
Win7 BSOD - claims issue with atikmdag.sys (FRST log)


25 replies to this topic

#1 sr_philly

Posted 11 September 2016 - 07:46 PM

(Continued post from here)

 

Hi - in repairing a friend's computer, I've run into some malware. Having done this for my own computer many years ago, I thought I'd be able to assist with simple tools, but this one is unlike anything I've seen before. In my previous post, I included a screenshot. In that post I was advised to run an FRST scan, and I'm including the log below, along with the Addition.txt file. I see a few questionable things, but won't take any action until directed to. Any installations from yesterday are the items I installed in trying to fix things (SUPERAntiSpyware, etc.).

 

If it helps with dates when reading the logs: I think he said the computer started acting strangely a week or two ago (I got a call about it on 9/4, so it was already infected by then; I went to look at it and brought it home on 9/7, and started working on it on 9/7).

 

Once again, thank you for your assistance!

 

-Steve

 

___________________

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by viktoriya (administrator) on VIKTORIYA-PC (11-09-2016 20:27:34)
Running from C:\Users\viktoriya\Desktop
Loaded Profiles: viktoriya (Available Profiles: viktoriya)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
() C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
() C:\Program Files (x86)\Stlr\nerta\nertacs.exe
() C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe
() C:\Program Files (x86)\Videodriver\WindowService.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Yandex) C:\Program Files (x86)\Yandex\Common\elements64.exe
() C:\Program Files (x86)\clitoral\weininger.exe
(Global surveys) C:\Users\viktoriya\AppData\Roaming\NetCtl\netctl.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
() C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
() C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtcmd.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winampa.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] => c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
HKLM-x32\...\Run: [ddoctorv2] => C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtcmd.exe [202560 2008-04-24] (SupportSoft, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Guard.Mail.ru.gui] => C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe [4721368 2015-11-20] ()
HKLM-x32\...\Run: [WinampAgent] => C:\Program Files (x86)\Winamp\winampa.exe [74752 2010-12-09] (Nullsoft, Inc.)
HKLM-x32\...\Run: [AlterGeoUpdater] => C:\Program Files (x86)\AlterGeo\Html5 geolocation provider\html5locsvc.exe [29256 2012-06-06] (AlterGeo)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1282120 2013-05-02] (CANON INC.)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
HKLM-x32\...\Run: [curl] => C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl\curl.exe [10240 2016-08-20] (pepsmich)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9107104 2016-09-10] (AVAST Software)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] => C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe [559616 2011-10-08] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Desktop Software] => "C:\Program Files (x86)\Common Files\SupportSoft\bin\bcont.exe"  /ini "C:\Program Files (x86)\ComcastUI\Desktop Software\uinstaller.ini" /fromrun /starthidden
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Clownfish] => 0
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Download] => "C:\Users\viktoriya\AppData\Local\SupportSoft\ddoctorv2\viktoriya\SSGet.exe" 120 "hxxp://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [MAgent] => C:\Users\viktoriya\AppData\Roaming\Mail.Ru\Agent\magent.exe [28413472 2013-02-05] (Mail.Ru)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [AlterGeoUpdater] => C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\html5locsvc.exe [29904 2014-08-01] (AlterGeo)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-11-15] (Google Inc.)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Muzbaza] => C:\Program Files (x86)\Muzabaza\Muzabaza player\Muzabaza.exe -m
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [YandexElements] => C:\Program Files (x86)\Yandex\Common\elements64.exe [1164576 2014-07-09] (Yandex)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Ads Expert Browser] => C:\Users\viktoriya\AppData\Roaming\AEB\Updater_aeb.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [weininger] => C:\Program Files (x86)\clitoral\weininger.exe [36769 2016-09-03] ()
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [AdobeFlash] => C:\Program Files (x86)\Error Finder\Adobeflash.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [L] => C:\Program Files (x86)\Error Finder\fatalerror.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [NetCtl] => C:\Users\viktoriya\AppData\Roaming\NetCtl\netctl.exe [4110336 2016-09-10] (Global surveys)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [ENHVINGORT] => "C:\Program Files (x86)\DPower\XYO8BFEO2U.exe"
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [MRA.exe] => C:\Windows\system32\MRA.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [dionysius] => "C:\Program Files (x86)\grizzly\acetyl.exe"
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-08-30] (SUPERAntiSpyware)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-03-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-09-10] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-09-27]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-09-27]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk [2016-09-10]
ShortcutTarget: Nerta.lnk -> C:\Windows\System32\schtasks.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{61AD0BC6-7DD8-4068-B3DB-DEF7940206ED}: [NameServer] 188.120.239.115,8.8.8.8
Tcpip\..\Interfaces\{61AD0BC6-7DD8-4068-B3DB-DEF7940206ED}: [DhcpNameServer] 192.168.1.1
ManualProxies:

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617911&ResetID=131180007039751758&GUID=4BAE66A8-9ED8-4FFB-94E6-8CDA3B49C111
URLSearchHook: HKLM-x32 - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM -> {9E75ECF1-E6E2-4DCA-9B8E-45DD1015E2DC} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {22174564-B0BF-40A0-B4EB-1AEA9AC49A66} URL =
SearchScopes: HKLM-x32 -> {23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM-x32 -> {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110328060230803&tb_oid=20-12-2010&tb_mrud=28-03-2011
SearchScopes: HKU\.DEFAULT -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\.DEFAULT -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> DefaultScope {104FBF2C-59B4-4352-9D32-36B0B70F97EE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Comcast URL = hxxp://search.comcast.net/?cat=web&con=net&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {104FBF2C-59B4-4352-9D32-36B0B70F97EE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} URL = hxxp://www.bing.com/search?FORM=SKY2DF&PC=SKY2&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.ua/search/?text={searchTerms}&clid=2261463
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {989CBD03-E3E2-4713-94F4-8CFC9CD6DBDB} URL = hxxp://yandex.ua/yandsearch?win=133&clid=1946476-103&text={searchTerms}
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {E519AA1F-E8A8-47ED-92E3-BCFB65055819} URL = hxxp://search.comcast.net/search?cat=Web&con=toolbar&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110328060230803&tb_oid=20-12-2010&tb_mrud=28-03-2011
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {F7BA91BB-EC61-4902-B109-7BF82CC7C0F3} URL = hxxp://www.google.com.ua/search?hl=ru&q={searchTerms}&rlz=1I7ADFA_en
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/search?q={SearchTerms}&ieverfix=1&fr=ieverfix_dse
BHO: MailRuBHO Class -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll => No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-09-10] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
BHO: Візуальні закладки -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> C:\Program Files (x86)\Yandex\FastDial\fastdial64Host.dll [2014-07-09] ()
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-09-27] (Sun Microsystems, Inc.)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: No Name -> {164d3751-cac6-4a6d-becd-ea67df61d232} -> No File
BHO-x32: No Name -> {2EECD738-5844-4a99-B4B6-146BF802613B} -> No File
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2010-11-08] (CANON INC.)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: No Name -> {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} -> No File
BHO-x32: No Name -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-09-10] (AVAST Software)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: AlterGeoBHO Class -> {9BFBA68E-E21B-458E-AE12-FE85E903D2C0} -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll [2014-08-01] (Altergeo)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-22] (Google Inc.)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
BHO-x32: No Name -> {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -> No File
BHO-x32: Візуальні закладки -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> C:\Program Files (x86)\Yandex\FastDial\fastdialHost.dll [2014-07-09] ()
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-09-27] (Sun Microsystems, Inc.)
Toolbar: HKLM - Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll No File
Toolbar: HKLM - Елементи Яндекса - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files (x86)\Yandex\Elements\bartab64host.dll [2014-07-09] ()
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2010-11-08] (CANON INC.)
Toolbar: HKLM-x32 - Елементи Яндекса - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files (x86)\Yandex\Elements\bartabhost.dll [2014-07-09] ()
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-22] (Google Inc.)
Toolbar: HKU\.DEFAULT -> Елементи Яндекса - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files (x86)\Yandex\Elements\bartab64host.dll [2014-07-09] ()
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -  No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Елементи Яндекса - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files (x86)\Yandex\Elements\bartab64host.dll [2014-07-09] ()
DPF: HKLM-x32 {D71F9A27-723E-4B8B-B428-B725E47CBA3E} hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\nhuzu5j4.default-1473517595655
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4222842628-115724200-1229576652-1000: @altergeo.ru/Html5loc -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll [2014-08-01] (Altergeo)
FF Plugin HKU\S-1-5-21-4222842628-115724200-1229576652-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\viktoriya\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-03-10] (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npkimi.dll [2007-12-17] ( )
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\mailru.xml [2014-02-15]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\ozonru.xml [2014-02-15]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\priceru.xml [2014-02-15]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yandex-slovari.xml [2014-02-15]
FF Extension: (Firefox Hotfix) - C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\nhuzu5j4.default-1473517595655\Extensions\firefox-hotfix@mozilla.org.xpi [2016-09-10]
FF Extension: (Skype Click to Call) - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-06-19] [not signed]
FF Extension: (Skype Click to Call) - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-06-19] [not signed]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-09-10]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-09-10]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HomePage: Default -> mail.ru/cnt/9852088
CHR StartupUrls: Default -> "hxxp://mail.ru/cnt/10445",
      "hxxp://opatolo.ru/?utm_source=startpage03&utm_content=678dd9988de1f846bfeee036e0fe1554&utm_term=70AFCE0233AED4F034BA8FBB883B3149&utm_d=20160217"
    
CHR DefaultSearchURL: Default -> hxxp://go.mail.ru/search?q={SearchTerms}&fr=chrome
CHR DefaultSearchKeyword: Default -> go.mail.ru
CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/ff3?q={searchTerms}
CHR Profile: C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-17]
CHR Extension: (Поделиться ВКонтакте) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjgfnbgjnmeohehminfenoahkcddidpi [2016-02-17]
CHR Extension: (Slither.io Mods,Skins Hack & Guide) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjfkhabmnaeohgoibhpiebgjfejjjdml [2016-05-29]
CHR Extension: (Smashy Road) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\filnchommffflkjipikhoolnfdghadnm [2016-05-30]
CHR Extension: (Slither.io Mod Play with friends Without LAGS) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\foocpcikeakahdlplgpgfoilanoajijf [2016-05-30]
CHR Extension: (Google Docs Offline) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Agar.io Powerups Guide) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfiiapoopclmhaikgpbgddfpmmddmeo [2016-05-29]
CHR Extension: (Agar.io Guide Skins and Powerups) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\lggjoeoadbenkimmgnfdigiodkkmknik [2016-05-29]
CHR Extension: (Diep.io Skins, Mods, Hack & Guide) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\mobocjabocnlckohhkhcalnfcllgnkhi [2016-05-29]
CHR Extension: (Ad;Block Plus) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbcokjcdigciakmjlohaodfinhniimgp [2016-05-29]
CHR Extension: (JoniCOupon) - C:\ProgramData\cdegcldddpfnjgjpdiolmbiioflenoja\ []
CHR Profile: C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Slither.io Bots, Mods,& Friends) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ihmcniojbflmaonbojipkkjcehcggjla [2016-05-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-30]
CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\VIKTOR~1\AppData\Local\Temp\crx325F.tmp <not found>
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gndaciceccgapjhpniecknjlmmlanaem] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [knkbjienkchfjlhelbmjfhlongandllk] - C:\Users\viktoriya\AppData\Local\FASTExtensions\knkbjienkchfjlhelbmjfhlongandllk_main.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]
CHR HKLM-x32\...\Chrome\Extension: [pldbienodkpgkccocelidinmciedjdok] - hxxps://clients2.google.com/service/update2/crx

Opera:
=======
OPR StartupUrls: "hxxp://opatolo.ru/?utm_source=startpage03&utm_content=678dd9988de1f846bfeee036e0fe1554&utm_term=70AFCE0233AED4F034BA8FBB883B3149&utm_d=20160217"
StartMenuInternet: (HKLM) Opera - C:\Program Files\Opera x64\Opera.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-09-10] (AVAST Software)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
R2 Guard.Mail.ru; C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe [4721368 2015-11-20] ()
R2 nrtService; C:\Program Files (x86)\Stlr\nerta\nertacs.exe [12288 2016-08-16] () [File not signed]
R2 sprtsvc_ddoctorv2; C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe [202560 2008-04-24] (SupportSoft, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WindowService; C:\Program Files (x86)\Videodriver\WindowService.exe [8192 2016-09-02] () [File not signed]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-09-10] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-09-10] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-09-10] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-09-10] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-09-10] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969560 2016-09-10] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513496 2016-09-10] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-09-10] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-09-10] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 cpuz134; \??\C:\Users\VIKTOR~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-11 22:44 - 2016-09-11 22:44 - 00003870 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1400692265
2016-09-11 20:27 - 2016-09-11 20:27 - 00031169 _____ C:\Users\viktoriya\Desktop\FRST.txt
2016-09-11 19:52 - 2016-09-11 20:27 - 00000000 ____D C:\FRST
2016-09-11 19:51 - 2016-09-11 19:51 - 02397696 _____ (Farbar) C:\Users\viktoriya\Desktop\FRST64.exe
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\SUPERAntiSpyware.com
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-09-10 18:52 - 2016-09-03 12:20 - 00313856 _____ C:\Users\viktoriya\AppData\Local\settings.dll
2016-09-10 18:52 - 2015-06-26 15:08 - 00294400 _____ (CodePlex Community) C:\Users\viktoriya\AppData\Local\Microsoft.Win32.TaskScheduler.dll
2016-09-10 18:38 - 2016-09-10 18:39 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2016-09-10 18:38 - 2016-09-10 18:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
2016-09-10 18:16 - 2016-09-10 18:16 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-09-10 18:16 - 2016-09-10 18:16 - 00003898 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1473545815
2016-09-10 18:16 - 2016-09-10 18:16 - 00001005 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-09-10 18:15 - 2016-09-10 18:15 - 00513496 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00391496 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-09-10 18:15 - 2016-09-10 18:15 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00163416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00108816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00044952 _____ () C:\Windows\system32\Drivers\staport.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00003922 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-09-10 18:15 - 2016-09-10 18:15 - 00001884 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\AVAST Software
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\Program Files\Common Files\AV
2016-09-10 18:15 - 2016-09-10 18:14 - 00969560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-09-10 18:14 - 2016-09-10 18:16 - 00000000 ____D C:\Program Files\AVAST Software
2016-09-10 18:14 - 2016-09-10 18:14 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-09-10 18:13 - 2016-09-10 18:16 - 00000000 ____D C:\ProgramData\AVAST Software
2016-09-10 12:07 - 2016-09-10 17:38 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-10 12:06 - 2016-09-10 12:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-10 12:05 - 2016-09-10 12:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-10 12:05 - 2016-03-10 17:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-09-10 12:05 - 2016-03-10 17:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-09-10 12:05 - 2016-03-10 17:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-09-10 11:58 - 2016-09-10 11:58 - 00000000 ____D C:\Program Files (x86)\Marketing Research Association
2016-09-10 11:47 - 2016-09-10 19:33 - 00000051 _____ C:\Users\viktoriya\AppData\Roaming\st
2016-09-10 11:38 - 2016-09-10 17:06 - 00000000 ____D C:\Program Files (x86)\WebShield
2016-09-10 11:25 - 2016-09-10 11:25 - 00018432 _____ C:\Users\viktoriya\AppData\Roaming\Main.dat
2016-09-10 11:25 - 2016-09-10 11:25 - 00003254 _____ C:\Windows\System32\Tasks\nerta
2016-09-10 11:25 - 2016-09-10 11:25 - 00000000 ____D C:\Program Files (x86)\Stlr
2016-09-10 11:24 - 2016-09-10 11:24 - 00000000 ____D C:\Windows\system32\sstmp
2016-09-10 11:12 - 2016-09-10 17:03 - 00000000 ____D C:\Program Files (x86)\DPower
2016-09-10 11:10 - 2016-09-10 17:03 - 00000000 ____D C:\Program Files (x86)\mpck
2016-09-10 10:56 - 2016-09-10 17:06 - 00000852 _____ C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Temp File Cleaner.lnk
2016-09-10 10:56 - 2016-09-10 10:56 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\NetCtl
2016-09-10 10:56 - 2016-09-10 10:56 - 00000000 ____D C:\Program Files\Temp File Cleaner
2016-09-10 01:26 - 2016-09-10 01:27 - 00114970 _____ C:\Windows\ntbtlog.txt
2016-09-10 01:17 - 2016-09-10 01:17 - 00000000 __SHD C:\found.002
2016-09-07 23:07 - 2016-09-07 23:07 - 00000000 __SHD C:\found.001
2016-09-07 22:23 - 2016-09-07 22:23 - 00000000 ____D C:\ProgramData\dbg
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default\AppData\Local\AutoUpdate
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default User\AppData\Local\AutoUpdate
2016-09-03 22:46 - 2016-09-03 22:46 - 00000000 ____D C:\Users\Default\AppData\Local\Eui
2016-09-03 22:46 - 2016-09-03 22:46 - 00000000 ____D C:\Users\Default\Act
2016-09-03 22:46 - 2016-09-03 22:46 - 00000000 ____D C:\Users\Default User\AppData\Local\Eui
2016-09-03 16:54 - 2016-09-10 11:25 - 07090176 _____ C:\Users\viktoriya\AppData\Roaming\agent.dat
2016-09-03 16:54 - 2016-09-09 21:37 - 00000000 ____D C:\Program Files\AiduwbUn
2016-09-03 16:54 - 2016-09-03 16:54 - 00000000 ____D C:\Program Files\Aiduwb
2016-09-03 16:52 - 2016-09-10 11:23 - 00138240 _____ C:\Users\viktoriya\AppData\Roaming\Installer.dat
2016-09-03 16:52 - 2016-09-03 16:52 - 00000000 _____ C:\Windows\SysWOW64\Number of results
2016-09-03 16:47 - 2016-09-03 16:47 - 00000000 ____D C:\Users\viktoriya\AppData\Local\CEF
2016-09-03 16:19 - 2016-09-03 16:19 - 00000000 ____D C:\Users\viktoriya\AppData\Local\nsData
2016-09-03 16:18 - 2016-09-10 15:24 - 00000000 ____D C:\Program Files (x86)\ns
2016-09-03 16:17 - 2016-09-03 16:17 - 00000000 ____D C:\Users\viktoriya\AppData\Local\CrashRpt
2016-09-03 16:13 - 2016-09-03 16:13 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\c
2016-09-03 16:11 - 2016-09-10 18:20 - 00000000 ___HD C:\Program Files (x86)\grizzly
2016-09-03 16:11 - 2016-09-03 16:11 - 00000000 ___HD C:\Program Files (x86)\clitoral
2016-09-03 16:10 - 2016-09-03 16:10 - 00000000 ____D C:\Users\viktoriya\AppData\Local\Shortcut Installer
2016-09-03 16:07 - 2016-09-11 19:54 - 00000000 ____D C:\Program Files (x86)\Videodriver
2016-09-03 16:07 - 2016-09-10 07:09 - 00000000 ____D C:\bin
2016-09-03 16:07 - 2016-09-03 16:07 - 00002560 _____ C:\Users\viktoriya\AppData\Local\uninstallssl.exe
2016-09-03 16:00 - 2016-09-10 10:57 - 00000000 ____D C:\Windows\system32\SSL
2016-09-03 15:58 - 2016-09-03 15:58 - 00645200 _____ C:\Users\viktoriya\Downloads\Gta5 ModMenuUsb.gz
2016-09-03 15:56 - 2016-09-03 15:56 - 00433301 _____ C:\Users\viktoriya\Downloads\SkyAcro6.5 .rar
2016-09-03 12:20 - 2016-09-03 12:20 - 00313856 _____ C:\Windows\settings.dll
2016-09-03 12:20 - 2016-09-03 12:20 - 00194048 _____ C:\Windows\hearts.exe
2016-09-03 12:20 - 2016-09-03 12:20 - 00127639 _____ C:\Users\viktoriya\AppData\Local\26963124.exe
2016-08-17 10:08 - 2016-07-08 11:32 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-08-17 10:08 - 2016-07-08 11:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-08-16 14:35 - 2016-08-16 14:35 - 00076106 _____ C:\Users\viktoriya\Downloads\512.jpeg
2016-08-16 14:31 - 2016-08-16 14:52 - 00069648 _____ C:\Users\viktoriya\Downloads\1441648944-2d72ce4336860643b4d9615b38505480.jpeg

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-11 22:44 - 2014-06-14 22:45 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-09-11 22:44 - 2014-06-14 22:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-09-11 22:44 - 2014-06-14 22:45 - 00000000 ____D C:\Program Files\WinRAR
2016-09-11 22:44 - 2014-05-21 13:11 - 00000000 ____D C:\Program Files (x86)\Opera
2016-09-11 20:28 - 2012-09-24 12:59 - 00000000 ____D C:\Users\viktoriya\AppData\Local\Mail.Ru
2016-09-11 20:25 - 2012-04-10 14:11 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-11 20:25 - 2011-11-07 18:47 - 00000418 _____ C:\Windows\Tasks\PC Optimizer Pro64 startups.job
2016-09-11 20:25 - 2010-10-24 22:56 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2016-09-11 20:25 - 2010-10-24 22:56 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2016-09-11 20:25 - 2010-09-27 20:17 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2016-09-11 20:25 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-11 19:56 - 2009-07-14 00:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-11 19:56 - 2009-07-14 00:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-11 19:48 - 2010-10-25 04:00 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\Skype
2016-09-11 19:48 - 2010-09-27 20:22 - 00000000 ____D C:\ProgramData\Skype
2016-09-11 19:47 - 2010-09-27 20:23 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-09-10 18:56 - 2009-07-14 01:13 - 00783464 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-10 18:56 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-09-10 18:40 - 2010-12-14 18:55 - 00000000 ____D C:\ProgramData\TEMP
2016-09-10 18:18 - 2011-07-31 11:32 - 00001945 _____ C:\Windows\epplauncher.mif
2016-09-10 17:06 - 2014-07-18 16:13 - 00000000 ____D C:\VkontakteDJ
2016-09-10 17:06 - 2012-10-01 16:02 - 00000000 ____D C:\Users\viktoriya\AppData\Local\Apps\2.0
2016-09-10 17:06 - 2010-10-24 22:56 - 00001351 _____ C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-09-10 17:06 - 2009-07-14 00:57 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2016-09-10 17:06 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Help
2016-09-10 17:05 - 2016-08-08 18:48 - 00001156 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Horizon.lnk
2016-09-10 17:05 - 2016-05-02 21:01 - 00001109 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-09-10 17:05 - 2015-01-22 23:57 - 00000993 _____ C:\Users\viktoriya\Desktop\PhotoScape.lnk
2016-09-10 17:05 - 2014-10-16 10:07 - 00001001 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera 39.lnk
2016-09-10 17:05 - 2014-06-16 23:30 - 00001983 _____ C:\Users\Public\Desktop\Canon Quick Menu.lnk
2016-09-10 17:05 - 2014-06-16 23:27 - 00002302 _____ C:\Users\Public\Desktop\Canon MG3500 series On-screen Manual.lnk
2016-09-10 17:05 - 2014-06-14 22:51 - 00002657 _____ C:\Users\viktoriya\Desktop\Microsoft Office Word 2003.lnk
2016-09-10 17:05 - 2014-05-21 13:11 - 00001073 _____ C:\Users\Public\Desktop\Opera 39.lnk
2016-09-10 17:05 - 2014-04-20 11:20 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2016-09-10 17:05 - 2014-01-16 15:36 - 00001155 _____ C:\Users\viktoriya\Desktop\QIP Shot.lnk
2016-09-10 17:05 - 2013-12-27 15:54 - 00002178 _____ C:\Users\viktoriya\Desktop\Yandex.lnk
2016-09-10 17:05 - 2013-12-27 14:47 - 00001873 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-09-10 17:05 - 2013-10-06 06:12 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2016-09-10 17:05 - 2012-08-03 15:02 - 00001854 _____ C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Mail.Ru Агент.lnk
2016-09-10 17:05 - 2011-08-26 13:52 - 00001109 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-09-10 17:05 - 2010-10-24 22:55 - 00001923 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Help Documentation.lnk
2016-09-10 17:05 - 2010-09-27 22:09 - 00001333 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-09-10 17:05 - 2010-09-27 22:09 - 00001314 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-09-10 17:05 - 2010-09-27 20:26 - 00002423 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2010.lnk
2016-09-10 17:05 - 2010-09-27 20:25 - 00001215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop Elements 8.0.lnk
2016-09-10 17:05 - 2009-07-14 01:01 - 00001282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
2016-09-10 17:05 - 2009-07-14 00:57 - 00001535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-09-10 17:05 - 2009-07-14 00:57 - 00001340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
2016-09-10 17:05 - 2009-07-14 00:57 - 00001318 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2016-09-10 17:05 - 2009-07-14 00:54 - 00001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2016-09-10 17:05 - 2009-07-14 00:49 - 00001266 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2016-09-10 17:04 - 2011-07-23 16:59 - 00000000 ____D C:\Program Files (x86)\Conduit
2016-09-10 17:04 - 2010-12-18 11:34 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\Systweak
2016-09-10 15:25 - 2011-11-07 18:36 - 00000000 ____D C:\ProgramData\Yahoo!
2016-09-10 15:25 - 2011-11-07 18:36 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2016-09-10 12:05 - 2011-01-03 16:28 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-09-10 07:09 - 2011-07-28 20:21 - 00000000 ____D C:\Users\viktoriya\AppData\Local\MediaGet2
2016-09-09 21:44 - 2010-12-20 18:13 - 00000000 ____D C:\Users\viktoriya\AppData\LocalLow\Temp
2016-09-03 16:12 - 2014-06-19 23:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-02 17:33 - 2015-03-02 14:59 - 00803840 ____H C:\Users\viktoriya\Downloads\photothumb.db
2016-09-02 01:11 - 2014-06-16 23:23 - 00000000 ____D C:\ProgramData\CanonIJPLM
2016-08-18 13:10 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2016-08-15 23:09 - 2010-11-15 22:40 - 00000000 ____D C:\Users\viktoriya\AppData\Local\Google

==================== Files in the root of some directories =======

2016-09-03 16:54 - 2016-09-10 11:25 - 7090176 _____ () C:\Users\viktoriya\AppData\Roaming\agent.dat
2016-09-03 16:52 - 2016-09-10 11:23 - 0138240 _____ () C:\Users\viktoriya\AppData\Roaming\Installer.dat
2016-09-10 11:25 - 2016-09-10 11:25 - 0018432 _____ () C:\Users\viktoriya\AppData\Roaming\Main.dat
2016-09-10 11:47 - 2016-09-10 19:33 - 0000051 _____ () C:\Users\viktoriya\AppData\Roaming\st
2010-11-11 12:51 - 2010-11-11 17:23 - 0005243 _____ () C:\Users\viktoriya\AppData\Roaming\UserTile.png
2016-09-03 12:20 - 2016-09-03 12:20 - 0127639 _____ () C:\Users\viktoriya\AppData\Local\26963124.exe
2010-11-05 20:32 - 2010-11-05 20:32 - 0003584 _____ () C:\Users\viktoriya\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-09-10 18:52 - 2015-06-26 15:08 - 0294400 _____ (CodePlex Community) C:\Users\viktoriya\AppData\Local\Microsoft.Win32.TaskScheduler.dll
2016-09-10 18:52 - 2016-09-03 12:20 - 0313856 _____ () C:\Users\viktoriya\AppData\Local\settings.dll
2016-09-03 16:07 - 2016-09-03 16:07 - 0002560 _____ () C:\Users\viktoriya\AppData\Local\uninstallssl.exe
2015-11-23 23:14 - 2015-11-23 23:14 - 0000000 _____ () C:\Users\viktoriya\AppData\Local\{BFA172E8-8FAB-4A26-91DB-F70B230192B9}
2010-11-08 17:51 - 2010-11-08 17:51 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

Files to move or delete:
====================
C:\Users\viktoriya\mseinstall.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-09-10 13:36

==================== End of FRST.txt ============================


#2 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 12 September 2016 - 08:22 AM

Hi sr_philly :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you stayed with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me a few hours to review your logs and come up with a reply.

Thank you!

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 sr_philly

sr_philly
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 12 September 2016 - 01:24 PM

Thank you, Aura. Looking forward to working with you. :) And I totally understand your schedule. I work full time as well, and several years ago I was taking night classes twice a week, so I really, really appreciate your assistance.

#4 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 12 September 2016 - 03:40 PM

Thank you for waiting :)

Do you know if your friend uses Russian-based programs, like Mail.Ru? I see it everywhere on his system. Even though it's a legitimate application and website, it is often bundled (PUP). So if he's not using Mail.Ru, I'll get rid of everything related to it in the FRST fix.



#5 sr_philly

sr_philly
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 12 September 2016 - 04:24 PM

Hi. Yes, the use of the Russian-based programs is legitimate, as they're from Ukraine and keep in touch with family back there. Things like mail.ru and Yandex are normal in this case.

#6 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,661 posts
  • Gender:Male

Posted 13 September 2016 - 07:15 AM

Good :)

Sorry not to have replied yesterday, I'm currently sick and had the biggest headache, so going through logs was simply too hard for me. This being said, let's get started.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • Google Toolbar for Internet Explorer - PUP
  • StreamOptimizer
If you have an issue when uninstalling a program, please let me know.

Now we'll run a first fix with FRST, and follow up with a quick sweep using JRT and AdwCleaner.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    CreateRestorePoint:
    
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [curl] => C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl\curl.exe [10240 2016-08-20] (pepsmich)
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Clownfish] => 0
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-11-15] (Google Inc.)
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Ads Expert Browser] => C:\Users\viktoriya\AppData\Roaming\AEB\Updater_aeb.exe
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [weininger] => C:\Program Files (x86)\clitoral\weininger.exe [36769 2016-09-03] ()
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [AdobeFlash] => C:\Program Files (x86)\Error Finder\Adobeflash.exe
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [L] => C:\Program Files (x86)\Error Finder\fatalerror.exe
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [NetCtl] => C:\Users\viktoriya\AppData\Roaming\NetCtl\netctl.exe [4110336 2016-09-10] (Global surveys)
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [ENHVINGORT] => "C:\Program Files (x86)\DPower\XYO8BFEO2U.exe"
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [MRA.exe] => C:\Windows\system32\MRA.exe
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [dionysius] => "C:\Program Files (x86)\grizzly\acetyl.exe"
    ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
    ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
    ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-09-10] (AVAST Software)
    ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
    ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
    ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
    Startup: C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk [2016-09-10]
    
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617911&ResetID=131180007039751758&GUID=4BAE66A8-9ED8-4FFB-94E6-8CDA3B49C111
    URLSearchHook: HKLM-x32 - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
    SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKLM -> {9E75ECF1-E6E2-4DCA-9B8E-45DD1015E2DC} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {22174564-B0BF-40A0-B4EB-1AEA9AC49A66} URL =
    SearchScopes: HKLM-x32 -> {23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
    SearchScopes: HKLM-x32 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKLM-x32 -> {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110328060230803&tb_oid=20-12-2010&tb_mrud=28-03-2011
    SearchScopes: HKU\.DEFAULT -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKU\.DEFAULT -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> DefaultScope {104FBF2C-59B4-4352-9D32-36B0B70F97EE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Comcast URL = hxxp://search.comcast.net/?cat=web&con=net&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {104FBF2C-59B4-4352-9D32-36B0B70F97EE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} URL = hxxp://www.bing.com/search?FORM=SKY2DF&PC=SKY2&q={searchTerms}&src=IE-SearchBox
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.ua/search/?text={searchTerms}&clid=2261463
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {989CBD03-E3E2-4713-94F4-8CFC9CD6DBDB} URL = hxxp://yandex.ua/yandsearch?win=133&clid=1946476-103&text={searchTerms}
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {E519AA1F-E8A8-47ED-92E3-BCFB65055819} URL = hxxp://search.comcast.net/search?cat=Web&con=toolbar&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110328060230803&tb_oid=20-12-2010&tb_mrud=28-03-2011
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {F7BA91BB-EC61-4902-B109-7BF82CC7C0F3} URL = hxxp://www.google.com.ua/search?hl=ru&q={searchTerms}&rlz=1I7ADFA_en
    SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/search?q={SearchTerms}&ieverfix=1&fr=ieverfix_dse
    BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
    BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
    BHO-x32: No Name -> {164d3751-cac6-4a6d-becd-ea67df61d232} -> No File
    BHO-x32: No Name -> {2EECD738-5844-4a99-B4B6-146BF802613B} -> No File
    BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
    BHO-x32: No Name -> {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} -> No File
    BHO-x32: No Name -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> No File
    BHO-x32: No Name -> {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -> No File
    Toolbar: HKLM - Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll No File
    Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
    Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
    Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
    Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll No File
    Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -  No File
    
    CHR Extension: (JoniCOupon) - C:\ProgramData\cdegcldddpfnjgjpdiolmbiioflenoja\ []
    CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\VIKTOR~1\AppData\Local\Temp\crx325F.tmp <not found>
    CHR HKLM-x32\...\Chrome\Extension: [knkbjienkchfjlhelbmjfhlongandllk] - C:\Users\viktoriya\AppData\Local\FASTExtensions\knkbjienkchfjlhelbmjfhlongandllk_main.crx <not found>
    
    OPR StartupUrls: "hxxp://opatolo.ru/?utm_source=startpage03&utm_content=678dd9988de1f846bfeee036e0fe1554&utm_term=70AFCE0233AED4F034BA8FBB883B3149&utm_d=20160217"
    
    R2 WindowService; C:\Program Files (x86)\Videodriver\WindowService.exe [8192 2016-09-02] () [File not signed]
    S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
    S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
    S3 cpuz134; \??\C:\Users\VIKTOR~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
    S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
    
    Task: {3A7D2967-AA66-447E-ABAE-545261F7E74F} - \PC Optimizer Pro64 startups -> No File <==== ATTENTION
    Task: {3F8BB832-88EC-4269-A94F-1DC9DC9615C5} - \{63EE1480-1CB5-49CA-BCC5-418C462C7CE6} -> No File <==== ATTENTION
    Task: {53C0A7C7-CB7A-4351-A032-60E6EED1B5F8} - \{CFC0547F-5D6F-4E03-AC3A-7052A6AAE395} -> No File <==== ATTENTION
    Task: {5A21ADEA-6998-4BCF-9CC7-0FBEABEDA799} - \{65240D79-E369-4B74-AB72-6CB8F5B28F22} -> No File <==== ATTENTION
    Task: {754D2E22-1F2D-442C-B344-5E0F29DA1CC3} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
    Task: {A778C531-B4BB-430A-8F74-A18CB7FF82B0} - \Adobe Flash Player Updater -> No File <==== ATTENTION
    Task: {B73BD037-8E2B-47D5-99BC-D9B42AABDC93} - \{2466E16D-B651-4232-8A1F-4E591ECC94F8} -> No File <==== ATTENTION
    Task: {DDE6C437-6458-4BF2-A868-0E6173AAA742} - \User_Feed_Synchronization-{DF620602-A2BF-4E02-856E-81EA2FAF530D} -> No File <==== ATTENTION
    Task: C:\Windows\Tasks\PC Optimizer Pro64 startups.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
    
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
    AlternateDataStreams: C:\ProgramData\TEMP:BF14D50A [260]
    
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
    
    FirewallRules: [{2CF73DAF-7B72-498C-8B69-EE1F7E0A06F1}] => (Allow) C:\Users\viktoriya\AppData\Roaming\AEB\aeb.exe
    FirewallRules: [{54DBD905-635E-4391-B7ED-8C6731E4CA39}] => (Allow) C:\Users\viktoriya\AppData\Roaming\AEB\ntaeb.exe
    FirewallRules: [{D6F12C15-EAB1-4D9E-83F3-3023E79EA0C7}] => (Allow) C:\Users\viktoriya\AppData\Roaming\AEB\Updater_aeb.exe
    FirewallRules: [{6D04C7E5-BD0D-457B-A37A-EE66452A6A0B}] => (Allow) C:\Users\viktoriya\AppData\Local\ddnowyes.exe
    FirewallRules: [{0AA8C091-A3B4-4E78-9785-4A9CE2CFD74C}] => (Allow) C:\Users\viktoriya\AppData\Local\11903152.exe
    FirewallRules: [{7B599699-F747-4051-BDD3-22C8D70315CD}] => (Allow) C:\Users\viktoriya\AppData\Local\tinstall.exe
    FirewallRules: [{05842C01-98ED-4643-BD8A-54DC6C7F11A2}] => (Allow) C:\Program Files (x86)\grizzly\acetyl.exe
    FirewallRules: [{E585A6B8-170B-4250-8070-B744FBFC8397}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
    FirewallRules: [{1EC41E7D-8243-4BE3-B7C1-45C19A185032}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
    
    C:\Program Files\AiduwbUn
    C:\Program Files\Aiduwb
    C:\Program Files\PC Optimizer Pro
    C:\Program Files (x86)\clitoral
    C:\Program Files (x86)\Conduit
    C:\Program Files (x86)\DPower
    C:\Program Files (x86)\Error Finder
    C:\Program Files (x86)\grizzly
    C:\Program Files (x86)\Itibiti Soft Phone
    C:\Program Files (x86)\mpck
    C:\Program Files (x86)\ns
    C:\Program Files (x86)\Stlr
    C:\Program Files (x86)\Videodriver
    C:\Users\viktoriya\mseinstall.exe
    C:\Users\viktoriya\AppData\Local\{BFA172E8-8FAB-4A26-91DB-F70B230192B9}
    C:\Users\viktoriya\AppData\Local\Shortcut Installer
    C:\Users\viktoriya\AppData\Local\MEGAsync
    C:\Users\viktoriya\AppData\Local\nsData
    C:\Users\viktoriya\AppData\Local\26963124.exe
    C:\Users\viktoriya\AppData\Local\settings.dll
    C:\Users\viktoriya\AppData\Local\Microsoft.Win32.TaskScheduler.dll
    C:\Users\viktoriya\AppData\Local\uninstallssl.exe
    C:\Users\viktoriya\AppData\Roaming\AEB
    C:\Users\viktoriya\AppData\Roaming\c
    C:\Users\viktoriya\AppData\Roaming\NetCtl
    C:\Users\viktoriya\AppData\Roaming\Systweak
    C:\Users\viktoriya\AppData\Roaming\agent.dat
    C:\Users\viktoriya\AppData\Roaming\Installer.dat
    C:\Users\viktoriya\AppData\Roaming\Main.dat
    C:\Users\viktoriya\AppData\Roaming\st
    C:\Users\viktoriya\AppData\Roaming\UserTile.png
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl
    C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Temp File Cleaner.lnk
    C:\Windows\settings.dll
    C:\Windows\hearts.exe
    C:\Windows\system32\MRA.exe
    C:\Windows\system32\drivers\RTKVHD64.sys
    C:\Windows\SysWOW64\Number of results
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Your next reply(ies) should therefore contain:
  • Confirmation that the programs listed above have been uninstalled (if not, why);
  • Copy/pasted content of the FRST fixlog.txt;
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 sr_philly (Topic Starter, Members, 15 posts)

Posted 13 September 2016 - 06:04 PM

Hi Aura,

Many thanks again for your prompt replies, especially when you're not feeling your best.

I can confirm that the two malicious programs you noted were removed. Below is the content of each log file, as requested:

______________________________________________________________________

FRST fix log

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-09-2016
Ran by viktoriya (13-09-2016 18:28:04) Run:1
Running from C:\Users\viktoriya\Desktop
Loaded Profiles: viktoriya (Available Profiles: viktoriya)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [curl] => C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl\curl.exe [10240 2016-08-20] (pepsmich)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Clownfish] => 0
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-11-15] (Google Inc.)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Ads Expert Browser] => C:\Users\viktoriya\AppData\Roaming\AEB\Updater_aeb.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [weininger] => C:\Program Files (x86)\clitoral\weininger.exe [36769 2016-09-03] ()
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [AdobeFlash] => C:\Program Files (x86)\Error Finder\Adobeflash.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [L] => C:\Program Files (x86)\Error Finder\fatalerror.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [NetCtl] => C:\Users\viktoriya\AppData\Roaming\NetCtl\netctl.exe [4110336 2016-09-10] (Global surveys)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [ENHVINGORT] => "C:\Program Files (x86)\DPower\XYO8BFEO2U.exe"
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [MRA.exe] => C:\Windows\system32\MRA.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [dionysius] => "C:\Program Files (x86)\grizzly\acetyl.exe"
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-09-10] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\viktoriya\AppData\Local\MEGAsync\ShellExtX32.dll No File
Startup: C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk [2016-09-10]

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617911&ResetID=131180007039751758&GUID=4BAE66A8-9ED8-4FFB-94E6-8CDA3B49C111
URLSearchHook: HKLM-x32 - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM -> {9E75ECF1-E6E2-4DCA-9B8E-45DD1015E2DC} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {22174564-B0BF-40A0-B4EB-1AEA9AC49A66} URL =
SearchScopes: HKLM-x32 -> {23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM-x32 -> {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110328060230803&tb_oid=20-12-2010&tb_mrud=28-03-2011
SearchScopes: HKU\.DEFAULT -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\.DEFAULT -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> DefaultScope {104FBF2C-59B4-4352-9D32-36B0B70F97EE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Comcast URL = hxxp://search.comcast.net/?cat=web&con=net&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {104FBF2C-59B4-4352-9D32-36B0B70F97EE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} URL = hxxp://www.bing.com/search?FORM=SKY2DF&PC=SKY2&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.ua/search/?text={searchTerms}&clid=2261463
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {989CBD03-E3E2-4713-94F4-8CFC9CD6DBDB} URL = hxxp://yandex.ua/yandsearch?win=133&clid=1946476-103&text={searchTerms}
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {E519AA1F-E8A8-47ED-92E3-BCFB65055819} URL = hxxp://search.comcast.net/search?cat=Web&con=toolbar&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110328060230803&tb_oid=20-12-2010&tb_mrud=28-03-2011
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {F7BA91BB-EC61-4902-B109-7BF82CC7C0F3} URL = hxxp://www.google.com.ua/search?hl=ru&q={searchTerms}&rlz=1I7ADFA_en
SearchScopes: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/search?q={SearchTerms}&ieverfix=1&fr=ieverfix_dse
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: No Name -> {164d3751-cac6-4a6d-becd-ea67df61d232} -> No File
BHO-x32: No Name -> {2EECD738-5844-4a99-B4B6-146BF802613B} -> No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: No Name -> {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} -> No File
BHO-x32: No Name -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> No File
BHO-x32: No Name -> {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -> No File
Toolbar: HKLM - Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll No File
Toolbar: HKU\S-1-5-21-4222842628-115724200-1229576652-1000 -> No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -  No File

CHR Extension: (JoniCOupon) - C:\ProgramData\cdegcldddpfnjgjpdiolmbiioflenoja\ []
CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\VIKTOR~1\AppData\Local\Temp\crx325F.tmp <not found>
CHR HKLM-x32\...\Chrome\Extension: [knkbjienkchfjlhelbmjfhlongandllk] - C:\Users\viktoriya\AppData\Local\FASTExtensions\knkbjienkchfjlhelbmjfhlongandllk_main.crx <not found>

OPR StartupUrls: "hxxp://opatolo.ru/?utm_source=startpage03&utm_content=678dd9988de1f846bfeee036e0fe1554&utm_term=70AFCE0233AED4F034BA8FBB883B3149&utm_d=20160217"

R2 WindowService; C:\Program Files (x86)\Videodriver\WindowService.exe [8192 2016-09-02] () [File not signed]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 cpuz134; \??\C:\Users\VIKTOR~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]

Task: {3A7D2967-AA66-447E-ABAE-545261F7E74F} - \PC Optimizer Pro64 startups -> No File <==== ATTENTION
Task: {3F8BB832-88EC-4269-A94F-1DC9DC9615C5} - \{63EE1480-1CB5-49CA-BCC5-418C462C7CE6} -> No File <==== ATTENTION
Task: {53C0A7C7-CB7A-4351-A032-60E6EED1B5F8} - \{CFC0547F-5D6F-4E03-AC3A-7052A6AAE395} -> No File <==== ATTENTION
Task: {5A21ADEA-6998-4BCF-9CC7-0FBEABEDA799} - \{65240D79-E369-4B74-AB72-6CB8F5B28F22} -> No File <==== ATTENTION
Task: {754D2E22-1F2D-442C-B344-5E0F29DA1CC3} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {A778C531-B4BB-430A-8F74-A18CB7FF82B0} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {B73BD037-8E2B-47D5-99BC-D9B42AABDC93} - \{2466E16D-B651-4232-8A1F-4E591ECC94F8} -> No File <==== ATTENTION
Task: {DDE6C437-6458-4BF2-A868-0E6173AAA742} - \User_Feed_Synchronization-{DF620602-A2BF-4E02-856E-81EA2FAF530D} -> No File <==== ATTENTION
Task: C:\Windows\Tasks\PC Optimizer Pro64 startups.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
AlternateDataStreams: C:\ProgramData\TEMP:BF14D50A [260]

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"

FirewallRules: [{2CF73DAF-7B72-498C-8B69-EE1F7E0A06F1}] => (Allow) C:\Users\viktoriya\AppData\Roaming\AEB\aeb.exe
FirewallRules: [{54DBD905-635E-4391-B7ED-8C6731E4CA39}] => (Allow) C:\Users\viktoriya\AppData\Roaming\AEB\ntaeb.exe
FirewallRules: [{D6F12C15-EAB1-4D9E-83F3-3023E79EA0C7}] => (Allow) C:\Users\viktoriya\AppData\Roaming\AEB\Updater_aeb.exe
FirewallRules: [{6D04C7E5-BD0D-457B-A37A-EE66452A6A0B}] => (Allow) C:\Users\viktoriya\AppData\Local\ddnowyes.exe
FirewallRules: [{0AA8C091-A3B4-4E78-9785-4A9CE2CFD74C}] => (Allow) C:\Users\viktoriya\AppData\Local\11903152.exe
FirewallRules: [{7B599699-F747-4051-BDD3-22C8D70315CD}] => (Allow) C:\Users\viktoriya\AppData\Local\tinstall.exe
FirewallRules: [{05842C01-98ED-4643-BD8A-54DC6C7F11A2}] => (Allow) C:\Program Files (x86)\grizzly\acetyl.exe
FirewallRules: [{E585A6B8-170B-4250-8070-B744FBFC8397}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{1EC41E7D-8243-4BE3-B7C1-45C19A185032}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe

C:\Program Files\AiduwbUn
C:\Program Files\Aiduwb
C:\Program Files\PC Optimizer Pro
C:\Program Files (x86)\clitoral
C:\Program Files (x86)\Conduit
C:\Program Files (x86)\DPower
C:\Program Files (x86)\Error Finder
C:\Program Files (x86)\grizzly
C:\Program Files (x86)\Itibiti Soft Phone
C:\Program Files (x86)\mpck
C:\Program Files (x86)\ns
C:\Program Files (x86)\Stlr
C:\Program Files (x86)\Videodriver
C:\Users\viktoriya\mseinstall.exe
C:\Users\viktoriya\AppData\Local\{BFA172E8-8FAB-4A26-91DB-F70B230192B9}
C:\Users\viktoriya\AppData\Local\Shortcut Installer
C:\Users\viktoriya\AppData\Local\MEGAsync
C:\Users\viktoriya\AppData\Local\nsData
C:\Users\viktoriya\AppData\Local\26963124.exe
C:\Users\viktoriya\AppData\Local\settings.dll
C:\Users\viktoriya\AppData\Local\Microsoft.Win32.TaskScheduler.dll
C:\Users\viktoriya\AppData\Local\uninstallssl.exe
C:\Users\viktoriya\AppData\Roaming\AEB
C:\Users\viktoriya\AppData\Roaming\c
C:\Users\viktoriya\AppData\Roaming\NetCtl
C:\Users\viktoriya\AppData\Roaming\Systweak
C:\Users\viktoriya\AppData\Roaming\agent.dat
C:\Users\viktoriya\AppData\Roaming\Installer.dat
C:\Users\viktoriya\AppData\Roaming\Main.dat
C:\Users\viktoriya\AppData\Roaming\st
C:\Users\viktoriya\AppData\Roaming\UserTile.png
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl
C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Temp File Cleaner.lnk
C:\Windows\settings.dll
C:\Windows\hearts.exe
C:\Windows\system32\MRA.exe
C:\Windows\system32\drivers\RTKVHD64.sys
C:\Windows\SysWOW64\Number of results

EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\curl => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Clownfish => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\swg => value not found.
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ads Expert Browser => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\weininger => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeFlash => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\L => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\NetCtl => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ENHVINGORT => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\MRA.exe => value removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Windows\CurrentVersion\Run\\dionysius => value removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtPending" => key removed successfully
"HKCR\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSynced" => key removed successfully
"HKCR\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSyncing" => key removed successfully
"HKCR\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
"HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}" => key removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtPending" => key removed successfully
"HKCR\Wow6432Node\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}" => key removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSynced" => key removed successfully
"HKCR\Wow6432Node\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}" => key removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSyncing" => key removed successfully
"HKCR\Wow6432Node\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}" => key removed successfully
C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9E75ECF1-E6E2-4DCA-9B8E-45DD1015E2DC}" => key removed successfully
HKCR\CLSID\{9E75ECF1-E6E2-4DCA-9B8E-45DD1015E2DC} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{22174564-B0BF-40A0-B4EB-1AEA9AC49A66}" => key removed successfully
HKCR\Wow6432Node\CLSID\{22174564-B0BF-40A0-B4EB-1AEA9AC49A66} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B}" => key removed successfully
HKCR\Wow6432Node\CLSID\{23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\Wow6432Node\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}" => key removed successfully
HKCR\Wow6432Node\CLSID\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} => key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}" => key removed successfully
HKCR\CLSID\{FFEBBF0A-C22C-4172-89FF-45215A135AC7} => key not found.
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Comcast" => key removed successfully
HKCR\CLSID\Comcast => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{104FBF2C-59B4-4352-9D32-36B0B70F97EE}" => key removed successfully
HKCR\CLSID\{104FBF2C-59B4-4352-9D32-36B0B70F97EE} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B}" => key removed successfully
HKCR\CLSID\{23CA2FD6-95D7-4F3C-9F80-1A0B562F6D8B} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8C3078A0-9AAB-4371-85D1-656CA8E46EE8}" => key removed successfully
HKCR\CLSID\{8C3078A0-9AAB-4371-85D1-656CA8E46EE8} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{989CBD03-E3E2-4713-94F4-8CFC9CD6DBDB}" => key removed successfully
HKCR\CLSID\{989CBD03-E3E2-4713-94F4-8CFC9CD6DBDB} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E519AA1F-E8A8-47ED-92E3-BCFB65055819}" => key removed successfully
HKCR\CLSID\{E519AA1F-E8A8-47ED-92E3-BCFB65055819} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}" => key removed successfully
HKCR\CLSID\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F7BA91BB-EC61-4902-B109-7BF82CC7C0F3}" => key removed successfully
HKCR\CLSID\{F7BA91BB-EC61-4902-B109-7BF82CC7C0F3} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}" => key removed successfully
HKCR\CLSID\{FFEBBF0A-C22C-4172-89FF-45215A135AC7} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7} => key not found.
HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => key removed successfully
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{164d3751-cac6-4a6d-becd-ea67df61d232}" => key removed successfully
HKCR\Wow6432Node\CLSID\{164d3751-cac6-4a6d-becd-ea67df61d232} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}" => key removed successfully
HKCR\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}" => key removed successfully
HKCR\Wow6432Node\CLSID\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8984B388-A5BB-4DF7-B274-77B879E179DB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" => key removed successfully
HKCR\Wow6432Node\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{09900DE8-1DCA-443F-9243-26FF581438AF} => value removed successfully
"HKCR\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}" => key removed successfully
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value removed successfully
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => key not found.
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} => value removed successfully
HKCR\CLSID\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} => key not found.
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{09900DE8-1DCA-443F-9243-26FF581438AF} => value removed successfully
HKCR\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF} => key not found.
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} => value removed successfully
HKCR\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} => key not found.
C:\ProgramData\cdegcldddpfnjgjpdiolmbiioflenoja\ => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\knkbjienkchfjlhelbmjfhlongandllk" => key removed successfully
OPR StartupUrls: "hxxp://opatolo.ru/?utm_source=startpage03&utm_content=678dd9988de1f846bfeee036e0fe1554&utm_term=70AFCE0233AED4F034BA8FBB883B3149&utm_d=20160217" => removed successfully
WindowService => service removed successfully
gupdate => service removed successfully
gupdatem => service removed successfully
cpuz134 => service removed successfully
IntcAzAudAddService => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3A7D2967-AA66-447E-ABAE-545261F7E74F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A7D2967-AA66-447E-ABAE-545261F7E74F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PC Optimizer Pro64 startups" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3F8BB832-88EC-4269-A94F-1DC9DC9615C5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F8BB832-88EC-4269-A94F-1DC9DC9615C5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{63EE1480-1CB5-49CA-BCC5-418C462C7CE6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{53C0A7C7-CB7A-4351-A032-60E6EED1B5F8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53C0A7C7-CB7A-4351-A032-60E6EED1B5F8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{CFC0547F-5D6F-4E03-AC3A-7052A6AAE395}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5A21ADEA-6998-4BCF-9CC7-0FBEABEDA799}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A21ADEA-6998-4BCF-9CC7-0FBEABEDA799}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{65240D79-E369-4B74-AB72-6CB8F5B28F22}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{754D2E22-1F2D-442C-B344-5E0F29DA1CC3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{754D2E22-1F2D-442C-B344-5E0F29DA1CC3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Acrobat Update Task" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A778C531-B4BB-430A-8F74-A18CB7FF82B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A778C531-B4BB-430A-8F74-A18CB7FF82B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B73BD037-8E2B-47D5-99BC-D9B42AABDC93}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B73BD037-8E2B-47D5-99BC-D9B42AABDC93}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2466E16D-B651-4232-8A1F-4E591ECC94F8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DDE6C437-6458-4BF2-A868-0E6173AAA742}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DDE6C437-6458-4BF2-A868-0E6173AAA742}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{DF620602-A2BF-4E02-856E-81EA2FAF530D}" => key removed successfully
C:\Windows\Tasks\PC Optimizer Pro64 startups.job => moved successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
C:\ProgramData\TEMP => ":BF14D50A" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\GoToAssist" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2CF73DAF-7B72-498C-8B69-EE1F7E0A06F1} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{54DBD905-635E-4391-B7ED-8C6731E4CA39} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D6F12C15-EAB1-4D9E-83F3-3023E79EA0C7} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6D04C7E5-BD0D-457B-A37A-EE66452A6A0B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0AA8C091-A3B4-4E78-9785-4A9CE2CFD74C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7B599699-F747-4051-BDD3-22C8D70315CD} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{05842C01-98ED-4643-BD8A-54DC6C7F11A2} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E585A6B8-170B-4250-8070-B744FBFC8397} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1EC41E7D-8243-4BE3-B7C1-45C19A185032} => value removed successfully
C:\Program Files\AiduwbUn => moved successfully
C:\Program Files\Aiduwb => moved successfully
"C:\Program Files\PC Optimizer Pro" => not found.
C:\Program Files (x86)\clitoral => moved successfully
C:\Program Files (x86)\Conduit => moved successfully
C:\Program Files (x86)\DPower => moved successfully
"C:\Program Files (x86)\Error Finder" => not found.
C:\Program Files (x86)\grizzly => moved successfully
"C:\Program Files (x86)\Itibiti Soft Phone" => not found.
C:\Program Files (x86)\mpck => moved successfully
C:\Program Files (x86)\ns => moved successfully
C:\Program Files (x86)\Stlr => moved successfully
C:\Program Files (x86)\Videodriver => moved successfully
C:\Users\viktoriya\mseinstall.exe => moved successfully
C:\Users\viktoriya\AppData\Local\{BFA172E8-8FAB-4A26-91DB-F70B230192B9} => moved successfully
C:\Users\viktoriya\AppData\Local\Shortcut Installer => moved successfully
C:\Users\viktoriya\AppData\Local\MEGAsync => moved successfully
C:\Users\viktoriya\AppData\Local\nsData => moved successfully
C:\Users\viktoriya\AppData\Local\26963124.exe => moved successfully
C:\Users\viktoriya\AppData\Local\settings.dll => moved successfully
C:\Users\viktoriya\AppData\Local\Microsoft.Win32.TaskScheduler.dll => moved successfully
C:\Users\viktoriya\AppData\Local\uninstallssl.exe => moved successfully
"C:\Users\viktoriya\AppData\Roaming\AEB" => not found.
C:\Users\viktoriya\AppData\Roaming\c => moved successfully
C:\Users\viktoriya\AppData\Roaming\NetCtl => moved successfully
C:\Users\viktoriya\AppData\Roaming\Systweak => moved successfully
C:\Users\viktoriya\AppData\Roaming\agent.dat => moved successfully
C:\Users\viktoriya\AppData\Roaming\Installer.dat => moved successfully
C:\Users\viktoriya\AppData\Roaming\Main.dat => moved successfully
C:\Users\viktoriya\AppData\Roaming\st => moved successfully
C:\Users\viktoriya\AppData\Roaming\UserTile.png => moved successfully
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl => moved successfully
C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Temp File Cleaner.lnk => moved successfully
C:\Windows\settings.dll => moved successfully
C:\Windows\hearts.exe => moved successfully
"C:\Windows\system32\MRA.exe" => not found.
"C:\Windows\system32\drivers\RTKVHD64.sys" => not found.
C:\Windows\SysWOW64\Number of results => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 185204412 B
Java, Flash, Steam htmlcache => 1573 B
Windows/system/drivers => 44777979 B
Edge => 0 B
Chrome => 600346727 B
Firefox => 112584285 B
Opera => 333330517 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 263832 B
systemprofile32 => 2834010 B
LocalService => 132244 B
NetworkService => 45656130 B
viktoriya => 93296284 B

RecycleBin => 0 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:32:29 ====

 

______________________________________________________________________

 

 

JRT Log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Home Premium x64
Ran by viktoriya (Administrator) on Tue 09/13/2016 at 18:38:01.58
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 35

Failed to delete: C:\Users\viktoriya\AppData\Local\amigo (Folder)
Failed to delete: C:\Users\viktoriya\AppData\Local\babylon (Folder)
Failed to delete: C:\Users\viktoriya\AppData\Local\crashrpt (Folder)
Failed to delete: C:\Users\viktoriya\AppData\Local\mediaget2 (Folder)
Failed to delete: C:\Users\viktoriya\AppData\Local\nico mak computing (Folder)
Successfully deleted: C:\ProgramData\alawarwrapper (Folder)
Successfully deleted: C:\ProgramData\babylon (Folder)
Successfully deleted: C:\ProgramData\media get llc (Folder)
Successfully deleted: C:\ProgramData\ngjghlfgaogdhljaghakieadgcjlahai (Folder)
Successfully deleted: C:\Users\viktoriya\AppData\Local\media get llc (Folder)
Successfully deleted: C:\Users\viktoriya\Appdata\LocalLow\comcasttb (Folder)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\babylon (Folder)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\mailproducts (Folder)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\media get llc (Folder)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\MRSputnikData\mailru.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\searchplugins\aol-search.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\searchplugins\aol-web-search.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\searchplugins\bingp.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\searchplugins\winamp-search.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\searchplugins\yqs-barff-yandex.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\winampToolbarData\opensearch.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\yasearch-xb\packages\{830c8b71-8d3e-4290-a2e5-0c896e7412de}\mailru.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\d34b7lpt.default\yasearch-xb\packages\{ad27bfcf-2826-41c3-871e-2d4acd15150d}\altsearch.xml (File)
Successfully deleted: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\nhuzu5j4.default-1473517595655\Invalidprefs.js (File)
Successfully deleted: C:\Windows\reimage.ini (File)
Successfully deleted: C:\Windows\SysWOW64\conduitengine.tmp (File)
Successfully deleted: C:\Program Files (x86)\comcasttb (Folder)
Successfully deleted: C:\Program Files (x86)\webshield (Folder)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARNOTIFIER.EXE-969E73DB.pf (File)
Successfully deleted: C:\Windows\SysWOW64\sho1A91.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\sho283A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\sho711B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\sho82F4.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\sho98C6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\shoE6BC.tmp (File)

user_pref(keyword.URL, hxxp://go.mail.ru/search?fr=ntg&q=);



Registry: 4

Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\YandexElements (Registry Value)
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\Guard.Mail.ru (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{91397D20-1446-11D4-8AF4-0040CA1127B6} (Registry Value)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{91397D20-1446-11D4-8AF4-0040CA1127B6} (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/13/2016 at 18:46:17.98
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

_________________________________________________________________________________________

 

AdwCleaner clean log:

 

# AdwCleaner v6.010 - Logfile created 13/09/2016 at 18:55:12
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-13.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : viktoriya - VIKTORIYA-PC
# Running from : C:\Users\viktoriya\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****

[-] Service deleted: Guard.Mail.ru
[-] Service deleted: nrtService


***** [ Folders ] *****

[-] Folder deleted: C:\Program Files (x86)\EnjjOyyCoupon
[-] Folder deleted: C:\Program Files (x86)\SaeverExteinsion
[-] Folder deleted: C:\Program Files (x86)\ShopDrrop
[-] Folder deleted: C:\Program Files (x86)\TaakeeTeheCoupoNN
[-] Folder deleted: C:\ProgramData\{3d54d6c8-5490-2707-3d54-4d6c85495b21}
[-] Folder deleted: C:\ProgramData\{93864934-971e-6b84-9386-6493497124d2}
[-] Folder deleted: C:\Users\viktoriya\AppData\Local\Amigo
[-] Folder deleted: C:\Users\viktoriya\AppData\Local\Babylon
[-] Folder deleted: C:\Users\viktoriya\AppData\Local\Mail.Ru
[-] Folder deleted: C:\Users\viktoriya\AppData\Local\MailRu
[-] Folder deleted: C:\Users\viktoriya\AppData\Local\MediaGet2
[-] Folder deleted: C:\Users\viktoriya\AppData\Local\Nichrome
[-] Folder deleted: C:\Users\viktoriya\AppData\LocalLow\Yahoo!\Companion
[-] Folder deleted: C:\Users\viktoriya\AppData\Roaming\Mail.Ru
[-] Folder deleted: C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mail.Ru
[-] Folder deleted: C:\ProgramData\AlterGeo
[-] Folder deleted: C:\ProgramData\Mail.Ru
[#] Folder deleted on reboot: C:\ProgramData\Application Data\AlterGeo
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Mail.Ru
[-] Folder deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MediaGet2
[-] Folder deleted: C:\Program Files (x86)\AlterGeo
[-] Folder deleted: C:\Program Files (x86)\Mail.Ru
[-] Folder deleted: C:\Program Files (x86)\Yahoo!\Companion
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Amigo
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Mail.Ru
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\nsData


***** [ Files ] *****

[-] File deleted: C:\Users\viktoriya\Favorites\Mail.Ru.url
[-] File deleted: C:\Users\viktoriya\Favorites\Mail.Ru Агент - используй для общения!.url
[-] File deleted: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\mailru.xml
[#] File deleted: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\mailru.xml
[#] File deleted: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\mailru.xml


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.KJOE5CON4YSEURCOUTJD6SBO2M
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SCService
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Scheduler
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowService
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\nrtService
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\PCOptimizerService
[-] Key deleted: HKLM\SOFTWARE\Classes\Babylon.dskBnd
[-] Key deleted: HKLM\SOFTWARE\Classes\Babylon.dskBnd.1
[-] Key deleted: HKLM\SOFTWARE\Classes\bbylnApp.appCore
[-] Key deleted: HKLM\SOFTWARE\Classes\bbylnApp.appCore.1
[-] Key deleted: HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
[-] Key deleted: HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
[-] Key deleted: HKLM\SOFTWARE\Classes\Conduit.Engine
[-] Key deleted: HKLM\SOFTWARE\Classes\driverscanner
[-] Key deleted: HKLM\SOFTWARE\Classes\escort.escortIEPane
[-] Key deleted: HKLM\SOFTWARE\Classes\escort.escortIEPane.1
[-] Key deleted: HKLM\SOFTWARE\Classes\escort.escrtBtn.1
[-] Key deleted: HKLM\SOFTWARE\Classes\Prod.cap
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[-] Key deleted: HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
[-] Key deleted: HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
[-] Key deleted: HKLM\SOFTWARE\Classes\SdcUser.SdcMailCtl
[-] Key deleted: HKLM\SOFTWARE\Classes\SdcUser.SdcMailCtl.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{67C605D7-71E7-40B7-AF78-8E382E039E8B}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{0CD3C780-F128-4E7F-BA5C-A7B4FE0B904E}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{6DBD484A-FAA1-4E09-9D82-5B472D9774E8}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{76A9FB77-FA97-4656-8B91-25848DC7BFD6}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E1164984-B567-47BD-A7FF-240C2594404A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{57BCA5FA-5DBB-45A2-B558-1755C3F6253B}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D35349A7-84D1-4A70-8536-E9C1F77DCF5B}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key deleted: HKU\.DEFAULT\Software\Mail.Ru
[-] Key deleted: HKU\.DEFAULT\Software\Amigo
[-] Key deleted: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Ads Expert Browser
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Conduit
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\IM
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\ImInstaller
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\powerpack
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\SereneScreen
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Softonic
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Yahoo\Companion
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Yahoo\YFriendsBar
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\YahooPartnerToolbar
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Mail.Ru
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\Amigo
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\MICROSOFT\OTUT
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\systweak
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\INSTALLPATH\STATUS
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\AppDataLow\Toolbar
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\AppDataLow\Software\Conduit
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\AppDataLow\Software\Freecause
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\AppDataLow\Software\Settings Manager
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\AppDataLow\Software\Yahoo\Companion
[-] Key deleted: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\AppDataLow\Software\Mail.Ru
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4222842628-115724200-1229576652-1000\Software\BabylonToolbar
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Mail.Ru
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Amigo
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater
[#] Key deleted on reboot: HKCU\Software\Ads Expert Browser
[#] Key deleted on reboot: HKCU\Software\Conduit
[#] Key deleted on reboot: HKCU\Software\IM
[#] Key deleted on reboot: HKCU\Software\ImInstaller
[#] Key deleted on reboot: HKCU\Software\powerpack
[#] Key deleted on reboot: HKCU\Software\SereneScreen
[#] Key deleted on reboot: HKCU\Software\Softonic
[#] Key deleted on reboot: HKCU\Software\Yahoo\Companion
[#] Key deleted on reboot: HKCU\Software\Yahoo\YFriendsBar
[#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
[#] Key deleted on reboot: HKCU\Software\Mail.Ru
[#] Key deleted on reboot: HKCU\Software\Amigo
[#] Key deleted on reboot: HKCU\Software\MICROSOFT\OTUT
[#] Key deleted on reboot: HKCU\Software\systweak
[#] Key deleted on reboot: HKCU\Software\INSTALLPATH\STATUS
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Toolbar
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Conduit
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Freecause
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Settings Manager
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Yahoo\Companion
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Mail.Ru
[-] Key deleted: HKLM\SOFTWARE\{F2E9660B-98AF-42c0-8258-9CDDF07BF95D}
[-] Key deleted: HKLM\SOFTWARE\Babylon
[-] Key deleted: HKLM\SOFTWARE\Conduit
[-] Key deleted: HKLM\SOFTWARE\MediaGet
[-] Key deleted: HKLM\SOFTWARE\SearchModule
[-] Key deleted: HKLM\SOFTWARE\Uniblue
[#] Key deleted on reboot: HKLM\SOFTWARE\Uniblue\DriverScanner
[-] Key deleted: HKLM\SOFTWARE\W3I
[-] Key deleted: HKLM\SOFTWARE\Yahoo\Companion
[-] Key deleted: HKLM\SOFTWARE\Mail.Ru
[-] Key deleted: HKLM\SOFTWARE\xs
[-] Key deleted: HKLM\SOFTWARE\systweak
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\govids.net
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ck.ridna.ua
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\counter.rambler.ru
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dotomi.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driverupdate.net
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\images.rambler.ru
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.com
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Guard.Mail.ru.gui]
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escort.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\esrv.EXE
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}


***** [ Web browsers ] *****

[-] [search.yahoo.com] [Search Provider] Deleted: search.yahoo.com
[-] [search.conduit.com] [Search Provider] Deleted: search.conduit.com
[-] [yahoo.com search] [Search Provider] Deleted: yahoo.com search
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mail.ru/cnt/10445
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://opatolo.ru/?utm_source=startpage03&utm_content=678dd9988de1f846bfeee036e0fe1554&utm_term=70AFCE0233AED4F034BA8FBB883B3149&utm_d=20160217
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: bejbohlohkkgompgecdcbbglkpjfjgdj
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: hcncjpganfocbfoenaemagjjopkkindp
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default] [homepage] Deleted: hxxp://mail.ru/cnt/10445
[-] [mytos.is] [Search Provider] Deleted: mytos.is
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1] [startup_urls] Deleted: hxxp://mail.ru/cnt/10445
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1] [startup_urls] Deleted: hxxp://opatolo.ru/?utm_source=startpage03&utm_content=678dd9988de1f846bfeee036e0fe1554&utm_term=70AFCE0233AED4F034BA8FBB883B3149&utm_d=20160217
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1] [extension] Deleted: bejbohlohkkgompgecdcbbglkpjfjgdj


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [16009 Bytes] - [13/09/2016 18:55:12]
C:\AdwCleaner\AdwCleaner[S0].txt - [15396 Bytes] - [13/09/2016 18:53:02]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [16157 Bytes] ##########

_________________________________________

 

Thank you again. Please let me know what the next steps are in the process.


Edited by sr_philly, 13 September 2016 - 06:07 PM.
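The three logs above are pasted verbatim, so the only way to see what was actually removed, what is still pending a reboot and what the tools could not delete is to read them line by line. The following is an added example, not the poster's material and not code from FRST, JRT or AdwCleaner: a small Python triage script that recognises the three line shapes seen above (FRST's `target => outcome`, JRT's `Successfully deleted:` / `Failed to delete:`, AdwCleaner's `[-]` / `[#]` markers), buckets each entry by persistence mechanism (service, scheduled task, BHO, autorun, browser extension, startup URL, firewall rule and so on) and lists the entries a helper would re-check in the next FRST log. The category names and the classification rules are my own assumptions; the sample input is a constructed set of lines copied from the logs in this post.

```python
"""Triage helper for pasted FRST Fixlog / JRT / AdwCleaner removal logs (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample input: one representative line of each shape, copied from the
# FRST Fixlog, JRT and AdwCleaner output pasted above.
SAMPLE_LOG = r'''
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => key removed successfully
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{09900DE8-1DCA-443F-9243-26FF581438AF} => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj" => key removed successfully
WindowService => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PC Optimizer Pro64 startups" => key removed successfully
C:\Windows\Tasks\PC Optimizer Pro64 startups.job => moved successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2CF73DAF-7B72-498C-8B69-EE1F7E0A06F1} => value removed successfully
"C:\Program Files\PC Optimizer Pro" => not found.
C:\Windows\settings.dll => moved successfully
Failed to delete: C:\Users\viktoriya\AppData\Local\amigo (Folder)
Successfully deleted: C:\ProgramData\babylon (Folder)
Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\YandexElements (Registry Value)
[-] Service deleted: Guard.Mail.ru
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Mail.Ru
[-] Key deleted: HKLM\SOFTWARE\Classes\Babylon.dskBnd
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Guard.Mail.ru.gui]
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: bejbohlohkkgompgecdcbbglkpjfjgdj
[-] [C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default] [homepage] Deleted: hxxp://mail.ru/cnt/10445
'''

# Line shapes as they appear in the three logs (assumed from the pasted output, not from tool docs).
FRST_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<outcome>.+?)\.?$')
JRT_RE = re.compile(r'^(?P<status>Successfully deleted|Failed to delete): (?P<target>.+) \((?P<kind>[^)]+)\)$')
ADW_RE = re.compile(r'^\[(?P<flag>[-#])\] (?P<prefix>.*?)[Dd]eleted(?P<reboot> on reboot)?: (?P<target>.+)$')


def parse_line(line):
    """Return (tool, status, hint, target) for a removal line, or None for anything else."""
    line = line.strip()
    m = ADW_RE.match(line)
    if m:  # AdwCleaner: '#' marks an item that is only gone after the reboot
        status = "pending_reboot" if (m.group("flag") == "#" or m.group("reboot")) else "removed"
        return ("adwcleaner", status, m.group("prefix"), m.group("target"))
    m = JRT_RE.match(line)
    if m:
        status = "removed" if m.group("status").startswith("Successfully") else "failed"
        return ("jrt", status, m.group("kind"), m.group("target"))
    m = FRST_RE.match(line)
    if m:
        outcome = m.group("outcome").lower()
        if "not found" in outcome:
            status = "not_found"
        elif "successfully" in outcome:
            status = "removed"
        else:
            return None  # e.g. the EmptyTemp size lines, which are not removals
        return ("frst", status, outcome, m.group("target"))
    return None


def categorize(target, hint=""):
    """Map a removed item to the persistence mechanism it represents (assumed categories)."""
    t, h = target.lower(), hint.lower()
    if "firewallrules" in t:
        return "firewall_rule"
    if "taskcache" in t or t.endswith(".job"):
        return "scheduled_task"
    if "currentversion\\run" in t:
        return "autorun"
    if "service" in h or "currentcontrolset\\services\\" in t:
        return "service"
    if "browser helper objects" in t:
        return "bho"
    if "searchscopes" in t:
        return "ie_search_scope"
    if "\\toolbar" in t:
        return "ie_toolbar"
    if "chrome\\extensions" in t or "[extension]" in h:
        return "browser_extension"
    if "startupurls" in t or "[startup_urls]" in h or "[homepage]" in h or "[search provider]" in h:
        return "browser_start_or_search"
    if " ads " in h:
        return "alternate_data_stream"
    if re.match(r"^hk(lm|cu|cr|u)\\", t):
        return "registry_other"
    if re.match(r"^[a-z]:\\", t):
        return "filesystem"
    return "other"


def triage(log_text):
    """Count entries per (category, status) and collect everything that is not a clean removal."""
    summary = Counter()
    follow_up = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        tool, status, hint, target = parsed
        category = categorize(target, hint)
        summary[(category, status)] += 1
        if status != "removed":  # failed / pending_reboot / not_found: re-check in the next FRST log
            follow_up[status].append((tool, category, target))
    return summary, dict(follow_up)


if __name__ == "__main__":
    summary, follow_up = triage(SAMPLE_LOG)
    for (category, status), n in sorted(summary.items()):
        print(f"{category:25s} {status:15s} {n}")
    for status, items in follow_up.items():
        print(f"\n{status}:")
        for tool, category, target in items:
            print(f"  [{tool}] {category}: {target}")
```

Run as-is it summarises the embedded sample; pointing `triage` at the full pasted text of all three logs works the same way, since lines that are not removals (the EmptyTemp sizes, the JRT `user_pref` line, the banners) are skipped. On this thread the follow-up list would carry JRT's five `Failed to delete` folders; the AdwCleaner log further down shows the Amigo, Babylon and MediaGet2 folders being removed on its pass, which is exactly the kind of cross-check between tools this view makes quick.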


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • Gender:Male
  • Local time:04:36 PM

Posted 13 September 2016 - 06:09 PM

Sadly it seems like the Mail.Ru and Guard.Mail.Ru programs were damaged by JRT and AdwCleaner (since it flags them as malicious), so your friend will probably have to reinstall them. Now we'll run Malwarebytes and Emsisoft Emergency Kit to see if there are any remnants, and get a fresh set of FRST logs after.

Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open;
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply;
How's the computer running now?

Your next reply(ies) should include:
  • Copy/pasted content of the Malwarebytes clean log;
  • Copy/pasted content of the EEK clean log;
  • Copy/pasted content of FRST.txt;
  • Copy/pasted content of Addition.txt;
  • Answer to my question about how your computer is currently running;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
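The FRST.txt produced by the scan step above lists each autorun entry together with the size, date and publisher FRST found for its target; entries whose target FRST could not describe show up with that tail missing. The following Python script is an added example, not part of this thread and not FRST's own code: it parses lines in that format and flags the ones a reviewer usually looks at first (no file metadata recorded, an empty publisher field, or a target under a user-writable path). The sample lines, paths, names and flag labels are constructed for the example.

```python
"""Triage the autorun lines of a FRST.txt "Registry (Whitelisted)" section.

Added example (not part of the thread and not FRST's own code). The sample
lines below are constructed to mirror FRST's line format; the paths, names
and publishers in them are invented.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# FRST prints autorun entries as:
#   <hive>\...\Run: [<name>] => <target> [<size> <yyyy-mm-dd>] (<publisher>)
# The "[size date] (publisher)" tail is what FRST found for the target file;
# when the tail is missing, FRST had no file details to report.
RUN_LINE = re.compile(
    r"^(?P<hive>\S+)\\\.\.\.\\(?P<kind>Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<rest>.*)$"
)
TARGET = re.compile(
    r"^(?P<target>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<publisher>[^)]*)\))?$"
)
# Locations a standard user can write to; an autorun living here is not
# malicious by itself, but it is where adware and droppers usually sit.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


@dataclass
class AutorunEntry:
    hive: str
    kind: str
    name: str
    target: str
    size: Optional[int]
    date: Optional[str]
    publisher: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_run_line(line: str) -> Optional[AutorunEntry]:
    """Parse one Run/RunOnce line; return None for any other FRST line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    t = TARGET.match(m.group("rest"))
    return AutorunEntry(
        hive=m.group("hive"),
        kind=m.group("kind"),
        name=m.group("name"),
        target=t.group("target"),
        size=int(t.group("size")) if t.group("size") else None,
        date=t.group("date"),
        publisher=t.group("publisher"),
    )


def flag_entry(entry: AutorunEntry) -> AutorunEntry:
    """Attach review flags (heuristic labels chosen for this example)."""
    if entry.size is None:
        # No size/date tail: FRST had nothing to report about the target,
        # so confirm whether the file still exists before acting on it.
        entry.flags.append("no-file-metadata")
    if entry.publisher is not None and entry.publisher.strip() == "":
        # "()" means the file carried no company name in its version info.
        entry.flags.append("no-publisher")
    if any(p in entry.target.lower() for p in USER_WRITABLE):
        entry.flags.append("user-writable-path")
    return entry


def triage_frst_text(text: str) -> List[AutorunEntry]:
    """Return every autorun entry in a FRST log excerpt, with its flags."""
    entries = []
    for line in text.splitlines():
        entry = parse_run_line(line)
        if entry is not None:
            entries.append(flag_entry(entry))
    return entries


# Constructed sample: same shape as FRST output, invented content.
SAMPLE_FRST_LINES = r"""
HKLM-x32\...\Run: [ExampleTray] => C:\Program Files (x86)\ExampleCorp\Tray\tray.exe [284696 2010-03-03] (ExampleCorp Inc.)
HKLM-x32\...\Run: [OrphanUpdater] => C:\Program Files (x86)\OrphanVendor\updater.exe
HKLM-x32\...\Run: [NoPublisher] => C:\Program Files (x86)\Other\other.exe [1807680 2010-02-09] ()
HKU\S-1-5-21-1000-2000-3000-1001\...\Run: [Agent] => "C:\Users\alice\AppData\Roaming\SomeAgent\agent.exe" -silent
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-03-20] (Microsoft Corporation)
Startup: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Example.lnk [2010-09-27]
"""

if __name__ == "__main__":
    for e in triage_frst_text(SAMPLE_FRST_LINES):
        status = ", ".join(e.flags) if e.flags else "ok"
        print(f"{e.kind:<7} {e.name:<16} {status:<40} {e.target}")
```

The flags are triage hints, not verdicts: an entry with no file metadata may simply be the leftover of an uninstalled program, and a profile path is normal for some legitimate software. Feed the script the Registry section of a real FRST.txt to get a shortlist, then decide on each entry with the helper guiding the cleanup.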


#9 sr_philly

Posted 13 September 2016 - 07:59 PM

Well, I made it part of the way through...

The Malwarebytes log is below:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/13/2016
Scan Time: 8:04 PM
Logfile: mbam log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.13.15
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: viktoriya

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 323321
Time Elapsed: 18 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

______________________________________

Emsisoft Emergency Kit wouldn't make it past one file while scanning, so I aborted the scan and tried again. It still was hung up on one file (screenshot here). A quick Google search told me that zPharaoh.exe was bad news, and Emsisoft Emergency kit seems to hang on that one. I don't want to act on that file without your advice, so I'll abort the scan again at this point.



#10 Aura

Posted 13 September 2016 - 08:47 PM

We'll remove it using FRST.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    
    C:\zPharaoh.exe
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;



#11 sr_philly

Posted 13 September 2016 - 09:07 PM

Below is the FRST log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-09-2016
Ran by viktoriya (13-09-2016 22:05:00) Run:2
Running from C:\Users\viktoriya\Desktop
Loaded Profiles: viktoriya (Available Profiles: viktoriya)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:

C:\zPharaoh.exe
*****************

Processes closed successfully.
"C:\zPharaoh.exe" => not found.


The system needed a reboot.

==== End of Fixlog 22:05:00 ====



#12 sr_philly

Posted 13 September 2016 - 09:31 PM

EEK Quarantine log (after a successful scan, now):

Emsisoft Emergency Kit - Version 11.9
Quarantine log

Date    Source    Event    Detection    
9/13/2016 10:22:02 PM    Value: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\YNDBAR.DLL -> APPID    Moved to quarantine    Application.Win32.SearchBar (A)    
9/13/2016 10:22:02 PM    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{91397D20-1446-11D4-8AF4-0040CA1127B6}    Moved to quarantine    Application.Win32.SearchBar (A)    
9/13/2016 10:22:02 PM    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR -> {91397D20-1446-11D4-8AF4-0040CA1127B6}    Moved to quarantine    Application.Win32.SearchBar (A)    
9/13/2016 10:22:02 PM    C:\$Recycle.Bin\S-1-5-21-4106385973-4032632059-1231172415-1001\$R9A5D2T\R.exe    Moved to quarantine    Gen:Variant.Razy.91107 (B)    
9/13/2016 10:22:02 PM    C:\Users\viktoriya\AppData\Roaming\winxzip\winrarview.exe    Moved to quarantine    Gen:Variant.Palevo.9 (B)    
9/13/2016 10:22:02 PM    C:\Users\viktoriya\AppData\Roaming\winxzip\winzip.exe    Moved to quarantine    Gen:Variant.Palevo.9 (B)

_____________________________________________________

FRST log file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-09-2016
Ran by viktoriya (administrator) on VIKTORIYA-PC (13-09-2016 22:26:04)
Running from C:\Users\viktoriya\Desktop
Loaded Profiles: viktoriya (Available Profiles: viktoriya)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
() C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
() C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtcmd.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winampa.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox334.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] => c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
HKLM-x32\...\Run: [ddoctorv2] => C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtcmd.exe [202560 2008-04-24] (SupportSoft, Inc.)
HKLM-x32\...\Run: [WinampAgent] => C:\Program Files (x86)\Winamp\winampa.exe [74752 2010-12-09] (Nullsoft, Inc.)
HKLM-x32\...\Run: [AlterGeoUpdater] => C:\Program Files (x86)\AlterGeo\Html5 geolocation provider\html5locsvc.exe
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1282120 2013-05-02] (CANON INC.)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9107616 2016-09-13] (AVAST Software)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] => C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe [559616 2011-10-08] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Desktop Software] => "C:\Program Files (x86)\Common Files\SupportSoft\bin\bcont.exe"  /ini "C:\Program Files (x86)\ComcastUI\Desktop Software\uinstaller.ini" /fromrun /starthidden
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Download] => "C:\Users\viktoriya\AppData\Local\SupportSoft\ddoctorv2\viktoriya\SSGet.exe" 120 "hxxp://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [MAgent] => C:\Users\viktoriya\AppData\Roaming\Mail.Ru\Agent\magent.exe -CU
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [AlterGeoUpdater] => C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\html5locsvc.exe
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [Muzbaza] => C:\Program Files (x86)\Muzabaza\Muzabaza player\Muzabaza.exe -m
HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-08-30] (SUPERAntiSpyware)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-03-20] (Microsoft Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-09-27]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-09-27]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{61AD0BC6-7DD8-4068-B3DB-DEF7940206ED}: [NameServer] 188.120.239.115,8.8.8.8
Tcpip\..\Interfaces\{61AD0BC6-7DD8-4068-B3DB-DEF7940206ED}: [DhcpNameServer] 192.168.1.1
ManualProxies:

Internet Explorer:
==================
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: MailRuBHO Class -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll => No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-09-10] (AVAST Software)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
BHO: Візуальні закладки -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> C:\Program Files (x86)\Yandex\FastDial\fastdial64Host.dll [2014-07-09] ()
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-09-27] (Sun Microsystems, Inc.)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2010-11-08] (CANON INC.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-09-10] (AVAST Software)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: AlterGeoBHO Class -> {9BFBA68E-E21B-458E-AE12-FE85E903D2C0} -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll => No File
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
BHO-x32: Візуальні закладки -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> C:\Program Files (x86)\Yandex\FastDial\fastdialHost.dll [2014-07-09] ()
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-09-27] (Sun Microsystems, Inc.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2010-11-08] (CANON INC.)
Toolbar: HKU\.DEFAULT -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
DPF: HKLM-x32 {D71F9A27-723E-4B8B-B428-B725E47CBA3E} hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\nhuzu5j4.default-1473517595655
FF Keyword.URL: hxxp://go.mail.ru/search?fr=ntg&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4222842628-115724200-1229576652-1000: @altergeo.ru/Html5loc -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll [No File]
FF Plugin HKU\S-1-5-21-4222842628-115724200-1229576652-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\viktoriya\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-03-10] (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npkimi.dll [2007-12-17] ( )
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\ozonru.xml [2014-02-15]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\priceru.xml [2014-02-15]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yandex-slovari.xml [2014-02-15]
FF Extension: (Firefox Hotfix) - C:\Users\viktoriya\AppData\Roaming\Mozilla\Firefox\Profiles\nhuzu5j4.default-1473517595655\Extensions\firefox-hotfix@mozilla.org.xpi [2016-09-11]
FF Extension: (Skype Click to Call) - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-06-19] [not signed]
FF Extension: (Skype Click to Call) - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-06-19] [not signed]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-09-10]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-09-10]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HomePage: Default -> mail.ru/cnt/9852088
CHR DefaultSearchURL: Default -> hxxp://go.mail.ru/search?q={SearchTerms}&fr=chrome
CHR DefaultSearchKeyword: Default -> go.mail.ru
CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/ff3?q={searchTerms}
CHR Profile: C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-17]
CHR Extension: (Поделиться ВКонтакте) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjgfnbgjnmeohehminfenoahkcddidpi [2016-02-17]
CHR Extension: (Slither.io Mods,Skins Hack & Guide) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjfkhabmnaeohgoibhpiebgjfejjjdml [2016-05-29]
CHR Extension: (Smashy Road) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\filnchommffflkjipikhoolnfdghadnm [2016-05-30]
CHR Extension: (Slither.io Mod Play with friends Without LAGS) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\foocpcikeakahdlplgpgfoilanoajijf [2016-05-30]
CHR Extension: (Google Docs Offline) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Agar.io Powerups Guide) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfiiapoopclmhaikgpbgddfpmmddmeo [2016-05-29]
CHR Extension: (Agar.io Guide Skins and Powerups) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\lggjoeoadbenkimmgnfdigiodkkmknik [2016-05-29]
CHR Extension: (Diep.io Skins, Mods, Hack & Guide) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\mobocjabocnlckohhkhcalnfcllgnkhi [2016-05-29]
CHR Extension: (Ad;Block Plus) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbcokjcdigciakmjlohaodfinhniimgp [2016-05-29]
CHR Profile: C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Slither.io Bots, Mods,& Friends) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ihmcniojbflmaonbojipkkjcehcggjla [2016-05-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\viktoriya\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-30]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gndaciceccgapjhpniecknjlmmlanaem] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]
CHR HKLM-x32\...\Chrome\Extension: [pldbienodkpgkccocelidinmciedjdok] - hxxps://clients2.google.com/service/update2/crx

Opera:
=======
StartMenuInternet: (HKLM) Opera - C:\Program Files\Opera x64\Opera.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-09-10] (AVAST Software)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
R2 sprtsvc_ddoctorv2; C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe [202560 2008-04-24] (SupportSoft, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-09-10] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-09-10] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-09-10] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-09-10] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-09-10] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969184 2016-09-13] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513496 2016-09-10] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-09-10] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-09-10] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-13 22:26 - 2016-09-13 22:26 - 00019665 _____ C:\Users\viktoriya\Desktop\FRST.txt
2016-09-13 20:25 - 2016-09-13 22:24 - 00000000 ____D C:\EEK
2016-09-13 18:49 - 2016-09-13 18:55 - 00000000 ____D C:\AdwCleaner
2016-09-13 18:35 - 2015-06-26 15:08 - 00294400 _____ (CodePlex Community) C:\Users\viktoriya\AppData\Local\Microsoft.Win32.TaskScheduler.dll
2016-09-13 18:21 - 2016-09-13 22:26 - 00000000 ____D C:\Users\viktoriya\Desktop\fix
2016-09-11 22:44 - 2016-09-11 22:44 - 00003870 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1400692265
2016-09-11 19:52 - 2016-09-13 22:26 - 00000000 ____D C:\FRST
2016-09-11 19:51 - 2016-09-13 18:27 - 02398720 _____ (Farbar) C:\Users\viktoriya\Desktop\FRST64.exe
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\SUPERAntiSpyware.com
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-09-10 18:53 - 2016-09-10 18:53 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-09-10 18:38 - 2016-09-10 18:39 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2016-09-10 18:38 - 2016-09-10 18:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
2016-09-10 18:16 - 2016-09-10 18:16 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-09-10 18:16 - 2016-09-10 18:16 - 00003898 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1473545815
2016-09-10 18:16 - 2016-09-10 18:16 - 00001005 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-09-10 18:15 - 2016-09-13 18:41 - 00969184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2016-09-10 18:15 - 2016-09-11 20:34 - 00004180 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-09-10 18:15 - 2016-09-10 18:15 - 00513496 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00391496 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-09-10 18:15 - 2016-09-10 18:15 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00163416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00108816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00044952 _____ () C:\Windows\system32\Drivers\staport.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-09-10 18:15 - 2016-09-10 18:15 - 00001884 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\AVAST Software
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-09-10 18:15 - 2016-09-10 18:15 - 00000000 ____D C:\Program Files\Common Files\AV
2016-09-10 18:14 - 2016-09-10 18:16 - 00000000 ____D C:\Program Files\AVAST Software
2016-09-10 18:14 - 2016-09-10 18:14 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-09-10 18:13 - 2016-09-10 18:16 - 00000000 ____D C:\ProgramData\AVAST Software
2016-09-10 12:07 - 2016-09-13 20:04 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-10 12:06 - 2016-09-10 12:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-10 12:05 - 2016-09-10 12:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-10 12:05 - 2016-03-10 17:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-09-10 12:05 - 2016-03-10 17:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-09-10 12:05 - 2016-03-10 17:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-09-10 11:58 - 2016-09-10 11:58 - 00000000 ____D C:\Program Files (x86)\Marketing Research Association
2016-09-10 11:24 - 2016-09-10 11:24 - 00000000 ____D C:\Windows\system32\sstmp
2016-09-10 10:56 - 2016-09-10 10:56 - 00000000 ____D C:\Program Files\Temp File Cleaner
2016-09-10 01:26 - 2016-09-10 01:27 - 00114970 _____ C:\Windows\ntbtlog.txt
2016-09-10 01:17 - 2016-09-10 01:17 - 00000000 __SHD C:\found.002
2016-09-07 23:07 - 2016-09-07 23:07 - 00000000 __SHD C:\found.001
2016-09-07 22:23 - 2016-09-07 22:23 - 00000000 ____D C:\ProgramData\dbg
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default\AppData\Local\AutoUpdate
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol
2016-09-03 22:46 - 2016-09-07 22:23 - 00000000 ____D C:\Users\Default User\AppData\Local\AutoUpdate
2016-09-03 22:46 - 2016-09-03 22:46 - 00000000 ____D C:\Users\Default\AppData\Local\Eui
2016-09-03 22:46 - 2016-09-03 22:46 - 00000000 ____D C:\Users\Default\Act
2016-09-03 22:46 - 2016-09-03 22:46 - 00000000 ____D C:\Users\Default User\AppData\Local\Eui
2016-09-03 16:47 - 2016-09-03 16:47 - 00000000 ____D C:\Users\viktoriya\AppData\Local\CEF
2016-09-03 16:17 - 2016-09-03 16:17 - 00000000 ____D C:\Users\viktoriya\AppData\Local\CrashRpt
2016-09-03 16:07 - 2016-09-10 07:09 - 00000000 ____D C:\bin
2016-09-03 16:00 - 2016-09-10 10:57 - 00000000 ____D C:\Windows\system32\SSL
2016-09-03 15:58 - 2016-09-03 15:58 - 00645200 _____ C:\Users\viktoriya\Downloads\Gta5 ModMenuUsb.gz
2016-09-03 15:56 - 2016-09-03 15:56 - 00433301 _____ C:\Users\viktoriya\Downloads\SkyAcro6.5 .rar
2016-08-17 10:08 - 2016-07-08 11:32 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-08-17 10:08 - 2016-07-08 11:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-08-16 14:35 - 2016-08-16 14:35 - 00076106 _____ C:\Users\viktoriya\Downloads\512.jpeg
2016-08-16 14:31 - 2016-08-16 14:52 - 00069648 _____ C:\Users\viktoriya\Downloads\1441648944-2d72ce4336860643b4d9615b38505480.jpeg

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-13 22:22 - 2010-12-14 18:55 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\winxzip
2016-09-13 22:13 - 2009-07-14 00:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-13 22:13 - 2009-07-14 00:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-13 22:12 - 2009-07-14 01:13 - 00783464 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-13 22:12 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-09-13 22:06 - 2010-09-27 20:17 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2016-09-13 22:05 - 2010-10-24 22:56 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2016-09-13 22:05 - 2010-10-24 22:56 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2016-09-13 22:05 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-13 18:54 - 2011-11-07 18:36 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2016-09-13 18:53 - 2011-11-07 18:36 - 00000000 ____D C:\Users\viktoriya\AppData\LocalLow\Yahoo!
2016-09-13 18:40 - 2016-05-02 20:26 - 00000000 ____D C:\Users\viktoriya\AppData\Local\Nico Mak Computing
2016-09-13 18:33 - 2010-11-15 22:40 - 00000000 ____D C:\Program Files\Google
2016-09-13 18:33 - 2010-11-15 22:40 - 00000000 ____D C:\Program Files (x86)\Google
2016-09-13 18:28 - 2010-10-24 22:55 - 00000000 ____D C:\Users\viktoriya
2016-09-13 18:25 - 2010-11-15 22:40 - 00000000 ____D C:\Users\viktoriya\AppData\Local\Google
2016-09-13 18:25 - 2010-11-15 22:40 - 00000000 ____D C:\ProgramData\Google
2016-09-11 22:44 - 2014-06-14 22:45 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-09-11 22:44 - 2014-06-14 22:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-09-11 22:44 - 2014-06-14 22:45 - 00000000 ____D C:\Program Files\WinRAR
2016-09-11 22:44 - 2014-05-21 13:11 - 00000000 ____D C:\Program Files (x86)\Opera
2016-09-11 20:25 - 2012-04-10 14:11 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-11 19:48 - 2010-10-25 04:00 - 00000000 ____D C:\Users\viktoriya\AppData\Roaming\Skype
2016-09-11 19:48 - 2010-09-27 20:22 - 00000000 ____D C:\ProgramData\Skype
2016-09-11 19:47 - 2010-09-27 20:23 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-09-10 18:40 - 2010-12-14 18:55 - 00000000 ____D C:\ProgramData\TEMP
2016-09-10 18:18 - 2011-07-31 11:32 - 00001945 _____ C:\Windows\epplauncher.mif
2016-09-10 17:06 - 2014-07-18 16:13 - 00000000 ____D C:\VkontakteDJ
2016-09-10 17:06 - 2012-10-01 16:02 - 00000000 ____D C:\Users\viktoriya\AppData\Local\Apps\2.0
2016-09-10 17:06 - 2010-10-24 22:56 - 00001351 _____ C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-09-10 17:06 - 2009-07-14 00:57 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2016-09-10 17:06 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Help
2016-09-10 17:05 - 2016-08-08 18:48 - 00001156 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Horizon.lnk
2016-09-10 17:05 - 2016-05-02 21:01 - 00001109 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-09-10 17:05 - 2015-01-22 23:57 - 00000993 _____ C:\Users\viktoriya\Desktop\PhotoScape.lnk
2016-09-10 17:05 - 2014-10-16 10:07 - 00001001 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera 39.lnk
2016-09-10 17:05 - 2014-06-16 23:30 - 00001983 _____ C:\Users\Public\Desktop\Canon Quick Menu.lnk
2016-09-10 17:05 - 2014-06-16 23:27 - 00002302 _____ C:\Users\Public\Desktop\Canon MG3500 series On-screen Manual.lnk
2016-09-10 17:05 - 2014-06-14 22:51 - 00002657 _____ C:\Users\viktoriya\Desktop\Microsoft Office Word 2003.lnk
2016-09-10 17:05 - 2014-05-21 13:11 - 00001073 _____ C:\Users\Public\Desktop\Opera 39.lnk
2016-09-10 17:05 - 2014-04-20 11:20 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2016-09-10 17:05 - 2014-01-16 15:36 - 00001155 _____ C:\Users\viktoriya\Desktop\QIP Shot.lnk
2016-09-10 17:05 - 2013-12-27 15:54 - 00002178 _____ C:\Users\viktoriya\Desktop\Yandex.lnk
2016-09-10 17:05 - 2013-12-27 14:47 - 00001873 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-09-10 17:05 - 2013-10-06 06:12 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2016-09-10 17:05 - 2012-08-03 15:02 - 00001854 _____ C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Start Menu\Mail.Ru Агент.lnk
2016-09-10 17:05 - 2011-08-26 13:52 - 00001109 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-09-10 17:05 - 2010-10-24 22:55 - 00001923 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Help Documentation.lnk
2016-09-10 17:05 - 2010-09-27 22:09 - 00001333 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-09-10 17:05 - 2010-09-27 22:09 - 00001314 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-09-10 17:05 - 2010-09-27 20:26 - 00002423 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2010.lnk
2016-09-10 17:05 - 2010-09-27 20:25 - 00001215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop Elements 8.0.lnk
2016-09-10 17:05 - 2009-07-14 01:01 - 00001282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
2016-09-10 17:05 - 2009-07-14 00:57 - 00001535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-09-10 17:05 - 2009-07-14 00:57 - 00001340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
2016-09-10 17:05 - 2009-07-14 00:57 - 00001318 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2016-09-10 17:05 - 2009-07-14 00:54 - 00001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2016-09-10 17:05 - 2009-07-14 00:49 - 00001266 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2016-09-10 15:25 - 2011-11-07 18:36 - 00000000 ____D C:\ProgramData\Yahoo!
2016-09-10 12:05 - 2011-01-03 16:28 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-09-09 21:44 - 2010-12-20 18:13 - 00000000 ____D C:\Users\viktoriya\AppData\LocalLow\Temp
2016-09-03 16:12 - 2014-06-19 23:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-02 17:33 - 2015-03-02 14:59 - 00803840 ____H C:\Users\viktoriya\Downloads\photothumb.db
2016-09-02 01:11 - 2014-06-16 23:23 - 00000000 ____D C:\ProgramData\CanonIJPLM
2016-08-18 13:10 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache

==================== Files in the root of some directories =======

2010-11-05 20:32 - 2010-11-05 20:32 - 0003584 _____ () C:\Users\viktoriya\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-09-13 18:35 - 2015-06-26 15:08 - 0294400 _____ (CodePlex Community) C:\Users\viktoriya\AppData\Local\Microsoft.Win32.TaskScheduler.dll
2010-11-08 17:51 - 2010-11-08 17:51 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

Some files in TEMP:
====================
C:\Users\viktoriya\AppData\Local\Temp\libeay32.dll
C:\Users\viktoriya\AppData\Local\Temp\msvcr120.dll
C:\Users\viktoriya\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-09-10 13:36

==================== End of FRST.txt ============================


_________________________________

Addition.txt file


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-09-2016
Ran by viktoriya (13-09-2016 22:27:17)
Running from C:\Users\viktoriya\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2010-10-25 02:55:29)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4222842628-115724200-1229576652-500 - Administrator - Disabled)
Guest (S-1-5-21-4222842628-115724200-1229576652-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4222842628-115724200-1229576652-1002 - Limited - Enabled)
viktoriya (S-1-5-21-4222842628-115724200-1229576652-1000 - Administrator - Enabled) => C:\Users\viktoriya

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 22 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Photoshop Elements 8.0 (HKLM-x32\...\Adobe Photoshop Elements 8.0) (Version: 8.0 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.17) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.17 - Adobe Systems Incorporated)
Anarchy (HKLM-x32\...\Anarchy) (Version: 3.0.0.0 - XB36Hazard)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 12.3.2280 - AVAST Software)
Bandicam (HKLM-x32\...\Bandicam) (Version: 3.1.1.1073 - Bandisoft.com)
Bandisoft MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version:  - Bandisoft.com)
Canon Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version:  - )
Canon Easy-WebPrint EX (HKLM-x32\...\Easy-WebPrint EX) (Version:  - )
Canon MG3500 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG3500_series) (Version: 1.00 - Canon Inc.)
Canon MG3500 series On-screen Manual (HKLM-x32\...\Canon MG3500 series On-screen Manual) (Version: 7.6.1 - Canon Inc.)
Canon MG3500 series User Registration (HKLM-x32\...\Canon MG3500 series User Registration) (Version:  - ‭Canon Inc.)
Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version:  - )
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 2.0.1 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 2.0.0 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.2.1 - Canon Inc.)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Dell DataSafe Local Backup - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 9.4.60 - Dell)
Dell DataSafe Local Backup (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 9.4.60 - Dell)
Dell DataSafe Online (HKLM-x32\...\{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}) (Version: 1.2.0011 - Dell, Inc.)
Dell Dock (HKLM-x32\...\Dell Dock) (Version:  - Stardock Corporation)
Dell Dock (Version: 2.0 - Stardock Corporation) Hidden
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Getting Started Guide (HKLM-x32\...\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}) (Version: 1.00.0000 - Dell Inc.)
Desktop Doctor (HKLM-x32\...\{D87149B3-7A1D-4548-9CBF-032B791E5908}) (Version: 2.5.5 - Comcast)
Google Chrome (HKLM-x32\...\{B9082609-19CD-3D8D-B53C-E1F0D3F409E3}) (Version: 52.0.2743.116 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
GoToAssist 8.0.0.514 (HKLM-x32\...\GoToAssist) (Version:  - )
Guard.Mail.ru (HKLM-x32\...\Guard.Mail.ru) (Version:  - Mail.ru) <==== ATTENTION
Horizon (HKLM-x32\...\{6c4303a5-5115-4cfd-bf48-8af0541cd082}) (Version: 2.8.26 - Daring Development Inc.)
Horizon (x32 Version: 2.8.26 - Daring Development Inc.) Hidden
Html5 geolocation provider (HKLM-x32\...\{21FA0004-7D45-4295-9ABF-5270439EA2F8}) (Version: 3.5.4.872 - AlterGeo)
Imikimi Plugin (HKLM-x32\...\Imikimi Plugin) (Version:  - )
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation)
Java™ 6 Update 20 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416020FF}) (Version: 6.0.200 - Sun Microsystems, Inc.)
Java™ 6 Update 20 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216020FF}) (Version: 6.0.200 - Sun Microsystems, Inc.)
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Mail.Ru Агент 6.0 (сборка 6037, для текущего пользователя) (HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\MRA) (Version:  - Mail.Ru) <==== ATTENTION
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
MediaGet2 version 2.1.829.0 (HKLM-x32\...\{9193306E-5935-47E0-B458-2548778C1614}_is1) (Version: 2.1.829.0 - MediaGet LLC)
MediaGet2 version 2.1.890.0 (HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\{9193306E-5935-47E0-B458-2548778C1614}_is1) (Version: 2.1.890.0 - MediaGet LLC)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Expression Encoder 4 (HKLM-x32\...\Encoder_4.0.1651.0) (Version: 4.0.1651.0 - Microsoft Corporation)
Microsoft Expression Encoder 4 Screen Capture Codec (HKLM-x32\...\{952DCCD8-4039-46C8-BC8B-5C1EB6C8E130}) (Version: 4.0.1651.0 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM-x32\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850422-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM-x32\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM-x32\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (HKLM-x32\...\{a0fe116e-9a8a-466f-aee0-625cb7c207e3}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}) (Version: 8.0.58299 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{820B6609-4C97-3A2B-B644-573B06A0F0CC}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 46.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 46.0.1 - Mozilla)
Opera 12.16 (HKLM\...\Opera 12.16.1860) (Version: 12.16.1860 - Opera Software ASA)
Opera Stable 35.0.2066.37 (HKLM-x32\...\Opera 35.0.2066.37) (Version: 35.0.2066.37 - Opera Software)
Opera Stable 39.0.2256.71 (HKLM-x32\...\Opera 39.0.2256.71) (Version: 39.0.2256.71 - Opera Software)
PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
Roxio Burn (HKLM-x32\...\{B2E47DE7-800B-40BB-BD1F-9F221C3AEE87}) (Version: 1.01 - Roxio)
SafeZone Stable 1.51.2220.53 (x32 Version: 1.51.2220.53 - Avast Software) Hidden
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.9.12585 - Skype Technologies S.A.)
Skype™ 7.27 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.27.101 - Skype Technologies S.A.)
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
Sqirlz Water Reflections (HKLM-x32\...\Sqirlz Water Reflections) (Version: 2.0 - xiberpix)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1224 - SUPERAntiSpyware.com)
Temp File Cleaner (HKLM\...\Temp File Cleaner) (Version: 4.4.0 - Addpcs, LLC)
TinyZIP (HKLM-x32\...\{1D5355BA-562B-4C29-83C0-1D0ED41B2D87}) (Version: 1.0.2 - TinyZIP.net)
-Uh Radio- Player (HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\-Uh Radio- Player) (Version:  - Uh Radio)
Unity Web Player (HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\UnityWebPlayer) (Version: 5.3.4f1 - Unity Technologies ApS)
Update for Html5 geolocation provider (HKLM-x32\...\{B0F669AB-9F2E-41A1-A052-CF908054B79F}) (Version: 3.7.6.911 - AlterGeo)
Winamp (HKLM-x32\...\Winamp) (Version: 5.601  - Nullsoft, Inc)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
Yandex (HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\YandexBrowser) (Version: 34.0.1847.18825 - ООО «ЯНДЕКС»)
Элементы Яндекса 8.1 для Internet Explorer (HKLM-x32\...\{63CD0C4E-17FE-4C97-9216-5D566508879A}) (Version: 8.1.3.6036 - Яндекс)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {15E1945E-67B6-451E-941C-FCAEA28E1909} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-09-10] (AVAST Software)
Task: {60A85AF0-EC75-4EE0-B282-58E7C779A9DC} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-09-10] (AVAST Software)
Task: {7B85CEAD-1B4D-40F1-878F-793FE19F00E1} - System32\Tasks\Opera scheduled Autoupdate 1400692265 => C:\Program Files (x86)\Opera\launcher.exe [2016-09-02] (Opera Software)
Task: {7F3BB248-6E2A-4301-9D02-D5C105F3CB28} - System32\Tasks\SafeZone scheduled Autoupdate 1473545815 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-08-09] (Avast Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Network Shortcuts\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.com

==================== Loaded Modules (Whitelisted) ==============

2010-09-27 20:17 - 2011-08-18 11:05 - 02751808 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
2010-02-09 14:34 - 2010-02-09 14:34 - 01807680 _____ () C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
2009-10-15 04:10 - 2009-10-15 04:10 - 00498160 _____ () C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
2016-09-10 18:14 - 2016-09-10 18:14 - 00169064 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-09-13 18:22 - 2016-09-13 18:22 - 03085112 _____ () C:\Program Files\AVAST Software\Avast\defs\16091303\algo.dll
2016-09-10 18:14 - 2016-09-10 18:14 - 00482928 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2010-02-09 14:34 - 2010-02-09 14:34 - 00275776 _____ () C:\Program Files (x86)\Dell DataSafe Online\SdbShared.dll
2010-02-09 14:34 - 2010-02-09 14:34 - 00058688 _____ () C:\Program Files (x86)\Dell DataSafe Online\BalloonWindow.dll
2010-02-09 14:34 - 2010-02-09 14:34 - 00095552 _____ () C:\Program Files (x86)\Dell DataSafe Online\SdbUI.dll
2010-02-09 14:34 - 2010-02-09 14:34 - 00152896 _____ () C:\Program Files (x86)\Dell DataSafe Online\SdbShared.XmlSerializers.dll
2010-02-09 14:34 - 2010-02-09 14:34 - 00017728 _____ () C:\Program Files (x86)\Dell DataSafe Online\cpputils.dll
2016-09-10 18:15 - 2016-09-10 18:15 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2016-05-12 10:10 - 2016-05-12 10:10 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\a43e262ba6a83b1620aec78f2d735962\IsdiInterop.ni.dll
2010-09-27 20:12 - 2010-03-03 21:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-4222842628-115724200-1229576652-1000\...\1001movie.com -> 1001movie.com

There are 6091 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2016-09-10 11:29 - 00001270 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 mpa.one.microsoft.com
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com
162.222.194.13       cocomo.tremorhub.com
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\viktoriya\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 188.120.239.115 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{7C527AA1-3076-4463-8E82-5A53D1942406}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\wlcsdk.exe
FirewallRules: [{1EB3E2D0-7554-4B06-8669-085258CA58E5}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{63A7C092-E764-44BB-BC54-38EE77E0B025}] => (Allow) svchost.exe
FirewallRules: [{D980B720-21BB-42FD-816E-747D4C0FBF24}] => (Allow) C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe
FirewallRules: [{4D95218D-FB39-4D54-95AE-8F2C04FE784D}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{BEF3F59A-064A-4CC6-80AD-8BD908614A5F}] => (Allow) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\AdobePhotoshopElementsMediaServer.exe
FirewallRules: [{5EC23B39-56A6-49A1-A2FC-026CBC3F66EA}] => (Allow) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\AdobePhotoshopElementsMediaServer.exe
FirewallRules: [{9E30D877-BC71-40A3-9117-AF17883820F1}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{9F6AE1FB-FA9D-40D4-A600-571084FF0DA6}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{5AD63231-CE3A-4920-A0F6-C9DCF1F544C5}] => (Allow) C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe
FirewallRules: [{3D79263F-6B03-4DA6-BC61-3AC83D36B838}] => (Allow) C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe
FirewallRules: [{F3251771-E56B-43F2-B7DA-747978F3C8EE}] => (Allow) C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe
FirewallRules: [{6F0F9C90-D93A-4649-BBA0-3387B8C42C69}] => (Allow) C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe
FirewallRules: [{B22A3E64-CAA7-407C-A511-90A26FBA3963}] => (Allow) C:\Users\viktoriya\AppData\Roaming\Mail.Ru\Agent\magent.exe
FirewallRules: [{01B8E095-F922-42F9-89BA-E249329F48E5}] => (Allow) C:\Users\viktoriya\AppData\Roaming\Mail.Ru\Agent\magent.exe
FirewallRules: [{C2F033D1-557E-445B-9139-0FE74DA2DE13}] => (Allow) C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe
FirewallRules: [{3C221D75-DA75-42C2-8CBE-508C270EC641}] => (Allow) C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe
FirewallRules: [{89B1E85F-434C-4C13-9E11-64990FDD2472}] => (Allow) C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper_32.exe
FirewallRules: [{3978734A-0EBC-43C6-AF1A-91F116668E0E}] => (Allow) C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper_32.exe
FirewallRules: [{BB2A3417-2581-4DC7-A71A-C0F827170E8A}] => (Allow) C:\Program Files\Opera x64\opera.exe
FirewallRules: [{6E79BE65-DB14-45B0-80F4-AB7C8A39DCDA}] => (Allow) C:\Program Files\Opera x64\opera.exe
FirewallRules: [{4B679513-8C3D-4EA8-85E2-48FA7E54B0CA}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{55A867F5-E745-4C71-8989-FB27ACE294D9}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{9637F1B3-0725-43EB-AC86-7ECFE96CF7CD}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{815F7A50-148E-40A5-86C3-81DE48460757}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{02525DC0-7873-43CF-B89F-5DEFE4184A71}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6B1ED780-9378-48CF-9965-4D5079A0A53A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{77B4D4C6-0403-4027-B10B-377C68CC175B}C:\users\viktoriya\desktop\agar.io private server\agar.io private server app (keep this).exe] => (Allow) C:\users\viktoriya\desktop\agar.io private server\agar.io private server app (keep this).exe
FirewallRules: [UDP Query User{6B69E90B-B700-4241-B58E-4DBE088FBFC0}C:\users\viktoriya\desktop\agar.io private server\agar.io private server app (keep this).exe] => (Allow) C:\users\viktoriya\desktop\agar.io private server\agar.io private server app (keep this).exe
FirewallRules: [TCP Query User{F4DAECAB-0F23-4093-9360-AE7FB621A06B}C:\games\world_of_warships\wowslauncher.exe] => (Allow) C:\games\world_of_warships\wowslauncher.exe
FirewallRules: [UDP Query User{931990B3-CEFA-4DB3-A295-6E359D3ABF7D}C:\games\world_of_warships\wowslauncher.exe] => (Allow) C:\games\world_of_warships\wowslauncher.exe
FirewallRules: [{169EDFC6-A3B5-458A-B42A-8E5260651EB3}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{CCEE94C4-FA4F-49FB-BD7E-A97D8389A1C0}] => (Allow) C:\Users\viktoriya\AppData\Local\Temp\MPCOnline\MPCDownload.exe
FirewallRules: [{1C338520-872C-4855-AF13-D9E94BA1FB18}] => (Allow) C:\Users\viktoriya\AppData\Local\Temp\MPCOnline\MPCDownload.exe
FirewallRules: [{C2853D1B-95E6-4365-8E3F-B68D0FD79D2F}] => (Allow) C:\Windows\system32\rundll32.exe

==================== Restore Points =========================

10-09-2016 13:42:49 Scheduled Checkpoint
10-09-2016 15:23:44 Removed PDF2HTML
10-09-2016 18:18:42 ASU_MSI_TRAN
11-09-2016 20:49:52 Windows Update
11-09-2016 22:44:51 ASU_MSI_TRAN
13-09-2016 18:28:08 Restore Point Created by FRST
13-09-2016 18:38:06 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/13/2016 10:07:04 PM) (Source: Swapdrive Backup) (EventID: 0) (User: )
Description: Swapdrive Backup: Web Service Error: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 63.245.197.212:443
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Swapdrive.Shared.com.backup.uswsvcdell.Service.GetInfo(GetInfoRequest req)
   at Swapdrive.Shared.ActivationWsvcs.GetInfo()

Error: (09/13/2016 10:05:58 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
The action cannot be completed. Try the action again. If the problem continues, contact Microsoft Product Support.

Error: (09/13/2016 10:05:57 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
The action cannot be completed. Try the action again. If the problem continues, contact Microsoft Product Support.

Error: (09/13/2016 10:05:57 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Product registration is corrupted for {90140011-0066-0409-0000-0000000FF1CE}

Error: (09/13/2016 10:05:57 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Error: Product {90140011-0066-0409-0000-0000000FF1CE} found in the registry but SoftGrid doesn't know about it, skipping...

Error: (09/13/2016 10:05:57 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Product registration is corrupted for {90140011-0066-0409-0000-0000000FF1CE}

Error: (09/13/2016 10:05:57 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Error: Product {90140011-0066-0409-0000-0000000FF1CE} found in the registry but SoftGrid doesn't know about it, skipping...

Error: (09/13/2016 10:03:51 PM) (Source: Swapdrive Backup) (EventID: 0) (User: )
Description: Swapdrive Backup: Web Service Error: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 63.245.197.212:443
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Swapdrive.Shared.com.backup.uswsvcdell.Service.GetInfo(GetInfoRequest req)
   at Swapdrive.Shared.ActivationWsvcs.GetInfo()

Error: (09/13/2016 10:01:47 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
The action cannot be completed. Try the action again. If the problem continues, contact Microsoft Product Support.

Error: (09/13/2016 10:01:47 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
The action cannot be completed. Try the action again. If the problem continues, contact Microsoft Product Support.


System errors:
=============
Error: (09/13/2016 10:05:02 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Application Virtualization Client service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Software Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Rapid Storage Technology service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The SupportSoft Sprocket Service (ddoctorv2) service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Client Virtualization Handler service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Application Virtualization Service Agent service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/13/2016 10:05:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The SoftThinks Agent Service service terminated unexpectedly.  It has done this 1 time(s).


==================== Memory info ===========================

Processor: Pentium® Dual-Core CPU E5700 @ 3.00GHz
Percentage of memory in use: 37%
Total physical RAM: 4060.98 MB
Available physical RAM: 2552.58 MB
Total Virtual: 8420.15 MB
Available Virtual: 6641.28 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:453.69 GB) (Free:345.66 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 259D4594)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=453.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#13 Aura (Bleepin' Special Ops, Malware Response Team, 19,661 posts)

Posted 14 September 2016 - 07:20 AM

Good :) There's a few remnants to take care of, and at the same time the fix will list the content of some folders I'm not sure of.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    CreateRestorePoint:
    
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    
    BHO: MailRuBHO Class -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll => No File
    BHO-x32: AlterGeoBHO Class -> {9BFBA68E-E21B-458E-AE12-FE85E903D2C0} -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll => No File
    Toolbar: HKU\.DEFAULT -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
    FF Plugin HKU\S-1-5-21-4222842628-115724200-1229576652-1000: @altergeo.ru/Html5loc -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll [No File]
    
    C:\Program Files (x86)\Mozilla Firefox\firefox334.exe
    C:\Users\viktoriya\AppData\Roaming\winxzip
    
    CMD: dir "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol"
    CMD: dir "C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol"
    CMD: dir "C:\Users\Default\AppData\Local\AutoUpdate"
    CMD: dir "C:\Users\Default User\AppData\Local\AutoUpdate"
    CMD: dir "C:\Users\Default\AppData\Local\Eui"
    CMD: dir "C:\Users\Default\Act"
    CMD: dir "C:\Users\Default User\AppData\Local\Eui"
    CMD: dir "C:\Users\viktoriya\AppData\Local\CEF"
    CMD: dir "C:\Users\viktoriya\AppData\Local\Apps\2.0"
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 sr_philly (Topic Starter, Members, 15 posts)

Posted 14 September 2016 - 06:17 PM

Good evening,

Here is the latest FRST fix log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-09-2016
Ran by viktoriya (14-09-2016 19:03:35) Run:3
Running from C:\Users\viktoriya\Desktop
Loaded Profiles: viktoriya (Available Profiles: viktoriya)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

BHO: MailRuBHO Class -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik_x64.dll => No File
BHO-x32: AlterGeoBHO Class -> {9BFBA68E-E21B-458E-AE12-FE85E903D2C0} -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll => No File
Toolbar: HKU\.DEFAULT -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
FF Plugin HKU\S-1-5-21-4222842628-115724200-1229576652-1000: @altergeo.ru/Html5loc -> C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll [No File]

C:\Program Files (x86)\Mozilla Firefox\firefox334.exe
C:\Users\viktoriya\AppData\Roaming\winxzip

CMD: dir "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol"
CMD: dir "C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol"
CMD: dir "C:\Users\Default\AppData\Local\AutoUpdate"
CMD: dir "C:\Users\Default User\AppData\Local\AutoUpdate"
CMD: dir "C:\Users\Default\AppData\Local\Eui"
CMD: dir "C:\Users\Default\Act"
CMD: dir "C:\Users\Default User\AppData\Local\Eui"
CMD: dir "C:\Users\viktoriya\AppData\Local\CEF"
CMD: dir "C:\Users\viktoriya\AppData\Local\Apps\2.0"

EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8984B388-A5BB-4DF7-B274-77B879E179DB}" => key removed successfully
"HKCR\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9BFBA68E-E21B-458E-AE12-FE85E903D2C0}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{9BFBA68E-E21B-458E-AE12-FE85E903D2C0}" => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{91397D20-1446-11D4-8AF4-0040CA1127B6} => value removed successfully
HKCR\CLSID\{91397D20-1446-11D4-8AF4-0040CA1127B6} => key not found.
"HKU\S-1-5-21-4222842628-115724200-1229576652-1000\Software\MozillaPlugins\@altergeo.ru/Html5loc" => key removed successfully
C:\ProgramData\AlterGeo\Update for Html5 geolocation provider\npHtml5loc.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\firefox334.exe => moved successfully
C:\Users\viktoriya\AppData\Roaming\winxzip => moved successfully

========= dir "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol

09/07/2016  10:23 PM    <DIR>          .
09/07/2016  10:23 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  370,805,530,624 bytes free

========= End of CMD: =========


========= dir "C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol

09/07/2016  10:23 PM    <DIR>          .
09/07/2016  10:23 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  370,805,530,624 bytes free

========= End of CMD: =========


========= dir "C:\Users\Default\AppData\Local\AutoUpdate" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\Default\AppData\Local\AutoUpdate

09/07/2016  10:23 PM    <DIR>          .
09/07/2016  10:23 PM    <DIR>          ..
08/26/2016  09:28 AM                68 AutoUpdate.bat
               1 File(s)             68 bytes
               2 Dir(s)  370,805,530,624 bytes free

========= End of CMD: =========


========= dir "C:\Users\Default User\AppData\Local\AutoUpdate" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\Default User\AppData\Local\AutoUpdate

09/07/2016  10:23 PM    <DIR>          .
09/07/2016  10:23 PM    <DIR>          ..
08/26/2016  09:28 AM                68 AutoUpdate.bat
               1 File(s)             68 bytes
               2 Dir(s)  370,805,526,528 bytes free

========= End of CMD: =========


========= dir "C:\Users\Default\AppData\Local\Eui" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\Default\AppData\Local\Eui

09/03/2016  10:46 PM    <DIR>          .
09/03/2016  10:46 PM    <DIR>          ..
08/26/2016  10:15 AM                31 Eui.bat
               1 File(s)             31 bytes
               2 Dir(s)  370,805,526,528 bytes free

========= End of CMD: =========


========= dir "C:\Users\Default\Act" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\Default\Act

09/03/2016  10:46 PM    <DIR>          .
09/03/2016  10:46 PM    <DIR>          ..
08/26/2016  10:14 AM                30 Act.bat
               1 File(s)             30 bytes
               2 Dir(s)  370,805,526,528 bytes free

========= End of CMD: =========


========= dir "C:\Users\Default User\AppData\Local\Eui" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\Default User\AppData\Local\Eui

09/03/2016  10:46 PM    <DIR>          .
09/03/2016  10:46 PM    <DIR>          ..
08/26/2016  10:15 AM                31 Eui.bat
               1 File(s)             31 bytes
               2 Dir(s)  370,805,526,528 bytes free

========= End of CMD: =========


========= dir "C:\Users\viktoriya\AppData\Local\CEF" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\viktoriya\AppData\Local\CEF

09/03/2016  04:47 PM    <DIR>          .
09/03/2016  04:47 PM    <DIR>          ..
09/03/2016  04:47 PM    <DIR>          User Data
               0 File(s)              0 bytes
               3 Dir(s)  370,805,526,528 bytes free

========= End of CMD: =========


========= dir "C:\Users\viktoriya\AppData\Local\Apps\2.0" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\Users\viktoriya\AppData\Local\Apps\2.0

09/10/2016  05:06 PM    <DIR>          .
09/10/2016  05:06 PM    <DIR>          ..
03/08/2016  09:12 AM                 0 7dc8436000ad11e690c70616440bcd7d.sts
10/01/2012  04:02 PM    <DIR>          Data
09/03/2016  04:53 PM               656 InstallUtil.InstallLog
10/01/2012  04:02 PM    <DIR>          X8AQC2YA.6QE
               2 File(s)            656 bytes
               4 Dir(s)  370,805,526,528 bytes free

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8669220 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 1102 B
Edge => 0 B
Chrome => 0 B
Firefox => 47105280 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
viktoriya => 6621811 B

RecycleBin => 0 B
EmptyTemp: => 67.5 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:05:35 ====



#15 Aura (Bleepin' Special Ops, Malware Response Team, 19,661 posts)

Posted 14 September 2016 - 06:21 PM

These .bat files are quite suspicious. Let's collect them using FRST. After running the fix, a file called Upload.zip will appear on your desktop. Please upload it to the link below.

http://www.bleepingcomputer.com/submit-malware.php?channel=194

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    Collect: C:\Users\Default\AppData\Local\AutoUpdate\AutoUpdate.bat;C:\Users\Default\AppData\Local\Eui\Eui.bat;
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
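Why those two .bat files stand out: C:\Users\Default is the template profile that Windows copies into every new user profile it creates, so a script planted there survives account clean-up and re-appears for each new user. The following is an added example (my code, not Aura's and not part of FRST) that reads the `CMD: dir` blocks of a Fixlog like the one posted above and lists every script file found under the Default profile. The sample Fixlog text is constructed to mirror the posted output; the set of script extensions beyond .bat is my own assumption.

```python
"""Parse FRST Fixlog "dir" blocks and flag scripts inside the Default profile.

Added example; not part of the thread or of FRST itself.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed list of extensions worth flagging; the thread only shows .bat.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".wsf"}

# Constructed sample, modelled on the "CMD: dir" blocks in the posted Fixlog.
SAMPLE_FIXLOG = """\
========= dir "C:\\Users\\Default\\AppData\\Local\\AutoUpdate" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\\Users\\Default\\AppData\\Local\\AutoUpdate

09/07/2016  10:23 PM    <DIR>          .
09/07/2016  10:23 PM    <DIR>          ..
08/26/2016  09:28 AM                68 AutoUpdate.bat
               1 File(s)             68 bytes
               2 Dir(s)  370,805,530,624 bytes free

========= End of CMD: =========


========= dir "C:\\Users\\viktoriya\\AppData\\Local\\Apps\\2.0" =========

 Volume in drive C is OS
 Volume Serial Number is 9C16-C020

 Directory of C:\\Users\\viktoriya\\AppData\\Local\\Apps\\2.0

09/10/2016  05:06 PM    <DIR>          .
09/10/2016  05:06 PM    <DIR>          ..
03/08/2016  09:12 AM                 0 7dc8436000ad11e690c70616440bcd7d.sts
10/01/2012  04:02 PM    <DIR>          Data
09/03/2016  04:53 PM               656 InstallUtil.InstallLog
10/01/2012  04:02 PM    <DIR>          X8AQC2YA.6QE
               2 File(s)            656 bytes
               4 Dir(s)  370,805,526,528 bytes free

========= End of CMD: =========
"""


@dataclass
class DirEntry:
    directory: str
    name: str
    date: str
    time: str
    size: int      # -1 for sub-directories
    is_dir: bool

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


_DIR_OF = re.compile(r"^\s*Directory of (.+?)\s*$")
# One "dir" row: date, time, either <DIR> or a comma-grouped size, then the name.
_ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_dir_blocks(text: str) -> List[DirEntry]:
    """Return every file/folder row from all 'Directory of' blocks in the text."""
    entries: List[DirEntry] = []
    current: Optional[str] = None
    for line in text.splitlines():
        m = _DIR_OF.match(line)
        if m:
            current = m.group(1)       # remember which folder the rows belong to
            continue
        m = _ENTRY.match(line)
        if m and current:
            date, time, size, name = m.groups()
            if name in (".", ".."):    # skip the self/parent rows
                continue
            is_dir = size == "<DIR>"
            entries.append(DirEntry(current, name, date, time,
                                    -1 if is_dir else int(size.replace(",", "")), is_dir))
    return entries


def in_default_profile(path: str) -> bool:
    """True for paths under the template profile (either spelling FRST used)."""
    p = path.lower()
    return p.startswith("c:\\users\\default\\") or p.startswith("c:\\users\\default user\\")


def suspicious_scripts(entries: List[DirEntry]) -> List[DirEntry]:
    """Script files living inside the Default profile, where no user-installed script belongs."""
    return [e for e in entries
            if not e.is_dir
            and os.path.splitext(e.name)[1].lower() in SCRIPT_EXTS
            and in_default_profile(e.path)]


def report(text: str) -> List[str]:
    """Human-readable lines, one per flagged script, for a reply in the thread."""
    return [f"{e.date} {e.time} {e.size:>6} B  {e.path}"
            for e in suspicious_scripts(parse_dir_blocks(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_FIXLOG):
        print("FLAG:", line)
```

Run it on the text of a Fixlog and each flagged line gives the file's timestamp, size and full path, which is exactly the information needed to build the `Collect:` directive Aura uses in the next fix.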




