
Help poweliks removal


This topic is locked
19 replies to this topic

#1 PatryKing

  • Members
  • 9 posts

Posted 07 December 2016 - 12:53 PM

I need help with removal of Poweliks. My laptop keeps switching on after being put into sleep mode. Powershell.exe is in the task bar when I start the computer, and ESET antivirus keeps removing viruses from RAM (powershell.exe).

I tried https://www.bleepingcomputer.com/virus-removal/remove-poweliks-trojan#self-help

but the ESET Poweliks cleaner didn't find any threat.
Next I tried https://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

and I am here with RKill and FRST results in the attached files.

 

Does anybody know what I should do to remove that threat?

Sorry for my bad English.



Edited by PatryKing, 07 December 2016 - 01:27 PM.




#2 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,850 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 09 December 2016 - 11:55 AM

PatryKing:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I would like to address you by your first name, if that is alright with you, since we will be working together.

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time, normally 48 hours after your last post.


The FRST log that you submitted is incomplete and it is in Polish, a language that I do not speak.

Please rename FRST64.exe to FRST64English.exe.

RKill did not show any malicious processes to stop, so it is not necessary to run it again.

Please reboot your computer.

Right-click FRST64English.exe and select "Run As Administrator".

When FRST has finished, please check the FRST.txt scan log, by double-clicking it. It should open in Notepad. Scroll to the bottom of the log - you should see a line that says:

==================== End of FRST.txt ============================

If you do not see that line at the end of the FRST log file, please reboot your computer into Safe Mode With Networking. Instructions can be found at this link. Please right-click FRST64English.exe and select "Run as Administrator". Submit those logs rather than incomplete logs. If the line quoted above is present, skip this entire instruction.

IMPORTANT: Please copy and paste, not attach, both the contents of the FRST.txt file and the contents of the Addition.txt file into your next post. This makes it much easier for me.

 

 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil


Edited by garioch7, 09 December 2016 - 12:18 PM.

Graduate of the Bleeping Computer Malware Removal Study Hall
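A triage pass over the Run-key lines of an FRST log, written as an added example for this thread (it is not code from the thread, from Farbar, or from BleepingComputer). It flags the Poweliks-style pattern visible in the log posted below, where a Run value launches powershell.exe hidden, with the execution policy bypassed, and decodes a Base64 payload read from another registry value, and it reports which registry key and value hold that payload so a responder knows what to inspect. The sample lines are constructed from entries in the posted log; the function and indicator names are my own.

```python
"""Triage of Run-key autoruns in a Farbar (FRST) log for the fileless
PowerShell persistence pattern discussed in this thread."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample: three lines copied from the FRST log posted in this
# thread (the powershell one is the Poweliks-style entry) plus one benign one.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16165632 2015-08-06] (Realtek Semiconductor)
HKLM\...\Run: [hshhsaaaws] => [X]
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Patryk\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Run: [{ED63C89B-B475-4607-9A8D-008CDD26D45F}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\WifnaB').YFGOAT)));
""".strip().splitlines()

# One FRST "Registry (Whitelisted)" Run line: <hive>\...\Run: [<name>] => <command>
RUN_LINE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")

# Command-line traits that together make up the fileless pattern.
INDICATORS = {
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "executionpolicy-bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "frombase64string": re.compile(r"FromBase64String", re.I),
    "registry-read": re.compile(r"\b(?:gp|get-itemproperty)\b", re.I),
}

# (gp 'HKCU:\Software\Classes\WifnaB').YFGOAT  ->  registry key + value name
PAYLOAD_REF = re.compile(
    r"(?:gp|get-itemproperty)\s+'(?P<key>[^']+)'\)?\.(?P<value>\w+)", re.I)


@dataclass
class Finding:
    hive: str
    name: str
    command: str
    indicators: List[str] = field(default_factory=list)
    payload_key: Optional[str] = None     # where the encoded script is stored
    payload_value: Optional[str] = None   # registry value name holding it
    verdict: str = "benign-looking"


def parse_run_entry(line: str) -> Optional[Finding]:
    """Return a Finding for a Run-key line, or None for any other FRST line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    f = Finding(hive=m.group("hive"), name=m.group("name"), command=cmd)
    f.indicators = [k for k, rx in INDICATORS.items() if rx.search(cmd)]
    ref = PAYLOAD_REF.search(cmd)
    if ref:
        f.payload_key, f.payload_value = ref.group("key"), ref.group("value")
    if cmd.strip() == "[X]":
        # FRST marks a Run value whose target file no longer exists with [X];
        # it is dead weight rather than active code, but still worth cleanup.
        f.verdict = "orphaned-entry"
    elif "powershell" in f.indicators and len(f.indicators) >= 3:
        # A PowerShell launcher combining several evasion/decoding traits is
        # the fileless-persistence shape this thread is about.
        f.verdict = "fileless-powershell-autorun"
    elif f.indicators:
        f.verdict = "review"
    return f


def triage_run_entries(lines: Iterable[str]) -> List[Finding]:
    """Parse every Run-key line in an FRST log and classify each one."""
    return [f for f in (parse_run_entry(ln) for ln in lines) if f is not None]


def report(findings: Iterable[Finding]) -> str:
    """Human-readable summary, one line per Run entry."""
    out = []
    for f in findings:
        line = f"[{f.verdict}] {f.hive} Run:[{f.name}]"
        if f.indicators:
            line += " indicators=" + ",".join(f.indicators)
        if f.payload_key:
            line += f" payload={f.payload_key}\\{f.payload_value}"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage_run_entries(SAMPLE_FRST_LINES)))
```

On the sample above the script reports the GUID-named HKU Run entry as a fileless PowerShell autorun with its payload in HKCU:\Software\Classes\WifnaB (value YFGOAT), and the hshhsaaaws entry as orphaned.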


#3 PatryKing
  • Topic Starter

  • Members
  • 9 posts

Posted 10 December 2016 - 07:56 AM

Hi Phil,

My first name is Patryk (it's the Polish version of Patrick, use whichever you like).
First I would like to thank you for helping me with my problem.
I've noticed that some of the text in Addition.txt was not translated, so I've roughly translated it myself.
FRST64English.exe worked after the first reboot. I've run it as administrator and here are the results:

FRST:
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by Patryk (administrator) on PATRYK-PC (10-12-2016 13:13:25)
Running from C:\Users\Patryk\Desktop
Loaded Profiles: Patryk (Available Profiles: Patryk)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: Polski (Polska)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(AuthenTec, Inc.) C:\Program Files\Fingerprint Sensor\ATService.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(DigitalPersona, Inc.) C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
() C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Akamai Technologies, Inc.) C:\Users\Patryk\AppData\Local\Akamai\netsession_win.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Akamai Technologies, Inc.) C:\Users\Patryk\AppData\Local\Akamai\netsession_win.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
(DigitalPersona, Inc.) C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(DigitalPersona, Inc.) C:\Program Files\DigitalPersona\Bin\DpAgent.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
(Farbar) C:\Users\Patryk\Desktop\FRST64English.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16165632 2015-08-06] (Realtek Semiconductor)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [hshhsaaaws] => [X]
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2832168 2011-10-01] (Synaptics Incorporated)
HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [DpAgent] => C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe [842816 2009-04-17] (DigitalPersona, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Patryk\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Run: [{ED63C89B-B475-4607-9A8D-008CDD26D45F}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\WifnaB').YFGOAT)));
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: {1294fda3-95e4-11e5-9aeb-c80aa9e185be} - F:\AutoRun.exe --autorun
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: {1e8a457b-a3fb-11e5-a662-c80aa9e185be} - G:\LaunchEAW.exe
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: {27943b24-5faf-11e6-8f64-001a6badcf7d} - F:\HiSuiteDownLoader.exe
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: {27943b39-5faf-11e6-8f64-001a6badcf7d} - F:\HiSuiteDownLoader.exe
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: {64390821-a1c3-11e6-9bbf-001a6badcf7d} - F:\HiSuiteDownLoader.exe
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: {84532ba9-95e0-11e5-bb4d-806e6f6e6963} - E:\autorun.exe
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\MountPoints2: {e53fe45c-4b43-11e6-a0dc-001a6badcf7d} - F:\autorun.exe
Lsa: [Notification Packages] scecli c:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll DPPWDFLT
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2016-01-15]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
BootExecute: autocheck autochk * aswBoot.exe /M:b0d1878ca /wow /dir:"C:\Program Files\AVAST Software\Avast"
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3E49045B-7E70-4673-B0AA-F614A5F530B5}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{AC50A58E-77FB-4C0F-9B35-2CCA30273EAB}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_111\bin\ssv.dll [2016-11-03] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-11-03] (Oracle Corporation)
BHO-x32: DigitalPersona Personal Extension -> {395610AE-C624-4f58-B89E-23733EA00F9A} -> C:\Program Files (x86)\DigitalPersona\Bin\DpOtsPluginIe8.dll [2009-04-17] (DigitalPersona, Inc.)
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [otis@digitalpersona.com] - C:\Program Files (x86)\DigitalPersona\Bin\FirefoxExt
FF Extension: (DigitalPersona Extension) - C:\Program Files (x86)\DigitalPersona\Bin\FirefoxExt [2016-01-16] [not signed]
FF HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Firefox\Extensions: [otis@digitalpersona.com] - C:\Program Files (x86)\DigitalPersona\Bin\firefoxext
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_207.dll [2016-11-09] ()
FF Plugin: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-11-03] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-11-03] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-16] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_207.dll [2016-11-09] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3442756476-2532682054-792797034-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Patryk\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-01-22] (Unity Technologies ApS)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.pl/","hxxps://www.youtube.com/"
CHR Profile: C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default [2016-12-10]
CHR Extension: (Dysk Google) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-28]
CHR Extension: (James White) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkeidgmehkdjmpjodpjkepolokanalkm [2015-11-28]
CHR Extension: (YouTube) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-28]
CHR Extension: (Google Search) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-28]
CHR Extension: (AdBlock) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-12-10]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Gmail) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-11-28]
CHR Extension: (Chrome Media Router) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-25]
CHR Extension: (That's Pretty Good (iDubbbzTV)) - C:\Users\Patryk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnidecdngnainebcfbmebgpkmnmljdng [2016-07-24]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [42096 2016-11-07] (Dropbox, Inc.)
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1369432 2015-11-18] (Disc Soft Ltd)
R2 DpHost; C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe [322624 2009-04-17] (DigitalPersona, Inc.) [File not signed]
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2815520 2016-10-11] (ESET)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2016-01-29] (NVIDIA Corporation)
R2 HuaweiHiSuiteService64.exe; C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe [192200 2016-08-26] () [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706128 2016-01-29] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21833360 2016-01-29] (NVIDIA Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [306944 2015-08-06] (Realtek Semiconductor)
U2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Amfilter; C:\Windows\System32\DRIVERS\Amfltx64.sys [12288 2000-01-01] ((Standard mouse types))
S3 Amusbprt; C:\Windows\System32\DRIVERS\Amusbx64.sys [17920 2000-01-01] (A4Tech Co.,Ltd.)
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [310728 2016-05-29] ()
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2015-11-28] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47160 2015-11-28] (Disc Soft Ltd)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [232072 2016-10-13] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [177792 2016-10-13] (ESET)
R1 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [67712 2016-10-13] (ESET)
R3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [19000 2010-02-25] (Hewlett-Packard Company)
S3 HWHandSet; C:\Windows\System32\DRIVERS\hw_quusbmdm.sys [223232 2016-05-25] (Huawei Technologies Co., Ltd.)
U5 hw_usbdev; C:\Windows\System32\Drivers\hw_usbdev.sys [116864 2016-05-25] (Huawei Technologies Co., Ltd.)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [42696 2016-05-29] ()
S3 NETwLv64; C:\Windows\System32\DRIVERS\NETwLv64.sys [7533568 2010-10-07] (Intel Corporation) [File not signed]
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2016-01-29] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2016-01-29] (NVIDIA Corporation)
R3 ScpVBus; C:\Windows\System32\DRIVERS\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R3 smserial; C:\Windows\System32\DRIVERS\SmSerl64.sys [1227776 2009-06-10] (Motorola Inc.)
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
U0 aswVmm; no ImagePath
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 dcdbas; system32\DRIVERS\dcdbas64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-10 13:13 - 2016-12-10 13:14 - 00014957 _____ C:\Users\Patryk\Desktop\FRST.txt
2016-12-09 20:54 - 2016-12-09 21:06 - 260714276 _____ C:\Users\Patryk\Desktop\jojo37_HD.mp4
2016-12-07 18:21 - 2016-12-10 13:13 - 00000000 ____D C:\FRST
2016-12-07 18:21 - 2016-12-07 18:21 - 02420224 _____ (Farbar) C:\Users\Patryk\Desktop\FRST64English.exe
2016-12-07 18:13 - 2016-12-07 18:14 - 00002366 _____ C:\Users\Patryk\Desktop\Rkill.txt
2016-12-07 18:13 - 2016-12-07 18:13 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Patryk\Desktop\iExplore.exe
2016-12-02 19:30 - 2016-12-02 19:30 - 00000000 ____D C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Urządzenia interfejsu Bluetooth
2016-11-25 23:48 - 2016-11-25 23:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2016-11-25 23:48 - 2016-11-25 23:48 - 00000000 ____D C:\ProgramData\ESET
2016-11-25 23:48 - 2016-11-25 23:48 - 00000000 ____D C:\Program Files\ESET
2016-11-25 23:31 - 2016-11-25 23:31 - 00002869 _____ C:\Windows\SysWOW64\servers.def.vpx
2016-11-25 23:31 - 2016-11-25 23:31 - 00000446 _____ C:\Windows\SysWOW64\prod-pgm.vpx
2016-11-25 21:59 - 2016-11-25 21:59 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-11-25 21:59 - 2016-11-25 21:59 - 00000000 ____D C:\Program Files\Common Files\AV
2016-11-25 21:55 - 2016-11-25 23:57 - 00000000 ____D C:\ProgramData\AVAST Software
2016-11-25 19:06 - 2016-11-25 19:06 - 00000000 ____D C:\Users\Patryk\AppData\Local\ESET
2016-11-23 14:28 - 2016-11-23 14:28 - 00000055 _____ C:\Users\Patryk\AppData\Roaming\MouseServer.ini
2016-11-23 14:22 - 2016-11-23 14:22 - 00000000 ____D C:\ProgramData\Google
2016-11-22 12:39 - 2016-11-22 13:02 - 00000000 ____D C:\Users\Patryk\Desktop\Hyper DBZ The Majin Build
2016-11-10 11:57 - 2016-11-10 11:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HiSuite
2016-11-10 11:57 - 2016-05-25 11:53 - 00287232 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\hw_quusbnet.sys
2016-11-10 11:57 - 2016-05-25 11:53 - 00223232 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\hw_quusbmdm.sys
2016-11-10 11:57 - 2016-05-25 11:53 - 00126592 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\hw_cdcacm.sys
2016-11-10 11:57 - 2016-05-25 11:53 - 00116864 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\hw_usbdev.sys
2016-11-10 11:57 - 2016-05-25 11:53 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbser.sys
2016-11-10 11:57 - 2016-05-25 11:53 - 00018816 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_usbccgpfilter.sys
2016-11-10 11:56 - 2016-11-10 11:57 - 00000000 ____D C:\Program Files (x86)\HiSuite
2016-11-10 11:55 - 2016-11-22 15:28 - 00000000 ____D C:\Users\Patryk\Desktop\Nowy folder
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-10 13:12 - 2015-11-28 16:33 - 00001044 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-12-10 13:11 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-10 13:09 - 2009-07-14 05:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-10 13:09 - 2009-07-14 05:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-10 04:19 - 2016-05-22 19:36 - 00000992 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-12-10 04:11 - 2016-07-08 19:25 - 00000930 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-10 03:59 - 2015-11-28 16:33 - 00001048 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-12-09 21:34 - 2015-12-02 15:03 - 00000000 ____D C:\Users\Patryk\AppData\Roaming\vlc
2016-12-08 15:43 - 2015-11-30 14:46 - 00000000 ____D C:\Users\Patryk\AppData\Roaming\uTorrent
2016-12-07 12:45 - 2016-07-08 19:25 - 00003868 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-12-07 12:45 - 2016-05-22 19:36 - 00003990 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2016-12-07 12:45 - 2015-12-09 11:42 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-07 12:45 - 2015-12-09 11:42 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-07 12:45 - 2015-11-28 17:02 - 00000000 ____D C:\Users\Patryk\AppData\Local\Adobe
2016-12-07 12:44 - 2015-12-09 11:42 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-07 12:44 - 2015-12-02 14:23 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-06 21:14 - 2016-01-15 14:23 - 00000000 ____D C:\Program Files\Mouse
2016-12-06 21:14 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-11-30 18:22 - 2016-03-07 14:18 - 00000157 _____ C:\Users\Patryk\Desktop\Pożyczone gry.txt
2016-11-25 22:06 - 2016-03-13 14:04 - 00000000 ____D C:\Users\Patryk\AppData\Roaming\Skype
2016-11-25 22:05 - 2016-03-13 14:04 - 00000000 ____D C:\ProgramData\Skype
2016-11-25 22:04 - 2016-07-15 12:18 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-11-25 20:24 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
2016-11-25 19:14 - 2015-11-28 16:33 - 00000000 ____D C:\Program Files (x86)\Google
2016-11-25 18:45 - 2015-11-29 16:28 - 02276752 ____H C:\Users\Patryk\AppData\Local\IconCache.db.backup
2016-11-24 02:41 - 2015-12-02 17:11 - 00000000 ___RD C:\Users\Patryk\Desktop\Programy
2016-11-15 00:02 - 2015-11-28 16:35 - 00002201 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-15 00:02 - 2015-11-28 16:35 - 00002189 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-11-12 19:58 - 2016-07-11 18:45 - 00000000 ___RD C:\Users\Patryk\Dropbox
2016-11-12 14:30 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache
2016-11-12 11:04 - 2011-04-12 14:21 - 00740348 _____ C:\Windows\system32\perfh015.dat
2016-11-12 11:04 - 2011-04-12 14:21 - 00155890 _____ C:\Windows\system32\perfc015.dat
2016-11-12 11:04 - 2009-07-14 06:13 - 01669190 _____ C:\Windows\system32\PerfStringBackup.INI
2016-11-12 10:57 - 2009-07-14 05:45 - 00371888 _____ C:\Windows\system32\FNTCACHE.DAT
2016-11-12 02:15 - 2015-11-29 19:34 - 00000000 ____D C:\Windows\system32\MRT
2016-11-12 02:04 - 2015-11-29 19:34 - 141011376 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-11-10 11:58 - 2016-08-13 20:36 - 00000000 ____D C:\Users\Patryk\AppData\Local\Hisuite
 
==================== Files in the root of some directories =======
 
2016-11-23 14:28 - 2016-11-23 14:28 - 0000055 _____ () C:\Users\Patryk\AppData\Roaming\MouseServer.ini
2016-01-16 12:11 - 2016-01-16 12:11 - 0000000 _____ () C:\Users\Patryk\AppData\Local\AtStart.txt
2016-01-16 12:11 - 2016-01-16 12:11 - 0000000 _____ () C:\Users\Patryk\AppData\Local\DSwitch.txt
2016-01-16 12:11 - 2016-01-16 12:11 - 0000000 _____ () C:\Users\Patryk\AppData\Local\QSwitch.txt
 
Some files in TEMP:
====================
C:\Users\Patryk\AppData\Local\Temp\_is9F63.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-04 19:58
 
==================== End of FRST.txt ============================

Addition:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Patryk (10-12-2016 13:14:42)
Running from C:\Users\Patryk\Desktop
Windows 7 Professional Service Pack 1 (X64) (2015-11-28 15:28:11)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3442756476-2532682054-792797034-500 - Administrator - Disabled)
Gość (S-1-5-21-3442756476-2532682054-792797034-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3442756476-2532682054-792797034-1002 - Limited - Enabled)
Patryk (S-1-5-21-3442756476-2532682054-792797034-1000 - Administrator - Enabled) => C:\Users\Patryk
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: ESET NOD32 Antivirus 10.0.369.1 (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: ESET NOD32 Antivirus 10.0.369.1 (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\uTorrent) (Version: 3.4.9.42951 - BitTorrent Inc.)
7-Zip 15.12 (x64) (HKLM\...\7-Zip) (Version: 15.12 - Igor Pavlov)
Adobe Acrobat Reader DC - Polish (HKLM-x32\...\{AC76BA86-7AD7-1045-7B44-AC0F074E4100}) (Version: 15.020.20042 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 23 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 23 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Akamai NetSession Interface (HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Akamai) (Version:  - Akamai Technologies, Inc)
Aktualizacje NVIDIA 17.12.8 (Version: 17.12.8 - NVIDIA Corporation) Hidden
Alien Nations 2 PL (HKLM-x32\...\Alien Nations 2 PL) (Version:  - )
AuthenTec Fingerprint Sensor Minimum Install (x32 Version: 7.7.0.62 - AuthenTec, Inc.) Hidden
AuthenTec Fingerprint Software (HKLM\...\{560DCF39-61D1-43B0-86DA-5EFF8F7A5144}) (Version: 8.4.4.39 - AuthenTec, Inc.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Broadcom Bluetooth Software (HKLM\...\{A1439D4F-FD46-47F2-A1D3-FEE097C29A09}) (Version: 6.5.1.5000 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.13 - Piriform)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.2.0.0112 - Disc Soft Ltd)
DigitalPersona Personal 4.01 (HKLM\...\{30296AB9-984A-415B-8909-1FE367438B47}) (Version: 4.01.3749 - DigitalPersona, Inc.)
ESET NOD32 Antivirus (HKLM\...\{211A59C5-0F03-415F-B70A-663FFFF5D140}) (Version: 10.0.369.1 - ESET, spol. s r.o.)
GameRanger (HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\GameRanger) (Version:  - GameRanger Technologies)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 54.0.2840.99 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Gothic II Złota Edycja (HKLM-x32\...\{B4FD3F41-E90C-4A3E-AADF-F2FB64CF2E42}) (Version: 2.6 - JoWood)
Heroes of Might and Magic III - Złota Edycja (HKLM-x32\...\{2F95D723-72D2-425C-A238-367FF157B6EE}) (Version: 1.00 - Ubisoft)
HiSuite (HKLM-x32\...\Hi Suite) (Version: 1.0 - Huawei Technologies Co.,Ltd)
HP Quick Launch Buttons (HKLM-x32\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.14.1 - Hewlett-Packard Company)
Java 8 Update 111 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (Polski) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1045) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Xbox 360 Accessories 1.2 (HKLM\...\{D9C50188-12D5-4D3E-8F00-682346C2AA5F}) (Version: 1.20.146.0 - Microsoft)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
NapiProjekt (2.2.0.2399) (HKLM-x32\...\NapiProjekt_is1) (Version:  - )
NVIDIA GeForce Experience 2.2.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.2.2 - NVIDIA Corporation)
NVIDIA Oprogramowanie systemu PhysX 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
NVIDIA Sterownik graficzny 341.96 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.96 - NVIDIA Corporation)
OpenOffice 4.1.2 (HKLM-x32\...\{E0ED9630-38E3-418F-A615-A9B2B5758BE5}) (Version: 4.12.9782 - Apache Software Foundation)
Oprogramowanie mikroukładu Intel® (x32 Version: 10.0.27 - Intel® Corporation) Hidden
Panel sterowania NVIDIA 341.96 (Version: 341.96 - NVIDIA Corporation) Hidden
QLBCASL (x32 Version: 6.40.17.2 - Hewlett-Packard) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.94.723.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7571 - Realtek Semiconductor Corp.)
RICOH Media Driver (HKLM-x32\...\{F5CC2EF8-20A4-4366-A681-3FE849E65809}) (Version: 2.14.00.05 - RICOH)
SHIELD Streaming (Version: 4.0.1000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 17.12.8 - NVIDIA Corporation) Hidden
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
SlimDrivers (HKLM-x32\...\{746AB259-6474-4111-8966-1C62F9A6E063}) (Version: 2.3.1 - SlimWare Utilities, Inc.)
Stardew Valley (HKLM-x32\...\1453375253_is1) (Version: 2.3.0.5 - GOG.com)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.27.1 - Synaptics Incorporated)
Unity Web Player (HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\UnityWebPlayer) (Version: 5.3.2f1 - Unity Technologies ApS)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{6DA2B636-698A-3294-BF4A-B5E11B238CDD}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{8CCEA24C-51AE-3B71-9092-7D0C44DDA2DF}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{C3A57BB3-9AA6-3F6F-9395-6C062BDD5FC4}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{F6F09DD8-F39B-3A16-ADB9-C9E6B56903F9}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{04B34E21-5BEE-3D2B-8D3D-E3E80D253F64}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{14866AAD-1F23-39AC-A62B-7091ED1ADE64}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{4B90093A-5D9C-3956-8ABB-95848BE6EFAD}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{B42E259C-E4D4-37F1-A1B2-EB9C4FC5A04D}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WinRAR 5.31 (64-bitowy) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)
Worms Armageddon (HKLM-x32\...\Worms Armageddon) (Version:  - )
YTD Video Downloader 5.1.0 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 5.1.0 - GreenTree Applications SRL) <==== ATTENTION
Złote Wrota (HKLM-x32\...\Złote Wrota) (Version: 1.05 - Złote Wrota Team)
Złote Wrota Dubbing (HKLM-x32\...\Złote Wrota Dubbing) (Version: 1.05 - Złote Wrota Team)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0215A4C0-5431-4FD0-9B06-46589B5C4939}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{048ED0E0-12CF-4C0F-9FFA-947C2FBE8C8E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{071339A1-1946-44B2-B63E-50459B15DB86}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{08A60FF7-BB37-44F4-9759-0ADA6C7B9CC9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0B38CACA-3D3C-48EA-BEB5-7D95F4F6EE15}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0C3393F8-94F5-4B79-8C01-49A2D0CC0FE9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0D555CE0-304A-47A6-858B-B145209A3982}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{12545889-6D32-4424-9967-1E1D7BD1F809}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{14679E3B-C952-4998-8E13-4B1286E6DD99}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1481B385-759A-4B00-9257-E96357563999}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{162EF0A1-5A33-46F2-ACCF-CA388B084A09}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D625598-C876-4C51-8EF5-F9D8F96F62AA}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D6DFD6A-9E16-435A-9327-6FFEC6BA372F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E5724EA-3423-4BD3-ABD6-46E650D2DC66}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E8A29BA-827D-4031-A4A3-AE7999B402F6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1EA072EE-57FD-495E-889C-8243C3BDBDBC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1FD7F53F-7ED5-439C-9A77-A3821CD09E98}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{20E47D5B-529A-45BD-8E77-BF1A3064A008}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2709544A-5B24-4F9F-A5DA-CEC7297D3A4E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2BCA857B-A18B-4AFA-B183-CC0E49C12058}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C74F89E-7421-46B4-BA54-F86F1BD9F237}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C7D1157-7D50-4A88-9777-5EBBA3189AB8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3497C2EC-5684-4B21-AF74-F6760E0221DC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{38C8B14E-7879-4DA9-8C3F-8CAAC359293A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3FCEB42C-9B98-486A-BED7-FD7F3ADB7291}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{40770568-0D5E-49D4-BE47-BC47A4F0B0A4}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{44A52280-AE56-490D-890C-89FB7279ED6B}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{46C56738-39C6-4240-8B9B-008CCD769A84}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{47179DDE-10AC-4737-97C9-8CE5379343EA}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{475C7B4A-6964-4F9E-9708-05A16EAC31D0}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48270F9E-CCF6-4C79-B6FF-267C960E6425}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48FEFCD7-5D7C-4E4A-9F11-60E69A31D4B1}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{49998808-648A-4A9C-A7A5-B1672775D9AB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4A756F5F-CBA4-428B-B17F-AF80C0C8502D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4B40437B-8972-4444-BBE3-1588FF55F203}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4BD03680-3C0F-4501-AFF7-3D008586917F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{5544903C-2CCC-487C-91BB-F310B72A8E9B}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{59A224A2-BEF8-4C89-96E0-83A5411ABB6C}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{622F6193-E4DD-46E6-BC66-2ED88E9FD28D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6451051B-AD22-4C6A-ACCE-013A0E1DDBC3}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{64B99FDB-1D85-447F-98C7-569DBDA723DB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6BCE6F6E-C050-4F39-BD98-E2743949F724}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6F56D7C9-18DD-4C15-9FA8-C54E3610EC40}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{70DBCAE8-8C2B-450C-9E1D-43E4686C6512}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{713C0E8A-5AE8-4695-B442-5ED6C4FE5C42}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7293E009-3015-4AD3-96EC-D42C36B5FCE3}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{72EFC580-D085-4B81-8C55-26A79E445338}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{750AEC19-2E4C-4ED9-9B9F-F9CAFCD060F3}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{794199C5-827C-41C8-8CB2-3A1EA056AF5E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{798391FE-4AF2-4851-9DDA-1F0D70C02A9E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7C239DAB-BC87-45F3-B7B1-FCC1541A235B}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{834CE679-2E47-49DE-9E41-FEC87E9192EB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{849AFB5B-D6C9-4924-A712-F7118FF9611F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{85452F88-5071-492E-B850-2E3C586DCBD8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{87F5CF8F-A06D-498F-A05F-E520E6B570DB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{89F0FC31-3B1D-494B-A75B-6BD4FA527B8A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8AA16DFC-DFC6-4B51-8FA2-A5D812BE33BF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8ED07FEF-E1B0-4CC3-B2BA-D354828AB952}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{988F4102-E6E3-4282-ACAC-55270827F2A8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9906CDFC-DB2C-4126-9422-13139B148495}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9A21C6C5-27FC-4442-8590-575E7AFD73BB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9ECF83FB-23C5-43B6-83DE-93CFBDD74D4A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A58F47CC-FF65-4152-B0B1-666C643A5BFC}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A6A3D586-44CF-44C2-A92C-620BB713B4F2}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{ABBE3F83-D585-4A50-9B69-198B0F566F2E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{AC5CECFA-F03A-41D2-A89C-704C44935941}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B1560245-190E-4BBD-81DF-9B642D0E5325}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B2A579E0-A797-40B1-8AEE-A8F6404719F8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B47196BC-D4AB-41BB-A771-543D67CFC9F5}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B53CEF4B-1A13-49DE-BBC5-A7100FB2F38C}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B5EE2B68-9A23-4BCD-BB77-FEA6DFB24DD6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B80687F9-FA4C-4735-9DC4-E5715F2BC698}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BAE5802A-CF21-4F9C-AE04-D98F4036AC31}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BBF6A206-CB04-479D-96AE-349E1E83319A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BC71DEA1-D6FB-48B8-AB06-D151C81BBCDD}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF224DC3-B602-4EEE-BFE9-9E4E0AED6837}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF4CC07E-E9BB-40D6-873F-855B211033B9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C061C82C-D041-4214-BB07-B608107CEFCB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C2D4ACCC-A3D1-4A0A-AD59-0DD8BA3D5EE1}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8C18F89-794D-466B-8B97-95634D9890EF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8EC7647-1E79-4F13-81D7-2EED803D0D22}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CC23CA32-9892-4FBA-A108-FE31CA0F35A6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CD865713-70D6-4E15-BB7B-9B99AD9DEB85}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D56F5AB3-9C4D-4F1A-A851-A671D9FE8C22}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D66873EA-AAE5-41CC-8DD2-8CE3228E9F89}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D86B6C47-11F2-4D95-B635-EA575F0892FC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DB207560-8449-4FAF-BDC2-61676EB012D4}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DE74F5AD-DA2F-429F-BAF9-850A2808D585}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DF6525C2-6358-4B07-813D-708120C5FE1A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E177A457-9EAA-43C3-A3CE-84874A28F6CA}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E29F6C45-6927-4508-8F3F-34105FD3FC5F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E4222C78-3670-4BB1-9AD4-7D8F3E581F2D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E70DE962-842A-4488-9481-1D0FD72A020F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E9C07CEC-7B82-49E4-BBA2-7533B88E9D64}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EA34A0C0-5CE7-4701-A6FA-117D25CD5EBB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EF01D98A-747B-4522-AD70-991B90855DBF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F196F03F-651A-43AF-BE34-D11942F24445}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F2DB0EE3-7137-4CB0-8349-483C4FF2143A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F40E2FF0-4D77-40B2-9A44-A3AEECCE8EFF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F5522F0C-962A-48AC-9992-E81B07628F1F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F78DCF7C-043D-45FC-9D21-676FC307BA3F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F868EAEC-1B73-4F5E-BA73-90EBA94E75BE}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FA97F7A7-FD19-4D55-ABF2-CFEFFF777426}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FD51ED8A-D518-4554-B236-B6E9D234FD03}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE054BB2-AF94-40AC-88AA-2F59F7018B1D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE317223-8EDE-4684-B424-E48B9EA90220}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE718E8F-C3AA-4F30-9103-432450CF1DA1}\InprocServer32 -> axdb.dll => No File
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {38C94D97-C1D5-45E6-AF77-7322B0253019} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-28] (Google Inc.)
Task: {5241DA4D-45AB-4BBE-B51E-AF42AA34FEBE} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-12-07] (Adobe Systems Incorporated)
Task: {6E936DBC-8AD9-4F0D-8AFB-91BEE19EDA16} - System32\Tasks\{BC255D38-D441-41B8-86BE-334263BA10CD} => pcalua.exe -a C:\Users\Patryk\Desktop\GameRangerSetup.exe -d C:\Users\Patryk\Desktop
Task: {7747014E-34C0-4054-822D-53D2EC8A5D3F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-28] (Google Inc.)
Task: {8D4D8EDA-884B-4171-BBE9-D7669970F182} - System32\Tasks\{DDDA5F17-77D7-43EA-8157-4F25CD594832} => pcalua.exe -a C:\Users\Patryk\AppData\Local\Temp\Temp1_theguild2add_210_pl.zip\theguild2add_210_pl.exe <==== ATTENTION
Task: {9EBB0F22-919A-4159-BD24-F43BD07917B3} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe [2016-12-07] (Adobe Systems Incorporated)
Task: {BC9D7C9D-901B-49A5-BD53-33CD1DB821F6} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-12-08] (Piriform Ltd)
Task: {D1926604-9ADE-4FC2-809E-7AEB42FE2659} - System32\Tasks\DriverToolkit Autorun => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: {E3F17B12-666F-4D48-8704-3DF1CE9CFDA1} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-11-25] (AVAST Software)
Task: {F9A01EA7-A55F-45D5-A762-B39169A40C7D} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-10-21] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DriverToolkit Autorun.job => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-11-29 18:56 - 2016-05-30 18:36 - 00133568 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-08-26 10:08 - 2016-08-26 10:08 - 00192200 _____ () C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 03:34 - 2016-01-15 14:11 - 00000962 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 www.driver-soft.com
127.0.0.1 www.driver-soft.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupreg: ADSKAppManager => "C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgr.exe" -showminimized -checkautorun
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: DAEMON Tools Lite Automount => "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun
MSCONFIG\startupreg: Dropbox => "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
MSCONFIG\startupreg: NvBackend => "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
MSCONFIG\startupreg: ShadowPlay => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{393A0FC0-EDC9-4FCA-BFEC-E8570D1D62F1}] => C:\Users\Patryk\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2EF212A3-D41A-49FF-BC2E-0CC02AB0B1A2}] => C:\Users\Patryk\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{1638DE90-0E0A-4A13-96E4-9AF2E1BB6C0E}C:\program files (x86)\ubisoft\heroes of might and magic iii - zlota edycja\heroes3.exe] => C:\program files (x86)\ubisoft\heroes of might and magic iii - zlota edycja\heroes3.exe
FirewallRules: [UDP Query User{FC26935D-E617-4E8B-951B-DA1DF3DB2F71}C:\program files (x86)\ubisoft\heroes of might and magic iii - zlota edycja\heroes3.exe] => C:\program files (x86)\ubisoft\heroes of might and magic iii - zlota edycja\heroes3.exe
FirewallRules: [{C3B707E7-8B1E-4303-B777-AE99128A9F70}] => C:\program files (x86)\ubisoft\heroes of might and magic iii - zlota edycja\heroes3.exe
FirewallRules: [{DA019F56-4ED4-4979-AABD-904AEC29724C}] => C:\program files (x86)\ubisoft\heroes of might and magic iii - zlota edycja\heroes3.exe
FirewallRules: [TCP Query User{51C48168-7FC8-4BA4-99B7-1F350403F317}C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe] => C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe
FirewallRules: [UDP Query User{0313D5F4-258A-49F0-B4DA-F3347EB3E116}C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe] => C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe
FirewallRules: [TCP Query User{01DE3538-3095-407D-894B-86BB7D3ED67A}C:\windows\syswow64\dplaysvr.exe] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [UDP Query User{B3CF4500-374F-4562-B615-5D45DC424D90}C:\windows\syswow64\dplaysvr.exe] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [TCP Query User{720B42B6-CFD6-44C5-B12A-C542C99D60DD}C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe] => C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe
FirewallRules: [UDP Query User{FD8DC02A-03C6-4F6C-96B2-F4B0D7DCE815}C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe] => C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe
FirewallRules: [TCP Query User{5B23B6DF-96C3-42A2-BB09-C6D05B734675}D:\xbox 360\starcraft no install\starcraft.exe] => D:\xbox 360\starcraft no install\starcraft.exe
FirewallRules: [UDP Query User{FB04D8D8-CB53-414F-BAF3-24B12EB3C0FF}D:\xbox 360\starcraft no install\starcraft.exe] => D:\xbox 360\starcraft no install\starcraft.exe
FirewallRules: [TCP Query User{30D2F699-03CB-4D38-803A-6826E4C839E1}C:\users\patryk\appdata\local\akamai\netsession_win.exe] => C:\users\patryk\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{02FF1337-3B7C-42EB-A2DD-CC479F6625D1}C:\users\patryk\appdata\local\akamai\netsession_win.exe] => C:\users\patryk\appdata\local\akamai\netsession_win.exe
FirewallRules: [TCP Query User{0D34856B-6761-42E1-8C6F-B3B2D335D772}C:\users\patryk\appdata\local\akamai\netsession_win.exe] => C:\users\patryk\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{0E46801B-6329-4D55-A7AB-FF298DCFB5CE}C:\users\patryk\appdata\local\akamai\netsession_win.exe] => C:\users\patryk\appdata\local\akamai\netsession_win.exe
FirewallRules: [TCP Query User{6CD76F2E-D1D2-4BF9-94BF-45A6C304F7D1}D:\starcraft ii\sc2-x.x.x.x-1.5.0.22342-enus-downloader.exe] => D:\starcraft ii\sc2-x.x.x.x-1.5.0.22342-enus-downloader.exe
FirewallRules: [UDP Query User{BBEF43F4-0A68-4002-A7B4-3D3BFC93ED08}D:\starcraft ii\sc2-x.x.x.x-1.5.0.22342-enus-downloader.exe] => D:\starcraft ii\sc2-x.x.x.x-1.5.0.22342-enus-downloader.exe
FirewallRules: [{5222FAF5-EF0E-4F0C-970B-099C743040E2}] => C:\Program Files (x86)\NapiProjekt\napisy.exe
FirewallRules: [{E45359B7-3FB0-41CA-B0D2-8969233BD3A1}] => C:\Program Files (x86)\NapiProjekt\napisy.exe
FirewallRules: [{52CAB3AD-C0CD-48A4-874B-3BDDDCF3628E}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{5D93E0EF-D02D-4C6A-9FFF-D8D64D48ECE1}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{06F2BB3C-8BF8-4395-B497-8CCB44EE5FA1}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{73CF9443-2BB9-455E-A9FD-2274AB9F8C8D}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{6D6AE697-62E8-494F-ACDE-014296D827A0}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{810048CC-A363-4EBB-A3CE-F84F61201E68}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{FE62A381-0237-4979-A60B-16B9B68E379F}C:\program files (x86)\alien nations 2 pl\bin\game.exe] => C:\program files (x86)\alien nations 2 pl\bin\game.exe
FirewallRules: [UDP Query User{3C81E05C-8826-49B2-9A6D-EDA4621391CC}C:\program files (x86)\alien nations 2 pl\bin\game.exe] => C:\program files (x86)\alien nations 2 pl\bin\game.exe
FirewallRules: [{FA12A029-E12A-472E-9A0B-72B1ABC22D1C}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [TCP Query User{4C1FB7CA-BCAB-433F-A6B7-B2490DF67128}D:\xbox 360\warcraft iii roc + tft v1.26 complete -iceblitz\warcraft iii 1.26 -iceblitz\war3.exe] => D:\xbox 360\warcraft iii roc + tft v1.26 complete -iceblitz\warcraft iii 1.26 -iceblitz\war3.exe
FirewallRules: [UDP Query User{6E33786F-8F0E-40CC-938A-8145AB5C87BE}D:\xbox 360\warcraft iii roc + tft v1.26 complete -iceblitz\warcraft iii 1.26 -iceblitz\war3.exe] => D:\xbox 360\warcraft iii roc + tft v1.26 complete -iceblitz\warcraft iii 1.26 -iceblitz\war3.exe
FirewallRules: [TCP Query User{15B4F4F4-C5F0-4DCC-9886-0220E6283A0F}D:\star wars battlefront ii\gamedata\battlefrontii.exe] => D:\star wars battlefront ii\gamedata\battlefrontii.exe
FirewallRules: [UDP Query User{771BB475-8B9A-45E6-9ABA-6DD873A91B14}D:\star wars battlefront ii\gamedata\battlefrontii.exe] => D:\star wars battlefront ii\gamedata\battlefrontii.exe
FirewallRules: [TCP Query User{449D6474-897F-4910-99A4-B4E4D0478900}D:\cod 4\call of duty modern warfare\iw3mp.exe] => D:\cod 4\call of duty modern warfare\iw3mp.exe
FirewallRules: [UDP Query User{6B412FDE-8D9A-442E-BE9F-165183F6492D}D:\cod 4\call of duty modern warfare\iw3mp.exe] => D:\cod 4\call of duty modern warfare\iw3mp.exe
FirewallRules: [TCP Query User{84AB5431-A3A6-459E-80E0-038B345CACA5}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe] => C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
FirewallRules: [UDP Query User{E7D7520A-08C1-49B8-BBB6-CF487A03A37E}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe] => C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
FirewallRules: [TCP Query User{2B5E5FE5-2C71-44D1-9F41-7042A2D1F867}C:\team17\worms armageddon\wa.exe] => C:\team17\worms armageddon\wa.exe
FirewallRules: [UDP Query User{A9A2A528-9126-4CC5-896D-A265F21B91EF}C:\team17\worms armageddon\wa.exe] => C:\team17\worms armageddon\wa.exe
FirewallRules: [TCP Query User{6DBCAEAD-C257-4823-9FD3-5F5DD3D0C094}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe] => C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
FirewallRules: [UDP Query User{443E21D1-F991-4C1A-8215-60647FAC4B56}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe] => C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
FirewallRules: [TCP Query User{627A7081-F1FE-4CF0-BD0C-A2FE9E2FCCAA}D:\the guild 2\guildii.exe] => D:\the guild 2\guildii.exe
FirewallRules: [UDP Query User{9A41B3B6-F682-4FA7-BA47-5AD26C7569AC}D:\the guild 2\guildii.exe] => D:\the guild 2\guildii.exe
FirewallRules: [TCP Query User{546FC917-55BE-464F-94D2-93269E7A768B}D:\gothic ii nk\_work\tools\zspy\zspy.exe] => D:\gothic ii nk\_work\tools\zspy\zspy.exe
FirewallRules: [UDP Query User{5E67CF88-A89B-4E74-B3CC-4FAAF4A894EB}D:\gothic ii nk\_work\tools\zspy\zspy.exe] => D:\gothic ii nk\_work\tools\zspy\zspy.exe
FirewallRules: [{89D76B5A-BA88-4DB9-A304-47FB58605597}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{995F7538-3D8D-4741-9E1D-759EB3FF27BF}C:\program files (x86)\mouse server\mouseserver.exe] => C:\program files (x86)\mouse server\mouseserver.exe
FirewallRules: [UDP Query User{97EE4183-3B99-4542-A616-B693545385BB}C:\program files (x86)\mouse server\mouseserver.exe] => C:\program files (x86)\mouse server\mouseserver.exe
FirewallRules: [TCP Query User{F51427CD-BE1E-400B-9C11-73111187418D}C:\program files (x86)\mouse server\mouseserver.exe] => C:\program files (x86)\mouse server\mouseserver.exe
FirewallRules: [UDP Query User{5B564C88-96EF-47AA-8FC3-2866E8CD2BA8}C:\program files (x86)\mouse server\mouseserver.exe] => C:\program files (x86)\mouse server\mouseserver.exe
 
==================== Restore Points =========================
 
08-12-2016 04:10:05 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/10/2016 01:12:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/10/2016 01:11:49 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) Nie można odnaleźć określonego pliku. 
(Can't find specific file)
 
Error: (12/10/2016 01:04:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/10/2016 01:02:36 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) Nie można odnaleźć określonego pliku. 
(Can't find specific file)
 
Error: (12/09/2016 11:05:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/09/2016 11:04:37 AM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) Nie można odnaleźć określonego pliku.
(Can't find specific file)
 
Error: (12/08/2016 10:36:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/08/2016 10:35:28 AM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) Nie można odnaleźć określonego pliku.
(Can't find specific file)
 
Error: (12/07/2016 12:45:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nazwa aplikacji powodującej błąd: explorer.exe, wersja: 6.1.7601.23537, sygnatura czasowa: 0x57c44cc4
(Name of application making error: / version: / timestamp:)
Nazwa modułu powodującego błąd: unknown, wersja: 0.0.0.0, sygnatura czasowa: 0x00000000
(Name of module making error: / version: / timestamp:)
Kod wyjątku: 0xc0000005
(Exception code:)
Przesunięcie błędu: 0x0010f766
(Error shift:)
Identyfikator procesu powodującego błąd: 0x1248
(ID of process making error:)
Godzina uruchomienia aplikacji powodującej błąd: 0x01d2507f5d688b6f
(Time of start-up application making error:)
Ścieżka aplikacji powodującej błąd: C:\Windows\SysWOW64\explorer.exe
(Path of application making error:)
Ścieżka modułu powodującego błąd: unknown
(Path of module making error:)
Identyfikator raportu: a689f7eb-bc72-11e6-afd2-001a6badcf7d
(Report ID:)
 
Error: (12/07/2016 12:21:37 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
 
System errors:
=============
Error: (12/10/2016 01:11:49 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Nie można uruchomić usługi atksgt z powodu następującego błędu: 
Nastąpiło zablokowanie ładowania sterownika
(Can't run service atksgt because of this error: Driver loading has been blocked)
 
Error: (12/10/2016 01:11:49 PM) (Source: Application Popup) (EventID: 875) (User: )
Description: Sterownik atksgt.sys został zablokowany dla ładowania.
(Driver atksgt.sys was blocked for loading)
 
Error: (12/10/2016 01:02:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Nie można uruchomić usługi atksgt z powodu następującego błędu: 
Nastąpiło zablokowanie ładowania sterownika
(Can't run service atksgt because of this error: Driver loading has been blocked)
 
Error: (12/10/2016 01:02:36 PM) (Source: Application Popup) (EventID: 875) (User: )
Description: Sterownik atksgt.sys został zablokowany dla ładowania.
(Driver atksgt.sys was blocked for loading)
 
Error: (12/09/2016 11:04:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Nie można uruchomić usługi atksgt z powodu następującego błędu: 
Nastąpiło zablokowanie ładowania sterownika
(Driver loading has been blocked)
 
Error: (12/09/2016 11:04:37 AM) (Source: Application Popup) (EventID: 875) (User: )
Description: Sterownik atksgt.sys został zablokowany dla ładowania.
(Driver atksgt.sys has been blocked for loading)
 
Error: (12/08/2016 10:35:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Nie można uruchomić usługi atksgt z powodu następującego błędu: 
Nastąpiło zablokowanie ładowania sterownika
(Can't run service atksgt, because of this error: Loading of the driver has been blocked)
 
Error: (12/08/2016 10:35:27 AM) (Source: Application Popup) (EventID: 875) (User: )
Description: Sterownik atksgt.sys został zablokowany dla ładowania.
(Driver atksgt.sys was blocked for loading)
 
Error: (12/08/2016 01:11:50 AM) (Source: volsnap) (EventID: 36) (User: )
Description: Wykonywanie kopii w tle woluminu C: zostało przerwane, ponieważ nie można powiększyć magazynu kopii w tle z powodu limitu wprowadzonego przez użytkownika.
(Making a copy in background of volume C was stopped, because it can't enlarge storage of copy in background, because of limit put by user)
 
Error: (12/07/2016 12:24:52 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: Serwer {752073A1-23F2-4396-85F0-8FDB879ED0ED} nie zarejestrował się w modelu DCOM w wymaganym czasie.
(Didn't register in model DCOM in expected time).
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU T7300 @ 2.00GHz
Percentage of memory in use: 32%
Total physical RAM: 4094.43 MB
Available physical RAM: 2755.02 MB
Total Virtual: 8187.04 MB
Available Virtual: 6807.66 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:186.21 GB) (Free:111.1 GB) NTFS
Drive d: (DATA) (Fixed) (Total:186.31 GB) (Free:94.21 GB) NTFS
Drive e: (SAGA_GOTHIC) (CDROM) (Total:3.76 GB) (Free:0 GB) CDFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 186.3 GB) (Disk ID: 28784FD5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=186.2 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 186.3 GB) (Disk ID: C336658F)
Partition 1: (Not Active) - (Size=186.3 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Edited by PatryKing, 10 December 2016 - 08:01 AM.
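The Addition.txt log above and the fix script Phil posts further down both show the two artefacts this thread turns on: an autorun that starts PowerShell hidden, with the execution policy bypassed and an inline Invoke-Expression (the fileless Poweliks shape), and an executable (syshost.exe) sitting in a GUID-named folder under AppData with its own firewall exceptions. The triage helper below is an added example written for this thread; it is not code from FRST, from BleepingComputer or from anyone posting here. It reads FRST-style lines and flags those two patterns. The rule names, severity labels, regexes and the `Finding` class are my own assumptions; the sample lines are constructed from values already quoted in the thread, plus one benign Chrome rule as a control.

```python
"""Triage helper for FRST-style log lines (Addition.txt / FRST.txt / fixlist).

Added example, not FRST's own code. It flags an autorun that launches a
hidden PowerShell stager and executables kept in a GUID-named AppData
folder. Rule names, severities and regexes are assumptions for this demo.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from values quoted in this thread's
# Addition.txt and fix script, plus a benign Chrome firewall rule.
SAMPLE_LOG = r"""
HKLM\...\Run: [hshhsaaaws] => [X]
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Run: [{ED63C89B-B475-4607-9A8D-008CDD26D45F}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex
FirewallRules: [{89D76B5A-BA88-4DB9-A304-47FB58605597}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{84AB5431-A3A6-459E-80E0-038B345CACA5}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe] => C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
FirewallRules: [TCP Query User{720B42B6-CFD6-44C5-B12A-C542C99D60DD}C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe] => C:\users\patryk\appdata\roaming\gameranger\gameranger\gameranger.exe
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# ...\AppData\Local\{guid}\ or ...\AppData\Roaming\{guid}\ : user-writable and
# easy to overlook, which is why loaders like it and installers do not use it.
APPDATA_GUID_DIR = re.compile(r"\\appdata\\(?:local|roaming)\\" + GUID + r"\\", re.I)
AUTORUN_LINE = re.compile(
    r"^(?P<hive>HK(?:LM|U)\\.*?\\Run): \[(?P<name>[^\]]*)\] => (?P<value>.*)$", re.I)
FIREWALL_LINE = re.compile(r"^FirewallRules: \[(?P<rule>[^\]]*)\] => (?P<path>.*)$", re.I)

# Each switch is legitimate on its own; two or more together in an autorun
# is the usual shape of a hidden PowerShell stager.
PS_INDICATORS = (
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
    ("no profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("inline Invoke-Expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("encoded command", re.compile(r"-enc(?:odedcommand)?\b", re.I)),
)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def powershell_indicators(command: str) -> list:
    """Names of the suspicious switches present, or [] if this is not PowerShell."""
    if not re.search(r"\bpowershell(?:\.exe)?\b", command, re.I):
        return []
    return [name for name, rx in PS_INDICATORS if rx.search(command)]


def triage(log_text: str) -> list:
    """Scan FRST-style lines and return findings, most severe first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_LINE.match(line)
        if m:
            value = m.group("value")
            hits = powershell_indicators(value)
            if len(hits) >= 2:
                findings.append(Finding("high", "autorun starts PowerShell with " + ", ".join(hits), line))
            elif value == "[X]":
                # FRST writes [X] where the referenced file is not present.
                findings.append(Finding("low", "autorun whose target file is missing", line))
            if APPDATA_GUID_DIR.search(value):
                findings.append(Finding("high", "autorun target lives in a GUID-named AppData folder", line))
            continue
        m = FIREWALL_LINE.match(line)
        if m and APPDATA_GUID_DIR.search(m.group("path")):
            findings.append(Finding("medium",
                                    "firewall exception for an executable in a GUID-named AppData folder", line))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run on the sample it reports the PowerShell autorun as high, the syshost.exe firewall exception as medium and the orphaned `hshhsaaaws` entry as low, and stays silent on Chrome and GameRanger. The point of scoring switch combinations rather than the bare word "powershell" is that a single `-noprofile` or `-windowstyle hidden` turns up in plenty of legitimate scheduled tasks; the stacked combination with `iex` is what makes the entry worth a look.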


#4 garioch7

Posted 10 December 2016 - 11:57 AM

Patryk:

Thank you for your logs and permission to address you by your first name.  Please give me some time to examine your FRST logs.  I will post back today or tomorrow, when my analysis is completed.

Thank you and have a great day.

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#5 garioch7

Posted 10 December 2016 - 01:56 PM

Patryk:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

:step1: In going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

:step2: Please upload the following files to VirusTotal. Press the "Scan it!" button. Please copy and paste the URL link into your next post for each individual scan result, so that I can review the results.

  • C:\Windows\System32\DRIVERS\atksgt.sys
  • C:\Windows\system32\perfh015.dat
  • C:\Windows\system32\perfc015.dat
  • C:\Users\Patryk\AppData\Roaming\MouseServer.ini
  • C:\Users\Patryk\AppData\Local\Temp\_is9F63.exe
  • C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
  • D:\gothic ii nk\_work\tools\zspy\zspy.exe

.

:step3: In going over your logs, I noted nine separate Avast entries. The Addition.txt log does not show AVAST as an installed program; or, as your anti-virus solution. In my fixlist.txt file, I am therefore "cleaning up" by removing the AVAST entries. If you want to keep the AVAST entries, then please delete the AVAST lines from the fixlist.txt file below, under the FRST step :step5:.

.

:step4: I see that you have these programs installed on your computer.

  • Akamai NetSession Interface (HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Akamai) (Version: - Akamai Technologies, Inc)
  • SlimDrivers (HKLM-x32\...\{746AB259-6474-4111-8966-1C62F9A6E063}) (Version: 2.3.1 - SlimWare Utilities, Inc.)

You can find more information about the first program at this link. Personally, if this was my computer, I would go to the Control Panel, Add/Remove Programs, and uninstall it. Your call though, because it is YOUR computer.

Likewise, for Slimdrivers. See this link for more information. If you need to update computer drivers, your first stop should be the website of your computer manufacturer. Most times, drivers do not need updating. As it has been wisely stated: "If it is not broken, do not fix it!"

.

:step5: Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

CreateRestorePoint:
CloseProcesses:

HKLM\...\Run: [hshhsaaaws] => [X]
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Run: [{ED63C89B-B475-4607-9A8D-008CDD26D45F}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex 
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BootExecute: autocheck autochk * aswBoot.exe /M:b0d1878ca /wow /dir:"C:\Program Files\AVAST Software\Avast"
U0 aswVmm; no ImagePath
File: C:\Windows\System32\DRIVERS\atksgt.sys
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 dcdbas; system32\DRIVERS\dcdbas64.sys [X]
File: C:\Windows\system32\perfh015.dat
File: C:\Windows\system32\perfc015.dat
File: C:\Users\Patryk\AppData\Roaming\MouseServer.ini
File: C:\Users\Patryk\AppData\Local\Temp\_is9F63.exe
2016-11-25 21:59 - 2016-11-25 21:59 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-11-25 21:55 - 2016-11-25 23:57 - 00000000 ____D C:\ProgramData\AVAST Software
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0215A4C0-5431-4FD0-9B06-46589B5C4939}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{048ED0E0-12CF-4C0F-9FFA-947C2FBE8C8E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{071339A1-1946-44B2-B63E-50459B15DB86}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{08A60FF7-BB37-44F4-9759-0ADA6C7B9CC9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0B38CACA-3D3C-48EA-BEB5-7D95F4F6EE15}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0C3393F8-94F5-4B79-8C01-49A2D0CC0FE9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0D555CE0-304A-47A6-858B-B145209A3982}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{12545889-6D32-4424-9967-1E1D7BD1F809}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{14679E3B-C952-4998-8E13-4B1286E6DD99}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1481B385-759A-4B00-9257-E96357563999}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{162EF0A1-5A33-46F2-ACCF-CA388B084A09}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D625598-C876-4C51-8EF5-F9D8F96F62AA}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D6DFD6A-9E16-435A-9327-6FFEC6BA372F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E5724EA-3423-4BD3-ABD6-46E650D2DC66}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E8A29BA-827D-4031-A4A3-AE7999B402F6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1EA072EE-57FD-495E-889C-8243C3BDBDBC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1FD7F53F-7ED5-439C-9A77-A3821CD09E98}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{20E47D5B-529A-45BD-8E77-BF1A3064A008}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2709544A-5B24-4F9F-A5DA-CEC7297D3A4E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2BCA857B-A18B-4AFA-B183-CC0E49C12058}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C74F89E-7421-46B4-BA54-F86F1BD9F237}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C7D1157-7D50-4A88-9777-5EBBA3189AB8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3497C2EC-5684-4B21-AF74-F6760E0221DC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{38C8B14E-7879-4DA9-8C3F-8CAAC359293A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3FCEB42C-9B98-486A-BED7-FD7F3ADB7291}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{40770568-0D5E-49D4-BE47-BC47A4F0B0A4}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{44A52280-AE56-490D-890C-89FB7279ED6B}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{46C56738-39C6-4240-8B9B-008CCD769A84}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{47179DDE-10AC-4737-97C9-8CE5379343EA}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{475C7B4A-6964-4F9E-9708-05A16EAC31D0}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48270F9E-CCF6-4C79-B6FF-267C960E6425}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48FEFCD7-5D7C-4E4A-9F11-60E69A31D4B1}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{49998808-648A-4A9C-A7A5-B1672775D9AB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4A756F5F-CBA4-428B-B17F-AF80C0C8502D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4B40437B-8972-4444-BBE3-1588FF55F203}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4BD03680-3C0F-4501-AFF7-3D008586917F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{5544903C-2CCC-487C-91BB-F310B72A8E9B}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{59A224A2-BEF8-4C89-96E0-83A5411ABB6C}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{622F6193-E4DD-46E6-BC66-2ED88E9FD28D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6451051B-AD22-4C6A-ACCE-013A0E1DDBC3}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{64B99FDB-1D85-447F-98C7-569DBDA723DB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6BCE6F6E-C050-4F39-BD98-E2743949F724}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6F56D7C9-18DD-4C15-9FA8-C54E3610EC40}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{70DBCAE8-8C2B-450C-9E1D-43E4686C6512}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{713C0E8A-5AE8-4695-B442-5ED6C4FE5C42}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7293E009-3015-4AD3-96EC-D42C36B5FCE3}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{72EFC580-D085-4B81-8C55-26A79E445338}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{750AEC19-2E4C-4ED9-9B9F-F9CAFCD060F3}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{794199C5-827C-41C8-8CB2-3A1EA056AF5E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{798391FE-4AF2-4851-9DDA-1F0D70C02A9E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7C239DAB-BC87-45F3-B7B1-FCC1541A235B}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{834CE679-2E47-49DE-9E41-FEC87E9192EB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{849AFB5B-D6C9-4924-A712-F7118FF9611F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{85452F88-5071-492E-B850-2E3C586DCBD8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{87F5CF8F-A06D-498F-A05F-E520E6B570DB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{89F0FC31-3B1D-494B-A75B-6BD4FA527B8A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8AA16DFC-DFC6-4B51-8FA2-A5D812BE33BF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8ED07FEF-E1B0-4CC3-B2BA-D354828AB952}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{988F4102-E6E3-4282-ACAC-55270827F2A8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9906CDFC-DB2C-4126-9422-13139B148495}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9A21C6C5-27FC-4442-8590-575E7AFD73BB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9ECF83FB-23C5-43B6-83DE-93CFBDD74D4A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A58F47CC-FF65-4152-B0B1-666C643A5BFC}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A6A3D586-44CF-44C2-A92C-620BB713B4F2}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{ABBE3F83-D585-4A50-9B69-198B0F566F2E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{AC5CECFA-F03A-41D2-A89C-704C44935941}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B1560245-190E-4BBD-81DF-9B642D0E5325}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B2A579E0-A797-40B1-8AEE-A8F6404719F8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B47196BC-D4AB-41BB-A771-543D67CFC9F5}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B53CEF4B-1A13-49DE-BBC5-A7100FB2F38C}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B5EE2B68-9A23-4BCD-BB77-FEA6DFB24DD6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B80687F9-FA4C-4735-9DC4-E5715F2BC698}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BAE5802A-CF21-4F9C-AE04-D98F4036AC31}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BBF6A206-CB04-479D-96AE-349E1E83319A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BC71DEA1-D6FB-48B8-AB06-D151C81BBCDD}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF224DC3-B602-4EEE-BFE9-9E4E0AED6837}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF4CC07E-E9BB-40D6-873F-855B211033B9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C061C82C-D041-4214-BB07-B608107CEFCB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C2D4ACCC-A3D1-4A0A-AD59-0DD8BA3D5EE1}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8C18F89-794D-466B-8B97-95634D9890EF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8EC7647-1E79-4F13-81D7-2EED803D0D22}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CC23CA32-9892-4FBA-A108-FE31CA0F35A6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CD865713-70D6-4E15-BB7B-9B99AD9DEB85}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D56F5AB3-9C4D-4F1A-A851-A671D9FE8C22}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D66873EA-AAE5-41CC-8DD2-8CE3228E9F89}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D86B6C47-11F2-4D95-B635-EA575F0892FC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DB207560-8449-4FAF-BDC2-61676EB012D4}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DE74F5AD-DA2F-429F-BAF9-850A2808D585}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DF6525C2-6358-4B07-813D-708120C5FE1A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E177A457-9EAA-43C3-A3CE-84874A28F6CA}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E29F6C45-6927-4508-8F3F-34105FD3FC5F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E4222C78-3670-4BB1-9AD4-7D8F3E581F2D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E70DE962-842A-4488-9481-1D0FD72A020F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E9C07CEC-7B82-49E4-BBA2-7533B88E9D64}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EA34A0C0-5CE7-4701-A6FA-117D25CD5EBB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EF01D98A-747B-4522-AD70-991B90855DBF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F196F03F-651A-43AF-BE34-D11942F24445}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F2DB0EE3-7137-4CB0-8349-483C4FF2143A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F40E2FF0-4D77-40B2-9A44-A3AEECCE8EFF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F5522F0C-962A-48AC-9992-E81B07628F1F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F78DCF7C-043D-45FC-9D21-676FC307BA3F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F868EAEC-1B73-4F5E-BA73-90EBA94E75BE}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FA97F7A7-FD19-4D55-ABF2-CFEFFF777426}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FD51ED8A-D518-4554-B236-B6E9D234FD03}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE054BB2-AF94-40AC-88AA-2F59F7018B1D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE317223-8EDE-4684-B424-E48B9EA90220}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE718E8F-C3AA-4F30-9103-432450CF1DA1}\InprocServer32 -> axdb.dll => No File
C:\Users\Patryk\AppData\Local\Temp\Temp1_theguild2add_210_pl.zip\theguild2add_210_pl.exe <==== ATTENTION
Task: {D1926604-9ADE-4FC2-809E-7AEB42FE2659} - System32\Tasks\DriverToolkit Autorun => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
C:\Program Files (x86)\DriverToolkit
Task: {E3F17B12-666F-4D48-8704-3DF1CE9CFDA1} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-11-25] (AVAST Software)
C:\Program Files\Common Files\AV\avast! Antivirus
File: C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
File: D:\gothic ii nk\_work\tools\zspy\zspy.exe

Right click FRST64.exe, and select "Run as Administrator".
Then press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.


Please reboot your computer, Patryk, and let me know how it is running after you have followed these instructions.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#6 PatryKing (Topic Starter)

Posted 11 December 2016 - 07:31 AM

Phil,

First I would like to thank you again for the time and work put into fixing my computer. I deleted the SlimDrivers program before I found the bleepingcomputer forum (I don't know if that changes anything, so I'm just writing it down). I have done step by step everything you wrote, and here are the results:

VirusTotal URL links:

1. https://www.virustotal.com/en/file/34332e0ddca5229da8a0661f74d7fd2f6757cdd37081fe13b3358a7ab59f0ae0/analysis/1481456052/

2. https://www.virustotal.com/en/file/4c7b7b8c37686489323e223a5262006cde2bef270faaf9cede1f58d1a3c41342/analysis/1481456188/

3. https://www.virustotal.com/en/file/618daa0cd1097f949326289966468592660e46a60868484c2279f599efda5426/analysis/1481456265/

4. https://www.virustotal.com/en/file/51f6ea77c7e40564540f1d1072c12425657728ed54443b9c02e2f0326979b2dc/analysis/1481456344/

5. https://www.virustotal.com/en/file/36dfc2084c1cc8da4b1f1836c8ca91cd871292344e27d74d2f3ed025abd457db/analysis/1481456428/

6. The folder was empty (I checked whether the file was hidden and still didn't find it).

7. https://www.virustotal.com/en/file/b7c463bc0a2f5e28eec9e68d241e9f6c5ce924b24639a3c413754fbb644160f5/analysis/1481456948/

And here is the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Patryk (11-12-2016 12:53:22) Run:1
Running from C:\Users\Patryk\Desktop\FRST
Loaded Profiles: Patryk (Available Profiles: Patryk)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
 
HKLM\...\Run: [hshhsaaaws] => [X]
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\...\Run: [{ED63C89B-B475-4607-9A8D-008CDD26D45F}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex 
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BootExecute: autocheck autochk * aswBoot.exe /M:b0d1878ca /wow /dir:"C:\Program Files\AVAST Software\Avast"
U0 aswVmm; no ImagePath
File: C:\Windows\System32\DRIVERS\atksgt.sys
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 dcdbas; system32\DRIVERS\dcdbas64.sys [X]
File: C:\Windows\system32\perfh015.dat
File: C:\Windows\system32\perfc015.dat
File: C:\Users\Patryk\AppData\Roaming\MouseServer.ini
File: C:\Users\Patryk\AppData\Local\Temp\_is9F63.exe
2016-11-25 21:59 - 2016-11-25 21:59 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-11-25 21:55 - 2016-11-25 23:57 - 00000000 ____D C:\ProgramData\AVAST Software
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0215A4C0-5431-4FD0-9B06-46589B5C4939}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{048ED0E0-12CF-4C0F-9FFA-947C2FBE8C8E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{071339A1-1946-44B2-B63E-50459B15DB86}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{08A60FF7-BB37-44F4-9759-0ADA6C7B9CC9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0B38CACA-3D3C-48EA-BEB5-7D95F4F6EE15}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0C3393F8-94F5-4B79-8C01-49A2D0CC0FE9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0D555CE0-304A-47A6-858B-B145209A3982}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{12545889-6D32-4424-9967-1E1D7BD1F809}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{14679E3B-C952-4998-8E13-4B1286E6DD99}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1481B385-759A-4B00-9257-E96357563999}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{162EF0A1-5A33-46F2-ACCF-CA388B084A09}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D625598-C876-4C51-8EF5-F9D8F96F62AA}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D6DFD6A-9E16-435A-9327-6FFEC6BA372F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E5724EA-3423-4BD3-ABD6-46E650D2DC66}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E8A29BA-827D-4031-A4A3-AE7999B402F6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1EA072EE-57FD-495E-889C-8243C3BDBDBC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1FD7F53F-7ED5-439C-9A77-A3821CD09E98}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{20E47D5B-529A-45BD-8E77-BF1A3064A008}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2709544A-5B24-4F9F-A5DA-CEC7297D3A4E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2BCA857B-A18B-4AFA-B183-CC0E49C12058}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C74F89E-7421-46B4-BA54-F86F1BD9F237}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C7D1157-7D50-4A88-9777-5EBBA3189AB8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3497C2EC-5684-4B21-AF74-F6760E0221DC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{38C8B14E-7879-4DA9-8C3F-8CAAC359293A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3FCEB42C-9B98-486A-BED7-FD7F3ADB7291}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{40770568-0D5E-49D4-BE47-BC47A4F0B0A4}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{44A52280-AE56-490D-890C-89FB7279ED6B}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{46C56738-39C6-4240-8B9B-008CCD769A84}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{47179DDE-10AC-4737-97C9-8CE5379343EA}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{475C7B4A-6964-4F9E-9708-05A16EAC31D0}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48270F9E-CCF6-4C79-B6FF-267C960E6425}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48FEFCD7-5D7C-4E4A-9F11-60E69A31D4B1}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{49998808-648A-4A9C-A7A5-B1672775D9AB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4A756F5F-CBA4-428B-B17F-AF80C0C8502D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4B40437B-8972-4444-BBE3-1588FF55F203}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4BD03680-3C0F-4501-AFF7-3D008586917F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{5544903C-2CCC-487C-91BB-F310B72A8E9B}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{59A224A2-BEF8-4C89-96E0-83A5411ABB6C}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{622F6193-E4DD-46E6-BC66-2ED88E9FD28D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6451051B-AD22-4C6A-ACCE-013A0E1DDBC3}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{64B99FDB-1D85-447F-98C7-569DBDA723DB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6BCE6F6E-C050-4F39-BD98-E2743949F724}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6F56D7C9-18DD-4C15-9FA8-C54E3610EC40}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{70DBCAE8-8C2B-450C-9E1D-43E4686C6512}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{713C0E8A-5AE8-4695-B442-5ED6C4FE5C42}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7293E009-3015-4AD3-96EC-D42C36B5FCE3}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{72EFC580-D085-4B81-8C55-26A79E445338}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{750AEC19-2E4C-4ED9-9B9F-F9CAFCD060F3}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{794199C5-827C-41C8-8CB2-3A1EA056AF5E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{798391FE-4AF2-4851-9DDA-1F0D70C02A9E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7C239DAB-BC87-45F3-B7B1-FCC1541A235B}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{834CE679-2E47-49DE-9E41-FEC87E9192EB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{849AFB5B-D6C9-4924-A712-F7118FF9611F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{85452F88-5071-492E-B850-2E3C586DCBD8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{87F5CF8F-A06D-498F-A05F-E520E6B570DB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{89F0FC31-3B1D-494B-A75B-6BD4FA527B8A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8AA16DFC-DFC6-4B51-8FA2-A5D812BE33BF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8ED07FEF-E1B0-4CC3-B2BA-D354828AB952}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{988F4102-E6E3-4282-ACAC-55270827F2A8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9906CDFC-DB2C-4126-9422-13139B148495}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9A21C6C5-27FC-4442-8590-575E7AFD73BB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9ECF83FB-23C5-43B6-83DE-93CFBDD74D4A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A58F47CC-FF65-4152-B0B1-666C643A5BFC}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A6A3D586-44CF-44C2-A92C-620BB713B4F2}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{ABBE3F83-D585-4A50-9B69-198B0F566F2E}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{AC5CECFA-F03A-41D2-A89C-704C44935941}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B1560245-190E-4BBD-81DF-9B642D0E5325}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B2A579E0-A797-40B1-8AEE-A8F6404719F8}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B47196BC-D4AB-41BB-A771-543D67CFC9F5}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B53CEF4B-1A13-49DE-BBC5-A7100FB2F38C}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B5EE2B68-9A23-4BCD-BB77-FEA6DFB24DD6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B80687F9-FA4C-4735-9DC4-E5715F2BC698}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BAE5802A-CF21-4F9C-AE04-D98F4036AC31}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BBF6A206-CB04-479D-96AE-349E1E83319A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BC71DEA1-D6FB-48B8-AB06-D151C81BBCDD}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF224DC3-B602-4EEE-BFE9-9E4E0AED6837}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF4CC07E-E9BB-40D6-873F-855B211033B9}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C061C82C-D041-4214-BB07-B608107CEFCB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C2D4ACCC-A3D1-4A0A-AD59-0DD8BA3D5EE1}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8C18F89-794D-466B-8B97-95634D9890EF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8EC7647-1E79-4F13-81D7-2EED803D0D22}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CC23CA32-9892-4FBA-A108-FE31CA0F35A6}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CD865713-70D6-4E15-BB7B-9B99AD9DEB85}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D56F5AB3-9C4D-4F1A-A851-A671D9FE8C22}\InprocServer32 -> AcETransmit.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D66873EA-AAE5-41CC-8DD2-8CE3228E9F89}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D86B6C47-11F2-4D95-B635-EA575F0892FC}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DB207560-8449-4FAF-BDC2-61676EB012D4}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DE74F5AD-DA2F-429F-BAF9-850A2808D585}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DF6525C2-6358-4B07-813D-708120C5FE1A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E177A457-9EAA-43C3-A3CE-84874A28F6CA}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E29F6C45-6927-4508-8F3F-34105FD3FC5F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E4222C78-3670-4BB1-9AD4-7D8F3E581F2D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E70DE962-842A-4488-9481-1D0FD72A020F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E9C07CEC-7B82-49E4-BBA2-7533B88E9D64}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EA34A0C0-5CE7-4701-A6FA-117D25CD5EBB}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EF01D98A-747B-4522-AD70-991B90855DBF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F196F03F-651A-43AF-BE34-D11942F24445}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F2DB0EE3-7137-4CB0-8349-483C4FF2143A}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F40E2FF0-4D77-40B2-9A44-A3AEECCE8EFF}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F5522F0C-962A-48AC-9992-E81B07628F1F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F78DCF7C-043D-45FC-9D21-676FC307BA3F}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F868EAEC-1B73-4F5E-BA73-90EBA94E75BE}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FA97F7A7-FD19-4D55-ABF2-CFEFFF777426}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FD51ED8A-D518-4554-B236-B6E9D234FD03}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE054BB2-AF94-40AC-88AA-2F59F7018B1D}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE317223-8EDE-4684-B424-E48B9EA90220}\InprocServer32 -> axdb.dll => No File
CustomCLSID: HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE718E8F-C3AA-4F30-9103-432450CF1DA1}\InprocServer32 -> axdb.dll => No File
C:\Users\Patryk\AppData\Local\Temp\Temp1_theguild2add_210_pl.zip\theguild2add_210_pl.exe <==== ATTENTION
Task: {D1926604-9ADE-4FC2-809E-7AEB42FE2659} - System32\Tasks\DriverToolkit Autorun => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
C:\Program Files (x86)\DriverToolkit
Task: {E3F17B12-666F-4D48-8704-3DF1CE9CFDA1} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-11-25] (AVAST Software)
C:\Program Files\Common Files\AV\avast! Antivirus
File: C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
File: D:\gothic ii nk\_work\tools\zspy\zspy.exe
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\hshhsaaaws => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value removed successfully
HKU\S-1-5-21-3442756476-2532682054-792797034-1000\Software\Microsoft\Windows\CurrentVersion\Run\\{ED63C89B-B475-4607-9A8D-008CDD26D45F} => value removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
hklm\System\CurrentControlSet\Control\Session Manager\\BootExecute => value restored successfully
aswVmm => service removed successfully
 
========================= File: C:\Windows\System32\DRIVERS\atksgt.sys ========================
 
File is digitally signed
MD5: 54494B93BB5AD74C807100144EC30D64
Creation and modification date: 2016-05-29 20:36 - 2016-05-29 20:36
Size: 0310728
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
dbx => service removed successfully
dcdbas => service removed successfully
 
========================= File: C:\Windows\system32\perfh015.dat ========================
 
File not signed
MD5: 03559E3E7DD3D6CBFD16A9942466DFDE
Creation and modification date: 2011-04-12 14:21 - 2016-11-12 11:04
Size: 0740348
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
========================= File: C:\Windows\system32\perfc015.dat ========================
 
File not signed
MD5: D80E74D312BD0480CC8DD3BFBE7A5AC6
Creation and modification date: 2011-04-12 14:21 - 2016-11-12 11:04
Size: 0155890
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
========================= File: C:\Users\Patryk\AppData\Roaming\MouseServer.ini ========================
 
File not signed
MD5: D38E5A3C06DB832B9B9D267BE5064CCB
Creation and modification date: 2016-11-23 14:28 - 2016-11-23 14:28
Size: 0000055
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
========================= File: C:\Users\Patryk\AppData\Local\Temp\_is9F63.exe ========================
 
File is digitally signed
MD5: C3067498A6DB394BC02BE7FE627FA47E
Creation and modification date: 2010-07-15 10:55 - 2010-07-15 10:55
Size: 0456024
Attributes: ---RA
Company Name: Macrovision Corporation
Internal Name: Setup
Original Name: Setup.exe
Product: InstallShield
Description: Setup.exe
File Version: 12.0.58849
Product Version: 12.0
Copyright: Copyright © 2006 Macrovision Corporation
 
====== End of File: ======
 
C:\Windows\System32\Tasks\AVAST Software => moved successfully
C:\ProgramData\AVAST Software => moved successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0215A4C0-5431-4FD0-9B06-46589B5C4939}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{048ED0E0-12CF-4C0F-9FFA-947C2FBE8C8E}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{071339A1-1946-44B2-B63E-50459B15DB86}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{08A60FF7-BB37-44F4-9759-0ADA6C7B9CC9}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0B38CACA-3D3C-48EA-BEB5-7D95F4F6EE15}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0C3393F8-94F5-4B79-8C01-49A2D0CC0FE9}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{0D555CE0-304A-47A6-858B-B145209A3982}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{12545889-6D32-4424-9967-1E1D7BD1F809}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{14679E3B-C952-4998-8E13-4B1286E6DD99}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1481B385-759A-4B00-9257-E96357563999}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{162EF0A1-5A33-46F2-ACCF-CA388B084A09}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D625598-C876-4C51-8EF5-F9D8F96F62AA}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1D6DFD6A-9E16-435A-9327-6FFEC6BA372F}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E5724EA-3423-4BD3-ABD6-46E650D2DC66}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1E8A29BA-827D-4031-A4A3-AE7999B402F6}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1EA072EE-57FD-495E-889C-8243C3BDBDBC}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{1FD7F53F-7ED5-439C-9A77-A3821CD09E98}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{20E47D5B-529A-45BD-8E77-BF1A3064A008}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2709544A-5B24-4F9F-A5DA-CEC7297D3A4E}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2BCA857B-A18B-4AFA-B183-CC0E49C12058}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C74F89E-7421-46B4-BA54-F86F1BD9F237}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{2C7D1157-7D50-4A88-9777-5EBBA3189AB8}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3497C2EC-5684-4B21-AF74-F6760E0221DC}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{38C8B14E-7879-4DA9-8C3F-8CAAC359293A}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{3FCEB42C-9B98-486A-BED7-FD7F3ADB7291}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{40770568-0D5E-49D4-BE47-BC47A4F0B0A4}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{44A52280-AE56-490D-890C-89FB7279ED6B}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{46C56738-39C6-4240-8B9B-008CCD769A84}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{47179DDE-10AC-4737-97C9-8CE5379343EA}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{475C7B4A-6964-4F9E-9708-05A16EAC31D0}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48270F9E-CCF6-4C79-B6FF-267C960E6425}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{48FEFCD7-5D7C-4E4A-9F11-60E69A31D4B1}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{49998808-648A-4A9C-A7A5-B1672775D9AB}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4A756F5F-CBA4-428B-B17F-AF80C0C8502D}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4B40437B-8972-4444-BBE3-1588FF55F203}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{4BD03680-3C0F-4501-AFF7-3D008586917F}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{5544903C-2CCC-487C-91BB-F310B72A8E9B}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{59A224A2-BEF8-4C89-96E0-83A5411ABB6C}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{622F6193-E4DD-46E6-BC66-2ED88E9FD28D}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6451051B-AD22-4C6A-ACCE-013A0E1DDBC3}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{64B99FDB-1D85-447F-98C7-569DBDA723DB}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6BCE6F6E-C050-4F39-BD98-E2743949F724}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{6F56D7C9-18DD-4C15-9FA8-C54E3610EC40}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{70DBCAE8-8C2B-450C-9E1D-43E4686C6512}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{713C0E8A-5AE8-4695-B442-5ED6C4FE5C42}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7293E009-3015-4AD3-96EC-D42C36B5FCE3}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{72EFC580-D085-4B81-8C55-26A79E445338}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{750AEC19-2E4C-4ED9-9B9F-F9CAFCD060F3}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{794199C5-827C-41C8-8CB2-3A1EA056AF5E}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{798391FE-4AF2-4851-9DDA-1F0D70C02A9E}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{7C239DAB-BC87-45F3-B7B1-FCC1541A235B}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{834CE679-2E47-49DE-9E41-FEC87E9192EB}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{849AFB5B-D6C9-4924-A712-F7118FF9611F}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{85452F88-5071-492E-B850-2E3C586DCBD8}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{87F5CF8F-A06D-498F-A05F-E520E6B570DB}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{89F0FC31-3B1D-494B-A75B-6BD4FA527B8A}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8AA16DFC-DFC6-4B51-8FA2-A5D812BE33BF}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{8ED07FEF-E1B0-4CC3-B2BA-D354828AB952}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{988F4102-E6E3-4282-ACAC-55270827F2A8}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9906CDFC-DB2C-4126-9422-13139B148495}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9A21C6C5-27FC-4442-8590-575E7AFD73BB}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{9ECF83FB-23C5-43B6-83DE-93CFBDD74D4A}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A58F47CC-FF65-4152-B0B1-666C643A5BFC}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{A6A3D586-44CF-44C2-A92C-620BB713B4F2}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{ABBE3F83-D585-4A50-9B69-198B0F566F2E}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{AC5CECFA-F03A-41D2-A89C-704C44935941}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B1560245-190E-4BBD-81DF-9B642D0E5325}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B2A579E0-A797-40B1-8AEE-A8F6404719F8}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B47196BC-D4AB-41BB-A771-543D67CFC9F5}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B53CEF4B-1A13-49DE-BBC5-A7100FB2F38C}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B5EE2B68-9A23-4BCD-BB77-FEA6DFB24DD6}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{B80687F9-FA4C-4735-9DC4-E5715F2BC698}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BAE5802A-CF21-4F9C-AE04-D98F4036AC31}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BBF6A206-CB04-479D-96AE-349E1E83319A}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BC71DEA1-D6FB-48B8-AB06-D151C81BBCDD}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF224DC3-B602-4EEE-BFE9-9E4E0AED6837}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{BF4CC07E-E9BB-40D6-873F-855B211033B9}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C061C82C-D041-4214-BB07-B608107CEFCB}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C2D4ACCC-A3D1-4A0A-AD59-0DD8BA3D5EE1}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8C18F89-794D-466B-8B97-95634D9890EF}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{C8EC7647-1E79-4F13-81D7-2EED803D0D22}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CC23CA32-9892-4FBA-A108-FE31CA0F35A6}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{CD865713-70D6-4E15-BB7B-9B99AD9DEB85}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D56F5AB3-9C4D-4F1A-A851-A671D9FE8C22}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D66873EA-AAE5-41CC-8DD2-8CE3228E9F89}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{D86B6C47-11F2-4D95-B635-EA575F0892FC}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DB207560-8449-4FAF-BDC2-61676EB012D4}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DE74F5AD-DA2F-429F-BAF9-850A2808D585}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{DF6525C2-6358-4B07-813D-708120C5FE1A}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E177A457-9EAA-43C3-A3CE-84874A28F6CA}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E29F6C45-6927-4508-8F3F-34105FD3FC5F}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E4222C78-3670-4BB1-9AD4-7D8F3E581F2D}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E70DE962-842A-4488-9481-1D0FD72A020F}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{E9C07CEC-7B82-49E4-BBA2-7533B88E9D64}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EA34A0C0-5CE7-4701-A6FA-117D25CD5EBB}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{EF01D98A-747B-4522-AD70-991B90855DBF}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F196F03F-651A-43AF-BE34-D11942F24445}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F2DB0EE3-7137-4CB0-8349-483C4FF2143A}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F40E2FF0-4D77-40B2-9A44-A3AEECCE8EFF}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F5522F0C-962A-48AC-9992-E81B07628F1F}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F78DCF7C-043D-45FC-9D21-676FC307BA3F}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{F868EAEC-1B73-4F5E-BA73-90EBA94E75BE}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FA97F7A7-FD19-4D55-ABF2-CFEFFF777426}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FD51ED8A-D518-4554-B236-B6E9D234FD03}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE054BB2-AF94-40AC-88AA-2F59F7018B1D}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE317223-8EDE-4684-B424-E48B9EA90220}" => key removed successfully
"HKU\S-1-5-21-3442756476-2532682054-792797034-1000_Classes\CLSID\{FE718E8F-C3AA-4F30-9103-432450CF1DA1}" => key removed successfully
"C:\Users\Patryk\AppData\Local\Temp\Temp1_theguild2add_210_pl.zip\theguild2add_210_pl.exe <==== ATTENTION" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D1926604-9ADE-4FC2-809E-7AEB42FE2659}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D1926604-9ADE-4FC2-809E-7AEB42FE2659}" => key removed successfully
C:\Windows\System32\Tasks\DriverToolkit Autorun => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DriverToolkit Autorun" => key removed successfully
C:\Program Files (x86)\DriverToolkit => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{E3F17B12-666F-4D48-8704-3DF1CE9CFDA1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E3F17B12-666F-4D48-8704-3DF1CE9CFDA1}" => key removed successfully
C:\Windows\System32\Tasks\AVAST Software\Avast settings backup => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVAST Software\Avast settings backup" => key removed successfully
C:\Program Files\Common Files\AV\avast! Antivirus => moved successfully
 
========================= File: C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe ========================
 
"C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe" => not found.
====== End of File: ======
 
 
========================= File: D:\gothic ii nk\_work\tools\zspy\zspy.exe ========================
 
File not signed
MD5: 612A13ACA12CC395B6A0446710F71AAF
Creation and modification date: 2016-09-22 12:19 - 2003-07-17 03:04
Size: 0307200
Attributes: ----A
Company Name: 
Internal Name: ZSPY
Original Name: ZSPY.EXE
Product: ZSPY Application
Description: ZSPY MFC Application
File Version: 1, 3, 0, 0
Product Version: 1, 3, 0, 0
Copyright: Copyright © 1997
 
====== End of File: ======
 
 
 
The system needed a reboot.
 
==== End of Fixlog 12:53:58 ====

After the reboot the computer isn't running any faster (but I don't expect it to, it's an old laptop), but I've noticed that powershell.exe isn't showing up on the taskbar when I start up my computer.


#7 garioch7

Posted 11 December 2016 - 08:38 AM

Patryk:

Thank you for the fixlog.txt. Looks good. Glad to hear that the PowerShell pop-ups have stopped.

Did you remove any, one, or both of the programs that I recommended that you uninstall in Step :step4: of my previous post?

Also, I am missing the VirusTotal scan result URL links for the files that I asked you to upload and scan there in Step :step2:.

Please give me some time to review the fixlog.txt. I will await your response and the URL links to the VirusTotal scans.

Hopefully I will be able to post back this afternoon after you have provided the missing information.

Thank you and have a great day.

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#8 PatryKing

Posted 11 December 2016 - 11:43 AM

Phil:

I had removed the SlimDrivers program before I came to this forum, and I removed Akamai NetSession Interface during Step :step4: of your post.

Also, I posted the VirusTotal URL links in my previous post, but I can post them again here and in the attached file:

VirusTotal URL links:

1. https://www.virustotal.com/en/file/34332e0ddca5229da8a0661f74d7fd2f6757cdd37081fe13b3358a7ab59f0ae0/analysis/1481456052/
2. https://www.virustotal.com/en/file/4c7b7b8c37686489323e223a5262006cde2bef270faaf9cede1f58d1a3c41342/analysis/1481456188/
3. https://www.virustotal.com/en/file/618daa0cd1097f949326289966468592660e46a60868484c2279f599efda5426/analysis/1481456265/
4. https://www.virustotal.com/en/file/51f6ea77c7e40564540f1d1072c12425657728ed54443b9c02e2f0326979b2dc/analysis/1481456344/
5. https://www.virustotal.com/en/file/36dfc2084c1cc8da4b1f1836c8ca91cd871292344e27d74d2f3ed025abd457db/analysis/1481456428/
6. The folder was empty (I checked whether the file was hidden; I still didn't find it).
7. https://www.virustotal.com/en/file/b7c463bc0a2f5e28eec9e68d241e9f6c5ce924b24639a3c413754fbb644160f5/analysis/1481456948/

Attached File: VirusTotal URL.txt (883 bytes)


#9 garioch7

Posted 11 December 2016 - 02:09 PM

Patryk:

Thank you for your post. Please accept my sincere apologies: you did indeed include the VT analysis URLs in your second-last post. I don't know how I missed them. Your posts are well written and constructed. I can't make any good excuses. :blush:

By the way, your English is great. You write better than many English speakers!


:step1: As I indicated in my fixlist post, SlimDrivers is showing as installed on your computer, in the Addition.txt log.
 

I have removed SlimDrivers program before I came to this forum, ...


SlimDrivers (HKLM-x32\...\{746AB259-6474-4111-8966-1C62F9A6E063}) (Version: 2.3.1 - SlimWare Utilities, Inc.)


Please double-check Control Panel, Add/Remove Programs for "SlimDrivers". Slimware makes another software utility as well; see this link.

.

:step2: I am concerned about that syshost.exe file. See this link for more information as to why I am concerned. Your version was showing in a different location; and, given where it was located, it could be "spawned" in a different location each time the computer reboots, which is why you could not find it. On the other hand, the only reference that I found was in the Firewall Rules, listed in Addition.txt. Those Firewall rules could be remnants of removed malware, but I want to be sure.

FirewallRules: [TCP Query User{6DBCAEAD-C257-4823-9FD3-5F5DD3D0C094}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe] => C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe
FirewallRules: [UDP Query User{443E21D1-F991-4C1A-8215-60647FAC4B56}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe] => C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe


Please download SystemLook from one of the links below and save it to your Desktop.
For 64-bit versions of Windows: SystemLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    syshost.*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please copy and paste this log into your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

.

:step3: I would like to run some standard scans to continue the process of ensuring that there is no active malware on your computer.
ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were found.

Don't forget to re-enable your antivirus when finished!

.

:step4: Malwarebytes Anti-Malware Free and Malwarebytes Chameleon Including External Drive

----------

  • Download Malwarebytes Anti-Malware and save it to your Desktop.
  • Double click the desktop icon, click Run, then Yes.
  • Click OK for English, then click Next.
  • Select I accept the agreement, then continue to click Next, then finally click Install.
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium, if you do not want the free trial of the paid version, then click Finish.
  • On the Dashboard, select Settings.
  • Click on the Protection tab.
  • Ensure that Scan for rootkits is checked. If not, check it.
  • If you are notified the Database is out of date, click Update Now.
  • Attach any external drives you want to scan, if not already attached.
  • Click the Scan button near the top.
  • Select Custom Scan, then click Configure Scan.
  • Place a check mark in any additional drives you would like to scan.
  • Click Scan now.

----------
Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
Click Start (Start, Search, All files and folders for Windows XP), then type mbam.
Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open. Follow those instructions until the Malwarebytes program starts the scan.

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com

----------

  • When completed, click the down arrow on Export Log and select Text file (*.txt).
  • Save the file to your desktop as MBAM.txt.
  • Click Apply Actions, then restart your computer, if requested.
  • Please copy and paste the contents of MBAM.txt into your next reply.

These instructions were written for the older version of MBAM. The new version is 3.0.#.####, which was just released. If there are mistakes in the instructions, please let me know. You seem to be VERY computer-literate, so I am sure that you will be able to install it and run it, mistakes or not. I don't have a virtual machine, and I already have the paid version of MBAM, and have had it for years. It is a real "must" for computer security, in my personal opinion. Therefore, I am not sure what screens and prompts appear with the newest version; I simply upgraded my old version of MBAM last week.

.

Please reboot your computer, if it did not reboot after the MBAM scan, which it does not do, if no malware is detected.

If you are having any issues with your computer now, please let me know.

Thank you, Patryk. Have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
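
The syshost.exe concern in the post above rests on two firewall rules whose program path points into a GUID-named folder under AppData\Local, while the file itself could not be found. The script below is an added example, not part of the thread and not code from FRST or any other tool mentioned here. It reads the registry key that Windows Firewall stores its rules in (the same place FRST's Addition.txt "FirewallRules:" lines come from), which is why it also works on Windows 7 where the NetSecurity cmdlets do not exist, flags rules whose target lives in a per-user, Temp or ProgramData location, and reports whether the target still exists. The -Demo switch and the two benign sample rules are constructed for offline demonstration; the two syshost.exe entries reproduce the rules quoted in the post. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit Windows Firewall rules that point at
# executables in per-user, Temp or ProgramData locations and say whether the
# binary is still present. Works on Windows 7 / PowerShell 2.0 and later.
param([switch]$Demo)   # -Demo parses constructed sample values instead of the live key

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Locations an installed, legitimate program rarely needs a firewall rule for.
# The first pattern is the GUID-named AppData\Local folder seen in the syshost.exe rules.
$SuspiciousPaths = @(
    '\\AppData\\Local\\\{[0-9a-f-]{36}\}\\',
    '\\AppData\\Local\\Temp\\',
    '\\ProgramData\\',
    '^[a-z]:\\Users\\[^\\]+\\[^\\]+\.exe$'
)

function Parse-FirewallRule {
    param([string]$Name, [string]$Raw)
    # Each value is a pipe-separated list of Key=Value tokens, e.g.
    # v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\x\y.exe|Name=...|
    $fields = @{}
    foreach ($tok in ($Raw -split '\|')) {
        $i = $tok.IndexOf('=')
        if ($i -gt 0) { $fields[$tok.Substring(0, $i)] = $tok.Substring($i + 1) }
    }
    New-Object PSObject -Property @{
        RuleName = $Name; App = $fields['App']; Action = $fields['Action']
        Active = $fields['Active']; Dir = $fields['Dir']; Protocol = $fields['Protocol']
    }
}

function Get-SuspiciousFirewallRules {
    param([hashtable]$Rules)   # value name -> raw rule string
    foreach ($name in $Rules.Keys) {
        $r = Parse-FirewallRule -Name $name -Raw $Rules[$name]
        if (-not $r.App) { continue }   # port-only rules carry no App token
        # Expand %SystemRoot%, %ProgramFiles% etc. before matching and testing the path
        $path = [Environment]::ExpandEnvironmentVariables($r.App)
        $hit = $false
        foreach ($pat in $SuspiciousPaths) { if ($path -match $pat) { $hit = $true; break } }
        if (-not $hit) { continue }
        $exists = Test-Path -LiteralPath $path
        # A rule whose target is gone is a remnant of something already removed; a target
        # that is still there should be hashed and checked on VirusTotal before anything is deleted.
        if ($exists) { $verdict = 'binary present - investigate' } else { $verdict = 'remnant - file missing' }
        New-Object PSObject -Property @{
            RuleName = $r.RuleName; App = $path; Active = $r.Active; Dir = $r.Dir
            Protocol = $r.Protocol; FileExists = $exists; Assessment = $verdict
        }
    }
}

if ($Demo) {
    # Constructed sample values in the same shape as the live key (protocol 6 = TCP, 17 = UDP).
    $rules = @{
        'TCP Query User{6DBCAEAD-C257-4823-9FD3-5F5DD3D0C094}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe|Name=syshost.exe|'
        'UDP Query User{443E21D1-F991-4C1A-8215-60647FAC4B56}C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\patryk\appdata\local\{07916d2d-ff3e-3cbe-2dce-7a6c0d86d5dd}\syshost.exe|Name=syshost.exe|'
        'CoreNet-Sample'   = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=%SystemRoot%\system32\svchost.exe|Name=Core Networking (constructed sample)|'
        'Port-only-sample' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=File and Printer Sharing (constructed sample)|'
    }
} else {
    $rules = @{}
    $item = Get-Item -Path $RulesKey
    foreach ($vn in $item.GetValueNames()) { $rules[$vn] = [string]$item.GetValue($vn) }
}

Get-SuspiciousFirewallRules -Rules $rules | Format-Table RuleName, App, Dir, Protocol, FileExists, Assessment -AutoSize
```

With -Demo the two syshost.exe rules come back as "remnant - file missing" on a machine that does not have that folder, and the svchost.exe and port-only samples are not reported at all. The script only reports; deleting a rule is a separate decision, and a rule whose target is still present is a reason to hash the file and look it up before removing anything.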


#10 PatryKing

Posted 12 December 2016 - 12:33 PM

Phil:

I'm currently running the scans from :step3: and :step4:; knowing my computer, it could take a couple of hours.

About :step2:, I have problems with the codebox. When I copy and paste "syshost.*", the program gives me this:

SystemLook 30.07.11 by jpshortstuff

Log created at 16:16 on 12/12/2016 by Patryk
Administrator - Elevation successful
 
No Context: syshost.*
 
-= EOF =-

And about the SlimDrivers program, I was pretty sure I had uninstalled it before, but when I checked after your last post, it was still installed. Also, when I clicked uninstall SlimDrivers in Add/Remove Programs, all that happened was that the computer asked for administrator permission and that's all. I didn't see any uninstall setup; I didn't have to press any "next" or "finish" button. Is that a sign of any malware/virus problems? Can this kind of program avoid uninstalling or install itself again?


#11 garioch7

Posted 12 December 2016 - 01:27 PM

Patryk:

Thank you for your post.

Once again, please accept my apologies. I did not include the correct SystemLook_x64.exe code script in my previous post. :blush: I must have been very distracted the last two days. Let's try this again. Here is the correct SystemLook_x64.exe script. I have added some queries to look for what remains of SlimDrivers and to enhance the syshost.exe search.

:filefind
syshost.*
Slim*.*

:regfind
Slim*.*

:process
syshost.*

Please run SystemLook_x64.exe again. The above script should work. It is possible that you did indeed uninstall SlimDrivers, but that it did not uninstall cleanly. The program is considered a "PUP" (Potentially Unwanted Program) because it can cause more trouble than it is worth, particularly if it overwrites proprietary drivers with generic ones. It is not malevolent. It is quite common for some programs not to uninstall cleanly. Do not be concerned. We can get rid of the remnants, once we have located them. It won't install itself again unless you download it, either deliberately or because it is openly or secretly "bundled" with some other program that you download. P2P sharing is a common attack vector.

Thank you for your patience while I got my attention focused again on your issues.

Have a great day.

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
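
The SystemLook script above does three things: a wildcard file search, a registry search, and a process check. The script below is an added example, not part of the thread and not SystemLook's own code, showing how to do the same triage with nothing but PowerShell as shipped on Windows 7 (2.0 and later), from an elevated prompt. It searches every fixed drive for the file patterns and reports size, timestamp and MD5 the way SystemLook does, looks for the registry patterns in the vendor, uninstall, Run, task-cache and service keys where an unclean uninstall usually leaves traces (a full-hive walk would be slower; HKU hives other than the current user are not covered, which is an assumption of this example), and lists matching processes with their image path via WMI. The default patterns are the ones from the post.

```powershell
# Added example (not from the thread): PowerShell equivalent of the SystemLook
# :filefind / :regfind / :process queries. Windows 7 / PowerShell 2.0 compatible.
param(
    [string[]]$FilePatterns     = @('syshost.*', 'Slim*.*'),
    [string[]]$RegistryPatterns = @('Slim*'),
    [string[]]$ProcessPatterns  = @('syshost.*')
)

function Get-FileMD5 {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4, so hash through .NET directly
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Find-Files {
    param([string[]]$Patterns)
    # DriveType=3 is a local fixed disk; -Force includes hidden and system files
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $_.DeviceID + '\' }
    foreach ($pat in $Patterns) {
        foreach ($d in $drives) {
            Get-ChildItem -Path $d -Filter $pat -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object {
                    try { $md5 = Get-FileMD5 $_.FullName } catch { $md5 = 'unreadable' }
                    New-Object PSObject -Property @{
                        Pattern = $pat; Path = $_.FullName; Size = $_.Length
                        Modified = $_.LastWriteTime; MD5 = $md5
                    }
                }
        }
    }
}

function Find-RegistryKeys {
    param([string[]]$Patterns)
    # Vendor keys sit one level below these roots (e.g. HKLM\SOFTWARE\<Vendor>) ...
    $shallowRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node', 'HKCU:\SOFTWARE'
    # ... while uninstall entries, autoruns, task-cache entries and services need a recursive walk
    $deepRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree',
                 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $keys = @()
    foreach ($r in $shallowRoots) { $keys += Get-ChildItem -Path $r -ErrorAction SilentlyContinue }
    foreach ($r in $deepRoots) {
        $keys += Get-Item -Path $r -ErrorAction SilentlyContinue
        $keys += Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue
    }
    foreach ($k in ($keys | Where-Object { $_ -ne $null })) {
        # Match on the key name or on any of its data (DisplayName, ImagePath, Run command lines)
        $names = @()
        try { $names = $k.GetValueNames() } catch { }
        $text = ($names | ForEach-Object { '{0}={1}' -f $_, $k.GetValue($_) }) -join "`n"
        foreach ($pat in $Patterns) {
            $where = $null
            if ($k.PSChildName -like $pat) { $where = 'key name' }
            elseif ($text -like "*$pat*") { $where = 'value data' }
            if ($where) {
                New-Object PSObject -Property @{ Pattern = $pat; MatchedOn = $where; Key = $k.Name }
                break
            }
        }
    }
}

function Find-Processes {
    param([string[]]$Patterns)
    foreach ($pat in $Patterns) {
        # Win32_Process reports the image path of 64-bit processes even from a 32-bit shell
        Get-WmiObject Win32_Process | Where-Object { $_.Name -like $pat } | ForEach-Object {
            New-Object PSObject -Property @{
                Pattern = $pat; PID = $_.ProcessId; Name = $_.Name
                Path = $_.ExecutablePath; CommandLine = $_.CommandLine
            }
        }
    }
}

Write-Output '========== filefind =========='
$files = @(Find-Files -Patterns $FilePatterns)
if ($files.Count) { $files | Format-Table Pattern, Path, Size, Modified, MD5 -AutoSize } else { 'No files found.' }
Write-Output '========== regfind =========='
$regs = @(Find-RegistryKeys -Patterns $RegistryPatterns)
if ($regs.Count) { $regs | Format-Table Pattern, MatchedOn, Key -AutoSize } else { 'No data found.' }
Write-Output '========== process =========='
$procs = @(Find-Processes -Patterns $ProcessPatterns)
if ($procs.Count) { $procs | Format-Table Pattern, PID, Name, Path -AutoSize } else { 'No matching process.' }
```

Matching on value data as well as key names is what turns up entries such as an uninstall key whose DisplayName still names the vendor, or a service whose ImagePath points at a folder that no longer exists; a name-only search misses both.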


#12 PatryKing

Posted 13 December 2016 - 02:55 AM

Phil:

Finally, the scans are done. Here are the results:

SystemLook.exe

 

SystemLook 30.07.11 by jpshortstuff

Log created at 08:33 on 13/12/2016 by Patryk
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "syshost.*"
No files found.
 
Searching for "Slim*.*"
C:\Users\Patryk\Desktop\Programy\SlimDrivers.lnk --a---- 2483 bytes [13:21 15/01/2016] [13:21 15/01/2016] AA14F4A9B798F1372B6BA8FCA4D5EBD3
 
========== regfind ==========
 
Searching for "Slim*.*"
No data found.
 
========== process ==========
 
syshost.* - Unable to open process handle.
 
-= EOF =-
 
 
 
 
ESET Online Scanner:
 
C:\Users\Patryk\Downloads\YTDSetup.exe a variant of Win32/Toolbar.Widgi.W potentially unwanted application
D:\Civilization V\Civilization V\steam_api.dll a variant of Win32/HackTool.Crack.DW potentially unsafe application
D:\Cod 4\Call of Duty Modern Warfare\key generator.exe Win32/Keygen.DK potentially unsafe application
D:\Xbox 360\SolidWorks 2014 SP3 x64.iso Win32/Toolbar.Widgi potentially unwanted application,a variant of Win32/Keygen.PK potentially unsafe application,Win32/OpenCandy potentially unsafe application
 


Malwarebytes Anti-Malware:
 
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/13/16
Scan Time: 2:00 AM
Logfile: MBAM.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.708
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 335398
Time Elapsed: 5 min, 45 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 3
PUP.Optional.DriverAssist, HKLM\SOFTWARE\MICROSOFT\TRACING\DriverAssist_RASAPI32, No Action By User, [1880], [345024],1.0.708
PUP.Optional.DriverAssist, HKLM\SOFTWARE\MICROSOFT\TRACING\DriverAssist_RASMANCS, No Action By User, [1880], [345024],1.0.708
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\WOW6432NODE\SLIMWARE UTILITIES? INC.\DriverApp, No Action By User, [1209], [341522],1.0.708
 
Registry Value: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 3
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\PROGRAMDATA\SlimWare Utilities, Inc, No Action By User, [1656], [334848],1.0.708
 
File: 13
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00156998F44ADDD8296E09474D3991E7930000000001307B88.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00403CDC63856F73FB741BEAFDFCB12D8000000000002AF2EE.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\0049AD3F4BB3F1CCC9D8350974ABC954E9000000000031565D.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\007CABA9D1EBFD9D519C55376E7717AE820000000000133AAA.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\0081003665241EEBF09C919F886B24133B00000000155E3802.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\009D35962D1BFCF6E14708C9625BE33C7F000000000AB16870.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00B7C26F5A8101EC26C1C3FD23864603520000000000A62DC8.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00B8BA14031A3DC7480B89D9B3E6A40CAF000000001116DEE0.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00DB5EAC1973399BB63B0E992553E893E600000000000E97B5.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00DB8EC08FA9337EA9586D9AF15E184878000000000041D6E5.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00F7CA2C90FC594E90645C02EA99A66031000000000E57190F.exe, No Action By User, [1656], [334848],1.0.708
PUP.Optional.SlimCleanerPlus, C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\00FBDE286B13AD2D5585CE8908C77A68580000000008CD0A13.exe, No Action By User, [1656], [334848],1.0.708
Worm.Agent.AutoIt, C:\WIN\NAMES.TXT, No Action By User, [9361], [253462],1.0.708
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

Edited by PatryKing, 13 December 2016 - 02:55 AM.


#13 garioch7

Posted 13 December 2016 - 01:31 PM

Patryk:

 

Thank you for your post.  I am assuming that you had ESET quarantine or otherwise eliminate the four threats that it detected.  If not, please re-run the scan and ensure that Remove found threats is checked, under "Advanced Settings."

 

According to the MBAM scan log, you apparently did not have Rootkit scan enabled when you ran Malwarebytes Anti-Malware (see "Settings", "Scan for Rootkits", under "Scan Options").

 

Also you did not, apparently, have Treat PUMs and PUPs as malware enabled.  Please go to "Settings", click on the "Protection" tab, then under "Potential Threat Detection", there are two "switches", one for PUMs and one for PUPs.  Please ensure that they are both set to "Treat PUMs/PUPs as malware (recommended)."

 

Both the rootkit and PUM/PUP detection settings are set, by default, to what I have recommended.  It is possible, with MBAM 3.0.4 being a new product, that your version (Malwarebytes is updating it constantly) did not have those settings set to the defaults; or, you could have changed them.  Their Forum is full of reports of issues that they are diligently and quickly addressing.  Please download the latest version of MBAM 3.0.4, and ensure that the settings are as I have recommended.

 

Then please re-run the MBAM scan.  Please copy and paste the results of the new scan into your next reply.

 

Thank you and have a great day.

 

Regards,

-Phil

 

 


Graduate of the Bleeping Computer Malware Removal Study Hall


#14 PatryKing

PatryKing
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:01 PM

Posted 14 December 2016 - 09:51 AM

Phil:

 

I have deleted the threats found by ESET.

Here are the new MBAM results:

 
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/14/16
Scan Time: 11:31 AM
Logfile: new MBAM.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.726
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Patryk-PC\Patryk
 
-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 248505
Time Elapsed: 2 hr, 12 min, 51 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 1
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\WOW6432NODE\SLIMWARE UTILITIES? INC.\DriverApp, No Action By User, [1210], [341522],1.0.726
 
Registry Value: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#15 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,850 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:05:01 PM

Posted 14 December 2016 - 01:02 PM

Patryk:
 
Thank you for your MBAM log.  It is looking good.
 
 
:step1: I would like to check that we have eliminated the SlimDrivers remnants.
 
Would you be so kind as to run SystemLook_64.exe again?  Please copy and paste the following into the code box.
 
:dir
C:\ProgramData\SlimWare Utilities, Inc

:reg
HKLM\SOFTWARE\WOW6432NODE\SLIMWARE UTILITIES? INC.

Please copy and paste the results of the scan into your next reply.
 

:step2: Let's run a few more scans to make sure that there is no adware or other junk cluttering up your computer.

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

:step3: Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, 8, or 10; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

:step4: Please provide me with an update as to how your computer is working now. Are you having any issues? If so, please describe them in detail.


Thank you and have a great day.

Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall
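A PowerShell equivalent of the SystemLook ":dir" / ":reg" remnant check requested in post #15, added here as an example; it is not part of the thread and not SystemLook's or Malwarebytes' own code. It assumes an elevated PowerShell prompt and PowerShell 4 or later (for Get-FileHash, which is not in the PowerShell 2.0 that ships with Windows 7). The directory and key paths are the ones named in the post; the "?" in the key name is assumed to be how the MBAM log rendered the comma in the vendor name, so both spellings are tried. It also goes one step beyond the post and sweeps the Run/RunOnce autostart keys for values that launch powershell.exe (or mshta/rundll32) or that carry non-ASCII value names, since a powershell.exe process appearing at every boot is the symptom this thread opened with.

```powershell
# Added example (not from the thread, SystemLook or Malwarebytes).
# Assumptions: elevated prompt, PowerShell 4+ (Get-FileHash), paths as named in post #15.

$dirPath  = 'C:\ProgramData\SlimWare Utilities, Inc'
$regPaths = @(
    'HKLM:\SOFTWARE\WOW6432Node\SlimWare Utilities, Inc.',   # comma form
    'HKLM:\SOFTWARE\WOW6432Node\SlimWare Utilities? Inc.'    # literal form from the MBAM log (assumed rendering of the comma)
)
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Show-RegKey {
    param([string]$Path)
    # Dump the key itself plus every subkey and their values, like SystemLook's :reg.
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($k in $keys) {
        Write-Host "  [$($k.Name)]"
        foreach ($name in $k.GetValueNames()) {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            Write-Host ("    {0} = {1}" -f $label, $k.GetValue($name))
        }
    }
}

# 1. Directory remnants, with SHA256 so any leftover binary can be looked up later.
Write-Host "== :dir $dirPath"
if (Test-Path -LiteralPath $dirPath) {
    Get-ChildItem -LiteralPath $dirPath -Recurse -Force -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
        Format-Table -AutoSize
} else {
    Write-Host "  not present"
}

# 2. Registry remnants (-LiteralPath so the '?' is not treated as a wildcard).
foreach ($rp in $regPaths) {
    Write-Host "== :reg $rp"
    if (Test-Path -LiteralPath $rp) { Show-RegKey -Path $rp } else { Write-Host "  not present" }
}

# 3. Autostart values that invoke a script host, or whose value name is not plain ASCII.
Write-Host "== Run/RunOnce values referencing powershell/mshta/rundll32 or with non-ASCII names"
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $k = Get-Item -LiteralPath $rk
    foreach ($name in $k.GetValueNames()) {
        $val = [string]$k.GetValue($name)
        $odd = $name -match '[^\x20-\x7E]'
        if ($val -match 'powershell|mshta|rundll32' -or $odd) {
            $flag = if ($odd) { '   <- non-ASCII value name' } else { '' }
            Write-Host ("  {0}\{1} = {2}{3}" -f $k.Name, $name, $val, $flag)
        }
    }
}
```

Paste the output into the reply the same way the SystemLook results are pasted; a "not present" line for the directory and both key spellings is the result that confirms the remnants are gone.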




