
Infected with Backdoor.bot and Every Browser redirects to Playwebgames website


  • This topic is locked
6 replies to this topic

#1 Ckbhawsar

Ckbhawsar

  • Members
  • 5 posts
  • OFFLINE

Posted 16 September 2016 - 02:36 AM

Hi

My PC has been infected by Backdoor.bot. I came to know about it when I scanned via Malwarebytes logs.

And every browser redirects to the paywebgames.com website.

After that I searched how to remove Backdoor.bot and came to know about a post on Bleeping Computer, but there it was clearly mentioned that the process of removal varies from machine to machine, hence I decided to post a new log.

So I installed FRST.exe and the logs are pasted and attached.

Hoping for a reply as soon as possible.

Addition.txt is attached

 

The FRST log is as below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-09-2016
Ran by Chetan (administrator) on USER-PC (16-09-2016 12:42:58)
Running from C:\Users\Chetan\Downloads\Programs
Loaded Profiles: Chetan (Available Profiles: Chetan)
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser not detected!)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\UsbFix\UsbFix.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Internet Download Manager, Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\UsbFix\UsbFix.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3907152 2015-07-07] (Tonec Inc.)
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\Run: [uTorrent] => C:\Users\Chetan\AppData\Roaming\uTorrent\uTorrent.exe [1959424 2016-09-07] (BitTorrent Inc.)
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\MountPoints2: {72c14dab-784c-11e4-8d98-f0bf9703337c} - E:\AutoRun.exe
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\MountPoints2: {8b76f719-6b1b-11e4-947c-f0bf9703337c} - E:\AutoRun.exe
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\MountPoints2: {8b76f727-6b1b-11e4-947c-f0bf9703337c} - E:\AutoRun.exe
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\MountPoints2: {bb51ff49-9673-11e4-ba27-f0bf9703337c} - E:\.\setup.exe
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\MountPoints2: {ec1d289b-6b49-11e4-b50b-f0bf9703337c} - E:\AutoRun.exe
HKU\S-1-5-18\...\Run: [GuaZhuan] => "C:\Windows\TEMP\quiey.exe" -autorun  <===== ATTENTION
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2014-04-21] (Tonec Inc.)
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => C:\Program Files (x86)\KuaiZip\X64\KZipShell.dll No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog9 01 chtbrkg.dll No File 
Winsock: Catalog9 02 chtbrkg.dll No File 
Winsock: Catalog9 03 chtbrkg.dll No File 
Winsock: Catalog9 04 chtbrkg.dll No File 
Winsock: Catalog9 05 chtbrkg.dll No File 
Winsock: Catalog9 06 chtbrkg.dll No File 
Winsock: Catalog9 07 chtbrkg.dll No File 
Winsock: Catalog9 08 chtbrkg.dll No File 
Winsock: Catalog9 09 chtbrkg.dll No File 
Winsock: Catalog9 10 chtbrkg.dll No File 
Winsock: Catalog9 21 chtbrkg.dll No File 
Winsock: Catalog9-x64 01 chtbrkg.dll No File 
Winsock: Catalog9-x64 02 chtbrkg.dll No File 
Winsock: Catalog9-x64 03 chtbrkg.dll No File 
Winsock: Catalog9-x64 04 chtbrkg.dll No File 
Winsock: Catalog9-x64 05 chtbrkg.dll No File 
Winsock: Catalog9-x64 06 chtbrkg.dll No File 
Winsock: Catalog9-x64 07 chtbrkg.dll No File 
Winsock: Catalog9-x64 08 chtbrkg.dll No File 
Winsock: Catalog9-x64 09 chtbrkg.dll No File 
Winsock: Catalog9-x64 10 chtbrkg.dll No File 
Winsock: Catalog9-x64 21 chtbrkg.dll No File 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 183.87.116.18 120.138.96.18
Tcpip\..\Interfaces\{0983F25B-B914-4116-9463-F9A7DCD743ED}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{2865164F-A89C-484F-9CFD-FC6E3B455E38}: [DhcpNameServer] 183.87.116.18 120.138.96.18
Tcpip\..\Interfaces\{4E274934-7381-4E19-8A35-1CEF2E7EC9EF}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{501CB329-EC01-406E-8BEF-8FF8CCC84E34}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{64D98D31-6391-48B6-919A-BB418C3E4398}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{6BF364F3-366D-45A5-BECD-7D484B3F782B}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{6E21E507-5501-4550-A937-69756AD09DF7}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{7E58266F-2979-4F65-9ADB-3A406F4BE915}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{9327024E-9FBF-44AC-9C21-C23A1994B5F8}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{B777645C-126E-499A-B9A6-9F0BD3731477}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{C0553742-AA4D-48AE-AC54-93615C2A2447}: [DhcpNameServer] 192.168.42.129
 
Internet Explorer:
==================
HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.evotrackr.in/tracking202/redirect/rtr.php?t202id=4221
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2015-07-08] (Internet Download Manager, Tonec Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2015-07-08] (Internet Download Manager, Tonec Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll [2015-10-24] (Oracle Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2011-04-29] (Atheros Commnucations)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-10-24] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Chetan\AppData\Roaming\Profiles\06v3r0fi.default
FF NewTab: C:\\ProgramData\\ApppazmaLs\\ff.NT
FF Homepage: C:\\ProgramData\\ApppazmaLs\\ff.HP
FF Keyword.URL: undefined://undefined/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_162.dll [2016-09-13] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_162.dll [2016-09-13] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-10-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-10-24] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Reader 3\npnitromozilla.dll [2013-07-26] (Nitro PDF)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2011-02-18] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2011-02-18] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF user.js: detected! => C:\Users\Chetan\AppData\Roaming\Profiles\06v3r0fi.default\user.js [2016-06-26]
FF HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\Firefox\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Users\Chetan\AppData\Roaming\IDM\idmmzcc7
FF Extension: (IDM integration) - C:\Users\Chetan\AppData\Roaming\IDM\idmmzcc7 [2015-07-22] [not signed]
FF HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Chetan\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\Chetan\AppData\Roaming\IDM\idmmzcc5 [2016-09-16] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-26]
CHR Extension: (Google Docs) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-26]
CHR Extension: (Google Drive) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-26]
CHR Extension: (YouTube) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-26]
CHR Extension: (Google Sheets) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-26]
CHR Extension: (Google Docs Offline) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-26]
CHR Extension: (IDM Integration Module) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-26]
CHR Extension: (Gmail) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-26]
CHR Profile: C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-26]
CHR Extension: (Video & GIF Downloader For Facebook) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ajanondpapegkikdhmmhmoogcaajdokn [2016-08-28]
CHR Extension: (Google Docs) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-26]
CHR Extension: (Google Drive) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-26]
CHR Extension: (YouTube) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-26]
CHR Extension: (Tab Manager) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coonecdghnepgiblpccbbihiahajndda [2016-09-10]
CHR Extension: (Tampermonkey) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-08-29]
CHR Extension: (Google Sheets) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-26]
CHR Extension: (Google Docs Offline) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-26]
CHR Extension: (AdBlock) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-08-24]
CHR Extension: (AirDroid) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hkgndiocipalkpejnpafdbdlfdjihomd [2016-08-14]
CHR Extension: (IDM Integration Module) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-26]
CHR Extension: (Gmail) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-26]
CHR Extension: (Chrome Media Router) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-30]
CHR Profile: C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2
CHR Extension: (Google Slides) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-08-23]
CHR Extension: (Google Docs) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-23]
CHR Extension: (Google Drive) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-23]
CHR Extension: (YouTube) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-23]
CHR Extension: (Google Sheets) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-08-23]
CHR Extension: (Google Docs Offline) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-23]
CHR Extension: (IDM Integration Module) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2016-08-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-23]
CHR Extension: (Gmail) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-23]
CHR Extension: (Chrome Media Router) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-23]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2015-07-15]
CHR HKU\S-1-5-21-3947430648-2715038719-3123753769-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [dhdgffkkebhmkfjojejmpbldmpobfkfo] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2015-07-15]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [146592 2011-04-29] (Atheros) [File not signed]
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [413184 2015-04-08] (BlueStack Systems, Inc.) [File not signed]
S4 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [388824 2015-04-06] (BlueStack Systems, Inc.)
S2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [798424 2015-04-06] (BlueStack Systems, Inc.)
S2 Change Modem Device Service; C:\ProgramData\ChgService.exe [114688 2012-02-07] () [File not signed]
S2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2361344 2011-03-22] (Realsil Microelectronics Inc.) [File not signed]
S2 Idea Net Setter. RunOuc; C:\Program Files (x86)\Idea Net Setter\UpdateDog\ouc.exe [218624 2014-11-13] () [File not signed]
R2 Kuaizip Update Checker; C:\Program Files (x86)\KuaiZip\X86\kuaizipUpdateChecker.dll [216704 2016-07-30] ()
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2014-04-08] (Motorola Mobility LLC)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2011-12-08] ()
S2 NitroReaderDriverReadSpool3; C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [230416 2013-07-26] (Nitro PDF Software)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [279848 2007-06-27] (Nero AG)
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7534864 2016-08-25] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel® Corporation)
S2 fisusyscheduleCherbsy.exe; "C:\Program Files (x86)\Shociph\fisusyscheduleCherbsy.exe" {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116} [X]
S3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
S3 Lenovo EasyPlus Hotspot; "C:\Program Files (x86)\Common Files\LENOVO\easyplussdk\bin\EPHotspot64.exe" [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [144600 2015-04-06] (BlueStack Systems)
S3 cmnsusbser; C:\Windows\System32\DRIVERS\cmnsusbser.sys [126080 2011-09-15] (QUALCOMM Incorporated)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R2 KuaiZipDrive2; C:\Windows\system32\drivers\KuaiZipDrive2.sys [93072 2016-07-30] (WinMount International Inc) <==== ATTENTION
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [33008 2014-09-17] (Synaptics Incorporated)
S3 ApfiltrService; system32\DRIVERS\Apfiltr.sys [X]
S3 ComputerZ_x64; \??\C:\Program Files (x86)\LuDaShi\ComputerZ_x64.sys [X] <==== ATTENTION
S1 DirectIO; \??\C:\Users\Chetan\AppData\Local\Temp\DirectIO.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 MEmuDrv; \??\C:\memu\MEmuHyperv\MEmuDrv.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVCx32: HpSvc -> no filepath.
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-16 12:42 - 2016-09-16 12:42 - 00000000 ____D C:\FRST
2016-09-16 06:28 - 2016-09-16 01:40 - 00000000 ____D C:\Android
2016-09-16 06:27 - 2016-09-16 06:27 - 00000000 ____D C:\.Trash
2016-09-16 00:47 - 2016-09-16 00:47 - 00201290 _____ C:\ubnldr.exe
2016-09-16 00:47 - 2016-09-16 00:47 - 00185009 _____ C:\ubnldr
2016-09-16 00:47 - 2016-09-16 00:47 - 00008192 _____ C:\ubnldr.mbr
2016-09-16 00:44 - 2016-09-16 12:16 - 00000000 ____D C:\UsbFix
2016-09-16 00:44 - 2016-09-16 00:44 - 00001448 _____ C:\Users\Chetan\Desktop\UsbFix.lnk
2016-09-16 00:26 - 2016-09-16 10:58 - 00000000 ____D C:\Users\Chetan\AppData\LocalLow\uTorrent
2016-09-15 23:56 - 2016-09-15 23:56 - 00000000 ____D C:\Users\Chetan\AppData\Local\ElevatedDiagnostics
2016-09-15 19:13 - 2016-09-15 19:13 - 00000000 ____D C:\Users\Chetan\AppData\Local\Kipesoft_.INC
2016-09-15 19:13 - 2016-09-15 19:13 - 00000000 ____D C:\ProgramData\Caphyon
2016-09-15 19:12 - 2016-09-15 19:12 - 00000000 ____D C:\Users\Chetan\Documents\Kipesoft
2016-09-15 19:09 - 2016-09-15 19:13 - 00000000 ____D C:\Users\Chetan\AppData\Roaming\Kipesoft .INC
2016-09-15 11:24 - 2016-09-15 11:25 - 03801566 _____ C:\Users\Chetan\Downloads\boot371.zip
2016-09-14 11:30 - 2016-09-14 11:30 - 00042560 _____ C:\Users\Chetan\Downloads\CV.pdf
2016-09-14 10:40 - 2016-09-14 10:41 - 03263126 _____ C:\Users\Chetan\Downloads\Greenify Donate v2.9.apk
2016-09-13 12:05 - 2016-09-13 12:06 - 00354332 _____ C:\Users\Chetan\Downloads\Nomination_FAQs.pdf
2016-09-13 11:13 - 2016-09-13 11:13 - 00001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk
2016-09-13 11:13 - 2016-09-13 11:13 - 00000995 _____ C:\Users\Public\Desktop\TeamViewer 11.lnk
2016-09-13 10:27 - 2016-09-13 10:30 - 10835000 _____ (TeamViewer GmbH) C:\Users\Chetan\Downloads\TeamViewer_Setup_en-sbv.exe
2016-09-11 23:00 - 2016-09-12 00:48 - 346891735 _____ C:\Users\Chetan\Downloads\cm-13.0-20160820-SNAPSHOT-ZNH5YAO0J8-titan.zip
2016-09-11 22:49 - 2016-09-11 22:50 - 00616165 _____ C:\Users\Chetan\Downloads\contactssept.vcf
2016-09-11 22:38 - 2016-09-11 22:49 - 72055228 _____ C:\Users\Chetan\Downloads\open_gapps-arm-7.0-pico-20160911.zip
2016-09-11 18:52 - 2016-09-11 18:52 - 00000004 _____ C:\Users\Chetan\Desktop\comp.txt
2016-09-11 13:32 - 2016-09-11 13:39 - 02262582 _____ C:\Users\Chetan\Downloads\Unconfirmed 768937.crdownload
2016-09-11 13:00 - 2016-09-11 13:06 - 00086582 _____ C:\Users\Chetan\Downloads\Unconfirmed 666028.crdownload
2016-09-11 13:00 - 2016-09-11 13:03 - 00521782 _____ C:\Users\Chetan\Downloads\Unconfirmed 563687.crdownload
2016-09-11 12:03 - 2016-09-11 13:02 - 354675452 _____ C:\Users\Chetan\Downloads\cm-14.0-20160910-UNOFFICIAL-titan.zip
2016-09-11 01:17 - 2016-09-11 01:17 - 00003132 _____ C:\Users\Chetan\Downloads\Chapter+4+problem+solutions.zip
2016-09-10 23:29 - 2016-09-10 23:44 - 00000000 ____D C:\Users\Chetan\Desktop\bhagyesh
2016-09-10 17:11 - 2016-09-10 17:11 - 00016509 _____ C:\Users\Chetan\Downloads\E3441C915F57D2ABB866DAD2F23C0D7954285A0A.torrent
2016-09-10 17:11 - 2016-09-10 17:11 - 00016509 _____ C:\Users\Chetan\Downloads\E3441C915F57D2ABB866DAD2F23C0D7954285A0A (1).torrent
2016-09-10 16:53 - 2016-09-11 01:37 - 00000000 ____D C:\Users\Chetan\Desktop\mayur
2016-09-10 16:50 - 2016-09-10 16:50 - 00000000 ____D C:\Users\Chetan\Desktop\screen
2016-09-10 15:13 - 2016-09-12 15:15 - 00000000 ____D C:\Users\Chetan\Documents\BHAGYESH(ASSU)
2016-09-09 14:40 - 2016-09-09 14:40 - 00126363 _____ C:\Users\Chetan\Desktop\www.irctc.co.in_eticketing_printTicket.pdf
2016-09-08 11:02 - 2016-09-08 11:02 - 01423687 _____ C:\Users\Chetan\Downloads\14255419_555489161318139_14581047_n.mp4
2016-09-08 11:02 - 2016-09-08 11:02 - 01423687 _____ C:\Users\Chetan\Downloads\14255419_555489161318139_14581047_n (4).mp4
2016-09-08 11:02 - 2016-09-08 11:02 - 01423687 _____ C:\Users\Chetan\Downloads\14255419_555489161318139_14581047_n (3).mp4
2016-09-08 11:02 - 2016-09-08 11:02 - 01423687 _____ C:\Users\Chetan\Downloads\14255419_555489161318139_14581047_n (2).mp4
2016-09-08 11:02 - 2016-09-08 11:02 - 01423687 _____ C:\Users\Chetan\Downloads\14255419_555489161318139_14581047_n (1).mp4
2016-09-07 18:24 - 2016-09-07 18:24 - 00015189 _____ C:\Users\Chetan\Downloads\563131B55ADD8C6E6B1E4D9675179638D3FC5A68 (2).torrent
2016-09-07 18:24 - 2016-09-07 18:24 - 00015189 _____ C:\Users\Chetan\Downloads\563131B55ADD8C6E6B1E4D9675179638D3FC5A68 (1).torrent
2016-09-07 17:59 - 2016-09-07 17:59 - 00224018 _____ C:\Users\Chetan\Downloads\Provident_Fund_Nomination_Form_Single.pdf
2016-09-07 15:00 - 2016-09-07 15:00 - 00002606 _____ C:\Users\Chetan\Desktop\µTorrent.lnk
2016-09-07 15:00 - 2016-09-07 15:00 - 00002606 _____ C:\Users\Chetan\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2016-09-07 10:50 - 2016-09-07 10:50 - 00300638 _____ C:\Users\Chetan\Downloads\joiningAnnexure.pdf
2016-09-07 10:47 - 2016-09-07 10:47 - 00072086 _____ C:\Users\Chetan\Downloads\CT20151599379_JL (2).pdf
2016-09-07 09:33 - 2016-09-07 09:33 - 00059537 _____ C:\Users\Chetan\Downloads\ROUTE_MAP_Trivandrum_.pdf
2016-09-07 09:33 - 2016-09-07 09:33 - 00059537 _____ C:\Users\Chetan\Downloads\ROUTE_MAP_Trivandrum_ (1).pdf
2016-09-06 19:25 - 2016-09-06 19:25 - 00072086 _____ C:\Users\Chetan\Downloads\CT20151599379_JL.pdf
2016-09-06 19:25 - 2016-09-06 19:25 - 00072086 _____ C:\Users\Chetan\Downloads\CT20151599379_JL (1).pdf
2016-09-06 18:47 - 2016-09-06 18:47 - 00072100 _____ C:\Users\Chetan\Downloads\CT20151735919_JL.pdf
2016-09-04 21:59 - 2016-09-04 21:59 - 00000010 _____ C:\Users\Chetan\Downloads\Whatsapp (1).txt
2016-09-04 21:29 - 2016-09-04 21:30 - 00000010 _____ C:\Users\Chetan\Downloads\Whatsapp.txt
2016-09-04 11:02 - 2016-09-04 11:03 - 00873102 _____ C:\Users\Chetan\Downloads\14247203_2064057620486725_1448966798_n.mp4
2016-09-04 11:00 - 2016-09-04 11:01 - 00787641 _____ C:\Users\Chetan\Downloads\14247203_2064057620486725_1448966798_n.mp4.crdownload
2016-09-04 11:00 - 2016-09-04 11:01 - 00522910 _____ C:\Users\Chetan\Downloads\14247203_2064057620486725_1448966798_n (1).mp4.crdownload
2016-09-04 11:00 - 2016-09-04 11:01 - 00172718 _____ C:\Users\Chetan\Downloads\14247203_2064057620486725_1448966798_n (2).mp4.crdownload
2016-09-02 15:26 - 2015-06-02 08:59 - 00047722 ____N C:\Users\Chetan\Silicon Valley S01E05 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 15:26 - 2015-06-02 08:59 - 00047544 ____N C:\Users\Chetan\Silicon Valley S01E01 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 15:26 - 2015-06-02 08:59 - 00045358 ____N C:\Users\Chetan\Silicon Valley S01E03 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 15:26 - 2015-06-02 08:59 - 00045164 ____N C:\Users\Chetan\Silicon Valley S01E07 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 15:26 - 2015-06-02 08:59 - 00044108 ____N C:\Users\Chetan\Silicon Valley S01E02 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 15:26 - 2015-06-02 08:59 - 00043318 ____N C:\Users\Chetan\Silicon Valley S01E04 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 15:26 - 2015-06-02 08:59 - 00043124 ____N C:\Users\Chetan\Silicon Valley S01E08 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 15:26 - 2015-06-02 08:59 - 00038696 ____N C:\Users\Chetan\Silicon Valley S01E06 720p BRRip DD5.1 x264-PSYPHER.srt
2016-09-02 13:31 - 2016-09-02 13:31 - 00021884 _____ C:\Users\Chetan\Downloads\F73F4EC19BBFEC7905271556A2A31C3C2D2C7D0B.torrent
2016-09-02 11:17 - 2016-09-02 11:46 - 3633455015 _____ C:\Users\Chetan\Downloads\BSNL JE.rar
2016-09-01 18:13 - 2016-09-01 18:13 - 00104846 _____ C:\Users\Chetan\Desktop\View_Print Submitted Form.pdf
2016-09-01 18:10 - 2016-09-01 18:10 - 00165655 _____ C:\Users\Chetan\Desktop\Appointment Reciept.pdf
2016-09-01 11:28 - 2016-09-01 11:28 - 00150713 _____ C:\Users\Chetan\Downloads\5085.tmp
2016-09-01 10:56 - 2016-09-01 10:59 - 00000000 ____D C:\Users\Chetan\AppData\Local\iWesoft
2016-09-01 10:55 - 2016-09-01 10:55 - 00000000 ____D C:\Program Files (x86)\Instagram Downloader
2016-09-01 10:54 - 2016-09-01 10:54 - 00878141 _____ C:\Users\Chetan\Downloads\InstagramDownloader_v2.rar
2016-08-31 19:56 - 2016-08-31 19:57 - 00929447 _____ C:\Users\Chetan\Downloads\12664386_518633641650842_1525545736_n.mp4
2016-08-31 10:52 - 2016-08-31 10:52 - 00000000 ____D C:\Users\Chetan\AppData\Roaming\com.adobe.mauby
2016-08-31 10:44 - 2016-08-31 10:44 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2016-08-31 10:44 - 2016-08-31 10:44 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2016-08-31 10:42 - 2016-08-31 10:42 - 00097712 _____ C:\Users\Chetan\Downloads\nsr form Kartik.protected.pdf
2016-08-31 10:41 - 2016-08-31 10:43 - 10753776 _____ (Adobe Systems Inc.) C:\Users\Chetan\Downloads\AdobeAIRInstaller.exe
2016-08-31 10:38 - 2016-08-31 10:38 - 00001974 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk
2016-08-30 21:09 - 2016-09-13 10:37 - 00000000 ____D C:\Users\Chetan\Downloads\OMG – Oh My God! 2012 Hindi 720p Blu-Ray x264 AAC 5.1 ESub-Masti
2016-08-30 11:58 - 2016-08-30 11:58 - 00000247 _____ C:\Users\Chetan\Downloads\ideone_LvSFzS.java
2016-08-29 22:55 - 2016-08-29 22:55 - 00118281 _____ C:\Users\Chetan\Downloads\RESUME APURVA SHINDE new.pdf
2016-08-29 22:51 - 2016-08-29 22:51 - 00119836 _____ C:\Users\Chetan\Desktop\RESUME APURVA SHINDE.pdf
2016-08-29 10:35 - 2016-08-29 10:36 - 04203424 _____ C:\Users\Chetan\Downloads\14134471_1083746234994902_314461706_n.mp4
2016-08-29 10:33 - 2016-08-29 10:34 - 01591601 _____ C:\Users\Chetan\Downloads\14019340_1727358547537364_2124690957_n.mp4
2016-08-28 23:17 - 2016-08-29 01:33 - 00000000 ____D C:\Users\Chetan\Downloads\BSNL JE
2016-08-28 12:47 - 2016-08-28 12:47 - 00001734 _____ C:\Users\Chetan\Downloads\46854E2AFB2993046CF88EBBC2165CE1389A8065.torrent
2016-08-27 18:29 - 2016-08-28 03:55 - 00000000 ____D C:\Users\Chetan\Downloads\jsy12600_qoika_1
2016-08-26 20:56 - 2016-08-26 20:56 - 00000004 _____ C:\Users\Chetan\Desktop\cmplt.txt
2016-08-25 19:45 - 2016-08-25 19:45 - 00020573 _____ C:\Users\Chetan\Downloads\WhatsApp Image 2016-08-25 at 7.19.26 PM.jpeg
2016-08-25 15:32 - 2016-08-25 15:32 - 00260644 _____ C:\Users\Chetan\Downloads\Advertisement (2).pdf
2016-08-25 15:31 - 2016-08-25 15:31 - 00260644 _____ C:\Users\Chetan\Downloads\Advertisement (1).pdf
2016-08-25 15:07 - 2016-08-25 15:07 - 00009020 _____ C:\Users\Chetan\Downloads\WhatsApp Image 2016-08-24 at 9.16.08 AM (1).jpeg
2016-08-25 14:57 - 2016-08-25 14:58 - 00009020 _____ C:\Users\Chetan\Downloads\WhatsApp Image 2016-08-24 at 9.16.08 AM.jpeg
2016-08-25 10:54 - 2016-08-25 10:54 - 00569098 _____ C:\Users\Chetan\Downloads\Advertisement_Gondia.pdf
2016-08-25 10:47 - 2016-08-25 10:48 - 00260644 _____ C:\Users\Chetan\Downloads\Advertisement.pdf
2016-08-25 09:54 - 2016-08-25 09:54 - 00118676 _____ C:\Users\Chetan\Downloads\WhatsApp Image 2016-08-24 at 9.25.24 AM.jpeg
2016-08-25 09:52 - 2016-08-25 09:52 - 00047803 _____ C:\Users\Chetan\Downloads\WhatsApp Image 2016-08-25 at 9.48.52 AM (1).jpeg
2016-08-25 09:52 - 2016-08-25 09:52 - 00009020 _____ C:\Users\Chetan\Downloads\WhatsApp Image 2016-08-25 at 9.48.52 AM.jpeg
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-16 12:30 - 2016-08-12 17:06 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-16 12:24 - 2016-06-27 16:36 - 00002207 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-16 12:24 - 2016-06-27 16:36 - 00002195 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-09-16 12:24 - 2015-08-22 14:33 - 00000934 _____ C:\Users\Chetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2016-09-16 12:21 - 2016-06-27 16:33 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-16 12:20 - 2016-06-27 16:33 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-16 12:19 - 2014-11-13 16:10 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-16 11:54 - 2015-06-16 12:29 - 00000000 ____D C:\Temp
2016-09-16 11:54 - 2009-07-14 10:43 - 00006178 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-16 11:49 - 2015-07-22 17:38 - 00000000 ____D C:\Users\Chetan\AppData\Roaming\uTorrent
2016-09-16 10:59 - 2009-07-14 10:15 - 00016160 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-16 10:59 - 2009-07-14 10:15 - 00016160 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-16 10:54 - 2014-10-12 13:39 - 00000000 ____D C:\ProgramData\NVIDIA
2016-09-16 10:54 - 2009-07-14 10:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-16 09:48 - 2015-07-22 22:31 - 00000000 ____D C:\Users\Chetan\AppData\Roaming\DMCache
2016-09-16 02:41 - 2016-08-14 08:15 - 00000000 ____D C:\Users\Chetan\AppData\Roaming\Microsoft Office
2016-09-16 02:36 - 2015-05-29 18:57 - 00000000 ____D C:\Windows\Minidump
2016-09-16 02:36 - 2015-01-15 13:14 - 00000000 ____D C:\Users\Chetan\AppData\Local\CrashDumps
2016-09-16 00:26 - 2016-06-26 15:34 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-09-16 00:26 - 2009-07-14 10:38 - 00032618 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-09-15 23:34 - 2009-07-14 13:16 - 00000000 ____D C:\Windows\CSC
2016-09-15 19:28 - 2016-08-05 22:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3
2016-09-14 08:20 - 2009-07-14 13:16 - 00000000 ____D C:\Windows\ShellNew
2016-09-13 22:21 - 2015-07-26 10:00 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-09-13 22:21 - 2009-07-14 10:15 - 00422120 _____ C:\Windows\system32\FNTCACHE.DAT
2016-09-13 17:46 - 2014-10-12 13:15 - 00109928 _____ C:\Users\Chetan\AppData\Local\GDIPFONTCACHEV1.DAT
2016-09-13 16:19 - 2014-11-13 16:10 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-09-13 15:22 - 2014-11-13 16:10 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-09-13 15:22 - 2014-11-13 16:10 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-09-13 15:22 - 2014-11-13 16:10 - 00000000 ____D C:\Windows\system32\Macromed
2016-09-13 15:22 - 2014-10-12 22:54 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-09-13 11:06 - 2014-10-12 13:58 - 00000000 ____D C:\Users\Chetan\AppData\Roaming\vlc
2016-09-13 10:40 - 2015-07-26 10:00 - 00000000 ____D C:\Users\Chetan\AppData\Roaming\TeamViewer
2016-09-10 12:10 - 2016-05-05 00:14 - 00000000 ___SD C:\Users\Chetan\AppData\LocalLow\Temp
2016-09-07 18:15 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\inf
2016-09-06 20:22 - 2016-07-04 11:19 - 00000000 ____D C:\Users\Chetan\Desktop\tcs
2016-09-04 01:11 - 2016-08-14 18:44 - 00000000 ____D C:\Users\Chetan\Documents\AirDroid
2016-09-04 00:08 - 2015-01-04 13:36 - 00000120 _____ C:\Users\Chetan\AppData\default.pls
2016-09-02 15:26 - 2014-10-12 12:54 - 00000000 ____D C:\Users\Chetan
2016-08-31 10:51 - 2014-10-12 22:55 - 00000000 ____D C:\ProgramData\Adobe
2016-08-31 10:44 - 2014-10-14 00:51 - 00000000 ____D C:\Users\Chetan\AppData\Local\Adobe
2016-08-31 10:44 - 2014-10-12 22:55 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-08-31 10:38 - 2014-10-12 22:55 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
2016-08-29 01:14 - 2016-08-05 20:49 - 00000000 ____D C:\Users\Chetan\Downloads\Video
2016-08-28 23:44 - 2016-06-21 11:17 - 00000000 ____D C:\Users\Chetan\Downloads\Compressed
 
==================== Files in the root of some directories =======
 
2016-06-26 15:49 - 2016-06-26 15:49 - 6867456 _____ () C:\Users\Chetan\AppData\Roaming\agent.dat
2016-06-26 15:43 - 2016-06-26 15:43 - 0128512 _____ () C:\Users\Chetan\AppData\Roaming\Installer.dat
2016-06-26 15:49 - 2016-06-26 15:49 - 0018432 _____ () C:\Users\Chetan\AppData\Roaming\Main.dat
2015-09-20 10:47 - 2015-09-20 10:47 - 0000000 _____ () C:\Users\Chetan\AppData\Local\{2F21CD7D-E2C5-4075-999A-482921C11BB8}
2016-02-20 11:16 - 2016-02-20 11:16 - 0000000 _____ () C:\Users\Chetan\AppData\Local\{C1ABFAA1-F0A9-4F79-ABC4-07D4AAC19FFE}
2016-07-25 11:21 - 2012-02-07 11:36 - 0114688 _____ () C:\ProgramData\ChgService.exe
2009-07-14 05:01 - 2009-07-14 06:44 - 93260800 ___SH () C:\ProgramData\msnomuio.exe
2015-10-23 15:36 - 2015-10-23 15:36 - 0005086 _____ () C:\ProgramData\zscupymp.kxv
 
Files to move or delete:
====================
C:\ProgramData\ChgService.exe
C:\ProgramData\msnomuio.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-09-10 08:26
 
==================== End of FRST.txt ============================

#2 nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 September 2016 - 10:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is the only defence you have installed, and it is out of date.
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => C:\Program Files (x86)\KuaiZip\X64\KZipShell.dll No File
Winsock: Catalog9 01 chtbrkg.dll No File
Winsock: Catalog9 02 chtbrkg.dll No File
Winsock: Catalog9 03 chtbrkg.dll No File
Winsock: Catalog9 04 chtbrkg.dll No File
Winsock: Catalog9 05 chtbrkg.dll No File
Winsock: Catalog9 06 chtbrkg.dll No File
Winsock: Catalog9 07 chtbrkg.dll No File
Winsock: Catalog9 08 chtbrkg.dll No File
Winsock: Catalog9 09 chtbrkg.dll No File
Winsock: Catalog9 10 chtbrkg.dll No File
Winsock: Catalog9 21 chtbrkg.dll No File
Winsock: Catalog9-x64 01 chtbrkg.dll No File
Winsock: Catalog9-x64 02 chtbrkg.dll No File
Winsock: Catalog9-x64 03 chtbrkg.dll No File
Winsock: Catalog9-x64 04 chtbrkg.dll No File
Winsock: Catalog9-x64 05 chtbrkg.dll No File
Winsock: Catalog9-x64 06 chtbrkg.dll No File
Winsock: Catalog9-x64 07 chtbrkg.dll No File
Winsock: Catalog9-x64 08 chtbrkg.dll No File
Winsock: Catalog9-x64 09 chtbrkg.dll No File
Winsock: Catalog9-x64 10 chtbrkg.dll No File
Winsock: Catalog9-x64 21 chtbrkg.dll No File
SearchScopes: HKLM-x32 -> DefaultScope value is missing
FF Keyword.URL: undefined://undefined/
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [No File]
FF user.js: detected! => C:\Users\Chetan\AppData\Roaming\Profiles\06v3r0fi.default\user.js [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-23]
R2 Kuaizip Update Checker; C:\Program Files (x86)\KuaiZip\X86\kuaizipUpdateChecker.dll [216704 2016-07-30] ()
S2 fisusyscheduleCherbsy.exe; "C:\Program Files (x86)\Shociph\fisusyscheduleCherbsy.exe" {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116} [X]
S3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
S3 Lenovo EasyPlus Hotspot; "C:\Program Files (x86)\Common Files\LENOVO\easyplussdk\bin\EPHotspot64.exe" [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
R2 KuaiZipDrive2; C:\Windows\system32\drivers\KuaiZipDrive2.sys [93072 2016-07-30] (WinMount International Inc) <==== ATTENTION
S3 ApfiltrService; system32\DRIVERS\Apfiltr.sys [X]
S3 ComputerZ_x64; \??\C:\Program Files (x86)\LuDaShi\ComputerZ_x64.sys [X] <==== ATTENTION
S1 DirectIO; \??\C:\Users\Chetan\AppData\Local\Temp\DirectIO.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 MEmuDrv; \??\C:\memu\MEmuHyperv\MEmuDrv.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
NETSVCx32: HpSvc -> no filepath.
Task: {0FC98C46-D6E7-4019-AA73-E09E3D6B1A41} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {23F438A3-64FE-4046-8662-B786D7A5C277} - System32\Tasks\ComputerZLite => C:\Program Files (x86)\LdsLite\LdsLite.exe <==== ATTENTION
Task: {E1374F4D-3FEC-4FB5-A660-8F76B84FE8FA} - System32\Tasks\KuaiZip_Update => X86\Update.exe <==== ATTENTION
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
Shortcut: C:\Users\Chetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\Chetan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Int?rn?t ???l?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\HPGuard\WebStarter.exe (No File)
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.navsmart.info/
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.navsmart.info/
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Program Files (x86)\KuaiZip
C:\Windows\system32\drivers\KuaiZipDrive2.sys
C:\ProgramData\msnomuio.exe
C:\ProgramData\zscupymp.kxv
C:\Windows\AutoKMS
C:\Program Files (x86)\LdsLite
cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional". This is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader Via the Control Panel > Programs > Programs and Features.
Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A90000000001}) (Version: 9.0.0 - Adobe Systems Incorporated)
<<<>>>

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218065F0}) (Version: 8.0.650.17 - Oracle Corporation)
===

Please post the Fixlog and let me know what problem persists.
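The shortcut and WMI persistence items in the fixlist above (the look-alike "Int?rn?t ???l?r?r.lnk" shortcuts, the Google Chrome.lnk entries that launch hxxp://www.navsmart.info/, and WMI_ActiveScriptEventConsumer_ASEC) can be listed for triage with a short PowerShell script. This is an added example, not FRST's code or nasdaq's instructions; the folder list and the assumption that it runs as an administrator on Windows 7 or later are mine.

```powershell
# Added example (not part of the original thread or of FRST): enumerate the
# kinds of shortcut and WMI persistence findings listed in the fixlist above.
# Assumption: run in an elevated Windows PowerShell session.

$shell = New-Object -ComObject WScript.Shell

# Shortcut folders that appear in this thread's FRST log (assumed list).
$folders = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'),
    (Join-Path $env:PUBLIC 'Desktop'),
    [Environment]::GetFolderPath('Desktop')
) | Where-Object { $_ -and (Test-Path $_) }

$findings = @()

foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        try { $lnk = $shell.CreateShortcut($_.FullName) } catch { return }
        $reasons = @()

        # "ShortcutWithArgument ... -> hxxp://..." in FRST: the browser is
        # started with a URL argument, which is how the start page was hijacked.
        if ($lnk.Arguments -match 'https?://') {
            $reasons += "URL argument: $($lnk.Arguments)"
        }

        # Shortcut names built from look-alike (non-ASCII) characters are the
        # entries FRST printed as "Int?rn?t ???l?r?r.lnk"; report the target
        # so it can be compared with the real browser path.
        if ($_.BaseName -match '[^\x00-\x7F]') {
            $reasons += "non-ASCII name -> target $($lnk.TargetPath)"
        }

        # Target no longer exists (FRST prints "(No File)"), e.g. the
        # Firefox shortcut that pointed at HPGuard\WebStarter.exe.
        if ($lnk.TargetPath -and -not (Test-Path $lnk.TargetPath)) {
            $reasons += "missing target $($lnk.TargetPath)"
        }

        if ($reasons.Count -gt 0) {
            $findings += New-Object PSObject -Property @{
                Item    = $_.FullName
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Permanent WMI event consumers (FRST: WMI_ActiveScriptEventConsumer_ASEC).
# A legitimate Windows 7 system normally has none of this class.
$consumers = Get-WmiObject -Namespace root\subscription `
    -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    $findings += New-Object PSObject -Property @{
        Item    = "WMI ActiveScriptEventConsumer: $($c.Name)"
        Reasons = "engine=$($c.ScriptingEngine); script length=$($c.ScriptText.Length)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious shortcuts or WMI script consumers found.'
} else {
    $findings | Format-Table -Property Item, Reasons -AutoSize -Wrap
}
```

Shortcuts reported with a URL argument can be deleted and recreated from the browser's own executable; a reported WMI consumer should be inspected (its FilterToConsumerBinding and __EventFilter too) before removal.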

#3 Ckbhawsar

  • Topic Starter
  • Members
  • 5 posts

Posted 17 September 2016 - 12:16 AM

Here is what I got in Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 16-09-2016
Ran by Chetan (17-09-2016 10:17:28) Run:1
Running from C:\Users\Chetan\Downloads\Programs
Loaded Profiles: Chetan (Available Profiles: Chetan)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => C:\Program Files (x86)\KuaiZip\X64\KZipShell.dll No File
Winsock: Catalog9 01 chtbrkg.dll No File
Winsock: Catalog9 02 chtbrkg.dll No File
Winsock: Catalog9 03 chtbrkg.dll No File
Winsock: Catalog9 04 chtbrkg.dll No File
Winsock: Catalog9 05 chtbrkg.dll No File
Winsock: Catalog9 06 chtbrkg.dll No File
Winsock: Catalog9 07 chtbrkg.dll No File
Winsock: Catalog9 08 chtbrkg.dll No File
Winsock: Catalog9 09 chtbrkg.dll No File
Winsock: Catalog9 10 chtbrkg.dll No File
Winsock: Catalog9 21 chtbrkg.dll No File
Winsock: Catalog9-x64 01 chtbrkg.dll No File
Winsock: Catalog9-x64 02 chtbrkg.dll No File
Winsock: Catalog9-x64 03 chtbrkg.dll No File
Winsock: Catalog9-x64 04 chtbrkg.dll No File
Winsock: Catalog9-x64 05 chtbrkg.dll No File
Winsock: Catalog9-x64 06 chtbrkg.dll No File
Winsock: Catalog9-x64 07 chtbrkg.dll No File
Winsock: Catalog9-x64 08 chtbrkg.dll No File
Winsock: Catalog9-x64 09 chtbrkg.dll No File
Winsock: Catalog9-x64 10 chtbrkg.dll No File
Winsock: Catalog9-x64 21 chtbrkg.dll No File
SearchScopes: HKLM-x32 -> DefaultScope value is missing
FF Keyword.URL: undefined://undefined/
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [No File]
FF user.js: detected! => C:\Users\Chetan\AppData\Roaming\Profiles\06v3r0fi.default\user.js [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-23]
R2 Kuaizip Update Checker; C:\Program Files (x86)\KuaiZip\X86\kuaizipUpdateChecker.dll [216704 2016-07-30] ()
S2 fisusyscheduleCherbsy.exe; "C:\Program Files (x86)\Shociph\fisusyscheduleCherbsy.exe" {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116} [X]
S3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
S3 Lenovo EasyPlus Hotspot; "C:\Program Files (x86)\Common Files\LENOVO\easyplussdk\bin\EPHotspot64.exe" [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
R2 KuaiZipDrive2; C:\Windows\system32\drivers\KuaiZipDrive2.sys [93072 2016-07-30] (WinMount International Inc) <==== ATTENTION
S3 ApfiltrService; system32\DRIVERS\Apfiltr.sys [X]
S3 ComputerZ_x64; \??\C:\Program Files (x86)\LuDaShi\ComputerZ_x64.sys [X] <==== ATTENTION
S1 DirectIO; \??\C:\Users\Chetan\AppData\Local\Temp\DirectIO.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 MEmuDrv; \??\C:\memu\MEmuHyperv\MEmuDrv.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
NETSVCx32: HpSvc -> no filepath.
Task: {0FC98C46-D6E7-4019-AA73-E09E3D6B1A41} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {23F438A3-64FE-4046-8662-B786D7A5C277} - System32\Tasks\ComputerZLite => C:\Program Files (x86)\LdsLite\LdsLite.exe <==== ATTENTION
Task: {E1374F4D-3FEC-4FB5-A660-8F76B84FE8FA} - System32\Tasks\KuaiZip_Update => X86\Update.exe <==== ATTENTION
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
Shortcut: C:\Users\Chetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\Chetan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Int?rn?t ???l?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\HPGuard\WebStarter.exe (No File)
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.navsmart.info/
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.navsmart.info/
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Program Files (x86)\KuaiZip
C:\Windows\system32\drivers\KuaiZipDrive2.sys
C:\ProgramData\msnomuio.exe
C:\ProgramData\zscupymp.kxv
C:\Windows\AutoKMS
C:\Program Files (x86)\LdsLite
cmd: netsh winsock reset catalog
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj2" => key removed successfully
"HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F3}" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000006" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000007" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000008" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000009" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000010" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000021" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
Firefox "Keyword.URL" removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/npPicasa3,version=3.0.0" => key removed successfully
C:\Users\Chetan\AppData\Roaming\Profiles\06v3r0fi.default\user.js => moved successfully
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
Kuaizip Update Checker => service removed successfully
fisusyscheduleCherbsy.exe => service removed successfully
gusvc => service removed successfully
Lenovo EasyPlus Hotspot => service removed successfully
MozillaMaintenance => service removed successfully
KuaiZipDrive2 => Unable to stop service.
KuaiZipDrive2 => service removed successfully
ApfiltrService => service removed successfully
ComputerZ_x64 => service removed successfully
DirectIO => service removed successfully
ewusbmbb => service removed successfully
ew_hwusbdev => service removed successfully
ew_usbenumfilter => service removed successfully
huawei_cdcacm => service removed successfully
huawei_enumerator => service removed successfully
huawei_ext_ctrl => service removed successfully
huawei_wwanecm => service removed successfully
hwdatacard => service removed successfully
MEmuDrv => service removed successfully
vmci => service removed successfully
VMnetAdapter => service removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs HpSvc => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{0FC98C46-D6E7-4019-AA73-E09E3D6B1A41}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0FC98C46-D6E7-4019-AA73-E09E3D6B1A41}" => key removed successfully
C:\Windows\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{23F438A3-64FE-4046-8662-B786D7A5C277}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23F438A3-64FE-4046-8662-B786D7A5C277}" => key removed successfully
C:\Windows\System32\Tasks\ComputerZLite => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ComputerZLite" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E1374F4D-3FEC-4FB5-A660-8F76B84FE8FA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1374F4D-3FEC-4FB5-A660-8F76B84FE8FA}" => key removed successfully
C:\Windows\System32\Tasks\KuaiZip_Update => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KuaiZip_Update" => key removed successfully
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION => removed successfully
"C:\Users\Chetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk" => Could not move.
"C:\Users\Chetan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Int?rn?t ???l?r?r.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk" => Could not move.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged.
C:\Users\Public\Desktop\Google Chrome.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged.
"C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
"C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
"C:\Users\Chetan\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
C:\Program Files (x86)\KuaiZip => moved successfully
C:\Windows\system32\drivers\KuaiZipDrive2.sys => moved successfully
C:\ProgramData\msnomuio.exe => moved successfully
C:\ProgramData\zscupymp.kxv => moved successfully
C:\Windows\AutoKMS => moved successfully
"C:\Program Files (x86)\LdsLite" => not found.
 
========= netsh winsock reset catalog =========
 
Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 10107
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 24405820 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 1388196 B
Edge => 0 B
Chrome => 160028509 B
Firefox => 70866380 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 1660614 B
systemprofile32 => 9622536 B
LocalService => 132244 B
NetworkService => 68722 B
Chetan => 349734135 B
 
RecycleBin => 0 B
EmptyTemp: => 589.3 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:20:25 ====


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 September 2016 - 08:35 AM

Any remaining issues?

#5 Ckbhawsar

Ckbhawsar
  • Topic Starter

  • Members
  • 5 posts

Posted 17 September 2016 - 10:28 PM

The website is not redirecting to any other site anymore. Big thanks for that.

But how should I know that Backdoor.bot has been removed completely?



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 September 2016 - 08:13 AM

There could be some remnant items.
====


Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
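A way to answer the "has it really been removed?" question yourself, as an added example that is not part of the thread or of FRST: the script below re-checks, after the reboot, the items the Fixlog above reported as moved, deleted or unrepairable. It assumes an elevated PowerShell prompt on the same Windows 7 machine (PowerShell 2.0, so schtasks is used instead of Get-ScheduledTask); every path, task name and WMI class comes from the Fixlog.

```powershell
# Added example, not part of the thread: verify the Fixlog results after reboot.
# Run from an elevated PowerShell prompt on the affected machine.

# Files and folders FRST reported as "moved successfully" (taken from the Fixlog)
$paths = @(
    'C:\Program Files (x86)\KuaiZip',
    'C:\Windows\system32\drivers\KuaiZipDrive2.sys',
    'C:\ProgramData\msnomuio.exe',
    'C:\ProgramData\zscupymp.kxv',
    'C:\Windows\AutoKMS'
)
foreach ($p in $paths) {
    $state = if (Test-Path -LiteralPath $p) { 'STILL PRESENT' } else { 'gone' }
    '{0,-14} {1}' -f $state, $p
}

# Scheduled task whose TaskCache key the fix deleted; schtasks works on Windows 7.
$null = schtasks /Query /TN 'KuaiZip_Update' 2>$null
if ($LASTEXITCODE -eq 0) { 'STILL PRESENT  scheduled task KuaiZip_Update' }
else                      { 'gone           scheduled task KuaiZip_Update' }

# WMI event-subscription persistence (the ActiveScriptEventConsumer FRST flagged).
# A clean machine normally lists nothing here; any entry deserves a close look.
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptText
Get-WmiObject -Namespace root\subscription -Class __EventFilter |
    Select-Object Name, Query
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# Shortcuts FRST could not repair: show target and arguments so a browser
# shortcut with a tampered argument can be deleted and recreated cleanly.
$lnks = @(
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk',
    'C:\Users\Public\Desktop\Google Chrome.lnk'
)
$shell = New-Object -ComObject WScript.Shell
foreach ($l in $lnks) {
    if (Test-Path -LiteralPath $l) {
        $s = $shell.CreateShortcut($l)
        "{0}`n  target: {1}`n  args:   {2}" -f $l, $s.TargetPath, $s.Arguments
    }
}
```

Anything reported as STILL PRESENT, any WMI subscription entry, or a browser shortcut whose args field is not empty is worth pasting into the next reply alongside the ESET log.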

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 September 2016 - 08:48 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



