Stubborn Korean/Chinese Malware

13 replies to this topic

#1 SigmundLarsen

Posted 23 October 2016 - 11:08 AM

Hello, and good day! First of all, thanks for the awesome help you've been giving to everybody, this site rocks. Well, after downloading the wrong torrent, my little brother got my laptop full of adware and viruses, and I haven't been able to clean it with Avira and Malwarebytes. Firefox is dead and the Windows key isn't working. I'm running Windows 10. I'd appreciate any help you could give me.


Here are the logs from FRST, as requested. Thanks a lot!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-10-2016
Ran by house (administrator) on HOUSE-PC (23-10-2016 11:42:06)
Running from C:\Users\house\Searches\Downloads
Loaded Profiles: house &  (Available Profiles: house)
Platform: Microsoft Windows 10 Pro Version 1511 (X86) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avguard.exe
(Lenovo Corporation) C:\Program Files\Lenovo\PCManager\LenovoPcManagerService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
() C:\Program Files\UCBrowser\Application\UCService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avshadow.exe
() C:\Program Files\UCBrowser\Application\5.7.16173.12\UCAgent.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3531952 2015-11-24] (Synaptics Incorporated)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [61648 2016-09-26] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\Antivirus\avgnt.exe [917584 2016-09-27] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-341725365-624224163-1886038721-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6889176 2016-09-28] (Piriform Ltd)
HKU\S-1-5-21-341725365-624224163-1886038721-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6889176 2016-09-28] (Piriform Ltd)
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
Startup: C:\Users\house\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2016-07-21]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (Rainmeter)
Startup: C:\Users\house\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Supervisar alertas de tinta - HP Deskjet 1010 series.lnk [2016-09-21]
GroupPolicyScripts\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog9 01 chtbrkg.dll No File 
Winsock: Catalog9 02 chtbrkg.dll No File 
Winsock: Catalog9 03 chtbrkg.dll No File 
Winsock: Catalog9 04 chtbrkg.dll No File 
Winsock: Catalog9 05 chtbrkg.dll No File 
Winsock: Catalog9 06 chtbrkg.dll No File 
Winsock: Catalog9 07 chtbrkg.dll No File 
Winsock: Catalog9 08 chtbrkg.dll No File 
Winsock: Catalog9 09 chtbrkg.dll No File 
Winsock: Catalog9 10 chtbrkg.dll No File 
Winsock: Catalog9 11 chtbrkg.dll No File 
Winsock: Catalog9 12 chtbrkg.dll No File 
Winsock: Catalog9 25 chtbrkg.dll No File 
Tcpip\Parameters: [DhcpNameServer] 10.0.0.2
Tcpip\..\Interfaces\{ce45fc11-7cf0-4c5d-8c9c-3e0de4a7d03e}: [DhcpNameServer] 10.0.0.2
 
Internet Explorer:
==================
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: o394kibz.default
FF ProfilePath: C:\Users\house\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\o394kibz.default\Profiles\o394kibz.default [not found]
FF ProfilePath: C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default [2016-10-23]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\o394kibz.default -> youndoo
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\o394kibz.default -> youndoo
FF Homepage: Mozilla\Firefox\Profiles\o394kibz.default -> hxxps://search.avira.net"); verride.mstone", "49.0.2
FF Extension: (No Name) - C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default\Extensions\abs@avira.com [2016-10-22]
FF Extension: (Privacy Badger) - C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default\Extensions\jid1-MnnxcxisBPnSXQ-eff@jetpack.xpi [2016-08-17]
FF Extension: (WhatsApp™ Messenger) - C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default\Extensions\rt42fsdty645jIidD@jetpack.xpi [2016-09-29]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Profile 1
CHR Profile: C:\Users\house\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2016-10-22] <==== ATTENTION
CHR Profile: C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1 [2016-10-23]
CHR Extension: (Google Docs) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2016-10-22]
CHR Extension: (Google Drive) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-22]
CHR Extension: (YouTube) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-22]
CHR Extension: (Avira Navegación segura) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-10-22]
CHR Extension: (Documentos de Google sin conexión) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-10-22]
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-22]
CHR Extension: (Gmail) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-10-22]
CHR Extension: (Chrome Media Router) - C:\Users\house\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-22]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AntiVirMailService; C:\Program Files\Avira\Antivirus\avmailc7.exe [1086040 2016-09-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\Antivirus\sched.exe [475232 2016-09-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\Antivirus\avguard.exe [475232 2016-09-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\Antivirus\avwebg7.exe [1489240 2016-09-27] (Avira Operations GmbH & Co. KG)
S2 Atamechterfu; C:\WINDOWS\system32\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
S2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [350584 2016-09-26] (Avira Operations GmbH & Co. KG)
R2 HpSvc; C:\Program Files\LuDaShi\lpi\HpSvc.dll [239016 2016-07-21] () <==== ATTENTION
R2 LenovoPcManagerService; C:\Program Files\Lenovo\PCManager\LenovoPcManagerService.exe [830280 2016-10-21] (Lenovo Corporation)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [218784 2015-11-24] (Synaptics Incorporated)
R2 UCBrowserSvc; C:\Program Files\UCBrowser\Application\UCService.exe [935312 2016-10-19] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [280376 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23264 2016-09-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\WINDOWS\System32\drivers\athwn.sys [3205632 2015-10-30] (Qualcomm Atheros Communications, Inc.)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [124544 2016-09-27] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [151784 2016-09-27] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [44208 2016-09-27] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\WINDOWS\system32\DRIVERS\avnetflt.sys [66872 2016-09-27] (Avira Operations GmbH & Co. KG)
R0 avusbflt; C:\WINDOWS\System32\Drivers\avusbflt.sys [20544 2016-09-27] (Avira Operations GmbH & Co. KG)
R3 MTsensor; C:\WINDOWS\System32\drivers\ATKACPI.sys [7680 2007-07-31] (ATK0100)
R3 rt640x86; C:\WINDOWS\System32\drivers\rt640x86.sys [494080 2015-10-30] (Realtek                                            )
R1 ucdrv; C:\WINDOWS\System32\drivers:ucdrv-x86.sys [69010 ] (UC Web Inc.) <==== ATTENTION
S1 UCGuard; C:\WINDOWS\System32\DRIVERS\ucguard.sys [72064 2016-08-29] (Huorong Borui (Beijing) Technology Co., Ltd.) <==== ATTENTION
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [37400 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [246104 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [98648 2015-10-30] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\WINDOWS\system32\DRIVERS\WUDFRd.sys [163328 2015-10-30] (Microsoft Corporation)
U3 mbr; C:\Users\house\AppData\Local\Temp\mbr.sys [25088 2016-10-23] () [File not signed]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: HpSvc -> C:\Program Files\LuDaShi\lpi\HpSvc.dll ()
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-23 11:39 - 2016-10-23 11:42 - 00000000 ____D C:\FRST
2016-10-23 11:00 - 2016-10-23 11:00 - 00031399 _____ C:\Users\house\Desktop\dds.txt
2016-10-23 11:00 - 2016-10-23 11:00 - 00006856 _____ C:\Users\house\Desktop\attach.txt
2016-10-23 10:36 - 2016-10-23 11:36 - 00000308 _____ C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job
2016-10-23 03:21 - 2016-10-23 03:22 - 00000000 ___HD C:\$WINDOWS.~BT
2016-10-23 03:13 - 2016-10-23 03:13 - 00000000 ___HD C:\OneDriveTemp
2016-10-22 09:05 - 2016-10-22 09:05 - 00000000 ____D C:\Users\house\AppData\Roaming\Avira
2016-10-22 08:57 - 2016-10-22 08:57 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
2016-10-22 08:57 - 2016-09-27 14:19 - 00020544 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avusbflt.sys
2016-10-22 08:55 - 2016-09-27 14:19 - 00151784 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
2016-10-22 08:55 - 2016-09-27 14:19 - 00124544 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
2016-10-22 08:55 - 2016-09-27 14:19 - 00066872 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avnetflt.sys
2016-10-22 08:55 - 2016-09-27 14:19 - 00044208 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avkmgr.sys
2016-10-22 08:55 - 2016-09-27 14:19 - 00018760 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\ssmdrv.sys
2016-10-22 08:30 - 2016-10-22 08:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-10-22 08:30 - 2016-10-22 08:30 - 00001235 _____ C:\Users\Public\Desktop\Avira Connect.lnk
2016-10-22 08:28 - 2016-10-22 08:55 - 00000000 ____D C:\Program Files\Avira
2016-10-22 08:27 - 2016-10-22 08:27 - 00000000 ____D C:\ProgramData\Package Cache
2016-10-22 07:03 - 2016-10-22 07:03 - 00001034 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-10-22 07:03 - 2016-10-22 07:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-10-22 07:03 - 2016-10-22 07:03 - 00000000 ____D C:\Program Files\CCleaner
2016-10-22 06:58 - 2016-10-22 06:59 - 08270712 _____ (Piriform Ltd) C:\Users\house\Desktop\ccsetup523.exe
2016-10-21 23:11 - 2016-10-22 09:13 - 00000000 ____D C:\Users\house\AppData\Roaming\Ludashi
2016-10-21 21:59 - 2016-10-22 18:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\鲁大师
2016-10-21 21:57 - 2016-10-22 18:43 - 00000000 ____D C:\Program Files\LuDaShi
2016-10-21 21:43 - 2016-08-29 06:54 - 00072064 _____ (Huorong Borui (Beijing) Technology Co., Ltd.) C:\WINDOWS\system32\Drivers\ucguard.sys
2016-10-21 21:37 - 2016-10-21 21:37 - 00000000 ____D C:\Users\house\AppData\Roaming\Softlink
2016-10-21 21:35 - 2016-10-22 06:36 - 00000000 ____D C:\Users\house\AppData\Roaming\Lenovo
2016-10-21 21:34 - 2016-10-22 06:37 - 00000000 ____D C:\Users\house\AppData\Local\Lenovo
2016-10-21 21:34 - 2016-10-22 06:36 - 00000000 ____D C:\Program Files\Lenovo
2016-10-21 21:31 - 2016-10-18 15:58 - 00567808 _____ C:\WINDOWS\system32\chtbrkg.dll
2016-10-21 21:25 - 2016-10-21 21:59 - 00001541 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UC浏览器.lnk
2016-10-21 21:25 - 2016-10-21 21:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UC浏览器
2016-10-21 21:25 - 2016-10-21 21:25 - 00000000 ____D C:\Users\house\AppData\Local\UCBrowser
2016-10-21 21:23 - 2016-10-21 23:02 - 00000000 ____D C:\Program Files\UCBrowser
2016-10-21 21:11 - 2016-10-21 21:11 - 00000000 ____D C:\Users\Public\Thunder Network
2016-10-21 21:11 - 2016-10-21 21:11 - 00000000 ____D C:\ProgramData\Thunder Network
2016-10-21 21:06 - 2016-10-22 18:44 - 00000000 ____D C:\Program Files\hhh
2016-10-21 21:06 - 2016-10-22 08:55 - 00000000 ____D C:\ProgramData\Avira
2016-10-21 21:06 - 2016-10-21 21:06 - 00000000 ____D C:\ProgramData\Avg
2016-10-21 21:06 - 2016-10-21 21:06 - 00000000 ____D C:\ProgramData\AVAST Software
2016-10-21 21:03 - 2016-10-23 01:12 - 00000000 ____D C:\Program Files\Pezucultgivit
2016-10-21 21:03 - 2016-10-21 21:06 - 00000000 ____D C:\Users\house\AppData\Local\Biduty
2016-10-21 21:00 - 2016-10-21 21:00 - 05775382 _____ C:\WINDOWS\windowdowngrade.exe
2016-10-21 17:58 - 2016-10-21 21:05 - 00000000 ____D C:\Program Files\EA GAMES
2016-10-21 17:58 - 2016-10-21 17:58 - 00000000 ____D C:\Users\house\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES
2016-10-21 17:58 - 2016-10-21 17:58 - 00000000 ____D C:\Users\house\AppData\Roaming\InstallShield Installation Information
2016-10-21 17:40 - 2016-10-21 18:30 - 00000000 ____D C:\Users\house\Documents\Battlefield 2
2016-10-21 14:54 - 2016-10-21 14:54 - 00012447 _____ C:\Users\house\AppData\Local\recently-used.xbel
2016-10-21 12:54 - 2016-10-21 12:54 - 00028931 _____ C:\Users\house\Documents\Book1.xlsx
2016-10-20 23:23 - 2016-10-21 21:06 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-10-18 22:03 - 2016-10-21 21:05 - 00000000 ____D C:\Program Files\LucasArts
2016-10-17 14:06 - 2016-10-17 14:06 - 00000000 ____D C:\WINDOWS\Blitzkrieg II DEMO
2016-10-15 19:35 - 2005-03-18 17:19 - 02337488 _____ (Microsoft Corporation) C:\WINDOWS\system32\d3dx9_25.dll
2016-10-15 19:35 - 2005-02-05 19:45 - 02222800 _____ (Microsoft Corporation) C:\WINDOWS\system32\d3dx9_24.dll
2016-10-11 13:59 - 2016-10-05 02:45 - 01422528 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-10-11 13:59 - 2016-10-05 02:45 - 01033408 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-10-11 13:59 - 2016-10-05 02:45 - 00504000 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-10-11 13:59 - 2016-10-05 02:45 - 00493760 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-10-11 13:59 - 2016-10-05 02:45 - 00284352 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-10-11 13:59 - 2016-10-05 02:45 - 00231616 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
2016-10-11 13:59 - 2016-10-05 02:45 - 00122560 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-10-11 13:59 - 2016-10-05 02:45 - 00076480 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-10-11 13:59 - 2016-10-05 02:12 - 00876504 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2016-10-11 13:59 - 2016-10-05 02:12 - 00771120 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
2016-10-11 13:59 - 2016-10-05 02:12 - 00099680 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tm.sys
2016-10-11 13:59 - 2016-10-05 02:10 - 05793632 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-10-11 13:59 - 2016-10-05 02:10 - 01051584 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2016-10-11 13:59 - 2016-10-05 02:10 - 00927072 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2016-10-11 13:59 - 2016-10-05 01:54 - 01090904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpx.dll
2016-10-11 13:59 - 2016-10-05 01:53 - 01194336 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
2016-10-11 13:59 - 2016-10-05 01:45 - 00987488 _____ (Microsoft Corporation) C:\WINDOWS\system32\LicenseManager.dll
2016-10-11 13:59 - 2016-10-05 01:08 - 02937896 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-10-11 13:59 - 2016-10-05 01:05 - 00256704 _____ (Microsoft Corporation) C:\WINDOWS\system32\LockAppHost.exe
2016-10-11 13:59 - 2016-10-05 00:59 - 00505136 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-10-11 13:59 - 2016-10-05 00:33 - 01712992 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-10-11 13:59 - 2016-10-05 00:33 - 00546456 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2016-10-11 13:59 - 2016-10-05 00:33 - 00484192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-10-11 13:59 - 2016-10-05 00:33 - 00336224 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
2016-10-11 13:59 - 2016-10-05 00:32 - 00538744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2016-10-11 13:59 - 2016-10-05 00:26 - 00346456 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rdbss.sys
2016-10-11 13:59 - 2016-10-05 00:19 - 00717152 _____ (Microsoft Corporation) C:\WINDOWS\system32\drvstore.dll
2016-10-11 13:59 - 2016-10-05 00:18 - 00253080 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmpeffects.dll
2016-10-11 13:59 - 2016-10-04 23:50 - 00037376 _____ (Microsoft Corporation) C:\WINDOWS\system32\musdialoghandlers.dll
2016-10-11 13:59 - 2016-10-04 23:48 - 00160768 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2016-10-11 13:59 - 2016-10-04 23:41 - 00070144 _____ (Microsoft Corporation) C:\WINDOWS\system32\MDMAppInstaller.exe
2016-10-11 13:59 - 2016-10-04 23:40 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\davclnt.dll
2016-10-11 13:59 - 2016-10-04 23:40 - 00051200 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe
2016-10-11 13:59 - 2016-10-04 23:39 - 00115712 _____ (Microsoft Corporation) C:\WINDOWS\system32\pnpclean.dll
2016-10-11 13:59 - 2016-10-04 23:37 - 00049152 _____ (Microsoft Corporation) C:\WINDOWS\system32\offreg.dll
2016-10-11 13:59 - 2016-10-04 23:30 - 00174592 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmpdxm.dll
2016-10-11 13:59 - 2016-10-04 23:29 - 00175104 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiapi.dll
2016-10-11 13:59 - 2016-10-04 23:28 - 00102912 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmpshell.dll
2016-10-11 13:59 - 2016-10-04 23:27 - 00364544 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcdedit.exe
2016-10-11 13:59 - 2016-10-04 23:24 - 00217600 _____ (Microsoft Corporation) C:\WINDOWS\system32\DafPrintProvider.dll
2016-10-11 13:59 - 2016-10-04 23:24 - 00088576 _____ (Microsoft Corporation) C:\WINDOWS\system32\adsmsext.dll
2016-10-11 13:59 - 2016-10-04 23:23 - 00199680 _____ (Microsoft Corporation) C:\WINDOWS\system32\WebClnt.dll
2016-10-11 13:59 - 2016-10-04 23:22 - 00263680 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack_win.dll
2016-10-11 13:59 - 2016-10-04 23:19 - 00202752 _____ (Microsoft Corporation) C:\WINDOWS\system32\wsqmcons.exe
2016-10-11 13:59 - 2016-10-04 23:18 - 00361472 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiobj.dll
2016-10-11 13:59 - 2016-10-04 23:15 - 00129536 _____ (Microsoft Corporation) C:\WINDOWS\system32\AboveLockAppHost.dll
2016-10-11 13:59 - 2016-10-04 23:14 - 00355328 _____ (Microsoft Corporation) C:\WINDOWS\system32\das.dll
2016-10-11 13:59 - 2016-10-04 23:13 - 00368128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Devices.Enumeration.dll
2016-10-11 13:59 - 2016-10-04 23:10 - 00687616 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-10-11 13:59 - 2016-10-04 23:09 - 00501760 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-10-11 13:59 - 2016-10-04 23:08 - 01035776 _____ (Microsoft Corporation) C:\WINDOWS\system32\ApplicationFrame.dll
2016-10-11 13:59 - 2016-10-04 23:06 - 00601600 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32spl.dll
2016-10-11 13:59 - 2016-10-04 23:05 - 01467904 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
2016-10-11 13:59 - 2016-10-04 23:04 - 00885248 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2016-10-11 13:59 - 2016-10-04 23:03 - 01388032 _____ (Microsoft Corporation) C:\WINDOWS\system32\FntCache.dll
2016-10-11 13:59 - 2016-10-04 23:03 - 00125952 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2016-10-11 13:59 - 2016-10-04 23:02 - 00114176 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dfsc.sys
2016-10-11 13:59 - 2016-10-04 23:00 - 00231936 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatehandlers.dll
2016-10-11 13:59 - 2016-10-04 22:59 - 02362880 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSVidCtl.dll
2016-10-11 13:59 - 2016-10-04 22:54 - 01987584 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWrite.dll
2016-10-11 13:59 - 2016-10-04 22:48 - 02973696 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-10-11 13:59 - 2016-10-04 22:40 - 01626112 _____ (Microsoft Corporation) C:\WINDOWS\system32\dwmcore.dll
2016-10-11 13:59 - 2016-10-04 22:39 - 01500672 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-10-11 13:59 - 2016-10-04 22:30 - 02880512 _____ (Microsoft Corporation) C:\WINDOWS\system32\SystemSettingsThresholdAdminFlowUI.dll
2016-10-11 13:59 - 2016-10-04 22:27 - 09920512 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-10-11 13:59 - 2016-10-04 22:22 - 03664384 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-10-11 13:59 - 2016-10-04 22:21 - 01088512 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-10-11 13:59 - 2016-10-04 22:13 - 19349504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-10-11 13:59 - 2016-10-04 22:13 - 18675200 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-10-11 13:59 - 2016-10-04 22:13 - 12134400 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-10-11 13:59 - 2016-10-04 22:06 - 12587008 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2016-10-11 13:59 - 2016-10-04 22:01 - 05660160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-10-11 13:59 - 2016-09-29 21:09 - 00446124 _____ C:\WINDOWS\system32\ApnDatabase.xml
2016-10-11 13:59 - 2016-09-26 22:39 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-10-11 13:59 - 2016-09-17 03:12 - 01526272 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-10-11 13:59 - 2016-09-17 02:55 - 01801216 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkMobileSettings.dll
2016-10-11 13:59 - 2016-09-17 02:43 - 02552832 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-10-11 13:59 - 2016-09-17 02:22 - 04405248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Search.dll
2016-10-11 11:35 - 2016-10-23 11:10 - 00000000 ____D C:\Program Files\Mozilla Thunderbird
2016-10-11 10:35 - 2016-10-11 10:35 - 00000939 _____ C:\Users\house\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Freelance.lnk
2016-10-11 00:38 - 2016-10-21 21:05 - 00000000 ____D C:\Program Files\GenoPro
2016-10-11 00:38 - 2016-10-11 00:38 - 00001176 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GenoPro.lnk
2016-10-11 00:38 - 2016-10-11 00:38 - 00000000 ____D C:\Users\house\AppData\Roaming\GenoPro
2016-10-10 08:51 - 2016-10-10 08:51 - 00000000 ____D C:\Program Files\Common Files\Skype
2016-10-06 03:33 - 2016-10-18 03:48 - 00003813 _____ C:\WINDOWS\diagwrn.xml
2016-10-06 03:33 - 2016-10-18 03:48 - 00003813 _____ C:\WINDOWS\diagerr.xml
2016-10-04 19:56 - 2016-10-04 19:56 - 08218610 _____ C:\Users\house\Documents\Oxman-Claudia_La-entrevista.pdf
2016-10-03 23:24 - 2016-10-03 23:24 - 16614958 _____ C:\Users\house\Documents\Friedrich_Nietzsche - The_Will_to_Power_(1968).pdf
2016-10-02 12:02 - 2016-10-02 13:15 - 00051640 _____ C:\Users\house\Documents\Planilla Petición de Grado.pdf
2016-09-26 08:09 - 2016-10-21 14:54 - 00000000 ____D C:\Users\house\AppData\Local\gtk-2.0
2016-09-26 07:51 - 2016-09-26 07:51 - 00001120 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
2016-09-26 07:51 - 2016-09-26 07:51 - 00000000 ____D C:\Users\house\AppData\Local\gegl-0.2
2016-09-26 07:51 - 2016-09-26 07:51 - 00000000 ____D C:\Users\house\AppData\Local\fontconfig
2016-09-26 07:47 - 2016-10-21 21:06 - 00000000 ____D C:\Program Files\GIMP 2
2016-09-24 19:43 - 2016-09-24 19:51 - 00000000 ____D C:\Users\house\AppData\Local\Thunderbird
2016-09-24 19:43 - 2016-09-24 19:43 - 00000000 ____D C:\Users\house\AppData\Roaming\Thunderbird
2016-09-24 19:36 - 2016-09-24 19:36 - 00001236 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
2016-09-24 18:43 - 2016-09-24 19:14 - 00000000 ____D C:\Users\house\Documents\Cap I
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-23 11:54 - 2015-11-24 16:08 - 00000000 ___RD C:\Users\house\OneDrive
2016-10-23 11:54 - 2015-07-30 21:55 - 00000000 ____D C:\Users\house\Documents\Traducciones & Work
2016-10-23 11:50 - 2016-07-06 07:44 - 00001050 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-10-23 11:41 - 2016-07-19 21:34 - 00001224 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-10-23 11:41 - 2016-07-06 07:48 - 00002418 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-10-23 11:31 - 2015-07-28 22:42 - 00000000 ____D C:\Users\house\Documents\write
2016-10-23 11:03 - 2016-08-02 08:44 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-10-23 11:00 - 2016-07-05 16:28 - 00000000 ____D C:\WINDOWS\INF
2016-10-23 03:24 - 2016-07-05 16:49 - 00000000 ___DC C:\WINDOWS\Panther
2016-10-23 03:11 - 2016-07-06 07:44 - 00001046 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-10-23 03:10 - 2016-07-05 15:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-10-23 03:09 - 2016-07-05 14:51 - 00420840 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-10-23 03:08 - 2016-07-05 16:05 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
2016-10-22 18:52 - 2016-07-07 08:05 - 00000000 ____D C:\Users\house\AppData\Roaming\uTorrent
2016-10-22 09:44 - 2016-07-05 16:30 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-10-22 07:32 - 2016-07-05 16:48 - 00000000 ____D C:\Windows.old
2016-10-21 23:08 - 2016-07-05 16:30 - 00000000 ____D C:\WINDOWS\SystemApps
2016-10-21 21:06 - 2016-09-04 10:51 - 00000000 ___RD C:\Program Files\Skype
2016-10-21 21:06 - 2016-08-09 18:56 - 00000000 ____D C:\Program Files\SPSSInc
2016-10-21 21:06 - 2016-07-21 20:32 - 00000000 ____D C:\Program Files\Rainmeter
2016-10-21 21:06 - 2016-07-19 21:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-10-21 21:06 - 2016-07-16 16:12 - 00000000 ____D C:\Program Files\WinRAR
2016-10-21 21:06 - 2016-07-05 16:45 - 00000000 ____D C:\Program Files\Synaptics
2016-10-21 21:06 - 2016-07-05 16:39 - 00000000 ____D C:\Program Files\Reference Assemblies
2016-10-21 21:06 - 2016-07-05 16:39 - 00000000 ____D C:\Program Files\MSBuild
2016-10-21 21:06 - 2016-07-05 16:30 - 00000000 __SHD C:\Program Files\Windows Sidebar
2016-10-21 21:06 - 2016-07-05 16:30 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-10-21 21:06 - 2016-07-05 16:30 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-10-21 21:06 - 2016-07-05 16:30 - 00000000 ____D C:\Program Files\Windows NT
2016-10-21 21:06 - 2016-07-05 16:30 - 00000000 ____D C:\Program Files\Windows Multimedia Platform
2016-10-21 21:06 - 2015-11-05 12:46 - 00000000 ____D C:\ESD
2016-10-21 21:06 - 2013-06-03 20:41 - 00000000 ____D C:\Sound
2016-10-21 21:06 - 2013-06-03 20:41 - 00000000 ____D C:\Material
2016-10-21 21:06 - 2012-07-10 17:40 - 00000000 ____D C:\Bejeweled 2 Deluxe en Español
2016-10-21 21:05 - 2016-08-26 09:08 - 00000000 ____D C:\Program Files\Freelancer.com
2016-10-21 21:05 - 2016-08-18 12:03 - 00000000 ____D C:\Program Files\Hewlett-Packard
2016-10-21 21:05 - 2016-08-18 09:55 - 00000000 ____D C:\Program Files\HP
2016-10-21 21:05 - 2016-08-02 08:36 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-10-21 21:05 - 2016-07-18 19:52 - 00000000 ____D C:\Program Files\Adobe
2016-10-21 21:05 - 2016-07-13 03:32 - 00000000 ____D C:\Program Files\CMAK
2016-10-21 21:05 - 2016-07-12 07:40 - 00000000 ____D C:\Program Files\Microsoft Synchronization Services
2016-10-21 21:05 - 2016-07-12 07:39 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2016-10-21 21:05 - 2016-07-12 07:36 - 00000000 ____D C:\Program Files\Microsoft Analysis Services
2016-10-21 21:05 - 2016-07-12 07:33 - 00000000 ____D C:\Program Files\Microsoft Office
2016-10-21 21:05 - 2016-07-06 07:43 - 00000000 ____D C:\Program Files\Google
2016-10-21 16:49 - 2012-07-15 22:32 - 00000000 ____D C:\Users\house\setup
2016-10-21 14:54 - 2016-04-11 09:59 - 00000000 ____D C:\Users\house\.gimp-2.8
2016-10-21 09:37 - 2016-07-05 16:30 - 00000000 ___HD C:\Program Files\WindowsApps
2016-10-20 16:05 - 2016-07-05 16:30 - 00000000 ____D C:\WINDOWS\rescache
2016-10-18 22:23 - 2016-07-05 16:12 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-10-18 22:22 - 2015-10-30 01:44 - 00395264 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpnet.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00220160 _____ (Microsoft Corporation) C:\WINDOWS\system32\dplayx.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00061952 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpnathlp.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00047104 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpwsockx.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00025088 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpmodemx.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00023040 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpnsvr.exe
2016-10-18 22:22 - 2015-10-30 01:44 - 00020992 _____ (Microsoft Corporation) C:\WINDOWS\system32\dplaysvr.exe
2016-10-18 22:22 - 2015-10-30 01:44 - 00008704 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpnhupnp.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00008704 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpnhpast.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00004608 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpnlobby.dll
2016-10-18 22:22 - 2015-10-30 01:44 - 00004608 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpnaddr.dll
2016-10-18 16:45 - 2016-08-22 22:13 - 00000000 ____D C:\Users\house\AppData\Roaming\Skype
2016-10-18 16:38 - 2016-07-05 16:30 - 00000000 ____D C:\WINDOWS\System
2016-10-18 16:38 - 2015-10-30 01:44 - 00534016 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntvdm.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00256192 _____ (Microsoft Corporation) C:\WINDOWS\winhelp.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00221600 _____ (Microsoft Corporation) C:\WINDOWS\system32\lanman.drv
2016-10-18 16:38 - 2015-10-30 01:44 - 00177856 _____ (Microsoft Corporation) C:\WINDOWS\system32\typelib.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00169520 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole2disp.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00153008 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole2nls.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00127213 _____ C:\WINDOWS\system32\ega.cpi
2016-10-18 16:38 - 2015-10-30 01:44 - 00108464 _____ (Microsoft Corporation) C:\WINDOWS\system32\netapi.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00092320 _____ (Microsoft Corporation) C:\WINDOWS\system32\krnl386.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00082944 _____ (Microsoft Corporation) C:\WINDOWS\system32\olecli.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00082944 _____ (Microsoft Corporation) C:\WINDOWS\system\olecli.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00069886 _____ C:\WINDOWS\system32\edit.com
2016-10-18 16:38 - 2015-10-30 01:44 - 00068992 _____ (Microsoft Corporation) C:\WINDOWS\system32\MMSYSTEM.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00068992 _____ (Microsoft Corporation) C:\WINDOWS\system\MMSYSTEM.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\system32\graftabl.com
2016-10-18 16:38 - 2015-10-30 01:44 - 00053600 _____ C:\WINDOWS\system32\dosx.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00050648 _____ C:\WINDOWS\system32\COMMAND.COM
2016-10-18 16:38 - 2015-10-30 01:44 - 00047840 _____ (Microsoft Corporation) C:\WINDOWS\system32\USER.EXE
2016-10-18 16:38 - 2015-10-30 01:44 - 00046592 _____ (Microsoft Corporation) C:\WINDOWS\system32\pmspl.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00042809 _____ C:\WINDOWS\system32\KEY01.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00042592 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole2.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00042537 _____ C:\WINDOWS\system32\KEYBOARD.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00039424 _____ (Microsoft Corporation) C:\WINDOWS\system32\DDEML.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00039274 _____ C:\WINDOWS\system32\mem.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00035776 _____ C:\WINDOWS\system32\NTIO411.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00035552 _____ C:\WINDOWS\system32\NTIO412.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00034688 _____ C:\WINDOWS\system32\NTIO804.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00034688 _____ C:\WINDOWS\system32\NTIO404.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00033968 _____ C:\WINDOWS\system32\NTIO.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00032816 _____ (Microsoft Corporation) C:\WINDOWS\system32\COMMDLG.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00032816 _____ (Microsoft Corporation) C:\WINDOWS\system\COMMDLG.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00029370 _____ C:\WINDOWS\system32\NTDOS411.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00029274 _____ C:\WINDOWS\system32\NTDOS412.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00029146 _____ C:\WINDOWS\system32\NTDOS804.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00029146 _____ C:\WINDOWS\system32\NTDOS404.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00028420 _____ C:\WINDOWS\system32\bios1.rom
2016-10-18 16:38 - 2015-10-30 01:44 - 00028112 _____ (Microsoft Corporation) C:\WINDOWS\system32\DRWATSON.EXE
2016-10-18 16:38 - 2015-10-30 01:44 - 00027866 _____ C:\WINDOWS\system32\NTDOS.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00027792 _____ (Microsoft Corporation) C:\WINDOWS\system32\compobj.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00027200 _____ (Microsoft Corporation) C:\WINDOWS\system32\ctl3dv2.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00027097 _____ C:\WINDOWS\system32\country.sys
2016-10-18 16:38 - 2015-10-30 01:44 - 00024576 _____ (Microsoft Corporation) C:\WINDOWS\system32\GDI.EXE
2016-10-18 16:38 - 2015-10-30 01:44 - 00024064 _____ (Microsoft Corporation) C:\WINDOWS\system32\OLESVR.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00024064 _____ (Microsoft Corporation) C:\WINDOWS\system\OLESVR.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\vdmredir.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00021232 _____ C:\WINDOWS\system32\graphics.pro
2016-10-18 16:38 - 2015-10-30 01:44 - 00020634 _____ C:\WINDOWS\system32\debug.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00019694 _____ C:\WINDOWS\system32\GRAPHICS.COM
2016-10-18 16:38 - 2015-10-30 01:44 - 00018896 _____ (Microsoft Corporation) C:\WINDOWS\system32\sysedit.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00018832 _____ C:\WINDOWS\system32\v7vga.rom
2016-10-18 16:38 - 2015-10-30 01:44 - 00016384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntvdmd.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00014710 _____ C:\WINDOWS\system32\KB16.COM
2016-10-18 16:38 - 2015-10-30 01:44 - 00013888 _____ (Microsoft Corporation) C:\WINDOWS\system32\TOOLHELP.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00013312 _____ C:\WINDOWS\system32\win87em.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00012704 _____ (Microsoft Corporation) C:\WINDOWS\system32\WFWNET.DRV
2016-10-18 16:38 - 2015-10-30 01:44 - 00012704 _____ (Microsoft Corporation) C:\WINDOWS\system\WFWNET.DRV
2016-10-18 16:38 - 2015-10-30 01:44 - 00012642 _____ C:\WINDOWS\system32\edlin.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00012498 _____ C:\WINDOWS\system32\append.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00011753 _____ C:\WINDOWS\system32\setver.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00010790 _____ C:\WINDOWS\system32\EDIT.HLP
2016-10-18 16:38 - 2015-10-30 01:44 - 00010544 _____ (Microsoft Corporation) C:\WINDOWS\system32\COMM.drv
2016-10-18 16:38 - 2015-10-30 01:44 - 00009936 _____ (Microsoft Corporation) C:\WINDOWS\system32\lzexpand.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00009936 _____ (Microsoft Corporation) C:\WINDOWS\system\lzexpand.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00009216 _____ (Microsoft Corporation) C:\WINDOWS\system32\WIFEMAN.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00009029 _____ C:\WINDOWS\system32\ANSI.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00009008 _____ (Microsoft Corporation) C:\WINDOWS\system32\ver.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00009008 _____ (Microsoft Corporation) C:\WINDOWS\system\ver.dll
2016-10-18 16:38 - 2015-10-30 01:44 - 00008424 _____ C:\WINDOWS\system32\exe2bin.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00008191 _____ C:\WINDOWS\system32\bios4.rom
2016-10-18 16:38 - 2015-10-30 01:44 - 00007680 _____ (Microsoft Corporation) C:\WINDOWS\system32\win.com
2016-10-18 16:38 - 2015-10-30 01:44 - 00007052 _____ C:\WINDOWS\system32\nlsfunc.exe
2016-10-18 16:38 - 2015-10-30 01:44 - 00005532 _____ (Microsoft Corporation) C:\WINDOWS\system\stdole.tlb
2016-10-18 16:38 - 2015-10-30 01:44 - 00005120 _____ (Microsoft Corporation) C:\WINDOWS\system32\WINNLS.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00005120 _____ (Microsoft Corporation) C:\WINDOWS\system32\SHELL.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00005120 _____ (Microsoft Corporation) C:\WINDOWS\system\SHELL.DLL
2016-10-18 16:38 - 2015-10-30 01:44 - 00004768 _____ C:\WINDOWS\system32\HIMEM.SYS
2016-10-18 16:38 - 2015-10-30 01:44 - 00004208 _____ (Microsoft Corporation) C:\WINDOWS\system32\storage.dll
2016-10-18 03:54 - 2016-07-05 16:05 - 00032768 ___SH C:\WINDOWS\system32\config\ELAM
2016-10-18 03:49 - 2016-07-05 16:30 - 00000000 ____D C:\WINDOWS\Registration
2016-10-16 09:21 - 2016-07-05 15:02 - 00000000 ____D C:\Users\house
2016-10-16 07:26 - 2016-07-05 16:30 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-10-15 19:32 - 2016-07-05 16:38 - 00821782 _____ C:\WINDOWS\system32\perfh00A.dat
2016-10-15 19:32 - 2016-07-05 16:38 - 00161374 _____ C:\WINDOWS\system32\perfc00A.dat
2016-10-15 19:32 - 2016-07-05 15:09 - 01849776 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-10-15 07:39 - 2016-07-05 16:30 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-10-13 17:56 - 2016-07-18 19:53 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-10-13 05:38 - 2016-07-05 15:19 - 00000000 _____ C:\Recovery.txt
2016-10-12 03:32 - 2016-07-05 16:30 - 00000000 ___SD C:\WINDOWS\system32\DiagSvcs
2016-10-12 03:32 - 2016-07-05 16:30 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-10-11 22:11 - 2016-07-06 08:08 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-10-11 21:51 - 2016-07-06 08:08 - 141042968 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-10-11 10:42 - 2016-08-19 19:32 - 00000000 ____D C:\Users\house\AppData\Local\Ankama
2016-10-11 09:44 - 2015-10-27 20:25 - 00000000 ____D C:\Users\house\Documents\Cuenta Banesco
2016-10-10 08:51 - 2016-09-04 10:51 - 00000000 ____D C:\ProgramData\Skype
2016-10-02 14:15 - 2016-08-08 21:04 - 00000000 ____D C:\Users\house\Documents\Constancias del Algodonal
2016-09-30 20:23 - 2016-07-05 16:33 - 00828408 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-09-30 20:23 - 2016-07-05 16:33 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
 
==================== Files in the root of some directories =======
 
2016-10-21 14:54 - 2016-10-21 14:54 - 0012447 _____ () C:\Users\house\AppData\Local\recently-used.xbel
2016-08-18 12:02 - 2016-08-18 12:02 - 0000057 _____ () C:\ProgramData\Ament.ini
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-10-13 15:07
 
==================== End of FRST.txt ============================


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:37 PM

Posted 23 October 2016 - 12:20 PM

Hi SigmundLarsen :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

We'll take out most of the infection using FRST, and then follow up with JRT and AdwCleaner to clean up the remnants (since most of the malware present are PUPs, Adware and Browser Hijackers).

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
After running FRST, a file called Upload.zip will be on your desktop. Upload it to the link below.

http://www.bleepingcomputer.com/submit-malware.php?channel=194

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted content of FRST's fixlog.txt;
  • Confirmation that you uploaded the Upload.zip file to the link provided above;
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;


Edited by Aura, 23 October 2016 - 12:20 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 SigmundLarsen

SigmundLarsen
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:37 PM

Posted 25 October 2016 - 03:46 PM

Good afternoon, Yoan, and thank you very much for your cordial response! I'll write this up real quick so you know I've read your instructions, and I agree completely, and please give me some time so I can upload the logs you requested. Once again, thanks a lot! :)

 

David



#4 SigmundLarsen

SigmundLarsen
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:37 PM

Posted 25 October 2016 - 07:17 PM

Good night Yoan, thank you for your help. Here are the logs you requested, and I've already uploaded the Upload.zip file as per requested, submitting the link to this thread as well! I'll be on the lookout for your reply, and thanks for taking your time to help.

 

Kindly,

 

David

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 16-10-2016
Ran by house (25-10-2016 19:01:22) Run:1
Running from C:\Users\house\Desktop
Loaded Profiles: house (Available Profiles: house)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
Zip: C:\WINDOWS\windowdowngrade.exe
 
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
GroupPolicyScripts\User: Restriction <======= ATTENTION
 
FF DefaultProfile: o394kibz.default
FF ProfilePath: C:\Users\house\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\o394kibz.default\Profiles\o394kibz.default [not found]
FF ProfilePath: C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default [2016-10-23]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\o394kibz.default -> youndoo
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\o394kibz.default -> youndoo
FF Homepage: Mozilla\Firefox\Profiles\o394kibz.default -> hxxps://search.avira.net"); verride.mstone", "49.0.2
FF Extension: (No Name) - C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default\Extensions\abs@avira.com [2016-10-22]
 
CHR Profile: C:\Users\house\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2016-10-22] <==== ATTENTION
 
R2 HpSvc; C:\Program Files\LuDaShi\lpi\HpSvc.dll [239016 2016-07-21] () <==== ATTENTION
R2 UCBrowserSvc; C:\Program Files\UCBrowser\Application\UCService.exe [935312 2016-10-19] ()
R1 ucdrv; C:\WINDOWS\System32\drivers:ucdrv-x86.sys [69010 ] (UC Web Inc.) <==== ATTENTION
S1 UCGuard; C:\WINDOWS\System32\DRIVERS\ucguard.sys [72064 2016-08-29] (Huorong Borui (Beijing) Technology Co., Ltd.) <==== ATTENTION
U3 mbr; C:\Users\house\AppData\Local\Temp\mbr.sys [25088 2016-10-23] () [File not signed]
 
NETSVC: HpSvc -> C:\Program Files\LuDaShi\lpi\HpSvc.dll ()
 
Task: {B6B4152C-D1E6-4D4C-B40B-4364395ECD64} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files\UCBrowser\Application\update_task.exe [2016-10-19] (UCWeb Inc) <==== ATTENTION
Task: {D3A5E9EA-84D8-4A4D-94EF-BD26705E049D} - System32\Tasks\SecureUpdater => C:\Program Files\UCBrowser\Application\uclauncher.exe [2016-10-21] (UC Web Inc.) <==== ATTENTION
Task: C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job => C:\Program Files\UCBrowser\Application\update_task.exe <==== ATTENTION
 
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
 
ShortcutWithArgument: C:\Users\house\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\house\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://9o0gle.com/
ShortcutWithArgument: C:\Users\house\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://9o0gle.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\house\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://9o0gle.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://9o0gle.com/
 
AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x86.sys [69010]
AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1157922]
 
FirewallRules: [{736DAA0C-984C-48F9-90DE-901876158568}] => (Allow) C:\Users\house\AppData\Local\Temp\is-EP1CO.tmp\download\MiniThunderPlatform.exe
FirewallRules: [{317F6F06-6223-421E-AA81-4B4F171E0377}] => (Allow) C:\Program Files\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{416AE5F1-83FD-4BB4-8D26-28DEC518E306}] => (Allow) C:\Users\house\AppData\Local\Temp\inst_buychannel_06.exe
FirewallRules: [{7709B886-5A44-455E-BF5D-2C819A7077FB}] => (Allow) C:\Users\house\AppData\Local\Temp\inst_buychannel_06.exe
FirewallRules: [{F1608BA5-6D31-4EC3-A5AD-3A3CA055CEFA}] => (Allow) C:\Program Files\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{4D757F67-DBAD-4E33-9A34-4EBA6CA0EE4C}] => (Allow) C:\Program Files\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe
FirewallRules: [{0BC1E7C4-D9B6-46CF-93A2-09BBD205F2B7}] => (Allow) C:\Program Files\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{F4FEBF92-36CB-4651-9930-1F0D979C4F6D}] => (Allow) C:\Program Files\GreatMaker\MaohaWiFi\MaohaWifiSvr.exe
FirewallRules: [{359F6AD9-025D-4E92-93CA-A5F08C4B9E48}] => (Allow) C:\Program Files\LuDaShi\ComputerZTray.exe
FirewallRules: [{FF27F18E-AE1A-42CA-81DA-302A1A011F34}] => (Allow) C:\Program Files\LuDaShi\ComputerZTray.exe
 
C:\Program Files\GreatMaker
C:\Program Files\hhh
C:\Program Files\LuDaShi
C:\Program Files\Pezucultgivit
C:\Program Files\UCBrowser
C:\ProgramData\Avg
C:\ProgramData\AVAST Software
C:\ProgramData\Thunder Network
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\鲁大师
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UC浏览器
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UC浏览器.lnk
C:\Users\Public\Thunder Network
C:\Users\house\AppData\Local\Biduty
C:\Users\house\AppData\Local\UCBrowser
C:\Users\house\AppData\Roaming\Ludashi
C:\Users\house\AppData\Roaming\Softlink
C:\WINDOWS\windowdowngrade.exe
C:\WINDOWS\System32\drivers\ucdrv-x86.sys
C:\WINDOWS\System32\DRIVERS\ucguard.sys
 
cmd: netsh winsock reset
 
EmptyTemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
================== Zip: ===================
C:\WINDOWS\windowdowngrade.exe -> copied successfully to C:\Users\house\Desktop\Upload.zip
=========== Zip: End ===========
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj" => key removed successfully.
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj2" => key removed successfully.
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => key not found. 
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
 
========================= FF DefaultProfile: o394kibz.default ========================
 
"FF DefaultProo394kibz.default" => not found.
====== End of File: ======
 
C:\Users\house\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\o394kibz.default\Profiles\o394kibz.default => path removed successfully.
C:\Users\house\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\o394kibz.default\Profiles\o394kibz.default => path removed successfully.
C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default => moved successfully
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\o394kibz.default -> youndoo => not found
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\o394kibz.default -> youndoo => not found
FF Homepage: Mozilla\Firefox\Profiles\o394kibz.default -> hxxps://search.avira.net"); verride.mstone", "49.0.2 => not found
C:\Users\house\AppData\Roaming\Mozilla\Firefox\Profiles\o394kibz.default\Extensions\abs@avira.com => not found.
C:\Users\house\AppData\Local\Google\Chrome\User Data\ChromeDefaultData => moved successfully
HpSvc => Service stopped successfully.
HpSvc => service removed successfully.
UCBrowserSvc => service removed successfully.
ucdrv => Service stopped successfully.
ucdrv => service removed successfully.
UCGuard => service removed successfully.
mbr => service not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs HpSvc => value removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B6B4152C-D1E6-4D4C-B40B-4364395ECD64}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B6B4152C-D1E6-4D4C-B40B-4364395ECD64}" => key removed successfully.
C:\Windows\System32\Tasks\UCBrowserUpdaterCore => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdaterCore" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{D3A5E9EA-84D8-4A4D-94EF-BD26705E049D}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D3A5E9EA-84D8-4A4D-94EF-BD26705E049D}" => key removed successfully.
C:\Windows\System32\Tasks\SecureUpdater => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SecureUpdater" => key removed successfully.
C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job => moved successfully
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION => removed successfully.
C:\Users\house\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully..
C:\Users\house\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\WINDOWS\system32\drivers => ":ucdrv-x86.sys" ADS removed successfully..
C:\WINDOWS\system32\drivers => ":x86" ADS removed successfully..
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{736DAA0C-984C-48F9-90DE-901876158568} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{317F6F06-6223-421E-AA81-4B4F171E0377} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{416AE5F1-83FD-4BB4-8D26-28DEC518E306} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7709B886-5A44-455E-BF5D-2C819A7077FB} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F1608BA5-6D31-4EC3-A5AD-3A3CA055CEFA} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4D757F67-DBAD-4E33-9A34-4EBA6CA0EE4C} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0BC1E7C4-D9B6-46CF-93A2-09BBD205F2B7} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F4FEBF92-36CB-4651-9930-1F0D979C4F6D} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{359F6AD9-025D-4E92-93CA-A5F08C4B9E48} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FF27F18E-AE1A-42CA-81DA-302A1A011F34} => value removed successfully.
"C:\Program Files\GreatMaker" => not found.
C:\Program Files\hhh => moved successfully
C:\Program Files\LuDaShi => moved successfully
C:\Program Files\Pezucultgivit => moved successfully
C:\Program Files\UCBrowser => moved successfully
C:\ProgramData\Avg => moved successfully
C:\ProgramData\AVAST Software => moved successfully
C:\ProgramData\Thunder Network => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\鲁大师 => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UC浏览器 => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UC浏览器.lnk => moved successfully
C:\Users\Public\Thunder Network => moved successfully
C:\Users\house\AppData\Local\Biduty => moved successfully
C:\Users\house\AppData\Local\UCBrowser => moved successfully
C:\Users\house\AppData\Roaming\Ludashi => moved successfully
C:\Users\house\AppData\Roaming\Softlink => moved successfully
C:\WINDOWS\windowdowngrade.exe => moved successfully
"C:\WINDOWS\System32\drivers\ucdrv-x86.sys" => not found.
C:\WINDOWS\System32\DRIVERS\ucguard.sys => moved successfully
 
========= netsh winsock reset =========
 
 
El catálogo Winsock se restableció correctamente.
Debe reiniciar el equipo para completar el restablecimiento.
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14887890 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 38193096 B
Edge => 5624 B
Chrome => 319651244 B
Firefox => 19464851 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
LocalService => 5888 B
NetworkService => 5618 B
house => 278969512 B
Classic .NET AppPool => 0 B
DefaultAppPool => 0 B
 
RecycleBin => 6264120 B
EmptyTemp: => 646.1 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 19:14:22 ====
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 10 Pro x86 
Ran by house (Administrator) on 25/10/2016 at 19:30:16,75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 1 
 
Successfully deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\search.lnk (Shortcut) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 25/10/2016 at 19:32:54,95
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
# AdwCleaner v6.030 - Registro generado 25/10/2016 en 19:44:26
# *Updated on 19/10/2016 by Malwarebytes
# Base de datos : 2016-10-18.1 [*Local]
# Sistema operativo : Windows 10 Pro  (X86)
# Nombre de usuario : house - HOUSE-PC
# Ejecutado desde : C:\Users\house\Desktop\AdwCleaner.exe
# *Mode: Scan
 
 
 
***** [ Servicios ] *****
 
*No malicious services found.
 
 
***** [ Carpetas ] *****
 
*No malicious folders found.
 
 
***** [ Archivos ] *****
 
*No malicious files found.
 
 
***** [ DLL ] *****
 
*No malicious DLLs found.
 
 
***** [ WMI ] *****
 
*No malicious keys found.
 
 
***** [ Accesos directos ] *****
 
Búsqueda de accesos directos...
 
 
***** [ Tareas programadas ] *****
 
*No malicious task found.
 
 
***** [ Registro ] *****
 
encontrar HKLM\SOFTWARE\Classes\UCHTML
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.CRX
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.HTM
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.HTML
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.MHT
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.SHTM
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.SHTML
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.WEBP
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.XHT
encontrar HKLM\SOFTWARE\Classes\UCHTML.AssocFile.XHTML
encontrar HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\GoogleChromeUpService
encontrar HKLM\SOFTWARE\Classes\KuaiZip.7z
encontrar HKLM\SOFTWARE\Classes\KuaiZip.apk
encontrar HKLM\SOFTWARE\Classes\KuaiZip.arj
encontrar HKLM\SOFTWARE\Classes\KuaiZip.bz2
encontrar HKLM\SOFTWARE\Classes\KuaiZip.cab
encontrar HKLM\SOFTWARE\Classes\KuaiZip.gz
encontrar HKLM\SOFTWARE\Classes\KuaiZip.gzip
encontrar HKLM\SOFTWARE\Classes\KuaiZip.jar
encontrar HKLM\SOFTWARE\Classes\KuaiZip.kz
encontrar HKLM\SOFTWARE\Classes\KuaiZip.lzh
encontrar HKLM\SOFTWARE\Classes\KuaiZip.mou
encontrar HKLM\SOFTWARE\Classes\KuaiZip.rar
encontrar HKLM\SOFTWARE\Classes\KuaiZip.rpm
encontrar HKLM\SOFTWARE\Classes\KuaiZip.tar
encontrar HKLM\SOFTWARE\Classes\KuaiZip.tbz
encontrar HKLM\SOFTWARE\Classes\KuaiZip.tgz
encontrar HKLM\SOFTWARE\Classes\KuaiZip.wim
encontrar HKLM\SOFTWARE\Classes\KuaiZip.z
encontrar HKLM\SOFTWARE\Classes\KuaiZip.zip
encontrar HKLM\SOFTWARE\Classes\KuaiZip.zipx
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.ape
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.bin
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.ccd
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.cue
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.flac
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.iso
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.isz
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.mdf
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.mds
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.nrg
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.vcd
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount.wv
encontrar HKLM\SOFTWARE\Classes\KuaiZipMount_FileAsso.Origin
encontrar HKLM\SOFTWARE\Classes\KuaiZip_FileAsso.Origin
encontrar HKLM\SOFTWARE\Classes\AppID\{9CC34070-3A38-4C7A-89CB-EF8177EF07A1}
encontrar HKLM\SOFTWARE\Classes\CLSID\{34B3C588-D06C-4F92-929C-2C3A0BC7F821}
encontrar HKU\.DEFAULT\Software\UCBrowser
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\Installer
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\UCBrowser
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\UCBrowserPID
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\AutoTime
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\KuaiZip
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\SNDA
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\KuaiZipSFX
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\Maoha
encontrar HKU\S-1-5-21-341725365-624224163-1886038721-1000\Software\Ludashi
encontrar HKU\S-1-5-18\Software\UCBrowser
encontrar HKCU\Software\Installer
encontrar HKCU\Software\UCBrowser
encontrar HKCU\Software\UCBrowserPID
encontrar HKCU\Software\AutoTime
encontrar HKCU\Software\KuaiZip
encontrar HKCU\Software\SNDA
encontrar HKCU\Software\KuaiZipSFX
encontrar HKCU\Software\Maoha
encontrar HKCU\Software\Ludashi
encontrar HKLM\SOFTWARE\UCBrowser
encontrar HKLM\SOFTWARE\UCBrowserPID
encontrar HKLM\SOFTWARE\Maoha
encontrar HKLM\SOFTWARE\Ludashi
encontrar HKLM\SOFTWARE\ComputerZ
encontrar HKCU\Software\Microsoft\Internet Explorer\DOMStorage\yeabests.cc
encontrar HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser
encontrar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\UCBrowser.exe
Valor HKLM\SOFTWARE\RegisteredApplications [UCBrowser]
encontrar HKLM\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList\UCBrowser.exe
Valor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved [KuaiZip Shell Extension]
Valor HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [kuaizipupdatesvc]
encontrar HKLM\SOFTWARE\Classes\AppID\QZipShell.DLL
 
 
***** [ Navegadores Web ] *****
 
Búsqueda de elementos del registro
Búsqueda de elementos del registro
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [10079 bytes] - [25/10/2016 19:44:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [10153 bytes] ##########
 


#5 Aura

    Bleepin' Special Ops
  • Malware Response Team
  • 19,474 posts
  • Gender:Male

Posted 25 October 2016 - 07:24 PM

Thank you :) Looks like FRST fixed pretty much everything and EEK took care of the rest. We'll still run Malwarebytes and Emsisoft Emergency Kit for remnants.

Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
How's your computer running now? Is Firefox working properly, and the Windows key as well?

Your next reply(ies) should therefore contain:
  • Copy/pasted content of Malwarebytes clean log;
  • Copy/pasted content of EEK's clean log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 SigmundLarsen

  • Topic Starter
  • Members
  • 9 posts

Posted 25 October 2016 - 08:13 PM

So far, my Windows key hasn't returned, but Firefox is back online, thanks! The computer is running a tad slow, and I still see malware-ish processes running (via Task Manager). I'm dl'ing EEK and running MBAM as we speak, so I'll be getting back to you soon!



#7 Aura

    Bleepin' Special Ops
  • Malware Response Team
  • 19,474 posts
  • Gender:Male

Posted 28 October 2016 - 06:51 AM

Hi Sigmund,

Are you still with me? Did you run Malwarebytes and EEK? If so, do you have the logs?



#8 SigmundLarsen

  • Topic Starter
  • Members
  • 9 posts

Posted 29 October 2016 - 03:48 PM

Yes, Aura! Good afternoon, I'm still with you. I'm terribly sorry, I've been away on a trip these past few days and haven't been able to sit down and finish this. I'm running EEK as we speak and after that I'll re-run MBAM. Here is the old log from MBAM! 

Thank you very much,

David.-

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 25/10/2016
Scan Time: 21:24
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.10.23.04
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x86
File System: NTFS
User: house
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 338322
Time Elapsed: 29 min, 21 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 5
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (user_pref("browser.search.searchengine.hp", "http://www.youndoo.com/?z=1aea67547f30d5f69f0be47g4zcm0m7eat7m8t5c7o&from=wak&uid=HitachiXHTS543225L9A300_090915FB6D32LJHNJS6AX&type=hp");), Replaced,[c6da1d7f1783b87e32517973aa5a8878]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (dateTime.search-engine-update-timer", 1477094904);
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1477018199);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.cach), Replaced,[237d9507633745f1bcc748a4966eda26]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (477018199);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.cache.disk.hashstats_reported", 1);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.), Replaced,[dfc1405c2f6bb77f91f205e7fb0948b8]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (update-timer", 1477094904);
user_pref("app.update.las), Replaced,[bfe176264d4d6bcb9be8b23af4106f91]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (f("browser.cache.disk.hashstats_reported", 1);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
use), Replaced,[edb3f9a3a0faa78f61220ede8a7aba46]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#9 SigmundLarsen

  • Topic Starter
  • Members
  • 9 posts

Posted 29 October 2016 - 09:06 PM

Here are the logs from EEK (No threats found) and MBAM (still finds Youndoo). I'll be waiting for your instructions. Have a good night!

 

 

Emsisoft Emergency Kit - Versión 11.9
Última actualización: 29/10/2016 17:21:38
Cuenta de usuario: house-PC\house
Computer name: HOUSE-PC
OS version: Windows 10x86 
 
Configuraciones del análisis:
 
Tipo de análisis: Análisis de programas maliciosos
Objetos: Rootkits, Memoria, Trazas, Archivos
 
Detectar PUP: Activado
Análisis de archivos: Desactivado
Análisis ADS: Activado
Filtrar las extensiones de archivo: Desactivado
Caché avanzada: Activado
Acceso directo al disco: Desactivado
 
Inicio del análisis: 29/10/2016 17:26:09
 
Analizados 125211
Encontrados 0
 
Fin del análisis: 29/10/2016 17:56:52
Duración del análisis: 0:30:43
 

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 29/10/2016
Scan Time: 19:24
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.10.29.08
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x86
File System: NTFS
User: house
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 341216
Time Elapsed: 29 min, 3 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 4
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (user_pref("browser.search.searchengine.sp", "http://www.youndoo.com/search/?from=wak&q={searchTerms}&type=sp&uid=HitachiXHTS543225L9A300_090915FB6D32LJHNJS6AX&z=1aea67547f30d5f69f0be47g4zcm0m7eat7m8t5c7o");), Replaced,[f408acf2d5c541f589f7a349c14331cf]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (.disk.smart_size.use_old_max", false);
user_pref("browser.cache.frecency_experiment", 2);
user_pref("browser.download.importedFromSqlite", true);
user_pref("browser.download.lastDir", "C:\\Users\\house\\D), Replaced,[0eee28766535b3834c343ab227dd6e92]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (ed", 1);
user_pref("browser.cache.disk.smart_size.fir), Replaced,[1be18c12f7a32016cdb335b700046898]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (y_experiment", 2);
user_pref("browser.download.importedFromSqlite", true);
user_pref("browser.download.lastDir", "C:\\Users\\house\\Documents\\Traducciones & Work\\Freelance\\), Replaced,[28d4e9b5e5b5a78fe49cf1fbb351c040]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#10 Aura

    Bleepin' Special Ops
  • Malware Response Team
  • 19,474 posts
  • Gender:Male

Posted 29 October 2016 - 10:57 PM

Malwarebytes still finds Youndoo because it seems like you're not cleaning the threat. This is a scan log, not a clean log. Do you click on "Remove threats" after the scan?



#11 SigmundLarsen

  • Topic Starter
  • Members
  • 9 posts

Posted 30 October 2016 - 01:35 PM

Hmmm... it's still there... I clicked "Remove threats", MBAM quarantined the threats, and after that I eliminated them from Quarantine and then ran Malwarebytes again, and here it is again... I don't know where I could find the correct logs from MBAM. This is the latest log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 30/10/2016
Scan Time: 12:53
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.10.30.08
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x86
File System: NTFS
User: house
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 339884
Time Elapsed: 34 min, 22 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 3
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (user_pref("browser.search.searchengine.url", "http://www.youndoo.com/search/?from=wak&q={searchTerms}&type=sp&uid=HitachiXHTS543225L9A300_090915FB6D32LJHNJS6AX&z=1aea67547f30d5f69f0be47g4zcm0m7eat7m8t5c7o");), Replaced,[78e8415e336776c00e6ea74570947e82]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: (st_run", false);
user_pref("browser.cacheocuments\\Tr), Replaced,[431dbce3e0ba4ee84636b5370afa7987]
PUP.Optional.Youndoo, C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default\prefs.js, Good: (), Bad: ();
user_pref("browser.download.panel.shown", true);
user_pref("browser.download.useDownloadDir", false);
user_pref("browser.eme.ui.firstContentShown", true);
user_pref("brow), Replaced,[8bd5653af5a5bf771a62c3294db72cd4]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
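Every Youndoo hit in the three Malwarebytes logs above is a user_pref() line in the same prefs.js that points a browser.search.* pref at www.youndoo.com. As an added example (not the thread's, Malwarebytes' or Firefox's code), the following Python parses a prefs.js and reports search and start-page prefs whose URL host is not on an allowlist; the sample prefs.js, the allowlist and all function names are constructed for this example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample prefs.js for this example, modelled on the user_pref()
# lines Malwarebytes quoted in the logs above (youndoo.com URLs shortened;
# the remaining lines are ordinary Firefox prefs).
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1477018199);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.download.lastDir", "C:\\Users\\house\\Documents");
user_pref("browser.search.searchengine.hp", "http://www.youndoo.com/?from=wak&type=hp");
user_pref("browser.search.searchengine.sp", "http://www.youndoo.com/search/?from=wak&q={searchTerms}&type=sp");
user_pref("browser.search.searchengine.url", "http://www.youndoo.com/search/?from=wak&q={searchTerms}&type=sp");
user_pref("browser.startup.homepage", "https://www.mozilla.org/firefox/");
user_pref("keyword.URL", "https://duckduckgo.com/?q=");
'''

# One user_pref("name", value); statement per line. The name may contain
# escaped quotes; the value is any JS literal up to the closing ");".
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+)\);\s*$')

# Prefs that decide where searches and the start page go; a search hijacker
# such as the Youndoo PUP in this thread plants its URL in these.
SEARCH_PREF_PREFIXES = ("browser.search.", "browser.startup.homepage", "keyword.URL")

# Hosts the user expects in those prefs. Constructed allowlist for the
# example, not a Firefox or Malwarebytes list; adjust it to the machine's owner.
EXPECTED_HOSTS = {"www.mozilla.org", "www.google.com", "www.bing.com", "duckduckgo.com"}


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js.

    Values are decoded with the JSON parser, which accepts the string,
    number and boolean literals Firefox writes (including the doubled
    backslashes in Windows paths). Lines that are not prefs are ignored.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        try:
            value = json.loads(raw)
        except ValueError:
            value = raw  # unknown literal: keep it as text rather than drop it
        prefs[name] = value
    return prefs


def find_hijacked_prefs(prefs, expected_hosts=EXPECTED_HOSTS):
    """Return [(pref_name, host)] for search/start-page prefs whose URL
    points at a host outside expected_hosts."""
    hits = []
    for name, value in prefs.items():
        if not name.startswith(SEARCH_PREF_PREFIXES):
            continue
        if not isinstance(value, str):
            continue  # numeric/boolean search prefs carry no URL
        host = urlparse(value).hostname
        if host is None:
            continue  # a plain engine name, not a URL
        if host.lower() not in expected_hosts:
            hits.append((name, host.lower()))
    return hits


def scan_prefs_file(path, expected_hosts=EXPECTED_HOSTS):
    """Parse a prefs.js from disk and return its suspicious search prefs."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked_prefs(parse_prefs(fh.read()), expected_hosts)


if __name__ == "__main__":
    for pref, host in find_hijacked_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"suspicious search pref {pref} -> {host}")
```

Run it against a copy of the profile's prefs.js (scan_prefs_file) while Firefox is closed, since Firefox rewrites the file on exit.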


#12 Aura

    Bleepin' Special Ops
  • Malware Response Team
  • 19,474 posts
  • Gender:Male

Posted 30 October 2016 - 02:44 PM

Alright, let's try this.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    C:\Users\house\AppData\Roaming\Profiles\Tevshdrleck.default
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
Once done, run Malwarebytes again. Does it still detect Youndoo?



#13 Aura

    Bleepin' Special Ops
  • Malware Response Team
  • 19,474 posts
  • Gender:Male

Posted 02 November 2016 - 12:02 PM

Hi SigmundLarsen,

Are you still with me? Can you follow the instructions in my previous post?



#14 Aura

    Bleepin' Special Ops
  • Malware Response Team
  • 19,474 posts
  • Gender:Male

Posted 05 November 2016 - 12:25 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





