\program files\totalcmd\totalcmd64.exe
FirewallRules: [{41939EB5-7CF3-4CAE-BDB0-163F08BDAC9B}] => (Allow) C:\Users\Bram\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{5CE56E95-547B-4931-9BE2-A2516A5610FA}] => (Allow) C:\Users\Bram\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{06E6DE59-02A0-47F8-AAF2-9E4C5CD5A1EB}] => (Allow) C:\Users\Bram\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{65B256DD-6E1E-49AB-9DA6-C8B0A1B650D1}] => (Allow) C:\Users\Bram\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{634F945B-6764-453D-A35C-2C3C402750C5}] => (Allow) C:\Users\Bram\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{586D1786-81AF-4D41-BF47-A68E3C07FB77}] => (Allow) C:\Users\Bram\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{69A811DF-5FA1-4232-AD48-F41F59F22AC6}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{E240B298-663A-411B-BB56-CBBA61B442D0}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{3EEC2279-F24A-4272-A4DB-FD13113F8EA4}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{E5B2ACBF-9624-43A4-B7A5-0BA6D7F5171A}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{A233AAF4-EBCE-4527-8053-A1EFA270E2D6}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{5842AAE4-C340-4C94-81CB-77D98F08BC6C}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{64D89501-6828-4FC8-B48C-AD70BB0621D6}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{DF48F01E-4FDA-4546-8CE8-C0700938F42B}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{643CDDC4-CAFA-49D6-9841-F281A29042CF}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\DeviceSetup.exe
FirewallRules: [{F23DAD9A-38A6-49E8-9DAB-7B36402E2D53}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe
FirewallRules: [{F3496C84-9F62-4B44-85E8-B39B63E79672}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{90EDB22A-AF12-464D-907E-AEA97E8B2E08}] => (Allow) C:\Program Files\Andy\SetupFiles\Uninstall.exe
FirewallRules: [{DA4DAC32-B6BC-44BC-B5FD-1B96C672E6A7}] => (Allow) C:\Program Files\Andy\SetupFiles\Uninstall.exe
FirewallRules: [TCP Query User{F8E224E7-91B0-4E43-B241-6955362086D3}C:\users\bram\appdata\roaming\haiyuinst\plugins\download\minithunderplatform.exe] => (Allow) C:\users\bram\appdata\roaming\haiyuinst\plugins\download\minithunderplatform.exe
FirewallRules: [{EBF05F47-73DB-460E-87F2-929DD54E5A4A}] => (Allow) C:\Program Files (x86)\Droid4X\Droid4X.exe
FirewallRules: [{304CCE00-FE9E-4CA8-B310-4E9BBE3DF66A}] => (Allow) C:\Program Files (x86)\Droid4X\download\MiniThunderPlatform.exe
FirewallRules: [{C62D278D-EF19-44F8-BAC3-246893DB2CD3}] => (Allow) C:\Program Files (x86)\Droid4X\download\MiniThunderPlatform.exe
FirewallRules: [{9FB71D28-DB71-40FE-B691-20902289E01D}] => (Allow) C:\Program Files\Oracle\VirtualBox\vboxheadless.exe
FirewallRules: [TCP Query User{3CA83CDA-BBCF-4438-997A-AA33C98077F2}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{BF557D57-0A05-4B3F-8368-1BEA0A570356}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{56CCCF84-474C-4C3C-AADD-F19017FA944B}C:\program files (x86)\skype\phone\skype.exe] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{DFF144E3-5E48-40D4-AA90-10B192C81BAE}] => (Allow) C:\Users\Bram\AppData\Local\Temp\andy-x64\Setup.exe
FirewallRules: [{9E84C4B6-C3E4-42A8-8A6E-C7D86C104AD7}] => (Allow) C:\Program Files\Andy\andy.exe
FirewallRules: [{506E56EA-D00B-424D-AB93-74D7FF70088C}] => (Allow) C:\Program Files\Andy\andy.exe
FirewallRules: [{D159D7CA-4108-4960-80A5-488D8CCE78DB}] => (Allow) C:\Program Files\Andy\AndyConsole.exe
FirewallRules: [{3696F1F7-6C00-4468-AE52-839D8B14B733}] => (Allow) C:\Program Files\Andy\AndyConsole.exe
FirewallRules: [{7F678179-C71C-4407-8D79-B6912FEA882B}] => (Allow) C:\Program Files\Andy\HandyAndy.exe
FirewallRules: [{D4156B3A-7C92-404B-9240-468DA63D9C3C}] => (Allow) C:\Program Files\Andy\HandyAndy.exe
FirewallRules: [{A0BE6B0D-67E1-4CD6-B52B-1AEB104F59BD}] => (Allow) C:\Program Files\Andy\SetupFiles\Uninstall.exe
FirewallRules: [{EDC5434B-E57F-44BD-B1E5-D0A3CD4FCBB1}] => (Allow) C:\Program Files\Andy\SetupFiles\Uninstall.exe
FirewallRules: [{8C40B839-BE71-4050-9877-1B5D200CEBC5}] => (Allow) C:\Users\Bram\AppData\Local\Temp\andy-x64\Setup.exe
FirewallRules: [TCP Query User{49A2EFCB-5FDA-45F7-934C-8FD1221D8444}C:\users\bram\appdata\local\skypeplugin\pluginhost.exe] => (Allow) C:\users\bram\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [UDP Query User{D2F09BB4-8439-4F95-918D-A357246DBCFD}C:\users\bram\appdata\local\skypeplugin\pluginhost.exe] => (Allow) C:\users\bram\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [TCP Query User{994C52E0-37B3-4281-88E6-2A9BA070B7EC}C:\users\bram\appdata\local\skypeplugin\pluginhost.exe] => (Block) C:\users\bram\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [UDP Query User{102EC47F-41E7-4149-88B2-8B987248FB09}C:\users\bram\appdata\local\skypeplugin\pluginhost.exe] => (Block) C:\users\bram\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [{051B4C47-3D25-4432-997E-9C692BB912A9}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
28-08-2016 16:28:54 Scheduled Checkpoint
04-09-2016 22:14:15 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
Name: Realtek Bluetooth 4.0 Adapter
Description: Realtek Bluetooth 4.0 Adapter
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: Realtek Semiconductor Corp.
Service: BTHUSB
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/07/2016 09:36:40 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/06/2016 10:41:54 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/05/2016 09:29:47 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/04/2016 09:51:12 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/03/2016 08:39:59 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\windows\system32\msiexec.exe /V; Description = Removed Absolute Reminder; Error = 0x8007043c).
 
Error: (09/03/2016 08:39:58 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\windows\system32\msiexec.exe /V; Description = Removed Absolute Reminder; Error = 0x8007043c).
 
Error: (09/03/2016 10:34:24 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/02/2016 03:19:17 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/01/2016 08:45:01 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (08/31/2016 12:23:00 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
 
System errors:
=============
Error: (09/07/2016 03:06:58 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/07/2016 01:54:53 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/07/2016 12:54:49 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/07/2016 11:54:46 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/07/2016 10:42:41 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/07/2016 09:42:37 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/06/2016 09:29:46 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/06/2016 08:29:42 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/06/2016 07:05:35 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
Error: (09/06/2016 06:05:32 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer COMTREND
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D8B275DB-D904-45B2-BCE8-A227E76D92BC}.
The master browser is stopping or an election is being forced.
 
 
CodeIntegrity:
===================================
  Date: 2016-09-05 12:55:23.553
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-04 12:54:34.687
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-30 15:35:42.138
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-23 12:54:55.646
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-16 22:28:15.356
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-06-22 03:18:37.837
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-05-22 15:53:24.698
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-05-17 09:50:33.980
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-05-03 16:54:06.354
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-05-02 10:38:59.449
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\AVG\Framework\Common\avgfmwbasex.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Celeron® CPU N2840 @ 2.16GHz
Percentage of memory in use: 43%
Total physical RAM: 3978.19 MB
Available physical RAM: 2236.13 MB
Total Virtual: 4746.19 MB
Available Virtual: 2591.23 MB
 
==================== Drives ================================
 
Drive c: (Windows8_OS) (Fixed) (Total:423.73 GB) (Free:284.41 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:22.59 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 7BF02449)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 07 September 2016 - 09:32 AM

It seems that yet other items put my laptop at risk, as there were still files being removed.


What do you mean by that? What files were removed and by what program?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 IDWR

IDWR
  • Topic Starter

  • Members
  • 6 posts

Posted 07 September 2016 - 10:12 AM

Oh, I'm sorry.

It was the Emsisoft Kit, which still found files that had to be quarantined. So I meant that apparently not all issues were resolved after the prior scans :)



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 07 September 2016 - 10:21 AM

In the log you copy/pasted (which appears incomplete), I don't see any detections. Can you copy/paste again and make sure that the detections are included?



#9 IDWR

IDWR
  • Topic Starter

  • Members
  • 6 posts

Posted 07 September 2016 - 12:22 PM

Ah, now I see...

 

Emsisoft Emergency Kit - Version 11.9
Last update: 9/7/2016 3:25:47 PM
User account: MARB\Bram
Computer name: MARB
OS version: Windows 8.1x64 
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 9/7/2016 3:44:37 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
C:\windows\SECOH-QAD.dll detected: Riskware.NetTool (A)
 
Scanned 76459
Found 9
 
Scan end: 9/7/2016 3:54:15 PM
Scan time: 0:09:38
 
C:\windows\SECOH-QAD.dll Riskware.NetTool (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Setting.DisableTaskMgr (A)
 
Quarantined 5


#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 07 September 2016 - 12:28 PM

Except for the SECOH-QAD.dll file that was deleted, the others are standard detections by Emsisoft, nothing to worry about :) Do you have another device (computer, laptop, etc.) where you have Google Chrome installed and are logged in to your Google account?



#11 IDWR

IDWR
  • Topic Starter

  • Members
  • 6 posts

Posted 07 September 2016 - 12:31 PM

Yes, there is an Android tablet device, where my Google account is used for Google Play etc.



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 07 September 2016 - 12:48 PM

Alright, on your computer, in Google Chrome, go into the Settings (click on the little hamburger menu in the top-right corner). Now, under On startup, click on the Set pages button, delete the homepage-web.com URL and click on the Ok button. Once done, close Google Chrome, re-open it, follow the same instructions and tell me if the homepage-web.com URL is still present or not.



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 10 September 2016 - 01:46 PM

Hi IDWR,

Are you still with me? Can you follow the instructions in my previous post?



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 12 September 2016 - 06:58 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
