Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Strange outgoing traffic from svchost.exe(netsvcs), possible infection


  • This topic is locked This topic is locked
44 replies to this topic

#1 HairyApricot

HairyApricot

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 10 December 2016 - 01:39 PM

I made this post: https://www.bleepingcomputer.com/forums/t/634268/strange-outgoing-traffic-from-svchostexenetsvcs/#entry4136314 in networking, and the only reply said malware. Still not sure about that, and I am not going to run combofix so readily.

 

To outline the issue. I usually update my PC every few weeks or so, keeping windows update and the like disabled until I need them. I got it to check for updates, and netsvcs made connections. One was to an IP microsoft own, so that is normal, as it was updates I was checking for. However the other one was to mail.FGSfurnishings.co.uk. Now this seems very unusual to me, and I haven't seen it do this before. I believe it was the BITS that made this connection, as the other connection was a Microsoft server.

 

I am on windows 7 64-bit. I ran full scans with Malwarebytes and Avast and nothing has came up. No strange programs are on startup, nor are there any new tasks or services.

 

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by Apricot (administrator) on THATCOMPUTER (10-12-2016 18:24:35)
Running from C:\Users\Apricot\Downloads
Loaded Profiles: Apricot (Available Profiles: Apricot & DefaultAppPool)
Platform: Windows 7 Professional N Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Audition CC 2015\Adobe Audition CC.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Audition CC 2015\32\dynamiclinkmanager.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Audition CC 2015\32\Adobe QT32 Server.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MBCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\MBCfg64.dll,RunDLLEntry MBCfg64
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9083840 2016-10-22] (AVAST Software)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-02-21] (Intel Corporation)
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-10-22] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{05A38786-1F62-4F92-8173-D22E437F635D}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{3A65B9BC-ADC6-43D5-9E84-DFFA3F2F58CB}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension.15@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat DC - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Browser\WCFirefoxExtn [2016-07-10]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2016-08-24] (Adobe Systems)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-11-03] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-03-03] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Air\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2016-08-24] (Adobe Systems)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.885\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.75\PepperFlash\pepflashplayer.dll => No File
CHR Profile: C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default [2016-12-10]
CHR Extension: (uBlock Origin) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-12-05]
CHR Extension: (Do Not Track) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckdcpbflcbeillmamogkpmdhnbeggfja [2015-01-04]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-12-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Privacy Badger) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkehgijcmpdhfbdbbnkijodmdjhbjlgp [2016-11-04]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [744640 2016-08-24] (Adobe Systems Incorporated)
S3 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2207960 2016-09-26] (Adobe Systems, Incorporated)
R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [121856 2016-11-08] (Advanced Micro Devices) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-10-22] (AVAST Software)
R3 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)
S4 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2015-01-04] (Creative Labs) [File not signed]
S4 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2015-01-04] (Creative Labs) [File not signed]
S4 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [406016 2011-09-14] (Creative Technology Ltd) [File not signed]
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.0\App Certification Kit\fussvc.exe [139776 2012-07-25] (Microsoft Corporation) [File not signed]
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [245312 2016-06-18] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6211648 2016-06-18] (GOG.com)
S4 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [126976 2012-07-25] (Microsoft Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpksd; C:\Windows\system32\drivers\amdacpksd.sys [305544 2016-11-08] (Advanced Micro Devices)
S3 arusb_win7x; C:\Windows\System32\DRIVERS\arusb_win7x.sys [769024 2010-02-23] (Atheros Communications, Inc.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-10-22] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-10-22] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-10-22] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-10-22] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969184 2016-10-22] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513632 2016-10-22] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-10-22] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2016-10-22] (AVAST Software)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-04-11] (Intel Corporation)
R2 IntelHaxm; C:\Windows\System32\DRIVERS\IntelHaxm.sys [84992 2014-11-18] (Intel  Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-06-22] (Corel Corporation)
R3 RTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [926824 2014-04-08] (Realtek Semiconductor Corporation                           )
S3 VSPerfDrv110; C:\Program Files (x86)\Microsoft Visual Studio 11.0\Team Tools\Performance Tools\x64\VSPerfDrv110.sys [70264 2012-07-13] (Microsoft Corporation)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-10 18:23 - 2016-12-10 18:24 - 00000000 ____D C:\FRST
2016-12-09 10:04 - 2016-12-09 10:04 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2016-12-09 10:04 - 2016-12-09 10:04 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2016-12-09 10:04 - 2016-12-09 10:04 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2016-12-09 10:04 - 2016-12-09 10:04 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-09 10:03 - 2016-12-09 10:03 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-09 10:03 - 2016-12-09 10:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-09 10:03 - 2016-12-09 10:03 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-09 10:03 - 2016-11-29 06:27 - 00077408 _____ C:\Windows\system32\Drivers\mbae64.sys
2016-12-09 10:02 - 2016-12-09 10:03 - 51969976 _____ (Malwarebytes ) C:\Users\Apricot\Downloads\mb3-setup-consumer-3.0.4.1269.exe
2016-12-04 15:19 - 2016-12-04 15:19 - 00006341 _____ C:\Users\Apricot\AppData\Local\recently-used.xbel
2016-12-04 11:58 - 2016-12-04 11:58 - 00003512 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-THATCOMPUTER-Apricot
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-10 18:24 - 2016-06-15 16:40 - 00013328 _____ C:\Users\Apricot\Downloads\FRST.txt
2016-12-10 18:21 - 2016-06-11 16:33 - 02420224 _____ (Farbar) C:\Users\Apricot\Downloads\FRST64.exe
2016-12-10 18:13 - 2009-07-14 05:12 - 00863968 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-10 18:13 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\inf
2016-12-10 18:11 - 2016-10-20 15:59 - 00000000 ____D C:\Users\Public\Documents\AdobeGC
2016-12-10 18:10 - 2015-01-04 21:56 - 00007628 _____ C:\Users\Apricot\AppData\Local\Resmon.ResmonCfg
2016-12-10 17:50 - 2015-01-04 21:40 - 00000000 ____D C:\Users\Apricot\AppData\Local\Adobe
2016-12-10 17:47 - 2009-07-14 04:50 - 00020336 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-10 17:47 - 2009-07-14 04:50 - 00020336 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-10 17:40 - 2015-01-26 15:41 - 00000091 _____ C:\HaxLogs.txt
2016-12-10 17:40 - 2009-07-14 05:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-09 12:34 - 2015-01-04 19:09 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2016-12-09 11:13 - 2015-01-04 20:31 - 00000000 ____D C:\Users\Apricot\AppData\Roaming\Audacity
2016-12-09 10:04 - 2016-03-19 13:22 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-09 10:03 - 2015-01-04 20:28 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-08 19:59 - 2015-01-04 16:54 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-08 19:59 - 2015-01-04 16:54 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-12-08 17:29 - 2015-01-04 20:15 - 00000000 ____D C:\Program Files (x86)\Steam
2016-12-04 15:19 - 2015-01-10 20:27 - 00000000 ____D C:\Users\Apricot\AppData\Local\gtk-2.0
2016-12-04 15:19 - 2015-01-10 20:25 - 00000000 ____D C:\Users\Apricot\.gimp-2.8
2016-12-04 15:14 - 2015-01-04 20:46 - 00000000 ____D C:\Users\Apricot\AppData\Roaming\vlc
2016-12-04 13:55 - 2015-01-07 16:10 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-11-23 20:43 - 2015-08-27 20:33 - 00000000 ____D C:\Users\Apricot\Documents\Outlook Files
2016-11-17 10:24 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\rescache
2016-11-11 12:28 - 2015-09-03 19:39 - 00000000 ____D C:\Users\Apricot\AppData\Local\AMD
2016-11-11 12:24 - 2016-02-17 21:52 - 00004224 _____ C:\Windows\System32\Tasks\AMD Updater
2016-11-11 12:23 - 2016-10-26 13:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Settings
2016-11-11 12:23 - 2015-01-04 22:49 - 00000000 ____D C:\Program Files\AMD
2016-11-11 12:15 - 2015-01-04 19:06 - 00000000 ____D C:\AMD
 
==================== Files in the root of some directories =======
 
2016-12-04 15:19 - 2016-12-04 15:19 - 0006341 _____ () C:\Users\Apricot\AppData\Local\recently-used.xbel
2015-01-04 21:56 - 2016-12-10 18:10 - 0007628 _____ () C:\Users\Apricot\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-04 16:17
 
==================== End of FRST.txt ============================

 

 

Any help is greatly appreciated, thankyou  :)



BC AdBot (Login to Remove)

 


#2 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 10 December 2016 - 01:43 PM

Addition.txt:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Apricot (10-12-2016 18:25:01)
Running from C:\Users\Apricot\Downloads
Windows 7 Professional N Service Pack 1 (X64) (2015-01-04 16:43:54)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2976423211-1815451802-357841541-500 - Administrator - Disabled)
Apricot (S-1-5-21-2976423211-1815451802-357841541-1000 - Administrator - Enabled) => C:\Users\Apricot
Guest (S-1-5-21-2976423211-1815451802-357841541-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ACP Application (Version: 2016.1108.1439.07 - Advanced Micro Devices, Inc.) Hidden
Adobe Acrobat DC (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-0C0F074E4100}) (Version: 15.020.20039 - Adobe Systems Incorporated)
Adobe Audition CC 2015 (HKLM-x32\...\{839A3566-AED6-4787-A849-5CBE2B1DC6AE}) (Version: 8.0 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.8.0.310 - Adobe Systems Incorporated)
Adobe Media Encoder CC 2015.3 (HKLM-x32\...\AME_10_4_0) (Version: 10.4.0 - Adobe Systems Incorporated)
Adobe Photoshop CC 2015 (HKLM-x32\...\{793C2BF7-A4FE-4608-91C9-9282C5801C21}) (Version: 16.1 - Adobe Systems Incorporated)
Adobe Premiere Pro CC 2015 (HKLM-x32\...\{38C72D42-0672-43B1-9E05-E7631684F9A1}) (Version: 9.0.0 - Adobe Systems Incorporated)
Adobe Premiere Pro CC 2015.3 (HKLM-x32\...\PPRO_10_4_0) (Version: 10.4.0 - Adobe Systems Incorporated)
Alternative Look for Yennefer (HKLM-x32\...\Alternative Look for Yennefer_is1) (Version: 1.0.0.0 - GOG.com)
AMD Install Manager (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.4 - Advanced Micro Devices, Inc.)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 12.3.2280 - AVAST Software)
Beard and Hairstyle Set (HKLM-x32\...\Beard and Hairstyle Set_is1) (Version: 1.0.0.0 - GOG.com)
BioShock Infinite (HKLM-x32\...\Steam App 8870) (Version:  - Irrational Games)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Blend for Visual Studio 2012 (x32 Version: 5.0.30709.0 - Microsoft Corporation) Hidden
Blend for Visual Studio 2012 ENU resources (x32 Version: 5.0.30709.0 - Microsoft Corporation) Hidden
Catalyst Control Center Next Localization BR (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.1108.1446.26563 - Advanced Micro Devices, Inc.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.17 - Piriform)
DARK SOULS III (HKLM\...\Steam App 374320) (Version:  - FromSoftware, Inc.)
Dishonored (HKLM-x32\...\Steam App 205100) (Version: 1.0 - Bethesda Softworks)
Dishonored 2 (HKLM\...\Steam App 403640) (Version:  - Arkane Studios)
DOOM (HKLM\...\Steam App 379720) (Version:  - id Software)
Dotfuscator and Analytics Community Edition (x32 Version: 5.5.4521.29298 - PreEmptive Solutions) Hidden
Dxtory version 2.0.126 (HKLM-x32\...\Dxtory2.0_is1) (Version: 2.0.126 - ExKode Co. Ltd.)
Elgato Game Capture HD (HKLM-x32\...\{BE184330-F4FA-439D-9FBC-6A621D069668}) (Version: 2.10.64.871 - Elgato Systems GmbH)
Entity Framework Designer for Visual Studio 2012 - enu (HKLM-x32\...\{0A1A1D48-DB23-443A-BC7B-49255D138020}) (Version: 11.1.20702.00 - Microsoft Corporation)
F.E.A.R. 3 (HKLM-x32\...\Steam App 21100) (Version:  - Day 1 Studios)
Fallout 3 - Game of the Year Edition (HKLM-x32\...\Steam App 22370) (Version:  - Bethesda Game Studios)
Fallout 4 (HKLM-x32\...\Steam App 377160) (Version:  - Bethesda Game Studios)
Fallout: New Vegas (HKLM-x32\...\Steam App 22380) (Version:  - Obsidian Entertainment)
Game Capture HD v2.3.3.38 (HKLM-x32\...\Software_Elgato_Game Capture HD) (Version: 2.3.3.38 - Elgato Systems)
Game Capture HD60 v2.1.1.3 (HKLM-x32\...\Software_Elgato_Game Capture HD60) (Version: 2.1.1.3 - Elgato Systems)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
GOG Galaxy (HKLM-x32\...\{7258BA11-600C-430E-A759-27E2C691A335}_is1) (Version:  - GOG.com)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 55.0.2883.75 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
Hyper Light Drifter (HKLM\...\Steam App 257850) (Version:  - Heart Machine)
IIS 8.0 Express (HKLM\...\{7BF61FA9-BDFB-4563-98AD-FCB0DA28CCC7}) (Version: 8.0.1557 - Microsoft Corporation)
IIS Express Application Compatibility Database for x64 (HKLM\...\{9f4f4a9b-eec5-4906-92fe-d1f43ccf5c8d}.sdb) (Version:  - )
IIS Express Application Compatibility Database for x86 (HKLM\...\{fdfba1f3-74ae-4255-9c10-a0f552b4610f}.sdb) (Version:  - )
Intel® Chipset Device Software (x32 Version: 10.0.13 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1204 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4264 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 3.0.0.16 - Intel Corporation)
Intel® Hardware Accelerated Execution Manager (HKLM\...\{ECCB31F5-435D-4F37-A98D-5854D3C62718}) (Version: 1.1.1 - Intel Corporation)
Lagarith Lossless Codec (1.3.27) (HKLM-x32\...\{F59AC46C-10C3-4023-882C-4212A92283B3}_is1) (Version:  - )
LocalESPC (x32 Version: 8.59.25584 - Microsoft Corporation) Hidden
LocalESPCui for en-us (x32 Version: 8.59.25584 - Microsoft) Hidden
Malwarebytes version 3.0.4.1269 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.4.1269 - Malwarebytes)
Matrox VFW Software Codecs, build 2.0.0.11381  (HKLM\...\Matrox VFW Software Codecs) (Version:  - Matrox Electronic Systems)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM-x32\...\{5CBFF3F3-2D40-34EE-BCA5-A95BC19E400D}) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5 SDK (HKLM-x32\...\{1948E039-EC79-4591-951D-9867A8C14C90}) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft ASP.NET MVC 3 (HKLM-x32\...\{DCDEC776-BADD-48B9-8F9A-DFF513C3D7FA}) (Version: 3.0.20105.0 - Microsoft Corporation)
Microsoft ASP.NET Web Pages (HKLM-x32\...\{631471BE-DEAB-454B-A9AC-CE3EB42C28B3}) (Version: 1.0.20105.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{59E4543A-D49D-4489-B445-473D763C79AF}) (Version: 2.0.672.0 - Microsoft Corporation)
Microsoft Help Viewer 2.0 (HKLM-x32\...\Microsoft Help Viewer 2.0) (Version: 2.0.50727 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4815.1001 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.10411.0 - Microsoft Corporation)
Microsoft Silverlight 4 SDK (HKLM-x32\...\{189AEA94-DAFB-487A-8CEE-F9D3DDE0A748}) (Version: 4.0.60310.0 - Microsoft Corporation)
Microsoft Silverlight 5 SDK (HKLM-x32\...\{E1FBB3D4-ADB0-4949-B101-855DA061C735}) (Version: 5.0.61118.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Command Line Utilities  (HKLM\...\{9D573E71-1077-4C7E-B4DB-4E22A5D2B48B}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM\...\{36E619BC-A234-4EC3-849B-779A7C865A45}) (Version: 11.0.2316.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM-x32\...\{FBA6F90E-36EC-4FC9-9B25-3834E3BD46A8}) (Version: 11.0.2316.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Express LocalDB  (HKLM\...\{13D558FE-A863-402C-B115-160007277033}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (HKLM-x32\...\{DA1C1761-5F4F-4332-AB9D-29EDF3F8EA0A}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (x64) (HKLM\...\{FA0A244E-F3C2-4589-B42A-3D522DE79A42}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{49D665A2-4C2A-476E-9AB8-FCC425F526FC}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL Compiler Service  (HKLM\...\{BEB0F91E-F2EA-48A1-B938-7857ABF2A93D}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{0E8670B8-3965-4930-ADA6-570348B67153}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service  (HKLM-x32\...\{6D6D43E5-218C-4B05-92D3-2240810F4760}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (11.1.20627.00) (HKLM-x32\...\{FA804794-2CCB-4301-954F-2C2894698876}) (Version: 11.1.20627.00 - Microsoft Corporation)
Microsoft SQL Server Data Tools Build Utilities - enu (11.1.20627.00) (HKLM-x32\...\{790E9425-8570-493F-9AE7-81AFC9E46930}) (Version: 11.1.20627.00 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (x64) (HKLM\...\{4701DEDE-1888-49E0-BAE5-857875924CA2}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{E2082604-4BA5-44BB-BBFB-AF0F3CB8C6AB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{F1949145-EB64-4DE7-9D81-E6D27937146C}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 (HKLM-x32\...\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 (HKLM-x32\...\{2e085fd2-a3e4-4b39-8e10-6b8d35f55244}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.31125 - Microsoft Corporation)
Microsoft Visual Studio Professional 2012 (HKLM-x32\...\{20fc1ec7-3058-48d4-80f8-e1cfd52391c7}) (Version: 11.0.50727.26 - Microsoft Corporation)
Microsoft Web Deploy 3.0 (HKLM\...\{AA72C306-30BE-4BB1-9E42-59552BAD2CDF}) (Version: 3.1236.1631 - Microsoft Corporation)
Microsoft Web Deploy dbSqlPackage Provider - enu (HKLM-x32\...\{E4C33F5B-1B2F-466E-957E-B274F08151A0}) (Version: 10.3.20225.0 - Microsoft Corporation)
Microsoft Web Platform Installer 4.0 (HKLM\...\{E2B8249D-895C-4685-8C83-00F3B1A13028}) (Version: 4.0.1622 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
New Quest - Contract Missing Miners (HKLM-x32\...\New Quest - Contract Missing Miners_is1) (Version: 1.0.0.0 - GOG.com)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.3 - Notepad++ Team)
NVIDIA PhysX (HKLM-x32\...\{46ED2B64-85C7-4E1F-920C-A555B21F2E4C}) (Version: 9.11.1111 - NVIDIA Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 0.15.4 - OBS Project)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Portal (HKLM-x32\...\Steam App 400) (Version:  - Valve)
Portal 2 (HKLM-x32\...\Steam App 620) (Version:  - Valve)
PreEmptive Analytics Visual Studio Components (x32 Version: 1.0.2180.1 - PreEmptive Solutions) Hidden
Prerequisites for SSDT  (HKLM-x32\...\{9169C939-ED01-446A-BD0C-29873BAF4E48}) (Version: 11.0.2100.60 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7256 - Realtek Semiconductor Corp.)
SHENZHEN I/O (HKLM\...\Steam App 504210) (Version:  - Zachtronics)
Sound Blaster X-Fi MB3 (HKLM-x32\...\{3689CE39-3173-4952-B7AF-F1A9D6F9A288}) (Version: 1.00.03 - Creative Technology Limited)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Temerian Armor Set (HKLM-x32\...\Temerian Armor Set_is1) (Version: 1.0.0.0 - GOG.com)
The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version:  - Bethesda Game Studios)
The Witcher 3 - Wild Hunt (HKLM-x32\...\1207664643_is1) (Version: 1.0.6.0 - GOG.com)
TP-LINK TL-WN821N©_TL-WN822N_TL-WN823N Driver (HKLM-x32\...\{852E893E-E4FD-45BB-8B17-72ADDF686974}) (Version: 1.3.1 - TP-LINK)
Undertale (HKLM-x32\...\Steam App 391540) (Version:  - tobyfox)
Update for  (KB2504637) (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0-2) (Version: 1.0.26.0 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.26.0 (Version: 1.0.26.0 - LunarG, Inc.) Hidden
WCF Data Services 5.0 (for OData v3) Primary Components (x32 Version: 5.0.50628.0 - Microsoft Corporation) Hidden
WCF Data Services Tools for Microsoft Visual Studio 2012 (x32 Version: 5.0.50710.0 - Microsoft Corporation) Hidden
WCF RIA Services V1.0 SP2 (HKLM-x32\...\{3A523AF9-D32F-4C85-8388-0335731F3405}) (Version: 4.1.61829.0 - Microsoft Corporation)
WhoCrashed 5.03 (HKLM\...\WhoCrashed_is1) (Version:  - Resplendence Software Projects Sp.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2976423211-1815451802-357841541-1000_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {060C4E3E-8B93-4E83-8004-948B4AD3E63C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-28] (Microsoft Corporation)
Task: {2400F326-A83A-4CA5-9D73-3CF640E415AC} - System32\Tasks\AdobeAAMUpdater-1.0-Hairy-Apricot => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2016-07-01] (Adobe Systems Incorporated)
Task: {5624929B-BB5F-4AB7-A8DC-8F42139016CC} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-28] (Microsoft Corporation)
Task: {5681E3BC-CCA2-4659-AFC5-FBE46C976729} - System32\Tasks\AMD Updater => C:\Program Files\AMD\CIM\\Bin64\InstallManagerApp.exe [2016-11-08] (Advanced Micro Devices, Inc.)
Task: {832CA505-DB04-4991-BC1B-9B1926AEA987} - System32\Tasks\AdobeAAMUpdater-1.0-THATCOMPUTER-Apricot => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2016-07-01] (Adobe Systems Incorporated)
Task: {AF9FF0DB-1C47-4A67-A639-A5D1ACD2AC6C} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {BFBB0EC3-6B0E-4D26-9385-A88189F71ABD} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-16] (Adobe Systems Incorporated)
Task: {EC3C55AF-96BB-4686-8A24-AF36BF31FE97} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {FC0A3372-690F-44E9-ADFB-EF8FEB8956D0} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2016-03-16] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-10-28 18:12 - 2015-09-01 16:04 - 08901184 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2015-01-04 17:07 - 2013-01-25 11:08 - 00089600 _____ () C:\Windows\SYSTEM32\CmdRtr64.DLL
2015-01-04 17:07 - 2013-01-25 11:06 - 00328704 _____ () C:\Windows\SYSTEM32\APOMgr64.DLL
2015-03-03 16:30 - 2015-10-13 04:34 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2015-05-26 11:51 - 2015-05-26 11:51 - 03499008 _____ () C:\Program Files\Adobe\Adobe Audition CC 2015\DNxHDCodec.dll
2016-10-22 09:27 - 2016-10-22 09:27 - 00169064 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-12-10 17:41 - 2016-12-10 17:41 - 03067904 _____ () C:\Program Files\AVAST Software\Avast\defs\16120901\algo.dll
2016-10-22 09:27 - 2016-10-22 09:27 - 00482928 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-10-22 09:27 - 2016-10-22 09:27 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2015-10-28 18:12 - 2015-09-01 12:25 - 08901184 _____ () C:\Program Files\Microsoft Office 15\root\Office15\1033\GrooveIntlResource.dll
2016-09-07 12:00 - 2016-09-06 11:00 - 05197312 _____ () C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\SwiftShader\3.3.0.1\libglesv2.dll
2016-09-07 12:00 - 2016-09-06 11:00 - 00147456 _____ () C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\SwiftShader\3.3.0.1\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\31289661.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\31289661.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-2976423211-1815451802-357841541-1000\...\sharepoint.com -> hxxps://qubstudentcloud.sharepoint.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 02:34 - 2009-06-10 21:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2976423211-1815451802-357841541-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Apricot\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeUpdateService => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: Creative ALchemy AL6 Licensing Service => 3
MSCONFIG\Services: Creative Audio Engine Licensing Service => 3
MSCONFIG\Services: CTAudSvcService => 3
MSCONFIG\Services: GalaxyClientService => 3
MSCONFIG\Services: GalaxyCommunication => 3
MSCONFIG\Services: gupdate => 3
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: IAStorDataMgrSvc => 2
MSCONFIG\Services: igfxCUIService1.0.0.0 => 3
MSCONFIG\Services: RzWizardService => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Killer Network Manager.lnk => C:\Windows\pss\Killer Network Manager.lnk.CommonStartup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe Acrobat Synchronizer => "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Creative Cloud => "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: Dxtory Update Checker 2.0 => C:\Program Files (x86)\ExKode\Dxtory2.0\UpdateChecker.exe
MSCONFIG\startupreg: GalaxyClient => 
MSCONFIG\startupreg: Raptr => "C:\Program Files (x86)\Raptr\raptrstub.exe" --startup
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: RzWizard => C:\Program Files (x86)\Razer\RzWizard\RzWizard.exe
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: Sound Blaster X-Fi MB 3 => "C:\Program Files (x86)\Creative\Sound Blaster X-Fi MB3\Sound Blaster X-Fi MB3\SBXFIMB3.exe" /r
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
MSCONFIG\startupreg: StartCN => "C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe" atlogon
MSCONFIG\startupreg: UpdReg => C:\Windows\UpdReg.EXE
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{7F27600A-A4C4-4D58-9D00-B368F0B33634}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{8C7A04CF-6A37-4935-B882-56EDCC17EEAB}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{71D642AA-4E80-4744-A8DD-2A5ACB28BA0A}] => C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{A19655D6-4F03-46F1-9226-019FC8FA333D}] => C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{91DB82A9-25C9-4B55-8526-ECAAC06DCBF6}] => C:\Program Files (x86)\Steam\steamapps\common\Skyrim\SkyrimLauncher.exe
FirewallRules: [{55378C91-6C4B-4E85-9CA4-BFA31DD3ECB6}] => C:\Program Files (x86)\Steam\steamapps\common\Skyrim\SkyrimLauncher.exe
FirewallRules: [{6A161F3E-7880-4311-B15A-B8193319157C}] => C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{6F29D556-4E19-4E96-833A-2F3DF98ACD35}] => C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{F5B2237D-60C5-425E-AC9D-18679AA07FD9}] => C:\Program Files (x86)\Steam\steamapps\common\Fallout 3 goty\FalloutLauncher.exe
FirewallRules: [{F3F90EC4-2CDE-41A3-9AFA-7DF904DA1DC9}] => C:\Program Files (x86)\Steam\steamapps\common\Fallout 3 goty\FalloutLauncher.exe
FirewallRules: [{D9370DB5-2696-42C5-BC97-E9026A986506}] => C:\Program Files (x86)\Steam\steamapps\common\Portal 2\portal2.exe
FirewallRules: [{0AD95419-B843-4C5C-9575-D2773D65D6E7}] => C:\Program Files (x86)\Steam\steamapps\common\Portal 2\portal2.exe
FirewallRules: [{E31C3393-F40C-422D-B090-3D5D40A52986}] => C:\Program Files (x86)\Steam\steamapps\common\Portal\hl2.exe
FirewallRules: [{760B06BF-46FC-4A07-8942-6B92594A972A}] => C:\Program Files (x86)\Steam\steamapps\common\Portal\hl2.exe
FirewallRules: [{25370342-0BE2-4ABB-91FC-D99CF971C4FD}] => C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\devenv.exe
FirewallRules: [{A6D28DAC-4F9E-46AD-A3AE-3180A17FEBB7}] => C:\Program Files (x86)\Steam\steamapps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe
FirewallRules: [{FFD043AF-CBB8-43D6-A832-1652CB29C6BD}] => C:\Program Files (x86)\Steam\steamapps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe
FirewallRules: [{71083E46-92FD-43B8-8472-69E2E44B7FB2}] => C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [TCP Query User{170D81C3-BE21-4542-8ED5-982F1F21407B}C:\users\Apricot\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe] => C:\users\Apricot\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe
FirewallRules: [UDP Query User{452FE1D6-9EBC-4CD8-8F25-C326C2380290}C:\users\Apricot\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe] => C:\users\Apricot\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe
FirewallRules: [{4C7C0C4E-C4EA-4636-A29E-FD55D1F63A9E}] => C:\Program Files (x86)\Steam\steamapps\common\F.E.A.R. 3\F.E.A.R. 3.exe
FirewallRules: [{3DD72C96-1820-4956-ABC3-ABEAF09B268C}] => C:\Program Files (x86)\Steam\steamapps\common\F.E.A.R. 3\F.E.A.R. 3.exe
FirewallRules: [TCP Query User{13F44B19-FADD-4917-AC4B-24C374183626}C:\users\Apricot\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\Apricot\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{0D6CC184-05B6-4D60-A9FF-669D6573E67E}C:\users\Apricot\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\Apricot\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [{ED44E0F5-455E-45AA-890E-B52BE7B8A6FE}] => E:\SteamLibrary\steamapps\common\Fallout 4\Fallout4Launcher.exe
FirewallRules: [{E5F185D2-66D2-4826-A4A3-5EE26785DE25}] => E:\SteamLibrary\steamapps\common\Fallout 4\Fallout4Launcher.exe
FirewallRules: [{B78BF348-11B1-4E1E-B297-5F752BEBE2A7}] => C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{653B8535-B69D-4176-8E74-2E253BD82AEC}] => C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{E93333D7-DAB6-4647-9158-2C33C1F5BEE6}] => C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{30AEF147-EA88-46EA-8B40-031AC07E61FF}] => C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{DEC54F7F-C313-4FB7-BB5D-4F70307F0D86}] => E:\SteamLibrary\steamapps\common\Undertale\UNDERTALE.exe
FirewallRules: [{05E56975-2B15-41B9-A424-B4CD68053583}] => E:\SteamLibrary\steamapps\common\Undertale\UNDERTALE.exe
FirewallRules: [{CC00B484-A4BD-4B2E-8C0D-116CE6FFBBA2}] => C:\Windows\explorer.exe
FirewallRules: [{F7236924-C0DD-4E6A-9ED0-734DCCF5A43E}] => C:\Program Files (x86)\Steam\steamapps\common\HyperLightDrifter\HyperLightDrifter.exe
FirewallRules: [{54713672-BB5B-4630-A5C3-A7A24A6C3255}] => C:\Program Files (x86)\Steam\steamapps\common\HyperLightDrifter\HyperLightDrifter.exe
FirewallRules: [{23605C17-633A-4E7A-9A81-C2ECE234021C}] => %ProgramFiles% (x86)\ExKode\Dxtory2.0\Dxtory.exe
FirewallRules: [{A3CD5B15-2A83-4477-B94E-FA7DD6959D5E}] => %ProgramFiles% (x86)\ExKode\Dxtory2.0\Dxtory64.exe
FirewallRules: [{63964C9E-3589-4DB9-B0D2-C39672232917}] => %SystemRoot%\System32\DeviceDisplayObjectProvider.exe
FirewallRules: [{2E53B0AB-776B-4706-BB05-6A53FEE812C3}] => E:\SteamLibrary\steamapps\common\DOOM\DOOMx64.exe
FirewallRules: [{272855A6-EAA8-45F6-A53F-B7F4B1B26987}] => E:\SteamLibrary\steamapps\common\DOOM\DOOMx64.exe
FirewallRules: [{2642DDA6-B596-4F25-8A6A-C340ADBC512B}] => C:\Program Files (x86)\Steam\steamapps\common\SHENZHEN IO\Shenzhen.exe
FirewallRules: [{53BEAF28-9E42-4A9B-A529-8A3738483F19}] => C:\Program Files (x86)\Steam\steamapps\common\SHENZHEN IO\Shenzhen.exe
FirewallRules: [{1972049E-0D81-46D4-BA4C-A536CE5488CB}] => E:\SteamLibrary\steamapps\common\Dishonored\Binaries\Win32\Dishonored.exe
FirewallRules: [{0C684375-8BFC-4D1A-AD8D-DC3AB39FD9D2}] => E:\SteamLibrary\steamapps\common\Dishonored\Binaries\Win32\Dishonored.exe
FirewallRules: [{FD8CE73E-B5C0-485C-B072-D31377846F67}] => E:\SteamLibrary\steamapps\common\Dishonored2\Dishonored2.exe
FirewallRules: [{BF2345E0-507C-4F15-9703-B5205031794D}] => E:\SteamLibrary\steamapps\common\Dishonored2\Dishonored2.exe
FirewallRules: [{7A189740-6A04-4067-994D-B9BE9271F2DD}] => E:\SteamLibrary\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe
FirewallRules: [{C819622B-4B62-4653-B4EE-D3593E3E172E}] => E:\SteamLibrary\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe
FirewallRules: [{A09351CA-7596-49DF-8435-98EC019F8C6B}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
10-07-2016 19:30:35 Windows Modules Installer
11-07-2016 11:35:41 Installed DirectX
19-07-2016 12:10:38 Windows Modules Installer
28-07-2016 12:28:28 Windows Backup
29-07-2016 14:58:51 Windows Update
12-08-2016 15:19:13 Scheduled Checkpoint
15-08-2016 18:45:52 Installed TP-LINK Wireless Configuration Utility and Driver
23-08-2016 11:40:30 Windows Update
27-08-2016 18:02:00 Removed Skype™ 7.8
11-09-2016 11:03:07 Windows Update
12-10-2016 10:53:25 Windows Backup
19-10-2016 20:09:50 Windows Update
09-11-2016 11:55:51 Windows Update
09-11-2016 12:01:51 Windows Update
11-11-2016 12:20:17 Device Driver Package Install: Advanced Micro Devices, Inc. Display adapters
26-11-2016 18:43:39 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices =============
 
Name: Microsoft Virtual WiFi Miniport Adapter #2
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Ethernet Controller
Description: Ethernet Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/01/2016 07:06:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/30/2016 10:31:05 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/26/2016 02:51:20 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/23/2016 05:53:55 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/20/2016 02:51:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/19/2016 11:07:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/18/2016 10:17:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/16/2016 10:08:33 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/14/2016 07:52:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/13/2016 09:22:37 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
 
System errors:
=============
Error: (12/10/2016 05:40:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The VBoxAsw Support Driver service failed to start due to the following error: 
The system cannot find the path specified.
 
Error: (12/10/2016 05:40:03 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.
 
Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126
 
Error: (12/09/2016 09:47:12 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The VBoxAsw Support Driver service failed to start due to the following error: 
The system cannot find the path specified.
 
Error: (12/09/2016 09:46:40 AM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.
 
Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126
 
Error: (12/08/2016 07:52:10 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (12/08/2016 03:35:13 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The VBoxAsw Support Driver service failed to start due to the following error: 
The system cannot find the path specified.
 
Error: (12/08/2016 03:35:04 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.
 
Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126
 
Error: (12/07/2016 05:45:02 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD External Events Utility service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (12/07/2016 05:39:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The VBoxAsw Support Driver service failed to start due to the following error: 
The system cannot find the path specified.
 
Error: (12/07/2016 05:39:13 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.
 
Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126
 
 
CodeIntegrity:
===================================
  Date: 2015-11-07 16:40:13.303
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.299
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.295
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.284
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.278
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.274
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.058
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.054
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.050
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.040
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-4690K CPU @ 3.50GHz
Percentage of memory in use: 37%
Total physical RAM: 8077.24 MB
Available physical RAM: 5012.88 MB
Total Virtual: 16152.66 MB
Available Virtual: 13051.86 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:1862.79 GB) (Free:1614.44 GB) NTFS
Drive e: (Elements) (Fixed) (Total:931.48 GB) (Free:418.4 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: B61EB419)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:32 PM

Posted 11 December 2016 - 09:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.885\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.75\PepperFlash\pepflashplayer.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S3 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Reset Chrome...
Open Google Chrome, click on menu icon google-chrome-setting-icon.png which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.

#4 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 11 December 2016 - 02:53 PM

Hello Nasdaq, thank you for your help. I assume the fix file is meant to remove these entries so they no longer show up as errors. I ran one of these about six months ago. The avast virtual box one won't be removed. As for the rest of them, is there a reason you need me to remove them and then wipe chrome?

 

Thanks :)



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:32 PM

Posted 12 December 2016 - 08:38 AM

The fix is mostly a cleanup of registry items that are not required or empty.
A Restore point will be created i case anything goes wrong.

As for Chrome I'm only resetting the Default values.

Your Cache etc... will not be affected.

#6 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 12 December 2016 - 11:04 AM

But when I got to reset chrome it says all extension and cookies will be wiped?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:32 PM

Posted 12 December 2016 - 01:51 PM

Try this this for now.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#8 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 13 December 2016 - 08:27 AM

Here is the log file. Computer seems OK, rebooted fine:
 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Apricot on 13/12/2016 at 13:02:45.62.
Microsoft Windows 7 Professional N  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Apricot\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
13/12/2016 13:05:49 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Program Files\ATI Technologies deleted successfully
C:\Program Files\Epic Games deleted successfully
C:\Users\Apricot\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Apricot\AppData\Local\EmieSiteList deleted successfully
C:\Users\Apricot\AppData\Local\EmieUserList deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\Users\Apricot\.android deleted
C:\install.exe deleted
C:\PROGRA~3\Package Cache deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\SET7560.tmp deleted
C:\Windows\Syswow64\SETB982.tmp deleted
C:\Windows\Syswow64\SETBF15.tmp deleted
C:\Windows\Syswow64\SETC018.tmp deleted
C:\Windows\Syswow64\SETC0B6.tmp deleted
C:\Windows\Syswow64\SETC3EB.tmp deleted
C:\Windows\Syswow64\SETDC29.tmp deleted
C:\Windows\Syswow64\SETE054.tmp deleted
C:\Windows\Syswow64\SETE20B.tmp deleted
C:\Windows\Syswow64\tmp3745.tmp deleted
C:\Windows\Syswow64\tmp3821.tmp deleted
"C:\Users\Apricot\AppData\Roaming\PlaysTV\playstv.cfg" deleted
"C:\Users\Apricot\AppData\Roaming\PlaysTV" deleted
 
==== Orphaned Tasks deleted from Registry ======================
 
AdobeAAMUpdater-1.0 Fallback-THATCOMPUTER-Apricot deleted
AdobeAAMUpdater-1.0 Fallback-THATCOMPUTER-Apricot deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"web2pdfextension.15@web2pdf.adobedotcom"="C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Browser\WCFirefoxExtn" 
 
[10/07/2016 19:11]
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.86
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
efaidnbmnnnibpcajpcglclefindmkaj - No path found[]
gomekmidlodglbbmalcneegieacbdmki - No path found[]
 
uBlock₀ - Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm
Do Not Track - Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckdcpbflcbeillmamogkpmdhnbeggfja
Reddit Enhancement Suite - Apricot\AppData\Local\Google\Chrome\User Data\Default\Extensions
 
\kbmfpngjjgdllneeigpgjifpgocmfgmb
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}
 
&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-
 
SearchBox&FORM=IESR02
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Raptr deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 
 
emptied successfully
C:\Users\Apricot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 
 
emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Apricot\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=456 folders=423 1839586436 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\DefaultAppPool\AppData\Local\Temp emptied successfully
C:\Users\Apricot\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Apricot\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 13/12/2016 at 13:17:53.83 ======================


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:32 PM

Posted 13 December 2016 - 01:26 PM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#10 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 14 December 2016 - 10:35 AM

Are you saying all is well or asking me if it is? I am still confused as to why this connection happened from netsvcs in the first place,


Edited by HairyApricot, 14 December 2016 - 10:35 AM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:32 PM

Posted 14 December 2016 - 01:31 PM

Sorry, I do not know either.

#12 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 14 December 2016 - 03:02 PM

So what are my options now then? Is this malware or not, and how do I go about finding out? Would their be any other forum sections on this site that may know?



#13 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 15 December 2016 - 05:12 AM

So I just ran a scan with Malwarebytes. Came back and it was stuck on heuristics. Event viewer says it crashed and then restarted. Is this a known issue with MBAM 3.0? Thanks :)



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:32 PM

Posted 15 December 2016 - 09:31 AM



This can happen with any version of Malwarebytes.

Google this string.
Malwarebytes and heuristics

Boot to safe mode and run MBAM. Make sure you have the latest version.

Clean everything that is identified.

After a Startup of the computer run MBAM in normal mode.

Any luck?

#15 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 15 December 2016 - 03:50 PM

Running another scan now. Notice that while I do, gpsvs and sqlwriter seem to be taking up about 7% of the CPU each according to resource monitor. However, upon exiting, and starting it up again, they were back down to 0. Apologies if this sounds odd or paranoid, but I would like to confirm if my PC is clean.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users