
Windows live photos and hidden wild tangent games app


  • This topic is locked
17 replies to this topic

#1 pacha34 (Members, 43 posts)

Posted 19 December 2016 - 11:50 PM

Hi again

I just ran frst.exe and I can see straight away that there are loads of hidden entries for Windows Live Photo Gallery in several languages, which were not there before.

Also, in Windows Games a hidden app for WildTangent Games has appeared.

The computer has been freezing a lot but otherwise running not bad.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-12-2016
Ran by Frank (administrator) on FRANK-PC (20-12-2016 10:48:02)
Running from C:\Users\Frank\Desktop
Loaded Profiles: Frank (Available Profiles: Frank)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2588968 2010-11-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Power Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1831016 2011-08-02] (Acer Incorporated)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1103440 2011-07-01] (Dritek System Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-05-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AVG_TRAY] => "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [60136 2016-11-15] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [917576 2016-12-16] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-21-1637433389-394192189-160962988-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8641240 2016-02-13] (Piriform Ltd)
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 203.189.128.1 203.189.128.2 124.248.160.1
Tcpip\..\Interfaces\{0D0746BA-2739-4106-BC8D-90903D8FCEA8}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{64761325-686B-4B74-8973-77BE82251C4E}: [DhcpNameServer] 203.189.128.1 203.189.128.2 124.248.160.1

Internet Explorer:
==================
HKU\S-1-5-21-1637433389-394192189-160962988-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
HKU\S-1-5-21-1637433389-394192189-160962988-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://acer.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO-x32: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll => No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File

FireFox:
========
FF ProfilePath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558 [2016-12-20]
FF Homepage: Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558 -> hxxps://login.yahoo.com/?.src=ym&.intl=us&.lang=en-US&.done=https%3a//mail.yahoo.com
FF Extension: (Thumbnail Zoom Plus) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\thumbnailZoom@dadler.github.com.xpi [2016-12-16]
FF Extension: (1-Click YouTube Video Downloader) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\YoutubeDownloader@PeterOlayev.com.xpi [2016-10-01]
FF Extension: (Youtube Converter MP3) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{a3a5c777-f583-4fef-9380-ab4add1bc2a5}.xpi [2016-10-01]
FF Extension: (Download YouTube Videos as MP4) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi [2016-10-07]
FF Extension: (Video DownloadHelper) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-12-15]
FF Extension: (Adblock Plus) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-24]
FF HKLM-x32\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack => not found
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\McSiteAdvisor.xml [2014-03-12]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_186.dll [2016-12-14] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-14] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-14] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-14] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1637433389-394192189-160962988-1001: SkypePlugin -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\npGatewayNpapi.dll [2016-11-03] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-1637433389-394192189-160962988-1001: SkypePlugin64 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\npGatewayNpapi-x64.dll [2016-11-03] (Skype Technologies S.A.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1089592 2016-12-16] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [476736 2016-12-16] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [476736 2016-12-16] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1490296 2016-12-16] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [350528 2016-11-24] (Avira Operations GmbH & Co. KG)
R2 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-30] (Acer Incorporated)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [176464 2016-12-16] (Avira Operations GmbH & Co. KG)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-09-04] (AVG Technologies)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [148032 2016-12-16] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-10-17] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-10-17] (Avira Operations GmbH & Co. KG)
R0 avusbflt; C:\Windows\System32\Drivers\avusbflt.sys [35864 2016-12-16] (Avira Operations GmbH & Co. KG)
S3 pfc; C:\Windows\SysWOW64\drivers\pfc.sys [14604 2003-08-11] (Padus, Inc.) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-20 10:48 - 2016-12-20 10:50 - 00012120 _____ C:\Users\Frank\Desktop\FRST.txt
2016-12-20 10:47 - 2016-12-20 10:47 - 00000000 ____D C:\Users\Frank\Desktop\FRST-OlderVersion
2016-12-19 23:08 - 2016-12-19 23:08 - 00000167 _____ C:\Users\Frank\Documents\i-bog.txt
2016-12-19 21:52 - 2016-12-19 21:52 - 00000218 _____ C:\Users\Frank\AppData\Local\recently-used.xbel
2016-12-18 15:05 - 2016-12-18 15:05 - 00182308 _____ C:\Users\Frank\Documents\At Last! Natural Herpes Cure Discovered.htm
2016-12-18 15:05 - 2016-12-18 15:05 - 00000000 ____D C:\Users\Frank\Documents\At Last! Natural Herpes Cure Discovered_files
2016-12-18 15:03 - 2016-12-18 15:03 - 00035717 _____ C:\Users\Frank\Documents\Olive Leaf Side Effects.htm
2016-12-18 15:03 - 2016-12-18 15:03 - 00000000 ____D C:\Users\Frank\Documents\Olive Leaf Side Effects_files
2016-12-18 14:56 - 2016-12-18 14:56 - 00051672 _____ C:\Users\Frank\Documents\Olivus Inc. - Healthiest Olive Leaf Source.htm
2016-12-18 14:56 - 2016-12-18 14:56 - 00000000 ____D C:\Users\Frank\Documents\Olivus Inc. - Healthiest Olive Leaf Source_files
2016-12-17 18:47 - 2016-12-17 18:48 - 52772545 _____ C:\Users\Frank\Documents\PizzaGate This bleep is Wicked!!! 2645 will SHOCK you!!!.mp4
2016-12-15 14:20 - 2016-12-15 14:20 - 00000000 ____D C:\Users\Frank\dwhelper
2016-12-12 23:00 - 2016-12-12 23:00 - 00000000 ____D C:\Users\Frank\AppData\Local\{3EBE67E8-9F24-4C5F-90F3-17C2E55EE772}
2016-12-08 20:15 - 2016-12-08 20:15 - 00000833 _____ C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2016-12-08 20:15 - 2016-12-08 20:15 - 00000785 _____ C:\Users\Frank\Desktop\Start Tor Browser.lnk
2016-12-08 20:14 - 2016-12-08 20:15 - 00000000 ____D C:\Users\Frank\Desktop\Tor Browser
2016-12-08 11:28 - 2016-12-08 11:28 - 00000000 ____D C:\Users\Frank\AppData\Local\{35E63FC7-E7D5-4CDF-843D-8768993407E6}
2016-12-08 08:31 - 2016-12-08 08:31 - 00000336 _____ C:\Users\Frank\Documents\berrys bus march 4.txt
2016-12-08 08:26 - 2016-12-08 08:26 - 00000139 _____ C:\Users\Frank\Documents\bristol to bez.txt
2016-12-07 23:27 - 2016-12-07 23:27 - 00000000 ____D C:\Users\Frank\AppData\Local\{A3EFF8DC-9E5C-4A66-A679-D89503DBAE75}
2016-12-07 06:59 - 2016-12-07 06:59 - 00000000 ____D C:\Users\Frank\AppData\Local\{DF698B45-11C6-469D-87C6-CFC01771181B}
2016-12-03 19:23 - 2016-12-03 19:23 - 00000000 ____D C:\Users\Frank\AppData\Local\{0D2CC5EC-AB55-4154-8430-A040A0369820}
2016-11-27 07:34 - 2016-11-27 07:34 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2016-11-27 07:34 - 2016-11-27 07:34 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-11-27 07:34 - 2016-11-27 07:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-11-25 06:40 - 2016-11-25 06:40 - 00000000 ____D C:\Users\Frank\AppData\Local\{5A219E89-B088-4B16-BB85-87E152F9D61A}
2016-11-22 06:30 - 2016-12-14 21:38 - 00010752 _____ C:\Users\Frank\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-11-22 06:29 - 2016-11-22 06:29 - 00000000 ____D C:\Users\Frank\AppData\Local\ezvid,_inc
2016-11-22 06:28 - 2016-11-22 06:06 - 00753847 _____ C:\Windows\unins000.exe
2016-11-22 06:03 - 2016-12-14 21:40 - 00000000 ____D C:\Users\Frank\Documents\ezvid
2016-11-22 06:03 - 2016-11-22 06:28 - 00179172 _____ C:\Windows\unins000.dat
2016-11-22 06:03 - 2016-11-22 06:28 - 00001033 _____ C:\Users\Public\Desktop\ezvid.lnk
2016-11-22 06:03 - 2016-11-22 06:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ezvid
2016-11-22 06:03 - 2015-03-10 19:29 - 00462584 _____ (Bytescout) C:\Windows\SysWOW64\BytescoutScreenCapturing.dll
2016-11-22 06:03 - 2015-03-10 19:29 - 00360184 _____ (Bytescout) C:\Windows\SysWOW64\BytescoutScreenCapturingFilter.dll
2016-11-22 06:03 - 2015-03-10 19:29 - 00196344 _____ (Bytescout) C:\Windows\SysWOW64\BytescoutVideoMixerFilter.dll
2016-11-22 06:03 - 2013-04-07 17:09 - 00216064 _____ ( ) C:\Windows\SysWOW64\Lagarith.dll
2016-11-22 06:03 - 2013-04-07 17:09 - 00148992 _____ ( ) C:\Windows\system32\Lagarith.dll
2016-11-22 05:57 - 2016-11-22 06:28 - 00000000 ____D C:\Program Files (x86)\ezvid

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-20 10:48 - 2016-11-06 18:01 - 00000000 ____D C:\FRST
2016-12-20 10:47 - 2016-11-06 17:59 - 02420224 _____ (Farbar) C:\Users\Frank\Desktop\FRST64.exe
2016-12-20 10:46 - 2016-11-18 12:08 - 00000000 ____D C:\Users\Frank\AppData\LocalLow\Mozilla
2016-12-20 10:44 - 2015-08-24 17:51 - 00000000 ____D C:\Users\Frank\Documents\New folder
2016-12-20 10:38 - 2012-09-11 05:09 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-20 10:35 - 2016-03-19 21:08 - 00000000 ____D C:\Users\Frank\AppData\Roaming\vlc
2016-12-20 07:29 - 2016-05-09 22:30 - 00000000 ____D C:\Users\Frank\AppData\Roaming\MPC-HC
2016-12-19 16:46 - 2009-07-14 12:13 - 00006490 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-17 08:26 - 2016-11-11 16:56 - 00001164 _____ C:\Users\Frank\Documents\pw2016.txt
2016-12-16 09:04 - 2016-11-18 10:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-16 09:04 - 2016-11-06 17:37 - 00000415 _____ C:\Windows\wininit.ini
2016-12-16 09:04 - 2012-08-26 02:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-16 08:32 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\inf
2016-12-16 07:25 - 2009-07-14 11:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-16 07:25 - 2009-07-14 11:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-16 05:03 - 2009-07-14 12:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-16 04:55 - 2016-11-05 17:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-12-16 04:49 - 2016-11-05 17:23 - 00035864 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avusbflt.sys
2016-12-16 04:49 - 2016-11-05 17:21 - 00176464 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2016-12-16 04:49 - 2016-11-05 17:21 - 00148032 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2016-12-15 14:20 - 2012-08-22 13:57 - 00000000 ____D C:\Users\Frank
2016-12-15 06:20 - 2016-09-15 17:21 - 00000000 ____D C:\Users\Frank\Documents\Travel
2016-12-14 16:38 - 2012-09-11 05:09 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-14 16:38 - 2012-09-11 05:09 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-12-14 16:38 - 2011-10-20 00:05 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-14 16:38 - 2011-10-20 00:05 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-14 16:38 - 2011-10-20 00:04 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-11 07:37 - 2016-11-06 20:24 - 00000000 ____D C:\Users\Frank\AppData\Roaming\deluge
2016-12-11 06:11 - 2016-03-22 04:28 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-11 06:09 - 2016-11-05 17:15 - 00000000 ____D C:\ProgramData\Package Cache
2016-12-11 05:57 - 2009-07-14 12:08 - 00032656 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-12-08 20:14 - 2016-03-20 13:25 - 00000000 ____D C:\Progs
2016-12-06 21:15 - 2016-03-20 14:28 - 00000000 ____D C:\Users\Frank\AppData\Roaming\WinFF
2016-11-29 08:02 - 2013-06-16 01:51 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-11-29 08:02 - 2013-06-16 01:51 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-11-27 08:06 - 2016-03-22 13:25 - 00000000 ____D C:\Windows\system32\MRT
2016-11-27 07:37 - 2016-03-22 13:24 - 143495576 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-11-27 07:34 - 2011-10-19 23:15 - 00000000 ____D C:\ProgramData\Skype
2016-11-27 07:30 - 2013-06-16 01:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

==================== Files in the root of some directories =======

2016-03-26 21:07 - 2016-03-26 21:08 - 0008704 ___SH () C:\Users\Frank\AppData\Roaming\Thumbs.db
2015-06-01 00:36 - 2015-06-01 00:36 - 0033134 _____ () C:\Users\Frank\AppData\Roaming\UserTile.png
2016-11-22 06:30 - 2016-12-14 21:38 - 0010752 _____ () C:\Users\Frank\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-12-19 21:52 - 2016-12-19 21:52 - 0000218 _____ () C:\Users\Frank\AppData\Local\recently-used.xbel
2016-11-19 14:35 - 2016-11-19 14:35 - 0000032 _____ () C:\ProgramData\Temp.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-04-18 05:28

==================== End of FRST.txt ============================




#2 pacha34 (Topic Starter, Members, 43 posts)

Posted 19 December 2016 - 11:51 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016
Ran by Frank (20-12-2016 10:51:31)
Running from C:\Users\Frank\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2012-08-22 06:57:47)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1637433389-394192189-160962988-500 - Administrator - Disabled)
Frank (S-1-5-21-1637433389-394192189-160962988-1001 - Administrator - Enabled) => C:\Users\Frank
Guest (S-1-5-21-1637433389-394192189-160962988-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1637433389-394192189-160962988-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acer Crystal Eye Webcam (HKLM-x32\...\InstallShield_{A0382E3C-7384-429A-9BFA-AF5888E5A193}) (Version: 1.5.2904.00 - CyberLink Corp.)
Acer Crystal Eye Webcam (x32 Version: 1.5.2904.00 - CyberLink Corp.) Hidden
Acer ePower Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 6.00.3008 - Acer Incorporated)
Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 5.00.3504 - Acer Incorporated)
Acer Games (HKLM-x32\...\WildTangent acer Master Uninstall) (Version: 1.0.2.5 - WildTangent)
Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.04.3504 - Acer Incorporated)
Acer ScreenSaver (HKLM-x32\...\Acer Screensaver) (Version: 1.1.0517.2011 - Acer Incorporated)
Acer VCM (HKLM-x32\...\{047F790A-7A2A-4B6A-AD02-38092BA63DAC}) (Version: 4.05.3501 - Acer Incorporated)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.020.20042 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.7.1.19610 - Adobe Systems Incorporated)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.0.0.400 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe Photoshop 7.0 (HKLM-x32\...\Adobe Photoshop 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Premiere Pro (HKLM-x32\...\{084709F7-38C5-4609-B55F-2417939315EB}) (Version: 7.0 - Adobe Systems, Inc.)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.39 - Atheros Communications Inc.)
ATI Catalyst Install Manager (HKLM\...\{3605D89A-BD66-F5C5-779B-BE9110B41077}) (Version: 3.0.829.0 - ATI Technologies, Inc.)
AVG 2012 (Version: 12.1.2250 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.121.7859 - AVG Technologies)
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.24.146 - Avira Operations GmbH & Co. KG)
Avira Connect (HKLM-x32\...\{707e8edf-9482-4417-ae39-c9b5fe605e87}) (Version: 1.2.76.27124 - Avira Operations GmbH & Co. KG)
Avira Connect (x32 Version: 1.2.76.27124 - Avira Operations GmbH & Co. KG) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.15 - Piriform)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.54.8.50 - Conexant)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Deluge 1.3.13 (HKLM-x32\...\Deluge) (Version:  - )
ETDWare PS/2-X64 8.0.6.0_WHQL (HKLM\...\Elantech) (Version: 8.0.6.0 - ELAN Microelectronic Corp.)
Ezvid (HKLM-x32\...\{F96D619D-99D6-4C9C-A393-0CD22DE1CA66}_is1) (Version: 1.003 - Ezvid, inc.)
Fotogalerija Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria de Fotografias do Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galería fotográfica de Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria fotogràfica del Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria fotografii usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie de photos Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie foto Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3501 - Acer Incorporated)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Launch Manager (HKLM-x32\...\LManager) (Version: 5.1.7 - Acer Inc.)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.5131.5000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mixxx 1.11.0 (HKLM-x32\...\Mixxx (1.11.0)) (Version: 1.11.0 - The Mixxx Development Team)
Mozilla Firefox 50.1.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-GB)) (Version: 50.1.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 50.1.0.6186 - Mozilla)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9.141.259 - Google, Inc.)
Poczta usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Podstawowe programy Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Pošta Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Raccolta foto di Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30127 - Realtek Semiconductor Corp.)
Skype Web Plugin (HKLM-x32\...\{70257DA6-C358-4634-B15D-C42C3B564149}) (Version: 7.28.0.46 - Skype Technologies S.A.)
Skype Web Plugin (HKLM-x32\...\{AC7406B6-BB3B-4CD1-AEBA-0527B9CB16FE}) (Version: 7.27.0.105 - Skype Technologies S.A.)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
SoulSeek 157 NS 13e (HKLM-x32\...\Soulseek2) (Version:  - )
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WildTangent Games App (x32 Version: 4.0.10.17 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
WinRAR 5.31 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)
Συλλογή φωτογραφιών του Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Основные компоненты Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Почта Windows Live (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт) Hidden
Фотоальбом Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Фотогалерия на Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
גלריית התמונות של Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
بريد Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
معرض صور Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{58743271-597A-401B-AF4A-1450179151C0}\InprocServer32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.27.0.105\GatewayActiveX-x64.dll (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{8AAE6BAC-FCFC-49E7-940C-B11668616323}\InprocServer32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\GatewayActiveX-x64.dll (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{9206EDB2-DB9E-4AE0-A821-5048667D3A17}\localserver32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\GatewayVersion-x64.exe (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{CBF9CD8C-2714-4F36-B76A-43E6C7547BC2}\localserver32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\EdgeCalling.exe (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{D0FC4B60-C60D-4908-8365-0C64C03E0291}\localserver32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.27.0.105\GatewayVersion-x64.exe (Skype Technologies S.A.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2E5086CD-B74B-4CC7-9295-99E4171561A7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-12-14] (Adobe Systems Incorporated)
Task: {4D07B0A3-2B44-4D40-AF40-CFEE16D0ECF4} - System32\Tasks\UALU notificatin => C:\Program Files\Acer\Acer Updater\UALU.exe
Task: {90C21936-A901-48C0-911C-ABC8D2DC8ED3} - System32\Tasks\Games\UpdateCheck_S-1-5-21-1637433389-394192189-160962988-1001
Task: {B4CA2FED-6DE4-4290-ADAD-FB5220FC7409} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-02-13] (Piriform Ltd)
Task: {C7551242-B8CF-4617-8741-8D30FF050FD7} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-10-21] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-04-23 01:09 - 2010-04-30 19:56 - 00001798 ____N C:\Windows\system32\Drivers\etc\hosts

127.0.0.1                activate.adobe.com
127.0.0.1                practivate.adobe.com
127.0.0.1                ereg.adobe.com
127.0.0.1                activate.wip3.adobe.com
127.0.0.1                wip3.adobe.com
127.0.0.1                3dns-3.adobe.com
127.0.0.1                3dns-2.adobe.com
127.0.0.1                adobe-dns.adobe.com
127.0.0.1                adobe-dns-2.adobe.com
127.0.0.1                adobe-dns-3.adobe.com
127.0.0.1                ereg.wip3.adobe.com
127.0.0.1                activate-sea.adobe.com
127.0.0.1                wwis-dubc1-vip60.adobe.com
127.0.0.1                activate-sjc0.adobe.com
127.0.0.1                               adobe.activate.com
127.0.0.1                               adobeereg.com                        
127.0.0.1                               www.adobeereg.com                    
127.0.0.1                               wwis-dubc1-vip60.adobe.com           
127.0.0.1                               125.252.224.90                       
127.0.0.1                               125.252.224.91
127.0.0.1                               hl2rcv.adobe.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1637433389-394192189-160962988-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 203.189.128.1 - 203.189.128.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: BDESVC => 3
MSCONFIG\Services: bthserv => 3
MSCONFIG\Services: defragsvc => 3
MSCONFIG\Services: ShellHWDetection => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk => C:\Windows\pss\Acer VCM.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk => C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: SpybotPostWindows10UpgradeReInstall => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
MSCONFIG\startupreg: SuiteTray => "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{BDA55964-E36B-4D3E-A150-EB9447CB71E1}] => C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{A0EB5225-ECA4-4E72-A807-B2A0D720DE0C}] => C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{E4ABE5FA-29D3-48E4-A4ED-BB4088B229FD}] => C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{9C54E2A1-EA53-4886-BBF9-C63846423A8E}] => LPort=2869
FirewallRules: [{DED78336-AC18-4590-83FA-38F20C7C19DD}] => LPort=1900
FirewallRules: [{7772C5B9-AA06-4179-9156-1E0F36114D51}] => C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{7B30285B-703D-4FE5-B257-DCE8F373B87A}] => C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
FirewallRules: [{8A6734F7-220D-4C62-808B-5B97571689CC}] => C:\Program Files (x86)\Acer\Acer VCM\VC.exe
FirewallRules: [{65F332E7-19CF-49AD-A1BC-B340C4705750}] => C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{8271084C-49D9-48B4-92A5-29C40FE71E92}] => C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{FBA78FB6-4BAC-4700-B31C-A703A2AF69DA}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{784F5ED0-626F-4E1F-9322-4F452BDD90D0}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{2B85A8E9-66F6-437D-92ED-16698A2D718B}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{36FED8C1-52BB-4162-9843-30F6A09A1BC3}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{8D9FEF95-0366-47C9-AA3D-6F602BD3DC81}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{E059D5C1-BD45-4A82-A23E-9EC946B8F491}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{B3106EBD-C4DE-4138-9D02-DDAD6F69D8AB}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{701A12C6-0FD9-443D-8DE1-73E20439A60C}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{8CD1A2D5-D95F-45A7-AD7F-65B4D6317CA7}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{13EF2A1F-55FF-4355-B2B6-2B1B5CC6D315}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{2C3998B0-D631-4852-845D-F42E53070AE2}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{70F6EC53-DF44-4ECD-85EF-3A04666C7403}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{058094AB-630F-443D-8F95-7563D2DF814D}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{52A8ADCC-6ECB-40D6-80DD-D7BBBE59798A}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{8721ECB9-2094-48C8-A852-28D3DEC92A4D}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{BD2365CA-46B9-442A-BC71-9690325888D2}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{4CBBAD33-484B-4837-91BB-DE0ED907EDBF}C:\program files (x86)\soulseekqt\soulseekqt.exe] => C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [UDP Query User{204B451D-32C5-4030-9B37-59BD3EF28D67}C:\program files (x86)\soulseekqt\soulseekqt.exe] => C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [TCP Query User{544841E3-3FD6-4319-8BFA-6FD9D41A837E}C:\program files (x86)\soulseekns\slsk.exe] => C:\program files (x86)\soulseekns\slsk.exe
FirewallRules: [UDP Query User{C07F1F58-99F8-44E9-9C92-8E1A5D460622}C:\program files (x86)\soulseekns\slsk.exe] => C:\program files (x86)\soulseekns\slsk.exe
FirewallRules: [{35C76EAC-118C-433F-AD13-C4814FFA6EA5}] => C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{B0D63B15-AD81-496D-B4E5-FDEC29447D8B}] => C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [TCP Query User{E96126CA-E8B8-4957-95E8-EFC679EF7CF6}C:\users\frank\appdata\local\skypeplugin\pluginhost.exe] => C:\users\frank\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [UDP Query User{1857ADAF-889A-4AAD-A70D-DAA2678ACAAD}C:\users\frank\appdata\local\skypeplugin\pluginhost.exe] => C:\users\frank\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [{9C695AE1-F7CD-4F5C-B79E-209DC02B67EC}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [TCP Query User{45D59338-DAB7-4A00-B0B1-8BD961673C66}C:\program files (x86)\deluge\deluge.exe] => C:\program files (x86)\deluge\deluge.exe
FirewallRules: [UDP Query User{E8A03AAD-728B-4D31-82FD-B26B845203F0}C:\program files (x86)\deluge\deluge.exe] => C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{6DAD2F6E-1FD0-4FDE-B451-718E249C094C}] => C:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe
FirewallRules: [{C3254D6B-1224-4D4E-8650-EF1D1928F6C9}] => C:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe

==================== Restore Points =========================

27-11-2016 07:15:17 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/19/2016 04:46:52 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/19/2016 04:46:52 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/19/2016 03:55:21 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/19/2016 03:55:21 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/19/2016 03:52:46 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed:

Error: (12/19/2016 07:47:21 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/19/2016 07:47:21 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/19/2016 07:09:30 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/19/2016 07:09:30 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/16/2016 05:04:03 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (12/19/2016 11:06:21 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.

Error: (12/19/2016 09:52:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (12/19/2016 09:52:56 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service stisvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (12/16/2016 11:56:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (12/16/2016 11:56:45 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service stisvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (12/16/2016 11:56:45 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (12/16/2016 05:05:51 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Application Information service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (12/16/2016 05:05:51 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Appinfo service.

Error: (12/16/2016 05:05:21 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IKEEXT service.

Error: (12/16/2016 05:04:49 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the iphlpsvc service.


==================== Memory info ===========================

Processor: AMD C-60 APU with Radeon™ HD Graphics
Percentage of memory in use: 44%
Total physical RAM: 1770.9 MB
Available physical RAM: 980.03 MB
Total Virtual: 3541.8 MB
Available Virtual: 1993.82 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:283.99 GB) (Free:29.58 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 86DE2CAA)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=284 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#3 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 23 December 2016 - 11:48 AM

Hi pacha34

P2P Warning
Please note that as long as you're using any form of Peer-to-Peer networking (SoulSeek, Bearshare, BitTorrent, etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private and financial details have been exposed to the file-sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

If you do decide (unwisely) to keep these programs, please refrain from using them until we have finished cleaning your system.

 

I just ran frst.exe and I can see straight away that there are loads of hidden entries for Windows Live Photo Gallery in several languages, which were not there before.

Also, in Windows games a hidden app for WildTangent Games has appeared.

This doesn't necessarily mean there's something untoward going on.
This can occur if the program creates a registry key name that is longer than 60 characters in length.
Add/Remove Programs only lists program names it locates up to the point it encounters this situation.
The Windows Live program is showing; it's the extra languages that are hidden.
 

The computer has been freezing a lot but otherwise running not bad.

You had AVG installed previously and it hasn't removed all of the registry entries.
This can cause system problems.
We'll remove the leftover AVG entries and then run the AVG removal tool just to make sure:

Step 1
Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.


Step 2
You can download the AVG removal tool from:
Here

Download it to your desktop, then double-click to start the uninstaller. Vista/Windows 7/8/10 users should right-click and select Run As Administrator.
Reboot the system when completed.


In your next reply, please submit:
Fixlog.txt

and let me know if the system is running any better.


Thanks.

Attached Files


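A way to see the same "Hidden" entries without FRST, as an added example that is not part of Starbuck's reply and not code from the FRST tool: the PowerShell script below (assumed to run on Windows 7 or later with PowerShell 3.0 or newer) walks the three Uninstall hives FRST reads (HKLM, the WOW6432Node view FRST labels HKLM-x32, and HKCU) and flags every entry Programs and Features would leave out, using the conditions Windows applies for that: no DisplayName, SystemComponent set to 1, a ParentKeyName (the entry is shown under a parent product), or the over-60-character key name mentioned above. The function name and the "uninstaller outside Program Files" filter at the end are this example's own choices, not FRST's criteria.

```powershell
# Added example (not from the original post): enumerate every Uninstall entry
# Programs and Features reads, and flag the ones it would not display.
# Run in a normal PowerShell 3.0+ session on the machine being inspected.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # FRST's "HKLM-x32"
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntries {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $reasons = @()
            # Conditions under which the Control Panel list omits an entry
            if ([string]::IsNullOrEmpty($p.DisplayName)) { $reasons += 'no DisplayName' }
            if ($p.SystemComponent -eq 1)                { $reasons += 'SystemComponent=1' }
            if ($p.ParentKeyName)                        { $reasons += "listed under parent $($p.ParentKeyName)" }
            if ($key.PSChildName.Length -gt 60)          { $reasons += 'key name > 60 chars' }
            [pscustomobject]@{
                Hive        = ($root -split ':')[0] + $(if ($root -like '*WOW6432Node*') { '-x32' } else { '' })
                KeyName     = $key.PSChildName
                DisplayName = $p.DisplayName
                Version     = $p.DisplayVersion
                Publisher   = $p.Publisher
                Uninstall   = $p.UninstallString
                Hidden      = ($reasons.Count -gt 0)
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

$entries = Get-UninstallEntries

# 1. Everything the Control Panel list hides, with the reason it is hidden.
$entries | Where-Object { $_.Hidden } | Sort-Object DisplayName |
    Format-Table Hive, DisplayName, Version, Publisher, Reason -AutoSize

# 2. Hidden entries whose uninstaller lives outside the usual program directories
#    (user profile, Temp, etc.). This filter is the example's own heuristic.
$entries | Where-Object {
    $_.Hidden -and $_.Uninstall -and
    $_.Uninstall -notmatch '\\Program Files( \(x86\))?\\|\\Windows\\|msiexec'
} | Format-Table DisplayName, Uninstall -AutoSize
```

The entries FRST reported as Hidden, such as the Windows Live language packs and the WildTangent updater, should appear in the first table together with the reason Windows hides them. The second table is the one worth reading closely: a hidden entry whose uninstaller sits in a user profile or a Temp folder is unusual for a vendor install and is worth checking by hand before deciding anything is benign.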


#4 pacha34

pacha34
  • Topic Starter

  • Members
  • 43 posts

Posted 23 December 2016 - 06:32 PM

The day after I posted this thread, I opened the laptop and couldn't input the password. The box was blocked. So I logged in as a guest, then went to change the password.

In user accounts/credential manager under generic credentials I saw an 'app' had been installed on the 14th December.

I deleted it, without taking note of what it was exactly. But I just looked again and something is there again.

This time it says virtualapp/didlogical - modified 22/12/2016.

 

Another thing I noticed was that every time I ran ccleaner, it was apparently, repeatedly deleting a list of files, which I deleted weeks ago.

 

I was getting nervous about getting locked out of my own computer so, while waiting for you to reply, I ran adwcleaner, then JRT.exe and hitman pro. I also changed my email password, the laptop password and uninstalled a few programmes which I never use.

 

When i run ccleaner now, the list of old files does not appear.

 

When I ran fixlist.txt, Avira blocked the hosts file.

 

I will post the logs below, but one more question: would running the 32-bit VLC player make it run badly? Because when I watch video clips they are always freezing.

I tried downloading the 64 bit version four times last night but the download failed every time.

 

By the way, I understand the problems with P2P programmes now and I see that recent infections have come from them.

Not from SoulSeek though, just from torrent downloads, and I am going to stop using them.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Home Premium x64
Ran by Frank (Administrator) on 22/12/2016 at 11:14:08.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 36

Successfully deleted: C:\Users\Frank\AppData\Local\{09885837-EDE2-4AE4-9346-734EB6572701} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{0D2CC5EC-AB55-4154-8430-A040A0369820} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{21F50688-4023-43C2-A709-FDF6A09CAF75} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{35E63FC7-E7D5-4CDF-843D-8768993407E6} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{3CD99816-A145-494E-AB2B-1C217F68C599} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{3EBE67E8-9F24-4C5F-90F3-17C2E55EE772} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{5A219E89-B088-4B16-BB85-87E152F9D61A} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{A3EFF8DC-9E5C-4A66-A679-D89503DBAE75} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{DF698B45-11C6-469D-87C6-CFC01771181B} (Empty Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\{FB983602-65CC-453A-B890-1E9C40C9F1FE} (Empty Folder)
Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1TIBTGTV (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3R8KOSCG (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7HPH7L1G (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F4MNF13X (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9GY4J5C (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MH0265ZU (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PM3VPL4H (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PWV93PQA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QVWBOBWS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SCGWMVY6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YGT6CDUF (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZR0988ZH (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1TIBTGTV (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3R8KOSCG (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7HPH7L1G (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F4MNF13X (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9GY4J5C (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MH0265ZU (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PM3VPL4H (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PWV93PQA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QVWBOBWS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SCGWMVY6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YGT6CDUF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZR0988ZH (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\SysWOW64\shoB008.tmp (File)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 22/12/2016 at 11:19:14.54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

HitmanPro 3.7.15.281
www.hitmanpro.com

   Computer name . . . . : FRANK-PC
   Windows . . . . . . . : 6.1.1.7601.X64/2
   User name . . . . . . : Frank-PC\Frank
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2016-12-23 07:52:06
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 9m 37s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 1

   Objects scanned . . . : 1,451,627
   Files scanned . . . . : 57,039
   Remnants scanned  . . : 327,771 files / 1,066,817 keys

Suspicious files ____________________________________________________________

   C:\Users\Frank\Desktop\FRST64.exe
      Size . . . . . . . : 2,420,224 bytes
      Age  . . . . . . . : 2.9 days (2016-12-20 10:47:37)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 19088BDC4C7EDDBD5E07855948449EF17583D52AF2F7EC201301F0C42FCE8B2A
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.5s C:\Users\Frank\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_556BB0FF4D382D90E7703209690E089E
         -0.5s C:\Users\Frank\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_556BB0FF4D382D90E7703209690E089E
          0.0s C:\Users\Frank\Desktop\FRST64.exe
         24.8s C:\Users\Frank\Desktop\FRST.txt
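HitmanPro's entry above flags FRST64.exe on heuristics only: no publisher field, a fresh arrival on disk, and an entropy of 7.6 bits per byte, which is what packed, compressed or encrypted content looks like. The Python below is an added example, not code from the thread or from HitmanPro: it computes the same Shannon-entropy figure and the upper-case SHA-256 that a helper would compare against the hash published by the tool's author. The 7.0 "looks packed" threshold and the two sample byte strings are assumptions constructed for the example.

```python
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0).

    HitmanPro's "Entropy" line is the same idea: a value near 8.0 means the
    byte distribution is close to uniform, which is how compressed, packed
    or encrypted sections look. Plain x86 code and text usually score lower,
    so a high value is a heuristic for "packed", not proof of malice.
    """
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA-256 hex digest, the form HitmanPro prints."""
    return hashlib.sha256(data).hexdigest().upper()


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Fields a practitioner would compare against a vendor's report.

    The 7.0 threshold is an assumption chosen for this example; scanners
    tune their own cut-offs.
    """
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "sha256": sha256_hex(data),
        "entropy": round(entropy, 2),
        "looks_packed": entropy >= packed_threshold,
    }


def triage_file(path: str) -> dict:
    """Run triage() over a file on disk, e.g. a downloaded tool before running it."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples, not files from the thread.
# Repetitive English text: low entropy, like uncompressed data or code.
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 200
# A seeded pseudo-random stream stands in for a packed or encrypted section.
_rng = random.Random(1234)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(8192))

if __name__ == "__main__":
    for name, blob in (("text", TEXT_SAMPLE), ("packed-like", RANDOM_SAMPLE)):
        print(f"{name:12s} {triage(blob)}")
```

The entropy number only says that the file is dense; the check that settles whether a packed executable is the genuine tool is the SHA-256 matched against the value the author publishes, which is why the digest is printed alongside it.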
 

#5 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 23 December 2016 - 06:56 PM

Hi pacha34
 

When I ran fixlist.txt, Avira blocked the hosts file.

Some security programs protect against changes to system files like the Hosts file.... this isn't unusual.
Can you post the fixlog.txt that was produced after the run?
 

Would running vlc player 32 bit make it run badly?

No, it shouldn't do.
32-bit programs can run on a 64-bit system (just not the other way around).
 

By the way, I understand the problems with p2p programmes now and I see that recent infections have come from them.

Not from soulseek though, just from torrent downloads and I am going to stop using them.

:thumbup2:


In user accounts/credential manager under generic credentials I saw an 'app' had been installed on the 14th December.
I deleted it, without taking note of what it was exactly. But I just looked again and something is there again.

This time it says virtualapp/didlogical - modified 22/12/2016.

Virtualapp/Didlogical is a credential that is stored when you use any of the Windows Live products; this can include Windows Live Messenger, Windows Live Mail, Windows Live Sign-In Assistant, Windows XP Mode and other Microsoft services.
So it need not have been deleted.

Let me have the fixlog.txt and let me know if there's any improvement since running the FRST fix.

Thanks

Edited by Starbuck, 23 December 2016 - 06:57 PM.



#6 pacha34 (Topic Starter)

Posted 24 December 2016 - 07:06 AM

Sorry, I forgot to post the fixlog.

You didn't comment on the deleted files showing up over and over in CCleaner.

I've never seen that before.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by Frank (24-12-2016 05:56:51) Run:1
Running from C:\Users\Frank\Desktop
Loaded Profiles: Frank (Available Profiles: Frank)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM-x32\...\Run: [AVG_TRAY] => "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
BootExecute: autocheck autochk * sdnclean64.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll => No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF HKLM-x32\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack => not found
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll [No File]
S3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [X]
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-09-04] (AVG Technologies)
MSCONFIG\startupreg: SpybotPostWindows10UpgradeReInstall => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
FirewallRules: [{65F332E7-19CF-49AD-A1BC-B340C4705750}] => C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{8271084C-49D9-48B4-92A5-29C40FE71E92}] => C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{FBA78FB6-4BAC-4700-B31C-A703A2AF69DA}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{784F5ED0-626F-4E1F-9322-4F452BDD90D0}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{2B85A8E9-66F6-437D-92ED-16698A2D718B}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{36FED8C1-52BB-4162-9843-30F6A09A1BC3}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{8D9FEF95-0366-47C9-AA3D-6F602BD3DC81}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{E059D5C1-BD45-4A82-A23E-9EC946B8F491}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{B3106EBD-C4DE-4138-9D02-DDAD6F69D8AB}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{701A12C6-0FD9-443D-8DE1-73E20439A60C}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{8CD1A2D5-D95F-45A7-AD7F-65B4D6317CA7}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{13EF2A1F-55FF-4355-B2B6-2B1B5CC6D315}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{2C3998B0-D631-4852-845D-F42E53070AE2}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{70F6EC53-DF44-4ECD-85EF-3A04666C7403}] => C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
FirewallRules: [{35C76EAC-118C-433F-AD13-C4814FFA6EA5}] => C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{B0D63B15-AD81-496D-B4E5-FDEC29447D8B}] => C:\Program Files (x86)\AVG\Av\avgmfapx.exe
C:\Program Files (x86)\AVG
C:\Program Files\Common Files\AV\Spybot - Search and Destroy
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:

*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AVG_TRAY => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IsMyWinLockerReboot => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IsMyWinLockerReboot => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IsMyWinLockerReboot => value removed successfully
hklm\System\CurrentControlSet\Control\Session Manager\\BootExecute => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}" => key removed successfully
"HKCR\PROTOCOLS\Handler\linkscanner" => key removed successfully
"HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF} => value removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0" => key removed successfully
GamesAppService => service removed successfully
avgtp => Service stopped successfully.
avgtp => service removed successfully
"HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotPostWindows10UpgradeReInstall" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{65F332E7-19CF-49AD-A1BC-B340C4705750} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8271084C-49D9-48B4-92A5-29C40FE71E92} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FBA78FB6-4BAC-4700-B31C-A703A2AF69DA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{784F5ED0-626F-4E1F-9322-4F452BDD90D0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2B85A8E9-66F6-437D-92ED-16698A2D718B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{36FED8C1-52BB-4162-9843-30F6A09A1BC3} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8D9FEF95-0366-47C9-AA3D-6F602BD3DC81} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E059D5C1-BD45-4A82-A23E-9EC946B8F491} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B3106EBD-C4DE-4138-9D02-DDAD6F69D8AB} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{701A12C6-0FD9-443D-8DE1-73E20439A60C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8CD1A2D5-D95F-45A7-AD7F-65B4D6317CA7} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{13EF2A1F-55FF-4355-B2B6-2B1B5CC6D315} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2C3998B0-D631-4852-845D-F42E53070AE2} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{70F6EC53-DF44-4ECD-85EF-3A04666C7403} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{35C76EAC-118C-433F-AD13-C4814FFA6EA5} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B0D63B15-AD81-496D-B4E5-FDEC29447D8B} => value removed successfully
"C:\Program Files (x86)\AVG" => not found.
C:\Program Files\Common Files\AV\Spybot - Search and Destroy => moved successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

"C:\Windows\System32\Drivers\etc\hosts" => Could not move.
Could not restore Hosts.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4807636 B
Java, Flash, Steam htmlcache => 512 B
Windows/system/drivers => -1052 B
Edge => 0 B
Chrome => 0 B
Firefox => 11602038 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 60287399 B
systemprofile32 => 120719 B
LocalService => 0 B
NetworkService => 0 B
Frank => 3985393 B

RecycleBin => 1529 B
EmptyTemp: => 85.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 05:57:16 ====
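The Fixlog above records one action per line, and the lines that matter most for follow-up are the ones that did not succeed: the Hosts file could not be moved or restored because the antivirus was protecting it. The parser below is an added example, not FRST's own code or anything posted in the thread. It isolates the results section of a Fixlog, classifies each "target => outcome" line, and lists the failures a helper would re-check. The sample log is constructed in FRST's layout with made-up names and paths.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Outcome phrases FRST prints after "=>" in a Fixlog, mapped to a coarse status.
_SUCCESS = re.compile(r"\b(removed|restored|moved|stopped) successfully", re.I)
_NOT_FOUND = re.compile(r"\bnot found\b", re.I)
_FAILURE = re.compile(r"\bcould not\b", re.I)
# Section headers after which "=>" lines are byte counts, not actions.
_STOP = re.compile(r"^=+\s*(EmptyTemp|End of Fixlog)")


@dataclass
class FixAction:
    target: str   # registry value/key, service, file or folder the fix acted on
    outcome: str  # "ok", "not_found", "failed" or "other"
    raw: str      # the original log line


def classify_line(line: str) -> Optional[FixAction]:
    """Parse one 'target => outcome' line; None for lines that are not actions."""
    line = line.strip()
    if "=>" not in line:
        # FRST prints some failures on a line of their own ("Could not restore Hosts.").
        if _FAILURE.search(line):
            return FixAction(target=line, outcome="failed", raw=line)
        return None
    target, _, outcome = line.rpartition("=>")
    target = target.strip().strip('"')
    if _FAILURE.search(outcome):
        status = "failed"
    elif _NOT_FOUND.search(outcome):
        status = "not_found"
    elif _SUCCESS.search(outcome):
        status = "ok"
    else:
        status = "other"
    return FixAction(target=target, outcome=status, raw=line)


def results_region(text: str) -> List[str]:
    """Lines between the end of the echoed fixlist and the EmptyTemp summary.

    The echoed fixlist is bracketed by two all-asterisk marker lines; the
    action results follow the second one and end where the temp-file
    byte counts begin.
    """
    lines = text.splitlines()
    markers = [i for i, l in enumerate(lines) if l.strip() and set(l.strip()) == {"*"}]
    start = markers[1] + 1 if len(markers) >= 2 else 0
    region: List[str] = []
    for l in lines[start:]:
        if _STOP.match(l):
            break
        region.append(l)
    return region


def parse_fixlog(text: str) -> List[FixAction]:
    actions = [classify_line(l) for l in results_region(text)]
    return [a for a in actions if a is not None]


def summarize(actions: List[FixAction]) -> dict:
    counts = {"ok": 0, "not_found": 0, "failed": 0, "other": 0}
    for a in actions:
        counts[a.outcome] += 1
    return counts


def failed(actions: List[FixAction]) -> List[FixAction]:
    """Entries a helper should re-check, e.g. a Hosts restore blocked by an AV."""
    return [a for a in actions if a.outcome == "failed"]


# Constructed sample in FRST's Fixlog layout; names and paths are made up.
SAMPLE_FIXLOG = r"""fixlist content:
*****************
HKLM-x32\...\Run: [ExampleTray] => "C:\Program Files (x86)\Example\tray.exe"
C:\Program Files (x86)\Example
Hosts:
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ExampleTray => value removed successfully
ExampleSvc => Service stopped successfully.
ExampleSvc => service removed successfully
"C:\Program Files (x86)\Example" => not found.
"C:\Windows\System32\Drivers\etc\hosts" => Could not move.
Could not restore Hosts.

=========== EmptyTemp: ==========

RecycleBin => 1529 B
"""

if __name__ == "__main__":
    acts = parse_fixlog(SAMPLE_FIXLOG)
    print(summarize(acts))
    for a in failed(acts):
        print("RE-CHECK:", a.raw)
```

Run over a real Fixlog.txt the same way (read the file, pass the text to parse_fixlog) and the "failed" list is the set of items to either retry with the security product's self-protection paused or to handle by hand.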



#7 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 24 December 2016 - 04:51 PM

Hi pacha34
 

You didn't comment on the deleted files showing up over and over in CCleaner.

Simply because it wouldn't be anything to worry about.
CCleaner will search for and remove temp files.
It helps to understand how and why these temp files are created.
These are files created to hold information temporarily while a file is being created.
After the program has been closed, the temporary file should be deleted.... but that doesn't always happen.
Temporary files are used to help recover lost data if the program or computer is abnormally halted.
Also, if you are working on a document and want to undo something.... you use the undo button.
Only one document is actually open.... but the program creates a temp file so that you can re-work something.... like using undo.

So for the same things to come up in the report is fairly normal.

Earlier I asked:

let me know if there's any improvement since running the FRST fix

You haven't given me an update yet.
Remember, I can't see your system so I have to rely on you to let me know if things are working or not.

Thanks.

Edited by Starbuck, 24 December 2016 - 04:51 PM.



#8 pacha34 (Topic Starter)

Posted 24 December 2016 - 07:27 PM

I'm 6 or 7 hours ahead of you here so please excuse the delays in replying.

The system seems to be working OK, but have we actually fixed anything or was I just being paranoid?

 

The most recent torrent sites are all riddled with redirected pages to movielab and such like.

I felt sure that they were installing something on my system.

#9 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 24 December 2016 - 07:56 PM

I'm 6 or 7 hours ahead of you here so please excuse the delays in replying.

That's not a problem, we're used to these different time zones.
Plus Christmas time is very busy for most people, so if there's no reply I'll just wait.
 
BTW:

Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)

Did you realise that this is a discontinued suite now?
It's been discontinued for some time.

have we actually fixed anything or was I just being paranoid?

We've removed some possible conflicts, but there was no sign of serious infection.
It doesn't hurt to be a bit paranoid at times..... it's a lot better than not bothering.
But we'll run a double check for anything that may be trying to hide.

Please download RogueKiller Anti-malware (Free) onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on RogueKiller Anti-malware to install the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Select Accept the User Agreement, then continue to click Next, then finally click Install.
  • Click Finish.
  • When the program opens..... click Scan.
  • Click Start Scan.
  • Double check anything found and tick to select items to be removed.
  • Click Remove Selected.
  • When the items have been removed.... click Open Report >> Open TXT.
  • Copy and paste that report into your next reply.
Thanks

Edited by Starbuck, 24 December 2016 - 07:59 PM.



#10 pacha34 (Topic Starter)

Posted 25 December 2016 - 09:12 PM

Re, windows live essentials.

If I delete the whole package does that mean I'm going to lose my contacts in Outlook?

I don't mind deleting windows photo gallery but I use windows movie maker.

If I delete it does that mean I can't have it back as a stand-alone programme?

 

Firefox opened about 5 pop-up pages after the scan, all related to the add-ons I use.

 

Here's the RogueKiller log

RogueKiller V12.8.6.0 (x64) [Dec 19 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Frank [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 12/26/2016 07:59:25 (Duration : 01:01:31)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1637433389-394192189-160962988-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1637433389-394192189-160962988-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Firefox:Config] fj9u9zet.default-1475320115558 : user_pref("browser.startup.homepage", "https://login.yahoo.com/?.src=ym&.intl=us&.lang=en-US&.done=https%3a//mail.yahoo.com"); -> Replaced (about:home)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BPVT-22JJ5T0 ATA Device +++++
--- User ---
[MBR] 707fc66d15091b311c35bc21d14f1187
[BSP] e00f5bc48018bad9991fc2e16cad6fc6 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 29362176 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 29566976 | Size: 290807 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 



#11 pacha34 (Topic Starter)

Posted 25 December 2016 - 09:27 PM

Unrelated question, but do you know how I can change the main user's name on here?

The computer is second hand and I don't know who Frank is, but every time I see his name on my files

I want to change it.



#12 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 26 December 2016 - 04:04 AM

Hi pacha34
 

Re, windows live essentials.

If I delete the whole package does that mean I'm going to lose my contacts in Outlook?
I don't mind deleting windows photo gallery but I use windows movie maker.
If I delete it does that mean I can't have it back as a stand-alone programme?

Sorry, I should have made myself a bit clearer.
What I meant was that because it's discontinued you won't get any updates for it now.
Plus it'll no longer be available for download from January 10, 2017.
More info here... Windows Essentials
You have Microsoft Office 2010 installed..... I presume you use Outlook from here for your mail?
If so, this won't affect your contacts.
A stand-alone version of Movie Maker can be downloaded from...... Windows Movie Maker
 

Firefox opened about 5 pop-up pages after the scan, all related to the add-ons I use.

Saying what?
What add-ons?

 

Unrelated question, but do you know how I can change the main user's name on here?

Are you talking about the actual name of the computer or the name of the user account?
If you mean the actual computer name... that's easy.

Open up the Run menu by pressing the Windows + R keys, type sysdm.cpl into the window and click OK.

Make sure you are on the Computer Name tab.
Click on the Change button to open the edit option.

Type in your new Computer name and then click on OK.
Restart your computer.

-----

If you are talking about the user account name...... that's a bit more involved,
because it can cause problems with permissions if not done correctly.
This link will explain exactly how to accomplish this:

How to Rename a Windows 7 User Account and Related Profile Folder



#13 pacha34 (Topic Starter)

Posted 26 December 2016 - 08:51 AM

The pop-ups just said things like, 'thanks for using adblock plus'.

 

This is the third time I've tried to post this reply. The pointer keeps freezing on a spot

and the only way out seems to be to shut the computer down.

 

The thing I wanted to change was 'Full Computer Name'.

If it's too much hassle I won't bother.



#14 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 26 December 2016 - 09:42 AM

If it's the full system name... that's the easy part. Change the name and then let me have a fresh set of FRST reports and I'll just check it over.



#15 pacha34 (Topic Starter)

Posted 26 December 2016 - 04:15 PM

There seems to be a new problem now. The laptop froze after a few minutes' use several times last night.

It was doing it in Firefox, then started freezing on VLC. In the end I took the battery out, thinking it might be overheating.

That worked for about 40 minutes, then it made a loud electrical 'crash' noise and it froze again.

So I gave up and went to sleep.

 

I changed the computer name but, as you can see from the scan, Frank is still listed as administrator.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-12-2016
Ran by Frank (administrator) on BOB (27-12-2016 03:53:37)
Running from C:\Users\Frank\Desktop
Loaded Profiles: Frank (Available Profiles: Frank)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2588968 2010-11-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Power Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1831016 2011-08-02] (Acer Incorporated)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1103440 2011-07-01] (Dritek System Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-05-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [60136 2016-11-15] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [917576 2016-12-16] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 202.58.98.202 202.58.98.203
Tcpip\..\Interfaces\{0D0746BA-2739-4106-BC8D-90903D8FCEA8}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{64761325-686B-4B74-8973-77BE82251C4E}: [DhcpNameServer] 202.58.98.202 202.58.98.203

Internet Explorer:
==================
HKU\S-1-5-21-1637433389-394192189-160962988-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-1637433389-394192189-160962988-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://acer.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)

FireFox:
========
FF ProfilePath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558 [2016-12-27]
FF Homepage: Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558 -> hxxps://www.google.com.kh/?gws_rd=cr&ei=FntgWPDoDoaa0gSJwLXAAw
FF Extension: (Thumbnail Zoom Plus) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\thumbnailZoom@dadler.github.com.xpi [2016-12-16]
FF Extension: (1-Click YouTube Video Downloader) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\YoutubeDownloader@PeterOlayev.com.xpi [2016-10-01]
FF Extension: (Youtube Converter MP3) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{a3a5c777-f583-4fef-9380-ab4add1bc2a5}.xpi [2016-10-01]
FF Extension: (Download YouTube Videos as MP4) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi [2016-10-07]
FF Extension: (Video DownloadHelper) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-12-15]
FF Extension: (Adblock Plus) - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\fj9u9zet.default-1475320115558\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-24]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\McSiteAdvisor.xml [2014-03-12]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_186.dll [2016-12-14] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-14] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-14] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-14] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1637433389-394192189-160962988-1001: SkypePlugin -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\npGatewayNpapi.dll [2016-11-03] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-1637433389-394192189-160962988-1001: SkypePlugin64 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\npGatewayNpapi-x64.dll [2016-11-03] (Skype Technologies S.A.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1089592 2016-12-16] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [476736 2016-12-16] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [476736 2016-12-16] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1490296 2016-12-16] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [350528 2016-11-24] (Avira Operations GmbH & Co. KG)
R2 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-30] (Acer Incorporated)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [176464 2016-12-16] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [148032 2016-12-16] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-10-17] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-10-17] (Avira Operations GmbH & Co. KG)
R0 avusbflt; C:\Windows\System32\Drivers\avusbflt.sys [35864 2016-12-16] (Avira Operations GmbH & Co. KG)
S3 pfc; C:\Windows\SysWOW64\drivers\pfc.sys [14604 2003-08-11] (Padus, Inc.) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-27 03:53 - 2016-12-27 04:01 - 00010953 _____ C:\Users\Frank\Desktop\FRST.txt
2016-12-26 19:30 - 2016-12-26 19:30 - 00000000 ____D C:\Users\Frank\AppData\Local\{78453D86-B342-4913-8CC4-A4C42D1DB214}
2016-12-26 13:47 - 2016-12-26 13:47 - 00000000 ____D C:\Users\Frank\AppData\Local\{51D37F82-89B6-40EF-BC8D-A7849EC855AA}
2016-12-26 09:22 - 2016-12-26 09:22 - 00000000 ____D C:\Program Files\VideoLAN
2016-12-26 09:03 - 2016-12-26 09:03 - 00004064 _____ C:\Users\Frank\Desktop\rk_D88C..txt
2016-12-26 07:59 - 2016-12-26 07:59 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-12-26 07:57 - 2016-12-26 09:02 - 00000000 ____D C:\ProgramData\RogueKiller
2016-12-26 07:57 - 2016-12-26 07:57 - 00000862 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-12-26 07:57 - 2016-12-26 07:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-12-26 07:57 - 2016-12-26 07:57 - 00000000 ____D C:\Program Files\RogueKiller
2016-12-26 07:53 - 2016-12-26 07:53 - 00000218 _____ C:\Users\Frank\AppData\Local\recently-used.xbel
2016-12-25 19:16 - 2016-12-25 19:17 - 34221208 _____ (Adlice Software ) C:\Users\Frank\Desktop\setup.exe
2016-12-25 15:46 - 2016-12-25 15:46 - 00000000 ____D C:\Users\Frank\AppData\Local\{274A78ED-E0C7-4CAD-AF79-9EC32E2C161D}
2016-12-25 09:56 - 2016-12-23 07:06 - 00001170 _____ C:\Users\Frank\Documents\pw2016.txt
2016-12-24 14:23 - 2016-12-24 14:23 - 00000000 ____D C:\Users\Frank\AppData\Local\{0C13E61D-9341-455D-BDBA-150AFF33B4D5}
2016-12-24 07:48 - 2016-12-24 07:48 - 00000820 _____ C:\Users\Frank\Documents\pw2016.rar
2016-12-24 06:05 - 2016-12-24 06:12 - 00000000 ____D C:\AVG_Remover
2016-12-23 21:14 - 2016-12-23 21:14 - 00001008 _____ C:\Users\Frank\advanced_ip_scanner_MAC.bin
2016-12-23 21:14 - 2016-12-23 21:14 - 00000015 _____ C:\Users\Frank\advanced_ip_scanner_Aliases.bin
2016-12-23 20:55 - 2016-12-23 20:55 - 00000000 ____D C:\Program Files (x86)\Advanced IP Scanner
2016-12-23 20:54 - 2016-12-23 20:54 - 00000000 ____D C:\Users\Frank\AppData\Local\Advanced IP Scanner 2
2016-12-23 07:52 - 2016-12-23 07:52 - 00000000 ____D C:\Program Files\HitmanPro
2016-12-23 07:45 - 2016-12-23 08:07 - 00000000 ____D C:\ProgramData\HitmanPro
2016-12-22 17:53 - 2016-12-22 17:53 - 00002790 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-12-22 17:53 - 2016-12-22 17:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-12-22 17:53 - 2016-12-22 17:53 - 00000000 ____D C:\Program Files\CCleaner
2016-12-22 03:51 - 2016-12-22 03:51 - 03977168 _____ C:\Users\Frank\Desktop\adwcleaner_6.041.exe
2016-12-20 18:27 - 2016-12-20 18:28 - 14520092 _____ C:\Users\Frank\Documents\Docs wrapped.rar
2016-12-20 18:27 - 2016-12-20 18:27 - 00004996 _____ C:\Users\Frank\Documents\ppl.rar
2016-12-15 14:20 - 2016-12-26 06:45 - 00000000 ____D C:\Users\Frank\dwhelper
2016-12-08 20:15 - 2016-12-08 20:15 - 00000833 _____ C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2016-12-08 08:26 - 2016-12-08 08:26 - 00000139 _____ C:\Users\Frank\Documents\bristol to bez.txt
2016-11-27 07:34 - 2016-11-27 07:34 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-11-27 07:34 - 2016-11-27 07:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-27 03:55 - 2009-07-14 11:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-27 03:55 - 2009-07-14 11:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-27 03:53 - 2016-11-06 18:01 - 00000000 ____D C:\FRST
2016-12-27 03:52 - 2016-11-18 12:08 - 00000000 ____D C:\Users\Frank\AppData\LocalLow\Mozilla
2016-12-27 03:45 - 2009-07-14 12:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-27 03:38 - 2012-09-11 05:09 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-26 21:07 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\inf
2016-12-26 20:46 - 2016-03-19 21:08 - 00000000 ____D C:\Users\Frank\AppData\Roaming\vlc
2016-12-26 19:37 - 2015-08-24 17:51 - 00000000 ____D C:\Users\Frank\Documents\New folder
2016-12-26 19:22 - 2016-05-09 22:30 - 00000000 ____D C:\Users\Frank\AppData\Roaming\MPC-HC
2016-12-26 09:23 - 2016-03-20 13:25 - 00000000 ____D C:\Progs
2016-12-25 19:11 - 2009-07-14 12:13 - 00006490 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-25 09:58 - 2016-11-06 20:24 - 00000000 ____D C:\Users\Frank\AppData\Roaming\deluge
2016-12-24 06:15 - 2016-04-22 02:13 - 00000000 ____D C:\Users\Frank\AppData\Roaming\AVG
2016-12-24 05:56 - 2016-11-06 17:59 - 02420736 _____ (Farbar) C:\Users\Frank\Desktop\FRST64.exe
2016-12-24 05:56 - 2016-11-05 18:21 - 00000000 ____D C:\Program Files\Common Files\AV
2016-12-23 21:14 - 2012-08-22 13:57 - 00000000 ____D C:\Users\Frank
2016-12-22 17:56 - 2016-03-20 14:34 - 00000000 ____D C:\Program Files (x86)\Google
2016-12-22 17:55 - 2016-03-20 14:34 - 00000000 ____D C:\Users\Frank\AppData\Local\Google
2016-12-22 11:28 - 2016-03-22 04:28 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-22 11:03 - 2016-09-15 17:21 - 00000000 ____D C:\Users\Frank\Documents\Travel
2016-12-22 11:02 - 2016-09-15 17:24 - 00000000 ____D C:\Users\Frank\Documents\Soubes
2016-12-22 04:08 - 2016-11-18 10:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-22 04:08 - 2012-08-26 02:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-22 04:06 - 2016-03-22 05:08 - 00000000 ____D C:\AdwCleaner
2016-12-21 13:58 - 2016-03-20 14:28 - 00000000 ____D C:\Users\Frank\AppData\Roaming\WinFF
2016-12-16 04:55 - 2016-11-05 17:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-12-16 04:49 - 2016-11-05 17:23 - 00035864 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avusbflt.sys
2016-12-16 04:49 - 2016-11-05 17:21 - 00176464 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2016-12-16 04:49 - 2016-11-05 17:21 - 00148032 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2016-12-14 21:40 - 2016-11-22 06:03 - 00000000 ____D C:\Users\Frank\Documents\ezvid
2016-12-14 21:38 - 2016-11-22 06:30 - 00010752 _____ C:\Users\Frank\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-12-14 16:38 - 2012-09-11 05:09 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-14 16:38 - 2012-09-11 05:09 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-12-14 16:38 - 2011-10-20 00:05 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-14 16:38 - 2011-10-20 00:05 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-14 16:38 - 2011-10-20 00:04 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-11 06:09 - 2016-11-05 17:15 - 00000000 ____D C:\ProgramData\Package Cache
2016-12-11 05:57 - 2009-07-14 12:08 - 00032656 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-11-29 08:02 - 2013-06-16 01:51 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-11-29 08:02 - 2013-06-16 01:51 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-11-27 08:06 - 2016-03-22 13:25 - 00000000 ____D C:\Windows\system32\MRT
2016-11-27 07:37 - 2016-03-22 13:24 - 143495576 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-11-27 07:34 - 2011-10-19 23:15 - 00000000 ____D C:\ProgramData\Skype
2016-11-27 07:30 - 2013-06-16 01:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

==================== Files in the root of some directories =======

2016-03-26 21:07 - 2016-03-26 21:08 - 0008704 ___SH () C:\Users\Frank\AppData\Roaming\Thumbs.db
2015-06-01 00:36 - 2015-06-01 00:36 - 0033134 _____ () C:\Users\Frank\AppData\Roaming\UserTile.png
2016-11-22 06:30 - 2016-12-14 21:38 - 0010752 _____ () C:\Users\Frank\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-12-26 07:53 - 2016-12-26 07:53 - 0000218 _____ () C:\Users\Frank\AppData\Local\recently-used.xbel
2016-11-19 14:35 - 2016-11-19 14:35 - 0000032 _____ () C:\ProgramData\Temp.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-04-18 05:28

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by Frank (27-12-2016 04:05:03)
Running from C:\Users\Frank\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2012-08-22 06:57:47)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1637433389-394192189-160962988-500 - Administrator - Disabled)
Frank (S-1-5-21-1637433389-394192189-160962988-1001 - Administrator - Enabled) => C:\Users\Frank
Guest (S-1-5-21-1637433389-394192189-160962988-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1637433389-394192189-160962988-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acer Crystal Eye Webcam (HKLM-x32\...\InstallShield_{A0382E3C-7384-429A-9BFA-AF5888E5A193}) (Version: 1.5.2904.00 - CyberLink Corp.)
Acer Crystal Eye Webcam (x32 Version: 1.5.2904.00 - CyberLink Corp.) Hidden
Acer ePower Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 6.00.3008 - Acer Incorporated)
Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 5.00.3504 - Acer Incorporated)
Acer Games (HKLM-x32\...\WildTangent acer Master Uninstall) (Version: 1.0.2.5 - WildTangent)
Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.04.3504 - Acer Incorporated)
Acer ScreenSaver (HKLM-x32\...\Acer Screensaver) (Version: 1.1.0517.2011 - Acer Incorporated)
Acer VCM (HKLM-x32\...\{047F790A-7A2A-4B6A-AD02-38092BA63DAC}) (Version: 4.05.3501 - Acer Incorporated)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.020.20042 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.7.1.19610 - Adobe Systems Incorporated)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.0.0.400 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe Photoshop 7.0 (HKLM-x32\...\Adobe Photoshop 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Premiere Pro (HKLM-x32\...\{084709F7-38C5-4609-B55F-2417939315EB}) (Version: 7.0 - Adobe Systems, Inc.)
Advanced IP Scanner 2.4 (HKLM-x32\...\{2E644D2D-993F-43B4-B85A-15363CA777C3}) (Version: 2.4.3021 - Famatech)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.39 - Atheros Communications Inc.)
ATI Catalyst Install Manager (HKLM\...\{3605D89A-BD66-F5C5-779B-BE9110B41077}) (Version: 3.0.829.0 - ATI Technologies, Inc.)
AVG 2012 (Version: 12.1.2250 - AVG Technologies) Hidden
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.24.146 - Avira Operations GmbH & Co. KG)
Avira Connect (HKLM-x32\...\{707e8edf-9482-4417-ae39-c9b5fe605e87}) (Version: 1.2.76.27124 - Avira Operations GmbH & Co. KG)
Avira Connect (x32 Version: 1.2.76.27124 - Avira Operations GmbH & Co. KG) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.54.8.50 - Conexant)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Deluge 1.3.13 (HKLM-x32\...\Deluge) (Version:  - )
ETDWare PS/2-X64 8.0.6.0_WHQL (HKLM\...\Elantech) (Version: 8.0.6.0 - ELAN Microelectronic Corp.)
Ezvid (HKLM-x32\...\{F96D619D-99D6-4C9C-A393-0CD22DE1CA66}_is1) (Version: 1.003 - Ezvid, inc.)
Fotogalerija Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria de Fotografias do Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galería fotográfica de Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria fotogràfica del Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria fotografii usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie de photos Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie foto Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.15.281 - SurfRight B.V.)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3501 - Acer Incorporated)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Launch Manager (HKLM-x32\...\LManager) (Version: 5.1.7 - Acer Inc.)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.5131.5000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mixxx 1.11.0 (HKLM-x32\...\Mixxx (1.11.0)) (Version: 1.11.0 - The Mixxx Development Team)
Mozilla Firefox 50.1.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-GB)) (Version: 50.1.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 50.1.0.6186 - Mozilla)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9.141.259 - Google, Inc.)
Poczta usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Podstawowe programy Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Pošta Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Raccolta foto di Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30127 - Realtek Semiconductor Corp.)
RogueKiller version 12.8.6.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.8.6.0 - Adlice Software)
Skype Web Plugin (HKLM-x32\...\{70257DA6-C358-4634-B15D-C42C3B564149}) (Version: 7.28.0.46 - Skype Technologies S.A.)
Skype Web Plugin (HKLM-x32\...\{AC7406B6-BB3B-4CD1-AEBA-0527B9CB16FE}) (Version: 7.27.0.105 - Skype Technologies S.A.)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
SoulSeek 157 NS 13e (HKLM-x32\...\Soulseek2) (Version:  - )
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WildTangent Games App (x32 Version: 4.0.10.17 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
WinRAR 5.31 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)
Συλλογή φωτογραφιών του Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Основные компоненты Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Почта Windows Live (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт) Hidden
Фотоальбом Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Фотогалерия на Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
גלריית התמונות של Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
بريد Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
معرض صور Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{58743271-597A-401B-AF4A-1450179151C0}\InprocServer32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.27.0.105\GatewayActiveX-x64.dll (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{8AAE6BAC-FCFC-49E7-940C-B11668616323}\InprocServer32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\GatewayActiveX-x64.dll (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{9206EDB2-DB9E-4AE0-A821-5048667D3A17}\localserver32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\GatewayVersion-x64.exe (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{CBF9CD8C-2714-4F36-B76A-43E6C7547BC2}\localserver32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.28.0.46\EdgeCalling.exe (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-1637433389-394192189-160962988-1001_Classes\CLSID\{D0FC4B60-C60D-4908-8365-0C64C03E0291}\localserver32 -> C:\Users\Frank\AppData\Local\SkypePlugin\7.27.0.105\GatewayVersion-x64.exe (Skype Technologies S.A.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2E5086CD-B74B-4CC7-9295-99E4171561A7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-12-14] (Adobe Systems Incorporated)
Task: {4D07B0A3-2B44-4D40-AF40-CFEE16D0ECF4} - System32\Tasks\UALU notificatin => C:\Program Files\Acer\Acer Updater\UALU.exe
Task: {666104E5-26A7-4850-A0B1-491EBD38C8B2} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {90C21936-A901-48C0-911C-ABC8D2DC8ED3} - System32\Tasks\Games\UpdateCheck_S-1-5-21-1637433389-394192189-160962988-1001
Task: {C7551242-B8CF-4617-8741-8D30FF050FD7} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-10-21] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-04-23 01:09 - 2010-04-30 19:56 - 00001798 ____N C:\Windows\system32\Drivers\etc\hosts

127.0.0.1                activate.adobe.com
127.0.0.1                practivate.adobe.com
127.0.0.1                ereg.adobe.com
127.0.0.1                activate.wip3.adobe.com
127.0.0.1                wip3.adobe.com
127.0.0.1                3dns-3.adobe.com
127.0.0.1                3dns-2.adobe.com
127.0.0.1                adobe-dns.adobe.com
127.0.0.1                adobe-dns-2.adobe.com
127.0.0.1                adobe-dns-3.adobe.com
127.0.0.1                ereg.wip3.adobe.com
127.0.0.1                activate-sea.adobe.com
127.0.0.1                wwis-dubc1-vip60.adobe.com
127.0.0.1                activate-sjc0.adobe.com
127.0.0.1                               adobe.activate.com
127.0.0.1                               adobeereg.com                        
127.0.0.1                               www.adobeereg.com                    
127.0.0.1                               wwis-dubc1-vip60.adobe.com           
127.0.0.1                               125.252.224.90                       
127.0.0.1                               125.252.224.91
127.0.0.1                               hl2rcv.adobe.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1637433389-394192189-160962988-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 202.58.98.202 - 202.58.98.203
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: BDESVC => 3
MSCONFIG\Services: bthserv => 3
MSCONFIG\Services: defragsvc => 3
MSCONFIG\Services: ShellHWDetection => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk => C:\Windows\pss\Acer VCM.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk => C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: SuiteTray => "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{BDA55964-E36B-4D3E-A150-EB9447CB71E1}] => C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{A0EB5225-ECA4-4E72-A807-B2A0D720DE0C}] => C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{E4ABE5FA-29D3-48E4-A4ED-BB4088B229FD}] => C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{9C54E2A1-EA53-4886-BBF9-C63846423A8E}] => LPort=2869
FirewallRules: [{DED78336-AC18-4590-83FA-38F20C7C19DD}] => LPort=1900
FirewallRules: [{7772C5B9-AA06-4179-9156-1E0F36114D51}] => C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{7B30285B-703D-4FE5-B257-DCE8F373B87A}] => C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
FirewallRules: [{8A6734F7-220D-4C62-808B-5B97571689CC}] => C:\Program Files (x86)\Acer\Acer VCM\VC.exe
FirewallRules: [{058094AB-630F-443D-8F95-7563D2DF814D}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{52A8ADCC-6ECB-40D6-80DD-D7BBBE59798A}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{8721ECB9-2094-48C8-A852-28D3DEC92A4D}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{BD2365CA-46B9-442A-BC71-9690325888D2}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{4CBBAD33-484B-4837-91BB-DE0ED907EDBF}C:\program files (x86)\soulseekqt\soulseekqt.exe] => C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [UDP Query User{204B451D-32C5-4030-9B37-59BD3EF28D67}C:\program files (x86)\soulseekqt\soulseekqt.exe] => C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [TCP Query User{544841E3-3FD6-4319-8BFA-6FD9D41A837E}C:\program files (x86)\soulseekns\slsk.exe] => C:\program files (x86)\soulseekns\slsk.exe
FirewallRules: [UDP Query User{C07F1F58-99F8-44E9-9C92-8E1A5D460622}C:\program files (x86)\soulseekns\slsk.exe] => C:\program files (x86)\soulseekns\slsk.exe
FirewallRules: [TCP Query User{E96126CA-E8B8-4957-95E8-EFC679EF7CF6}C:\users\frank\appdata\local\skypeplugin\pluginhost.exe] => C:\users\frank\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [UDP Query User{1857ADAF-889A-4AAD-A70D-DAA2678ACAAD}C:\users\frank\appdata\local\skypeplugin\pluginhost.exe] => C:\users\frank\appdata\local\skypeplugin\pluginhost.exe
FirewallRules: [{9C695AE1-F7CD-4F5C-B79E-209DC02B67EC}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [TCP Query User{45D59338-DAB7-4A00-B0B1-8BD961673C66}C:\program files (x86)\deluge\deluge.exe] => C:\program files (x86)\deluge\deluge.exe
FirewallRules: [UDP Query User{E8A03AAD-728B-4D31-82FD-B26B845203F0}C:\program files (x86)\deluge\deluge.exe] => C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{6DAD2F6E-1FD0-4FDE-B451-718E249C094C}] => C:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe
FirewallRules: [{C3254D6B-1224-4D4E-8650-EF1D1928F6C9}] => C:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/27/2016 03:47:20 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/27/2016 03:36:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/26/2016 09:09:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/26/2016 09:07:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/26/2016 08:58:59 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/26/2016 08:24:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/26/2016 08:07:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/25/2016 07:11:19 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/25/2016 07:11:19 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/25/2016 03:23:44 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.


System errors:
=============
Error: (12/27/2016 03:46:11 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (12/27/2016 03:44:20 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} did not register with DCOM within the required timeout.

Error: (12/27/2016 03:36:01 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (12/27/2016 03:35:44 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 21:54:54 on ‎26/‎12/‎2016 was unexpected.

Error: (12/26/2016 09:09:21 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (12/26/2016 09:07:34 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} did not register with DCOM within the required timeout.

Error: (12/26/2016 09:06:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (12/26/2016 09:06:29 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 21:04:56 on ‎26/‎12/‎2016 was unexpected.

Error: (12/26/2016 09:02:54 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X64 service to connect.

Error: (12/26/2016 08:58:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


==================== Memory info ===========================

Processor: AMD C-60 APU with Radeon™ HD Graphics
Percentage of memory in use: 61%
Total physical RAM: 1770.9 MB
Available physical RAM: 685.19 MB
Total Virtual: 3541.8 MB
Available Virtual: 1995.93 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:283.99 GB) (Free:63.57 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 86DE2CAA)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=284 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================