Can't delete Ludashi Malware/Adware


This topic is locked
20 replies to this topic

#1 DesperateMeasures


Posted 29 December 2016 - 03:27 AM

Hello!
Two days ago, while playing a game on Steam, my in-game crosshair changed to the wait cursor, and as soon as I exited Steam I was greeted with some apps that I never installed on my desktop. When I opened my browser (Firefox), my home page was changed to some Chinese search engine, the browser was crashing every 2 minutes, and every new tab opened would redirect to Chinese websites. I followed some instructions I found online (including from this site) and installed malware removal tools - Rkill, Malwarebytes and AdwCleaner. These took care of most of my problems, detecting and quarantining hundreds of PUPs. My browser was fixed, and my computer seemed to be running fine. I also did an ESET Online Scan and HitmanPro scans. While ESET did find some problems, as of today Hitman tells me I've got no threats. Now, here comes the tricky part.

Now, both Malwarebytes and AdwCleaner always identify the same threat remaining regardless of how many times I clean, delete or quarantine it. They call it Ludashi and it's a folder that persistently reappears in AppData/Roaming and then spawns another one in the same directory called Lockedhomepage. Even if they are deleted or quarantined, they always appear on system reboot, and I'm afraid these are somehow the starting point of the infection. Also, as soon as Windows loads (after the login screen, when my desktop and taskbar complete loading), I get a warning related to some sys32 thing that cannot be loaded (I could make a screenshot if necessary). I also noticed in the Addition.txt of Farbar some hosts called Baidu, which, from my online reading, might have something to do with this Ludashi thing.

Thanks for your time!
 
Anyway, here are the results of the FRST:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-12-2016
Ran by Alex (administrator) on ALEX-PC (29-12-2016 10:23:35)
Running from C:\Users\Alex\Desktop\FRST
Loaded Profiles: Alex & NeroMediaHomeUser.4 (Available Profiles: Alex & NeroMediaHomeUser.4)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Samsung) C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_186.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_186.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12460136 2012-06-21] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1020064 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800416 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2816336 2012-06-21] (ELAN Microelectronics Corp.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2465088 2014-11-17] (NVIDIA Corporation)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14064880 2016-12-27] (Zemana Ltd.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2015-09-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [Nero MediaHome 4] => C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe [5179880 2012-12-20] (Nero AG)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [DAEMON Tools Pro Agent] => C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe [3111744 2012-04-26] (DT Soft Ltd)
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe [202024 2007-08-03] (Nero AG)
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [KSS] => "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe" autorun
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [Ezttion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Alex\AppData\Local\YdbvPack\qwjzegpq.dll
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\MountPoints2: {fe0bc157-4c1c-11e4-99b9-806e6f6e6963} - E:\SecSWMgrGuide.exe
HKU\S-1-5-18\...\Run: [360wp-srv] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe [1636264 2016-12-09] (360.cn)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [174856 2014-11-13] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [156840 2014-11-13] (NVIDIA Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{7B861873-A710-43E4-A477-60B6DF42D03E}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-139745227-2284625060-2539193485-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-10-04] (Oracle Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-02-13] (Atheros Commnucations)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-10-04] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default [2016-12-29]
FF Homepage: Mozilla\Firefox\Profiles\fu1vpkaw.default -> about:home
FF Extension: (EPUBReader) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2016-08-16]
FF Extension: (Rename command invocation) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{81005532-A277-0574-A3A9-44D6D7619194} [2016-12-27] [not signed]
FF Extension: (Bitdefender QuickScan) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-09-21]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_186.dll [2016-12-28] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-28] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-10-04] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-10-04] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-139745227-2284625060-2539193485-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Alex\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-07-15] (Unity Technologies ApS)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [106144 2012-02-13] (Atheros Commnucations) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-06-21] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-06-21] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
R2 NeroMediaHomeService.4; C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe [518632 2012-12-20] (Nero AG)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [382248 2007-08-03] (Nero AG)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-11-17] (NVIDIA Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WpSvc; C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\lpi\WpSvc.dll [253352 2016-11-17] ()
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14064880 2016-12-27] (Zemana Ltd.)
R2 ZAtheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [158880 2012-02-13] (Atheros) [File not signed]
S2 GmSvc; C:\Program Files (x86)\LDSGameCenter\GmSvc.dll [X]
S2 upuste; C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe prodrco upuste [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2015-07-18] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2014-10-04] (DT Soft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77416 2016-12-14] ()
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2015-07-18] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2016-12-28] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2016-12-29] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2016-12-29] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [250816 2016-12-29] (Malwarebytes)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
R3 ScpVBus; C:\Windows\System32\DRIVERS\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [117768 2015-09-08] (Oracle Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2016-12-28] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2016-12-28] (Zemana Ltd.)
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVCx32: HpSvc -> no filepath.
NETSVCx32: GmSvc -> C:\Program Files (x86)\LDSGameCenter\GmSvc.dll ==> No File
NETSVCx32: WpSvc -> C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\lpi\WpSvc.dll ()

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-29 09:41 - 2016-12-29 10:23 - 00000000 ____D C:\FRST
2016-12-29 09:38 - 2016-12-29 10:23 - 00000000 ____D C:\Users\Alex\Desktop\FRST
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Ludashi
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\lockhomepage
2016-12-28 17:58 - 2016-12-29 10:23 - 00064355 _____ C:\Windows\ZAM.krnl.trace
2016-12-28 17:58 - 2016-12-29 10:23 - 00029001 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-12-28 17:57 - 2016-12-28 17:57 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2016-12-28 17:57 - 2016-12-28 17:57 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2016-12-28 17:57 - 2016-12-28 17:57 - 00001148 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2016-12-28 17:57 - 2016-12-28 17:57 - 00000000 ____D C:\Users\Alex\AppData\Local\Zemana
2016-12-28 17:57 - 2016-12-28 17:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-12-28 17:57 - 2016-12-28 17:57 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-12-28 17:55 - 2016-12-28 17:55 - 05462216 _____ ( ) C:\Users\Alex\Downloads\Zemana.AntiMalware.Setup.exe
2016-12-28 11:17 - 2016-12-28 11:17 - 00000000 ____D C:\Users\Alex\AppData\Local\ESET
2016-12-28 11:16 - 2016-12-28 11:17 - 06771840 _____ (ESET spol. s r.o.) C:\Users\Alex\Downloads\esetonlinescanner_enu.exe
2016-12-28 10:05 - 2016-12-28 10:05 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Alex\Downloads\rkill64.exe
2016-12-28 09:02 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\Desktop\Raport
2016-12-28 07:27 - 2016-12-28 07:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2016-12-28 07:05 - 2016-12-28 07:05 - 00000000 ____D C:\Program Files\HitmanPro
2016-12-27 20:28 - 2016-12-27 20:28 - 00010130 _____ C:\Windows\system32\.crusader
2016-12-27 20:04 - 2016-12-27 20:29 - 00000000 ____D C:\ProgramData\HitmanPro
2016-12-27 20:03 - 2016-12-27 20:03 - 11581544 _____ (SurfRight B.V.) C:\Users\Alex\Downloads\hitmanpro_x64.exe
2016-12-27 17:58 - 2016-12-29 09:33 - 00000000 ____D C:\AdwCleaner
2016-12-27 17:21 - 2016-12-28 16:04 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2016-12-27 17:20 - 2016-12-29 09:34 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-27 17:20 - 2016-12-29 09:34 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2016-12-27 17:20 - 2016-12-29 09:34 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-27 17:20 - 2016-12-29 07:02 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2016-12-27 17:20 - 2016-12-27 17:20 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-27 17:20 - 2016-12-27 17:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-27 17:20 - 2016-12-27 17:20 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-27 17:20 - 2016-12-27 17:20 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-27 17:20 - 2016-12-14 12:55 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys
2016-12-27 17:19 - 2016-12-27 17:19 - 01663040 _____ (Malwarebytes) C:\Users\Alex\Downloads\JRT.exe
2016-12-27 17:18 - 2016-12-27 17:20 - 54199488 _____ (Malwarebytes ) C:\Users\Alex\Downloads\mb3-setup-consumer-3.0.5.1299.exe
2016-12-27 17:18 - 2016-12-27 17:19 - 03977168 _____ C:\Users\Alex\Downloads\adwcleaner_6.041.exe
2016-12-27 17:16 - 2016-12-27 17:16 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Alex\Downloads\rkill.exe
2016-12-27 17:14 - 2016-12-27 17:14 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Alex\Downloads\rkill.com
2016-12-27 16:58 - 2016-12-29 09:25 - 00000458 _____ C:\Windows\Tasks\UCBrowserUpdater.job
2016-12-27 16:58 - 2016-12-27 16:58 - 00003454 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
2016-12-27 16:52 - 2016-12-27 16:52 - 00000000 ____D C:\Program Files\BitTorrent
2016-12-27 16:50 - 2016-12-27 16:50 - 00000004 _____ C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
2016-12-26 17:52 - 2016-12-26 17:52 - 00001788 _____ C:\Users\Public\Desktop\The Little Acre.lnk
2016-12-26 17:49 - 2016-12-26 17:52 - 00000000 ____D C:\Program Files\The Little Acre
2016-12-26 17:49 - 2016-12-26 17:49 - 00003326 _____ C:\Windows\System32\Tasks\SoundsSystemService
2016-12-20 18:20 - 2016-12-20 18:20 - 29950551 _____ (KLCP ) C:\Users\Alex\Downloads\K-Lite_Codec_Pack_1270_Standard.exe
2016-12-20 18:03 - 2016-12-20 18:03 - 00000000 ____D C:\Users\Alex\Documents\Cloud
2016-12-14 14:58 - 2016-12-20 17:25 - 00000000 ____D C:\Program Files\Shardlight
2016-12-13 16:32 - 2016-12-13 16:32 - 00000000 ____D C:\Users\Alex\AppData\Local\Chromium
2016-12-10 15:07 - 2016-12-10 15:09 - 00000000 ____D C:\Users\Alex\AppData\Local\MomodoraRUtM
2016-12-10 14:50 - 2016-12-16 18:41 - 00000000 ____D C:\Program Files\Momodora - Reverie Under the Moonlight
2016-12-09 14:16 - 2016-12-09 14:16 - 00000000 ____D C:\Users\Alex\AppData\LocalLow\Vonsnake
2016-12-08 14:40 - 2016-12-09 19:43 - 00000000 ____D C:\Program Files\Chronology
2016-12-07 15:17 - 2016-12-07 15:31 - 00000000 ____D C:\Users\Alex\AppData\Local\DontTouchAnything
2016-12-02 14:24 - 2016-12-02 14:24 - 00000000 ____D C:\ProgramData\Solidshield

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-29 09:50 - 2016-11-16 10:27 - 00000000 ____D C:\Users\Alex\AppData\LocalLow\Mozilla
2016-12-29 09:34 - 2014-10-04 15:51 - 00000828 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2016-12-29 09:34 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-29 08:58 - 2014-10-12 09:12 - 00000000 ____D C:\Program Files (x86)\Steam
2016-12-29 08:15 - 2014-10-30 08:50 - 00000000 ____D C:\Users\Alex\Documents\My Games
2016-12-29 08:15 - 2014-10-04 18:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-12-29 08:15 - 2013-08-19 16:47 - 00000000 ____D C:\GOG Games
2016-12-29 08:15 - 2009-07-14 07:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-12-29 08:13 - 2014-10-05 01:57 - 00000000 ____D C:\Windows.old
2016-12-28 18:58 - 2015-02-18 21:43 - 00000983 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-12-28 17:59 - 2014-10-04 15:40 - 00000000 ____D C:\Users\Alex
2016-12-28 14:54 - 2014-10-04 15:51 - 00000830 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2016-12-28 11:00 - 2014-10-04 16:08 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2016-12-28 09:43 - 2015-02-11 15:42 - 00000000 ____D C:\Users\NeroMediaHomeUser.4
2016-12-28 09:18 - 2013-03-03 08:40 - 00000000 ____D C:\Filme
2016-12-28 09:07 - 2014-10-04 16:09 - 00000000 ____D C:\Users\Alex\AppData\Local\Adobe
2016-12-28 09:06 - 2014-10-04 16:10 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-28 09:06 - 2014-10-04 16:10 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-28 09:06 - 2014-10-04 16:10 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-28 09:06 - 2014-10-04 16:10 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-27 18:30 - 2014-10-04 16:37 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2016-12-27 18:29 - 2014-10-04 16:38 - 00000000 ____D C:\ProgramData\Yahoo!
2016-12-27 18:21 - 2015-04-19 10:05 - 00000000 ____D C:\Users\Alex\AppData\Local\CrashRpt
2016-12-27 18:10 - 2014-10-04 16:38 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Yahoo!
2016-12-27 18:10 - 2014-10-04 15:41 - 00001170 _____ C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-12-27 18:08 - 2014-10-04 16:38 - 00000000 ____D C:\Users\Alex\AppData\LocalLow\Yahoo!
2016-12-26 08:33 - 2014-10-04 17:59 - 00000000 ____D C:\Users\Alex\AppData\Local\CrashDumps
2016-12-26 08:33 - 2014-10-04 17:24 - 00000000 ____D C:\Users\Alex\AppData\Local\Battle.net
2016-12-26 08:06 - 2014-10-04 17:24 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-12-24 08:18 - 2014-10-04 18:21 - 00000000 ____D C:\Users\Alex\AppData\Roaming\vlc
2016-12-20 18:35 - 2016-02-16 09:38 - 00000000 ___SD C:\Users\Alex\AppData\LocalLow\Temp
2016-12-20 17:59 - 2014-10-30 08:49 - 00000000 ____D C:\ProgramData\Package Cache
2016-12-15 10:31 - 2016-11-16 09:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-15 10:31 - 2014-10-15 07:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-13 16:32 - 2015-02-07 10:48 - 00000000 ____D C:\Users\Alex\AppData\Local\Steam
2016-12-08 12:24 - 2009-07-14 07:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-08 12:24 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2016-12-01 18:32 - 2016-11-08 13:31 - 00000000 ____D C:\Program Files\Clive Barker's Undying
2016-11-30 08:44 - 2014-10-04 17:36 - 00000000 ____D C:\Program Files (x86)\Hearthstone

==================== Files in the root of some directories =======

2016-12-27 16:50 - 2016-12-27 16:50 - 0000004 _____ () C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
2014-11-21 12:31 - 2014-11-21 12:31 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
C:\Users\Alex\AppData\Local\Temp\cres.dll
C:\Users\Alex\AppData\Local\Temp\cshell.dll
C:\Users\Alex\AppData\Local\Temp\Gw2.exe
C:\Users\Alex\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
C:\Users\Alex\AppData\Local\Temp\HiRezLauncherControls.dll
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.10.317.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.10.631.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.10.764.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.183.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.188.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.196.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.204.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.277.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.308.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.328.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.369.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.595.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.9.789.exe
C:\Users\Alex\AppData\Local\Temp\libeay32.dll
C:\Users\Alex\AppData\Local\Temp\msvcr120.dll
C:\Users\Alex\AppData\Local\Temp\ose00000.exe
C:\Users\Alex\AppData\Local\Temp\sqlite3.dll
C:\Users\Alex\AppData\Local\Temp\sres.dll
C:\Users\Alex\AppData\Local\Temp\SRLDetectionLibrary2242945265252583203.dll
C:\Users\Alex\AppData\Local\Temp\ubiE6D.tmp.exe
C:\Users\Alex\AppData\Local\Temp\Uninstall.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2010-11-21 05:24] - [2014-10-04 15:39] - 1008640 ____A (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2010-11-21 05:24] - [2014-10-04 15:39] - 0833024 ____A (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-17 13:10

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by Alex (29-12-2016 10:24:00)
Running from C:\Users\Alex\Desktop\FRST
Windows 7 Ultimate Service Pack 1 (X64) (2014-10-04 13:39:42)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-139745227-2284625060-2539193485-500 - Administrator - Disabled)
Alex (S-1-5-21-139745227-2284625060-2539193485-1000 - Administrator - Enabled) => C:\Users\Alex
Guest (S-1-5-21-139745227-2284625060-2539193485-501 - Limited - Disabled)
NeroMediaHomeUser.4 (S-1-5-21-139745227-2284625060-2539193485-1002 - Limited - Enabled) => C:\Users\NeroMediaHomeUser.4

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 21.0.0.215 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
Alpha Protocol (HKLM-x32\...\{D37FE0E3-B1A9-4E41-AB5D-DA62E04D2C42}) (Version: 1.00.0000 - SEGA Corporation)
Arx Fatalis (HKLM-x32\...\{96443F45-13E2-11D6-AC87-00D0B7A9E540}) (Version: 1.0.0 - JoWood)
Atheros Bluetooth Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.4.0.122 - Atheros)
Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Atheros)
Battle.net (HKLM-x32\...\Battle.net) (Version: - Blizzard Entertainment)
Ben There, Dan That! pack (HKLM-x32\...\GOGPACKBTDTTGP_is1) (Version: 2.0.0.6 - GOG.com)
Combined Community Codec Pack 2014-07-13 (HKLM-x32\...\Combined Community Codec Pack_is1) (Version: 2014.07.13.0 - CCCP Project)
DAEMON Tools Pro (HKLM-x32\...\DAEMON Tools Pro) (Version: 5.1.0.0333 - DT Soft Ltd)
DuckTales Remastered (HKLM-x32\...\RHVja1RhbGVzUmVtYXN0ZXJlZA==_is1) (Version: 1 - )
Easy Software Manager (HKLM-x32\...\{DE256D8B-D971-456D-BC02-CB64DA24F115}) (Version: 1.2.10.7 - Samsung Electronics Co., Ltd.)
EAX4 Unified Redist (HKLM-x32\...\{89661B04-C646-4412-B6D3-5E19F02F1F37}) (Version: 4.001 - Creative Labs)
Epic Games Launcher Prerequisites (x64) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Escape Goat (HKLM-x32\...\GOGPACKESCAPEGOAT_is1) (Version: 2.0.0.3 - GOG.com)
Escape Goat 2 (HKLM\...\Steam App 255340) (Version: - MagicalTimeBean)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - )
ETDWare PS/2-X64 10.7.13.1_WHQL (HKLM\...\Elantech) (Version: 10.7.13.1 - ELAN Microelectronic Corp.)
Expand (HKLM\...\Steam App 399780) (Version: - Chris Johnson)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version: - )
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0002.135 - Rockstar Games Inc.) Hidden
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0003.135 - Rockstar Games Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version: - Blizzard Entertainment)
HP Deskjet 2050 J510 series Basic Device Software (HKLM\...\{73B1AC18-614F-42CD-A798-4BA214586406}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 2050 J510 series Help (HKLM-x32\...\{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}) (Version: 140.0.61.61 - Hewlett Packard)
Intel® Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{A6C48A9F-694A-4234-B3AA-62590B668927}) (Version: 1.0.0.35342 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.2.1410 - Intel Corporation)
Intel® OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2712 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
King of Dragon Pass (HKLM-x32\...\King of Dragon Pass_is1) (Version: - GOG.com)
Launcher Prerequisites (x64) (x32 Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Lost Horizon (HKLM-x32\...\Lost Horizon) (Version: - Animation Arts)
Malwarebytes version 3.0.5.1299 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.5.1299 - Malwarebytes)
Master Spy (HKLM\...\Steam App 331190) (Version: - TURBOGUN)
Microsoft .NET Compact Framework 2.0 SP1 (HKLM-x32\...\{625386A4-B6B6-4911-A6E8-23189C3F2D15}) (Version: 2.0.6129 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Games for Windows - LIVE (HKLM-x32\...\{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}) (Version: 3.1.186.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}) (Version: 3.1.99.0 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24210 (HKLM-x32\...\{f144e08f-9cbe-4f09-9a8c-f2b858b7ee7f}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM-x32\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Xbox 360 Accessories 1.2 (HKLM\...\{D9C50188-12D5-4D3E-8F00-682346C2AA5F}) (Version: 1.20.146.0 - Microsoft)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Mozilla Firefox 50.1.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-US)) (Version: 50.1.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 50.1.0.6186 - Mozilla)
Nero 8 (HKLM-x32\...\{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}) (Version: 8.0.182 - Nero AG)
Nero MediaHome 4 Essentials (HKLM-x32\...\{b65b6fb1-1bdc-4294-ad85-e53a5fec1889}) (Version: - Nero AG)
Neverwinter Nights 2 Complete (HKLM-x32\...\GOGPACKNWN2COMPLETE_is1) (Version: 2.1.0.6 - GOG.com)
NVIDIA Graphics Driver 344.75 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 344.75 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{8A809006-C25A-4A3A-9DAB-94659BCDB107}) (Version: 9.10.0224 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
Odallus - The Dark Call (HKLM-x32\...\1435937720_is1) (Version: 2.3.0.4 - GOG.com)
Oniken (HKLM-x32\...\Steam App 252010) (Version: - JoyMasher)
OpenAL (HKLM-x32\...\OpenAL) (Version: - )
Ori and the Blind Forest (HKLM-x32\...\Ori and the Blind Forest_is1) (Version: - )
Quake Live (HKLM-x32\...\Steam App 282440) (Version: - id Software)
Rapture3D 2.4.11 Game (HKLM-x32\...\{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1) (Version: - Blue Ripple Sound)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.50.1123.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6608 - Realtek Semiconductor Corp.)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 1.1.7.8 - Rockstar Games)
ScummVM 1.7.0 (HKLM-x32\...\ScummVM_is1) (Version: - The ScummVM Team)
Snakebird (HKLM\...\Steam App 357300) (Version: - Noumenon Games)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 3.0 - Krzysztof Kowalczyk)
Super Hexagon (HKLM-x32\...\Steam App 221640) (Version: - Terry Cavanagh)
System Requirements Lab CYRI (HKLM-x32\...\{6C8C4577-8E15-4C63-96ED-D40F2072FF74}) (Version: 6.0.19.0 - Husdawg, LLC)
The Little Acre (HKLM-x32\...\1950015716_is1) (Version: 2.0.0.3 - GOG.com)
Thief 2: The Metal Age (HKLM-x32\...\Thief 2: The Metal Age_is1) (Version: - GOG.com)
Tom Clancy's Splinter Cell Double Agent (HKLM-x32\...\{CAD1691A-FA24-4B95-9009-3257B8440ECC}) (Version: 1.00.0000 - Ubisoft)
Unity Web Player (HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\UnityWebPlayer) (Version: 4.5.5f1 - Unity Technologies ApS)
Unreal Development Kit: 2015-01 (HKLM\...\UDK-7dce4c9e-12b8-476c-9c83-2a773c22f42f) (Version: - Epic Games, Inc.)
Uplay (HKLM-x32\...\Uplay) (Version: 3.0 - Ubisoft)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.0 - VideoLAN)
WinRAR 5.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version: - )
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.70.244 - Zemana Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {30803AC4-B5D1-42AD-9017-4656BDF1401B} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: {375C34EC-F26B-4DD5-B04A-821A71D73846} - System32\Tasks\SoundsSystemService => C:\windows\rsdsrv.exe
Task: {8D61CBB4-B2F8-4D45-920A-FC9C076F83E2} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {CBF3F8D5-076A-42CC-81DF-871946ECA93B} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {DBA64D4E-26BA-477C-AFAD-DC08EAD6AC52} - System32\Tasks\Easy Software Manager Agent => C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe [2012-02-27] (Samsung)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe
Task: C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe
Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2014-12-17 10:05 - 2014-11-13 02:20 - 00013120 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2014-12-17 10:10 - 2014-11-12 23:56 - 00118080 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-10-04 15:50 - 2012-06-21 10:18 - 00128280 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
2016-12-28 17:57 - 2016-12-28 17:57 - 00152944 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2016-12-27 17:20 - 2016-12-14 12:55 - 02259232 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-12-27 17:20 - 2016-12-14 12:55 - 02813904 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\arwlib.dll
2012-03-26 11:33 - 2012-03-26 11:33 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-12-17 10:05 - 2014-11-13 02:20 - 00010952 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2014-10-04 15:46 - 2012-02-08 10:00 - 00755280 _____ () C:\Program Files (x86)\Samsung\Easy Software Manager\SWMFuncDLL.dll
2007-03-13 11:28 - 2007-03-13 11:28 - 00823296 _____ () C:\Program Files (x86)\Common Files\Nero\Lib\log4cxx.dll
2014-10-04 15:50 - 2012-02-07 11:39 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2016-12-28 09:06 - 2016-12-28 09:06 - 19761240 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [80850]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [360536]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1156450]
AlternateDataStreams: C:\ProgramData\TEMP:C2FF2B0A [118]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\hola.org -> hxxp://hola.org

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2016-12-27 16:49 - 00001006 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 www.czzsyzgm.com
127.0.0.1 www.czzsyzxl.com
127.0.0.1 union.baidu2019.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-139745227-2284625060-2539193485-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{02A2EE4E-3881-42E0-A6C1-DBF793CC070B}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{05DA2C95-7B2D-4AD2-A39B-9947C3065931}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{CF805753-3B6B-46D3-898A-2B855DC6927A}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [{5EF22086-F982-42D4-BCCC-0262C460F7A5}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [{96BA98F1-FCD1-4A22-B59B-12662D7079C8}] => C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{086CAB11-3FFC-4E98-BCBC-B7022E5870D6}] => C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{6B8C75C6-B09B-459C-8176-78C53FB08027}] => C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{85BF109C-1CBC-4A5B-9263-E773B445DD42}] => C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{13C1FD73-50DE-472B-840A-3A7065442B55}] => C:\Users\Alex\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BBA917B2-FA6D-4D4B-B5E4-59200AD471F0}] => C:\Users\Alex\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{82BFFD3C-6321-4851-ACB3-16E19790662F}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [UDP Query User{D7A665A1-0598-4235-BC62-F9E61FCF974D}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [TCP Query User{C167CA27-333C-4654-BC75-8DD2E7C6D5C0}C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe
FirewallRules: [UDP Query User{1DDD4408-5AF9-4B06-B83F-79F194F5188C}C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe
FirewallRules: [{07C519EC-719D-4FDE-931C-D68DC28A4A32}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [{F5CF10E0-ED59-4D9F-8D15-8DA5CB3B190B}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [TCP Query User{C8E68BE1-EBC0-44A3-8C6A-B7D66BAB781B}C:\program files (x86)\hearthstone\hearthstone.exe] => C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [UDP Query User{35C8F5B1-CF97-481D-AC03-71B83DD823D8}C:\program files (x86)\hearthstone\hearthstone.exe] => C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [TCP Query User{DB708BB5-687D-4C06-8698-059A10F9033E}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [UDP Query User{FCF30968-5467-4103-8F74-ACF151322BC7}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [TCP Query User{45CD37BD-4E6C-421A-A3AF-A0EB549E2948}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [UDP Query User{917372D2-DDFA-4B89-8458-51C529D9AAAA}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [{80E7DBAD-8587-4705-A2C4-5F4567DF5DD3}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [{D66B072B-5535-4A9D-B8C3-9C4BEB30B91B}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [TCP Query User{698C8A9D-B7CD-4E28-8033-3E92C892C492}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [UDP Query User{F5DE9143-12F1-4B83-81C6-8A0562D1FFA6}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [{06E4BDE8-0D4B-4344-A19B-0CC65C7BDC7A}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [{38F04E03-476A-426D-8B81-A564A151AD22}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [{A4F9A5F3-3144-4407-9F39-EBCA11D8BAEC}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{C602E3F6-CAD7-4DB8-830E-4FB97D78C006}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{7C919915-5AAB-4A02-9CE1-D6639BCB1D3C}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{5D90AE03-10E3-4DFE-94DB-EDC321840985}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{27A6E520-F510-4841-AE97-932F687BAAF0}] => C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{BC50901D-A776-4AA2-B74E-C5D488836D1C}] => C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{61ACE77C-501A-4C7D-9F10-52514A33E34D}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{103B2E22-C12E-40F0-B3FF-5141DA02B8B6}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{7274972C-EA8D-4FAC-B23C-7C56A475FC7E}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{ED22699D-EEF1-4F15-868F-18CC5D5AA68F}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{6837CD8A-17D7-4BCE-B986-A0FF6CA35770}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{9E3018B5-CE0E-462C-8B72-3C8E316879D8}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{B296DEFD-8F00-4DE0-AB7B-DB6FF1CFAA14}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{3FB8BEB0-51C5-4AFC-B6F8-F197C12D4507}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{B57A9476-74E0-46E7-AFBC-BAE17015326F}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{D6D92956-4F98-4CC3-ACF8-92D5BC8E91A4}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{497E0128-41B9-44C7-A7B3-E54B647347EC}] => C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\USBSetup.exe
FirewallRules: [{86343E7A-ADDC-45FE-A040-177A4E7389F4}] => C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe
FirewallRules: [{72F99E6E-0FE5-43BB-8A26-FE6416467CAE}] => C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe
FirewallRules: [{2285FCE0-A605-45C7-97AE-10CEB9268977}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{BB3CEF4B-DB06-404E-BA1B-2EA42EC2A967}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{787F333B-1C4E-4432-8003-7F6673DB45A1}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{7E9E0AFE-37C7-4002-8AD7-C48E4AD946A8}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{F4B4C29E-9BA5-44B9-BAA3-2C7FDE0B4DEA}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{709C6462-4A05-49AE-AA0F-3BEFDF4880BA}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{D4478C8B-0E80-4616-A4BC-9AD1630E8283}] => C:\GOG Games\Stacking\stack.exe
FirewallRules: [TCP Query User{0D1165FE-B8F7-4C31-87DC-935240022F86}D:\downloads\quake3\quake3.exe] => D:\downloads\quake3\quake3.exe
FirewallRules: [UDP Query User{5C6A0AB3-E9FA-4BA3-800C-69EB790C6A48}D:\downloads\quake3\quake3.exe] => D:\downloads\quake3\quake3.exe
FirewallRules: [TCP Query User{903B2BCB-AF2A-440D-828C-4344811DE376}C:\program files (x86)\counter strike pro\hl.exe] => C:\program files (x86)\counter strike pro\hl.exe
FirewallRules: [UDP Query User{3CED8B4D-175E-4B1F-B935-EDBBDCA823C9}C:\program files (x86)\counter strike pro\hl.exe] => C:\program files (x86)\counter strike pro\hl.exe
FirewallRules: [{0920347A-F208-4CA3-A170-F28953EC6C72}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{A0BE2381-E9DE-4B6D-95B7-BFE5E6994AB6}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{DD485D39-C768-43DD-A8EE-0717DBC2049A}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{92C9A074-85D7-4080-9755-89AA83E31C9F}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{CE9C09D8-A53C-49F5-A712-8E538246BB6F}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{E5018AA5-8723-4CC8-BC5D-3A273AD6F86A}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{8EE88042-39C3-4502-A057-EEB0AD3D6F58}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{5EDE8515-8AF3-4192-A0A2-9E2882610C91}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{9EBB3175-D9D3-42C6-8461-FD567C62B0EA}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5F11150C-5A8C-4964-A91C-B0119057558D}] => C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe
FirewallRules: [{941027A9-36EE-42BA-B222-67124F660F62}] => C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe
FirewallRules: [TCP Query User{B67C9907-3917-4465-B468-5E1147964D24}C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe] => C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe
FirewallRules: [UDP Query User{8997F599-30CB-4E1E-AAC2-1A97AAB660BD}C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe] => C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe
FirewallRules: [{B1DC75E0-C770-4D7B-82AC-CC4011284A42}] => C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe
FirewallRules: [{74110D87-1D85-47CD-B031-40C6B02CD3B3}] => C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe
FirewallRules: [TCP Query User{94ADD653-AB77-44A3-8EB6-FD03931513BD}C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe] => C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe
FirewallRules: [UDP Query User{B9D55E1B-A3DA-4976-915C-9794679F7F34}C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe] => C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe
FirewallRules: [{338E81FF-0BCA-4C09-BB68-F8E4DBA43D91}] => C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
FirewallRules: [{48A34691-2E4E-402A-A53E-3CF62D88EE52}] => C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
FirewallRules: [TCP Query User{FD96C08A-3CCF-42A0-9E50-024CF55EA199}C:\programdata\battle.net\agent\agent.3715\agent.exe] => C:\programdata\battle.net\agent\agent.3715\agent.exe
FirewallRules: [UDP Query User{744E3A9B-54D8-4FB7-8BEB-01681C850EDF}C:\programdata\battle.net\agent\agent.3715\agent.exe] => C:\programdata\battle.net\agent\agent.3715\agent.exe
FirewallRules: [TCP Query User{7F5C68D7-1B4B-4D7A-ADE7-B0ED40ACA0B7}C:\program files\fox\no one lives forever\nolfserv.exe] => C:\program files\fox\no one lives forever\nolfserv.exe
FirewallRules: [UDP Query User{B736D539-754C-4095-93EE-FA043B3E92DB}C:\program files\fox\no one lives forever\nolfserv.exe] => C:\program files\fox\no one lives forever\nolfserv.exe
FirewallRules: [TCP Query User{63EFBAB6-E1E5-4CEA-8E83-713A3BC90556}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{E9F3FA62-36E7-4C37-9CB8-256E66F6ED6F}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{16150232-B68F-430D-8F35-C5D157093962}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [UDP Query User{F1EC0CE4-2FAA-4CD1-9EC2-18A2EBC3762F}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [TCP Query User{33B5DBA8-1FA2-4074-926E-2FF63D24E2A2}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [UDP Query User{96A30D0D-9A85-4A78-BC27-2AD7FE88D8B9}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [{7AEF8269-45AB-4EA8-9F5D-B1A718875E33}] => C:\Program Files (x86)\Rockstar Games\EFLC\LaunchEFLC.exe
FirewallRules: [{CEB91767-B874-49A1-9802-AA339AD1B014}] => C:\Program Files (x86)\Rockstar Games\EFLC\LaunchEFLC.exe
FirewallRules: [TCP Query User{AEAEE0EB-5757-4996-94C3-524EB5827AFD}C:\program files (x86)\rockstar games\eflc\eflc.exe] => C:\program files (x86)\rockstar games\eflc\eflc.exe
FirewallRules: [UDP Query User{271C56A7-8794-4954-B2A7-E547271159D7}C:\program files (x86)\rockstar games\eflc\eflc.exe] => C:\program files (x86)\rockstar games\eflc\eflc.exe
FirewallRules: [TCP Query User{C62C61A5-75C1-4170-AF2C-FC1B42316CC4}C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe] => C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe
FirewallRules: [UDP Query User{44C4119C-827B-42F5-B87A-5820E05CD510}C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe] => C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe
FirewallRules: [{03B4BEAC-C7B3-4EFF-B267-AD2BC54F079E}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
FirewallRules: [{56E74837-DC92-4F46-BA3D-A9A43FAE7CC5}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
FirewallRules: [TCP Query User{C773E41B-AA29-4EB9-91E7-924BDFEAB535}C:\gog games\the rise of the triad\binaries\win32\rott.exe] => C:\gog games\the rise of the triad\binaries\win32\rott.exe
FirewallRules: [UDP Query User{55E5D707-296A-45C6-850A-D95159AC8A2A}C:\gog games\the rise of the triad\binaries\win32\rott.exe] => C:\gog games\the rise of the triad\binaries\win32\rott.exe
FirewallRules: [{411A2ADF-D1A4-4D63-8BE6-B38E5C9E3297}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{3B78FD9E-4E70-41A5-80A9-DCD0A07C8D65}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{9DE5AE39-F99A-43A2-AB58-B059334AD3D2}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{B9BABF32-53CA-48F2-BF11-9B99E476AB98}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{D8EB163C-D53D-45EB-871C-CEE5EB81F400}] => C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{D802D0E7-2A01-431A-8C99-CBB9C09588D6}] => C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{B62B7088-1573-4353-A324-FE5442F0BE0A}] => C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{D7A43650-7B35-4EB9-B3DE-4BBD2202BF6A}] => C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [TCP Query User{E5F492DC-2255-48FB-BD55-8DD9C009AE8C}C:\program files (x86)\saints row iv\saintsrowiv.exe] => C:\program files (x86)\saints row iv\saintsrowiv.exe
FirewallRules: [UDP Query User{D9F68E8F-32D4-430C-95A1-2883364FD1DC}C:\program files (x86)\saints row iv\saintsrowiv.exe] => C:\program files (x86)\saints row iv\saintsrowiv.exe
FirewallRules: [TCP Query User{822CE36E-743F-47E3-B77D-2441BDD7A19B}C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe] => C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe
FirewallRules: [UDP Query User{12219DA7-4556-494F-B631-3620C6AF2FEA}C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe] => C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe
FirewallRules: [TCP Query User{401D12B6-24A2-45C4-9828-A7745E38787D}C:\program files (x86)\double dragon neon\bin\doubledragon.exe] => C:\program files (x86)\double dragon neon\bin\doubledragon.exe
FirewallRules: [UDP Query User{46A6A0BC-D8E9-46F5-98D1-C39BBADFC871}C:\program files (x86)\double dragon neon\bin\doubledragon.exe] => C:\program files (x86)\double dragon neon\bin\doubledragon.exe
FirewallRules: [TCP Query User{FC6D73B2-AE18-4F99-A2AB-959EB7B5EFA0}C:\program files (x86)\dishonored\binaries\win32\dishonored.exe] => C:\program files (x86)\dishonored\binaries\win32\dishonored.exe
FirewallRules: [UDP Query User{1893CB8C-7F87-473C-B9E6-1F1284CF92C6}C:\program files (x86)\dishonored\binaries\win32\dishonored.exe] => C:\program files (x86)\dishonored\binaries\win32\dishonored.exe
FirewallRules: [TCP Query User{DE124580-A054-4936-8C5D-118F726F5A68}C:\gog games\super time force ultra\stf_win32.exe] => C:\gog games\super time force ultra\stf_win32.exe
FirewallRules: [UDP Query User{8438F1C3-1DC1-4ED8-92DA-80B646668EDA}C:\gog games\super time force ultra\stf_win32.exe] => C:\gog games\super time force ultra\stf_win32.exe
FirewallRules: [TCP Query User{B4BB49A0-DB6F-49E0-9ECB-6B66AD248B43}C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe] => C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe
FirewallRules: [UDP Query User{03092A0F-008D-4BCD-81D9-33B264318BFF}C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe] => C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe
FirewallRules: [TCP Query User{108C8E02-9FAD-45C8-B6A1-20E77B2451DD}C:\program files (x86)\activision\call of duty - black ops\blackops.exe] => C:\program files (x86)\activision\call of duty - black ops\blackops.exe
FirewallRules: [UDP Query User{CDACE3E1-764A-49AB-948E-442FC389939C}C:\program files (x86)\activision\call of duty - black ops\blackops.exe] => C:\program files (x86)\activision\call of duty - black ops\blackops.exe
FirewallRules: [TCP Query User{BFA2F76C-E5BE-4FAA-ABF3-527B062F34E5}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [UDP Query User{DAE66FEE-7E8C-489F-820F-878DC4664C9C}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [TCP Query User{D9829DC7-3352-4842-9F6B-59A8791480D3}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [UDP Query User{1CB5F277-2D4F-4C03-A888-051EA6F866E4}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [TCP Query User{6A1B0730-17E0-4FB9-A3A8-9378155B3EB3}C:\gog games\warsow\warsow.exe] => C:\gog games\warsow\warsow.exe
FirewallRules: [UDP Query User{9AB9FEE8-7525-4426-A09A-E83DB71070F1}C:\gog games\warsow\warsow.exe] => C:\gog games\warsow\warsow.exe
FirewallRules: [TCP Query User{8777973E-F74C-4577-9A81-0741CA941D8D}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe] => C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [UDP Query User{A08696BD-1F02-4CB9-B47E-075393AD35C9}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe] => C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [TCP Query User{CF86CAE0-F30A-402A-AF54-BF668CBAA578}C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe] => C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{48050E04-60E3-4CB6-9CCE-F20BA1517E17}C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe] => C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe
FirewallRules: [{3D1AE4C1-599A-4045-BDD3-D1A2875747A6}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos.exe
FirewallRules: [{93D8224F-09BE-4BAD-9130-551426364AD7}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos.exe
FirewallRules: [{D55669B2-1D99-4681-ADA0-FAA7C3C162D8}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos_Unrestricted.exe
FirewallRules: [{4C42317A-8379-4D2E-B1A5-E6C5A19EA0E4}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos_Unrestricted.exe
FirewallRules: [TCP Query User{F538B5FA-D818-47B8-8763-120C64B89B68}C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe
FirewallRules: [UDP Query User{438645F2-FFBD-480A-9B11-74A07E1621D5}C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe
FirewallRules: [TCP Query User{9BC5B26F-7644-4C93-A239-07B53CCE66ED}C:\gog games\shadowrun returns\shadowrun.exe] => C:\gog games\shadowrun returns\shadowrun.exe
FirewallRules: [UDP Query User{ACD779B0-9F1F-422E-8F92-82A97A8A7B49}C:\gog games\shadowrun returns\shadowrun.exe] => C:\gog games\shadowrun returns\shadowrun.exe
FirewallRules: [{5E1CA349-DB9E-4F23-9F1D-91A7FFD1A867}] => C:\Program Files (x86)\SEGA\Alpha Protocol\Binaries\APGame.exe
FirewallRules: [{3FF6002A-B5B3-420F-A94B-9032CBEC7956}] => C:\Program Files (x86)\SEGA\Alpha Protocol\Binaries\APGame.exe
FirewallRules: [TCP Query User{803588B6-718B-467A-9183-248DBE2A0FF2}C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe] => C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe
FirewallRules: [UDP Query User{FB4949EA-246F-473F-B365-604FE3D27BD1}C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe] => C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe
FirewallRules: [{312874E2-E1BD-4B57-B4BA-EB32A066E5E7}] => C:\Program Files (x86)\Electronic Arts\Battlefield Bad Company 2\BFBC2Updater.exe
FirewallRules: [{8B033EED-AF00-47B6-9991-F8149F3E1063}] => C:\Program Files (x86)\Electronic Arts\Battlefield Bad Company 2\BFBC2Updater.exe
FirewallRules: [TCP Query User{F09528EB-DA9D-482F-8D2E-B77E34375D6E}C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe] => C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe
FirewallRules: [UDP Query User{02A9AEE4-16D0-4891-A48E-4419304D1B8E}C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe] => C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe
FirewallRules: [{BCFCAFBE-FB01-47EB-A1E2-B6F0EF475CC3}] => C:\Program Files (x86)\Steam\SteamApps\common\Super Hexagon\superhexagon.exe
FirewallRules: [{2ACEF5F2-1AEF-41CC-A4E6-233B18F4B2A5}] => C:\Program Files (x86)\Steam\SteamApps\common\Super Hexagon\superhexagon.exe
FirewallRules: [{65C71C70-7A4B-48FE-B1DC-D6227F227A2B}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{02397B2E-3B12-43B8-8C74-8758EA7E03C8}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{5E48B757-7CE2-4904-8429-3D1F680BA314}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [UDP Query User{B63A66BD-CBA9-4759-8994-60E7652941B6}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [TCP Query User{AA407032-E52C-4028-908A-4ED315C90A59}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [UDP Query User{CF1AB386-13FB-4D81-AE26-F1937F116200}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [{6EA6A2FF-1F56-4CDB-9AA2-981508178A8F}] => C:\Program Files (x86)\Steam\SteamApps\common\Quake Live\quakelive_steam.exe
FirewallRules: [{E4B8B4C9-7957-43C7-B357-E2E82D1BE599}] => C:\Program Files (x86)\Steam\SteamApps\common\Quake Live\quakelive_steam.exe
FirewallRules: [TCP Query User{D21BE33E-5CEB-47FB-9C35-549C4F623179}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [UDP Query User{3C8B72BB-6A9E-4C17-B444-EA7A56C31667}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [{C3B76347-27EB-433E-9C05-070AB622B8D9}] => C:\Program Files (x86)\Steam\SteamApps\common\Oniken\Oniken.exe
FirewallRules: [{6AB90514-4C75-4F2C-B260-633E69D212D9}] => C:\Program Files (x86)\Steam\SteamApps\common\Oniken\Oniken.exe
FirewallRules: [TCP Query User{662206FC-86C9-4121-A9EA-5D3450FF0486}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [UDP Query User{FDDF7C78-947F-4388-A2A1-CF64C5988B9F}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [TCP Query User{2D1E4BB1-794D-4581-8CC9-4B9C4809E9FD}C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe
FirewallRules: [UDP Query User{72916D0F-FA4C-4C75-A43F-CCA5041B7383}C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe
FirewallRules: [TCP Query User{2F3F2B89-A7DE-4BF0-B1D3-DEE5A394DF93}C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe] => C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe
FirewallRules: [UDP Query User{D86B2970-16F4-48FD-B517-A9C0AD5DDBD5}C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe] => C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe
FirewallRules: [{DAA0DB05-C81E-4610-96FF-FF136DCD24EA}] => C:\Program Files (x86)\Steam\SteamApps\common\rocketleague\Binaries\Win32\RocketLeague.exe
FirewallRules: [{D3714FD3-B1AE-4251-A9B3-E133C0D8E422}] => C:\Program Files (x86)\Steam\SteamApps\common\rocketleague\Binaries\Win32\RocketLeague.exe
FirewallRules: [TCP Query User{38CB6B56-1993-4BAD-A4BC-A8BB06C26BF9}C:\program files (x86)\overwatch\overwatch.exe] => C:\program files (x86)\overwatch\overwatch.exe
FirewallRules: [UDP Query User{E62A31BA-F624-4165-ABAB-6D8E3EA6D8E7}C:\program files (x86)\overwatch\overwatch.exe] => C:\program files (x86)\overwatch\overwatch.exe
FirewallRules: [{7997A107-095E-46CD-95B8-E2381FB186C7}] => C:\Program Files (x86)\Steam\SteamApps\common\Escape Goat 2\EscapeGoat2.exe
FirewallRules: [{1FE6EF57-8C70-471B-AEFF-F374572496F9}] => C:\Program Files (x86)\Steam\SteamApps\common\Escape Goat 2\EscapeGoat2.exe
FirewallRules: [{9FB6AFDE-7F05-4153-8EC7-40DCEDA41AA2}] => C:\Program Files (x86)\Steam\SteamApps\common\Master Spy\MasterSpy.exe
FirewallRules: [{77285005-0E93-4F65-A3B0-3DC68C75BFE8}] => C:\Program Files (x86)\Steam\SteamApps\common\Master Spy\MasterSpy.exe
FirewallRules: [TCP Query User{8DBCC493-EC64-4C5E-B7AD-7B15280F4FA9}C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe] => C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe
FirewallRules: [UDP Query User{799ABB68-FEF4-4B2C-A62D-B70178E238FE}C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe] => C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe
FirewallRules: [TCP Query User{F29DC2C4-2979-4915-96C6-B66DFAB82611}C:\program files (x86)\gog.com\unreal gold\system\unreal.exe] => C:\program files (x86)\gog.com\unreal gold\system\unreal.exe
FirewallRules: [UDP Query User{72E14C88-50D7-45D8-B440-7DD0ED1F8FCD}C:\program files (x86)\gog.com\unreal gold\system\unreal.exe] => C:\program files (x86)\gog.com\unreal gold\system\unreal.exe
FirewallRules: [{DB6C824D-9456-4F5B-9DAB-D276960F91B9}] => C:\Program Files (x86)\Steam\SteamApps\common\Snakebird\Snakebird.exe
FirewallRules: [{C7A5E3DD-B73F-49B4-B06B-9A678E3BD161}] => C:\Program Files (x86)\Steam\SteamApps\common\Snakebird\Snakebird.exe
FirewallRules: [{9AC2948E-983D-47FB-B934-64D9F9946E60}] => C:\Program Files (x86)\Steam\SteamApps\common\Bleed\Bleed.exe
FirewallRules: [{E4CD90EC-C44F-43B8-966C-F43CE6AA65C7}] => C:\Program Files (x86)\Steam\SteamApps\common\Bleed\Bleed.exe
FirewallRules: [TCP Query User{5CB9B892-7064-46E1-A98D-4E560CC5CC71}C:\users\alex\desktop\toybox\toybox64.exe] => C:\users\alex\desktop\toybox\toybox64.exe
FirewallRules: [UDP Query User{8AC9902C-DBCC-463E-A790-56B9FD973FCF}C:\users\alex\desktop\toybox\toybox64.exe] => C:\users\alex\desktop\toybox\toybox64.exe
FirewallRules: [TCP Query User{EE12A618-EFAB-46D6-9E0F-162490C13D1B}C:\program files (x86)\id software\quake 4\quake4.exe] => C:\program files (x86)\id software\quake 4\quake4.exe
FirewallRules: [UDP Query User{ABFC0704-A078-4F59-BF3F-290A7E6C4B19}C:\program files (x86)\id software\quake 4\quake4.exe] => C:\program files (x86)\id software\quake 4\quake4.exe
FirewallRules: [TCP Query User{E6EA501C-4FB9-48E2-8A2A-5076E3628FB6}C:\program files (x86)\id software\quake 4\quake4ded.exe] => C:\program files (x86)\id software\quake 4\quake4ded.exe
FirewallRules: [UDP Query User{9FC44D23-F263-4846-9BD3-A5B5A8C5D3A9}C:\program files (x86)\id software\quake 4\quake4ded.exe] => C:\program files (x86)\id software\quake 4\quake4ded.exe
FirewallRules: [TCP Query User{E070DE1B-8296-4729-A900-0CC78A71FA1D}C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe
FirewallRules: [UDP Query User{6315DF07-1D18-48D0-A52F-B3D90D7CEF40}C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe
FirewallRules: [{9296F4D6-713E-440E-A4FD-F18720FA2E32}] => C:\Program Files (x86)\Steam\SteamApps\common\CastlevaniaLoS_Demo\bin\DemoCastlevaniaLoSUE.exe
FirewallRules: [{2979AFC9-E716-4220-92C7-490E21CC74EE}] => C:\Program Files (x86)\Steam\SteamApps\common\CastlevaniaLoS_Demo\bin\DemoCastlevaniaLoSUE.exe
FirewallRules: [TCP Query User{888405F5-16CE-49E9-A81F-0CDD4CB32728}C:\gog games\blade of darkness\bin\blade.exe] => C:\gog games\blade of darkness\bin\blade.exe
FirewallRules: [UDP Query User{B0EB281F-D810-4457-84D4-345BB7896C30}C:\gog games\blade of darkness\bin\blade.exe] => C:\gog games\blade of darkness\bin\blade.exe
FirewallRules: [{744F52EA-A494-41F6-A8F6-6A3C01E0C83D}] => C:\Program Files (x86)\Steam\SteamApps\common\Expand\expand.exe
FirewallRules: [{458DA4FA-B814-4B25-9734-50F190D97F40}] => C:\Program Files (x86)\Steam\SteamApps\common\Expand\expand.exe
FirewallRules: [TCP Query User{CA4727ED-5796-4776-A55A-6E8F69C12FD3}C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe] => C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe
FirewallRules: [UDP Query User{1F3A2B13-46A2-40AB-ADD4-F9DB2E01E2F4}C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe] => C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe
FirewallRules: [{45803361-75C1-4A1D-A930-AD2A0A0BD1B5}] => C:\Program Files (x86)\Steam\SteamApps\common\TOXIKK\Binaries\ToxikkLauncher.exe
FirewallRules: [{A96AF2A9-5084-47CB-B3BC-05778E467C06}] => C:\Program Files (x86)\Steam\SteamApps\common\TOXIKK\Binaries\ToxikkLauncher.exe
FirewallRules: [TCP Query User{0C610AA5-FA55-4BCC-9891-2369B0E5BF09}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe] => C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
FirewallRules: [UDP Query User{21ADB2E7-977E-4A36-B95E-4A6737CB9E01}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe] => C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
FirewallRules: [TCP Query User{43E5BEF7-F781-4E0F-BADC-0F5C5F249EF5}C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe] => C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe
FirewallRules: [UDP Query User{DF84BD07-4C4E-4D32-93EC-C50ED294CEA0}C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe] => C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe
FirewallRules: [TCP Query User{067B2AF4-6C66-4EE0-AD96-8ABC674BD649}C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe] => C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe
FirewallRules: [UDP Query User{F8B4E364-5B14-49FD-890E-A29933F37050}C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe] => C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe
FirewallRules: [{4C9ECA39-DC5B-48EC-869A-59C97E6FCD2F}] => C:\Program Files (x86)\Steam\SteamApps\common\Magic Duels\MagicDuels.exe
FirewallRules: [{FBDABDCC-130F-4850-B155-8A23B0A15DDB}] => C:\Program Files (x86)\Steam\SteamApps\common\Magic Duels\MagicDuels.exe
FirewallRules: [{03327A80-862D-41FD-836E-D4BB4F4E715A}] => C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{4EAF9DCF-0068-49C7-9CA6-BC58B8EA768D}] => C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{B82C808A-EDD2-4BBD-B276-B5E429BECBEB}] => C:\Program Files (x86)\Maoha\MaohaAP\MaohaWifiSvr.exe
FirewallRules: [{F32EDB33-D5DA-4775-B641-856696B06728}] => C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe

==================== Restore Points =========================

12-11-2016 10:20:26 Scheduled Checkpoint
20-12-2016 17:57:26 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610
20-12-2016 17:59:00 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610
27-12-2016 18:20:00 JRT Pre-Junkware Removal
27-12-2016 20:26:32 Checkpoint by HitmanPro
27-12-2016 20:28:11 Checkpoint by HitmanPro
28-12-2016 07:27:05 Checkpoint by HitmanPro

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/29/2016 09:35:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/29/2016 09:34:11 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (12/29/2016 07:03:16 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/29/2016 07:02:45 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (12/28/2016 05:20:14 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/28/2016 05:18:39 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (12/28/2016 04:22:41 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/28/2016 04:21:05 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (12/28/2016 04:04:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/28/2016 04:03:24 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.


System errors:
=============
Error: (12/29/2016 09:34:21 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
VBoxNetAdp

Error: (12/29/2016 09:34:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Drip Latlab service failed to start due to the following error:
The system cannot find the file specified.

Error: (12/29/2016 09:34:09 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Game Protection Service service terminated with the following error:
The specified module could not be found.

Error: (12/29/2016 09:33:20 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/29/2016 09:33:18 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (12/29/2016 09:33:18 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (12/29/2016 09:33:18 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).

Error: (12/29/2016 09:33:14 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The ZAM Controller Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/29/2016 09:33:14 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Network Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/29/2016 09:33:14 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Nero MediaHome 4 Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1 milliseconds: Restart the service.


==================== Memory info ===========================

Processor: Intel® Core™ i3-3110M CPU @ 2.40GHz
Percentage of memory in use: 56%
Total physical RAM: 3877.54 MB
Available physical RAM: 1675.25 MB
Total Virtual: 7753.27 MB
Available Virtual: 5431.64 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:488.18 GB) (Free:311.03 GB) NTFS
Drive d: (Backup) (Fixed) (Total:195.31 GB) (Free:148.97 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: A33B6C03)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=488.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=195.3 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Attached Files


Edited by Oh My!, 31 December 2016 - 08:34 PM.
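The System errors in the Addition.txt log above ("The Drip Latlab service failed to start ... The system cannot find the file specified", "The Game Protection Service service terminated ... The specified module could not be found") are what is left when a cleaner deletes a payload but its autostart registration survives: the service loader still tries at every boot, and the same kind of leftover registration is what an FRST fixlist is written to remove. The following PowerShell script is an added example for readers of this thread; it is not code from the thread, from BleepingComputer or from FRST. It is read-only and only reports: services, drivers, Run-key entries and scheduled tasks whose target file is missing or lives under a user profile or temp directory, plus alternate data streams attached to the drivers and ProgramData\TEMP directories. The function names, the choice of registry keys and directories, and the "user-writable location" heuristic are assumptions of this example, not anything FRST or the thread specifies; it assumes PowerShell 3.0 or later run from an elevated prompt, and skips the scheduled-task check where the ScheduledTasks module (Windows 8 and later) is absent.

```powershell
# Added example, not code from this thread or from FRST: a read-only audit of
# Windows autostart registrations (services/drivers, Run keys, scheduled tasks)
# that still point at a missing file or at a user-writable location, plus
# alternate data streams on system directories. It changes nothing.
# Assumes PowerShell 3.0+ and an elevated prompt; Get-ScheduledTask needs
# Windows 8 / Server 2012 or later and is skipped when absent.

function Get-CommandTarget {
    # Pull the binary out of a command line: handles quoting, environment
    # variables and regsvr32/rundll32 wrappers (where the DLL is the payload).
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '(?i)(?:regsvr32|rundll32)(?:\.exe)?"?\s+(?:/\S+\s+)*"?([^",]+?\.dll)') { return $Matches[1] }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '(?i)^(.+?\.(?:exe|dll|sys|bat|cmd))(?:\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Resolve-SystemPath {
    # Normalise the path forms found in service ImagePath values.
    param([string]$Path)
    if (-not $Path) { return $null }
    $p = $Path -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^(?:system32|syswow64)\\') { $p = Join-Path $env:SystemRoot $p }
    if ($p -notmatch '^[A-Za-z]:\\') {
        # Bare name: resolve via PATH the way the loader would; keep the name if nothing is found.
        $hit = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($hit) { return $hit.Path }
    }
    return $p
}

function Test-AutostartTarget {
    # Emit a finding when a registration's target is missing or user-writable.
    param([string]$Kind, [string]$Name, [string]$Target)
    $reasons = @()
    if (-not $Target) { $reasons += 'no file path' }
    elseif (-not (Test-Path -LiteralPath $Target)) { $reasons += 'target file missing' }
    # Heuristic chosen for this example: profile, Desktop and temp directories are user-writable.
    if ($Target -and $Target -match '(?i)\\(?:Users\\[^\\]+\\(?:AppData|Desktop|Downloads)|ProgramData\\TEMP|Temp)\\') {
        $reasons += 'runs from a user-writable location'
    }
    if ($reasons) {
        [pscustomobject]@{ Kind = $Kind; Name = $Name; Target = $Target; Reason = ($reasons -join '; ') }
    }
}

function Get-AutostartFindings {
    # Services and drivers with start type boot/system/auto/manual, the entries
    # behind "failed to start ... cannot find the file specified" event-log errors.
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $svc = Get-ItemProperty -LiteralPath $key.PSPath
        if ($null -eq $svc.ImagePath -or $svc.Start -notin 0,1,2,3) { continue }
        $target = Get-CommandTarget $svc.ImagePath
        $dll = (Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $target = [Environment]::ExpandEnvironmentVariables($dll) }  # svchost-hosted: the DLL is what runs
        Test-AutostartTarget -Kind 'Service' -Name $key.PSChildName -Target (Resolve-SystemPath $target)
    }
    # Run keys for the machine, its 32-bit view and the current user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($entry in (Get-ItemProperty -LiteralPath $path).PSObject.Properties) {
            if ($entry.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            Test-AutostartTarget -Kind 'Run' -Name "$path\$($entry.Name)" -Target (Resolve-SystemPath (Get-CommandTarget $entry.Value))
        }
    }
    # Scheduled tasks (ScheduledTasks module, Windows 8 and later).
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
                Test-AutostartTarget -Kind 'Task' -Name "$($task.TaskPath)$($task.TaskName)" -Target (Resolve-SystemPath (Get-CommandTarget $action.Execute))
            }
        }
    }
    # Alternate data streams attached to system directories; a directory has no
    # unnamed data stream, so anything listed here was written deliberately.
    foreach ($dir in "$env:SystemRoot\System32\drivers", "$env:ProgramData\TEMP") {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($stream in Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue) {
            if ($stream.Stream -eq ':$DATA') { continue }
            [pscustomobject]@{ Kind = 'ADS'; Name = $dir; Target = "${dir}:$($stream.Stream)"; Reason = "alternate data stream, $($stream.Length) bytes" }
        }
    }
}

$findings = @(Get-AutostartFindings)
$findings | Sort-Object Kind, Name | Format-Table Kind, Name, Target, Reason -AutoSize -Wrap
"{0} suspicious autostart entries" -f $findings.Count
```

Run it from an elevated PowerShell window; it deletes nothing, so its output is a list of entries to check against an FRST log rather than a fix. A Run entry that launches regsvr32 with a DLL under AppData, a service whose binary is gone, or a task that points into a program directory the user never installed are the kinds of lines it is meant to surface.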




#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,789 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:03:32 AM

Posted 31 December 2016 - 08:43 PM

Greetings DesperateMeasures and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Do you recognize these?

Shardlight
Vonsnake


Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have Peer 2 Peer (torrent) program(s) installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall Peer 2 Peer programs, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about CryptoLocker Ransomware, a type of Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [Ezttion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Alex\AppData\Local\YdbvPack\qwjzegpq.dll
C:\Users\Alex\AppData\Local\YdbvPack
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\MountPoints2: {fe0bc157-4c1c-11e4-99b9-806e6f6e6963} - E:\SecSWMgrGuide.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-139745227-2284625060-2539193485-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S2 GmSvc; C:\Program Files (x86)\LDSGameCenter\GmSvc.dll [X]
S2 upuste; C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe prodrco upuste [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
NETSVCx32: HpSvc -> no filepath.
NETSVCx32: GmSvc -> C:\Program Files (x86)\LDSGameCenter\GmSvc.dll ==> No File
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Ludashi
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\lockhomepage
2016-12-27 16:58 - 2016-12-29 09:25 - 00000458 _____ C:\Windows\Tasks\UCBrowserUpdater.job
2016-12-27 16:58 - 2016-12-27 16:58 - 00003454 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
2016-12-27 16:50 - 2016-12-27 16:50 - 00000004 _____ C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
C:\Users\Alex\AppData\Local\Temp\ubiE6D.tmp.exe
C:\Users\Alex\AppData\Local\Temp\Uninstall.exe
C:\Users\Alex\AppData\Local\Temp\cres.dll
C:\Users\Alex\AppData\Local\Temp\cshell.dll
C:\Users\Alex\AppData\Local\Temp\Gw2.exe
C:\Users\Alex\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
C:\Users\Alex\AppData\Local\Temp\HiRezLauncherControls.dll
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.10.317.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.10.631.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.10.764.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.183.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.188.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.196.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.204.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.277.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.308.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.328.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.369.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.8.595.exe
C:\Users\Alex\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.9.789.exe
C:\Users\Alex\AppData\Local\Temp\libeay32.dll
C:\Users\Alex\AppData\Local\Temp\msvcr120.dll
C:\Users\Alex\AppData\Local\Temp\ose00000.exe
C:\Users\Alex\AppData\Local\Temp\sqlite3.dll
C:\Users\Alex\AppData\Local\Temp\sres.dll
C:\Users\Alex\AppData\Local\Temp\SRLDetectionLibrary2242945265252583203.dll
C:\Users\Alex\AppData\Local\Temp\ubiE6D.tmp.exe
C:\Users\Alex\AppData\Local\Temp\Uninstall.exe
Task: {30803AC4-B5D1-42AD-9017-4656BDF1401B} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
C:\Program Files (x86)\UCBrowser
Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [80850]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [360536]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1156450]
AlternateDataStreams: C:\ProgramData\TEMP:C2FF2B0A [118]
File: C:\windows\rsdsrv.exe
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Recognize entries?
  • Fixlog.txt
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 DesperateMeasures
  • Topic Starter
  • Members
  • 10 posts

Posted 01 January 2017 - 07:45 AM

Hi Gary. Thanks for your assistance and I want to wish you a happy new year!

I'm afraid I can only provide a partial update to my situation.

First of all, regarding Shardlight and Vonsnake. Yes, I do recognize them, they're directories for games that I've installed, played and subsequently uninstalled in the past month. Both were "official" installations so to speak, one directly from Steam and one from GoG.

I've also deleted my P2P program (uTorrent) in the meantime and the files associated with it.

My current problem has to do with the fix that you've provided. I followed your instructions, created the fixlist.txt in the same location and ran FRST as admin. But the fix has been stuck at "Fixing is in progress, please wait" for more than 5 hours and I just want to check with you if this is normal. I'm using FRST while also having Malwarebytes active so I'm wondering if that might be the problem. I ask this because I need to leave soon so I might need to shut down the PC. Should I let it run for a while longer or terminate it and run it again without any other antivirus/removal tool active or in safe mode?

Later Edit - I had to close FRST manually in Task Manager (after 6 hours of it "fixing") but it still generated a fixlog that I have attached. I also attached the sys info required. If you want me to redo the FRST fix I'm waiting for new instructions.

Attached Files


Edited by DesperateMeasures, 01 January 2017 - 09:22 AM.


#4 Oh My!
  • Malware Response Instructor
  • 36,789 posts
  • Location:California

Posted 01 January 2017 - 11:44 AM

Please run the fix again after booting into Safe Mode. Malwarebytes shouldn't be an issue.
Gary

#5 DesperateMeasures
  • Topic Starter
  • Members
  • 10 posts

Posted 02 January 2017 - 03:57 AM

Same thing in Safe Mode I'm afraid. The fix starts, it generates a fixlog almost immediately, and then goes on with "Fixing in progress, please wait" for hours on end with no progress in sight.



#6 Oh My!
  • Malware Response Instructor
  • 36,789 posts
  • Location:California

Posted 02 January 2017 - 03:49 PM

Please try to run this modified version in Normal Boot.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
CloseProcesses:
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Ludashi
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\lockhomepage
2016-12-27 16:58 - 2016-12-29 09:25 - 00000458 _____ C:\Windows\Tasks\UCBrowserUpdater.job
2016-12-27 16:58 - 2016-12-27 16:58 - 00003454 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
Task: {30803AC4-B5D1-42AD-9017-4656BDF1401B} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
C:\Program Files (x86)\UCBrowser
Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [80850]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [360536]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1156450]
AlternateDataStreams: C:\ProgramData\TEMP:C2FF2B0A [118]
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary

#7 DesperateMeasures
  • Topic Starter
  • Members
  • 10 posts

Posted 03 January 2017 - 03:12 AM

Everything went well this time, took less than 5 minutes.

Here's the fixlog contents:

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by Alex (03-01-2017 09:59:33) Run:4
Running from C:\Users\Alex\Desktop
Loaded Profiles: Alex & NeroMediaHomeUser.4 (Available Profiles: Alex & NeroMediaHomeUser.4)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Ludashi
2016-12-29 09:35 - 2016-12-29 09:36 - 00000000 ____D C:\Users\Alex\AppData\Roaming\lockhomepage
2016-12-27 16:58 - 2016-12-29 09:25 - 00000458 _____ C:\Windows\Tasks\UCBrowserUpdater.job
2016-12-27 16:58 - 2016-12-27 16:58 - 00003454 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
Task: {30803AC4-B5D1-42AD-9017-4656BDF1401B} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
C:\Program Files (x86)\UCBrowser
Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [80850]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [360536]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1156450]
AlternateDataStreams: C:\ProgramData\TEMP:C2FF2B0A [118]
emptytemp:
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\Alex\AppData\Roaming\Ludashi => moved successfully
C:\Users\Alex\AppData\Roaming\lockhomepage => moved successfully
C:\Windows\Tasks\UCBrowserUpdater.job => moved successfully
C:\Windows\System32\Tasks\UCBrowserUpdater => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{30803AC4-B5D1-42AD-9017-4656BDF1401B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{30803AC4-B5D1-42AD-9017-4656BDF1401B} => key removed successfully
C:\Windows\System32\Tasks\UCBrowserUpdater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdater => key removed successfully
"C:\Program Files (x86)\UCBrowser" => not found.
C:\Windows\Tasks\UCBrowserUpdater.job => not found.
C:\Windows\system32\drivers => ":ucdrv-x64.sys" ADS removed successfully.
C:\Windows\system32\drivers => ":x64" ADS removed successfully.
C:\Windows\system32\drivers => ":x86" ADS removed successfully.
C:\ProgramData\TEMP => ":C2FF2B0A" ADS removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 212192347 B
Java, Flash, Steam htmlcache => 771352600 B
Windows/system/drivers => 39023072 B
Edge => 0 B
Chrome => 0 B
Firefox => 858817660 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66388 B
systemprofile32 => 461871 B
LocalService => 132244 B
NetworkService => 66228 B
Alex => 1200688887 B
UpdatusUser => 0 B
NeroMediaHomeUser.4 => 83398 B

RecycleBin => 0 B
EmptyTemp: => 2.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:05:35 ====



#8 Oh My!
  • Malware Response Instructor
  • 36,789 posts
  • Location:California

Posted 03 January 2017 - 10:31 AM

Thank you. Can you provide an update on your computer behavior please?
Gary

#9 DesperateMeasures
  • Topic Starter
  • Members
  • 10 posts

Posted 03 January 2017 - 10:50 AM

Sure. Since I ran your fix that missing dll error (it had to do with some deleted Ydbv pack) that appeared when starting Windows has completely disappeared! Thing is, your fix and the Farbar scan (and I assume fix) deleted a Ludashi folder dated 29 December, which is when I initially ran the Farbar scan, as that was also the date I last did a Malwarebytes scan (I didn't want to interfere with any of your instructions doing additional scans). Upon system boot after running the fix (today) I still have a Ludashi and Lockhomepage folder and they both appear to be modified 10:08 AM (my timezone, roughly 7:40 hours ago) when I last booted my computer today, so they appeared or were modified again after boot. Other than that, the computer is running perfectly, browsers are ok, etc. This is exactly the problem I had to begin with - Malwarebytes or some other cleaner quarantines it or deletes it and then it reappears on boot, showing that it was last modified by boot time.

So should I do some other scan with some other software? Thanks for what you provided so far and I'm waiting for further instructions.



#10 Oh My!
  • Malware Response Instructor
  • 36,789 posts
  • Location:California

Posted 03 January 2017 - 11:08 AM

Thanks for the update.

This doesn't surprise me since we weren't able to run the entire fixlist.

Please do these things.

===================================================

Rkill

-------------------
  • Please download Rkill by Grinler from one of the 3 links below (if one of them does not work try another...) and save it to your desktop:

rkill.scr
rkill.com
rkill.exe

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista or above, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. As a reminder, you may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
===================================================

RogueKiller

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the setup.exe icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • Click OK on English
  • Select Install 32 and 64 bits versions (Recommended for Technicians), then click Next 2 times
  • Click Install
  • Click Finish
  • Click Start Scan twice
  • When completed click Open Report
  • Click Export Text and save the file on your Desktop as RK.txt
  • Close all open RogueKiller windows
  • Copy and paste the contents of the report in your reply
===================================================

Zoek by Smeenk - Scan and Automatic Cleanup

--------------------
  • Download Zoek and save it to your Desktop
  • Right click the icon, select Run as Administrator, and wait for the Program to appear on your Desktop (may take 15 seconds or so)
  • Verify Scan All Users is selected then click Run Script
  • Type 4 in the lower box to Do a Deep Scan and Automated Cleanup then click OK
  • Wait patiently for the program to run
  • Do not use your computer while the scan is running
  • When completed a zoek-results.txt report will appear on your desktop. Copy and paste the contents in your reply
===================================================

Rerun a FRST scan and copy/paste both logs in your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • RKill log
  • RogueKiller log
  • Zoek Report
  • FRST log
  • Addition log
  • Update on computer behavior

Gary
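
A read-only PowerShell audit of the persistence points the logs in this thread keep pointing at: services whose binary sits in a profile's AppData (including the SYSTEM profile under config\systemprofile, where the upuste and WpSvc services lived), Run keys, alternate data streams on the two directories FRST flagged, scheduled tasks, and hosts entries. This is an added example, not part of the thread and not output of FRST, Rkill, RogueKiller or Zoek; it reports and deletes nothing, so it can be run before a fix and again after a reboot to see which entries are being recreated. It assumes an elevated Windows PowerShell prompt on an English-locale system (the schtasks column names are localized) and sticks to commands available on Windows 7's PowerShell 2.0. The paths and name patterns are taken from the logs above; HKCU covers only the current user, other accounts' Run keys live under HKU.

```powershell
# Added example (not from this thread or its tools): read-only persistence audit.
# Assumes an elevated prompt and an English locale. Nothing here deletes anything.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Services whose binary lives under a profile's AppData. Persistence in the
#    SYSTEM profile (config\systemprofile\AppData) survives per-user cleanups,
#    which is where the upuste and WpSvc services in the RogueKiller log pointed.
$profilePattern = '\\(config\\systemprofile|Users\\[^\\]+)\\AppData\\'
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -and ($p.ImagePath -match $profilePattern)) {
        $findings.Add("Service $($svc.PSChildName) ImagePath: $($p.ImagePath)")
    }
    # svchost-hosted services (GmSvc, WpSvc) keep their DLL in Parameters\ServiceDll;
    # a DLL in a profile folder, or one that no longer exists, is worth a look.
    $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $resolved = [Environment]::ExpandEnvironmentVariables($dll)
        if (($dll -match $profilePattern) -or -not (Test-Path -LiteralPath $resolved)) {
            $findings.Add("Service $($svc.PSChildName) ServiceDll: $dll")
        }
    }
}

# 2. Run keys (machine, 32-bit view, current user) that launch anything from
#    AppData or Temp, like the regsvr32 'Ezttion' entry in the first fixlist.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($entry in $props.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ("$($entry.Value)" -match 'AppData|\\Temp\\') {
            $findings.Add("Run $key\$($entry.Name): $($entry.Value)")
        }
    }
}

# 3. Alternate data streams attached to the two directories FRST flagged. A
#    directory normally carries no named streams; "dir /r" prints each one as
#    "<size> <name>:<stream>:$DATA" directly under the directory entry.
foreach ($dir in "$env:SystemRoot\System32\drivers", "$env:ProgramData\TEMP") {
    $parent = Split-Path -Path $dir -Parent
    $leaf   = [regex]::Escape((Split-Path -Path $dir -Leaf))
    $streamLine = "\s${leaf}:[^:]+:\`$DATA\s*$"
    cmd.exe /c dir /r /a:d $parent 2>$null |
        Where-Object { $_ -match $streamLine } |
        ForEach-Object { $findings.Add("ADS under $parent -> $($_.Trim())") }
}

# 4. Scheduled tasks whose action runs from the UCBrowser folder, AppData or
#    Temp (the UCBrowserUpdater task is what kept the updater alive here).
#    schtasks rather than Get-ScheduledTask so this also works on Windows 7.
$taskPattern = 'UCBrowser|AppData|\\Temp\\'
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $taskPattern } |
    ForEach-Object { $findings.Add("Task $($_.TaskName): $($_.'Task To Run')") }

# 5. Hosts file: every active mapping other than the localhost defaults. Rkill
#    reported Baidu/Sogou domains pinned to 127.0.0.1 on this machine.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content -Path $hostsFile |
    Where-Object { ($_ -match '^\s*[0-9a-fA-F:.]+\s+\S') -and ($_ -notmatch '\slocalhost\s*$') } |
    ForEach-Object { $findings.Add("hosts: $($_.Trim())") }

if ($findings.Count -eq 0) { 'No findings in the audited locations.' } else { $findings }
```

Run it once after a fix and once more after a reboot: anything that reappears between the two runs is being recreated by something still on the list, which is the situation described above with the Ludashi and lockhomepage folders coming back at boot. The script deliberately does not touch the Ludashi folders themselves, since they are the symptom; the service, task and Run entries are the places to look for what writes them.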

#11 DesperateMeasures
  • Topic Starter
  • Members
  • 10 posts

Posted 04 January 2017 - 03:06 AM

I did all the scans, no problems encountered. However, there's a step where I don't know if I should've proceeded differently. Your instructions specify that after finishing the RogueKiller scan, I should just open the report and export its contents. During this step (after the scan) I also had the option to remove the threats detected but I didn't (although I assume that I can still do that now if I open the application again). Other than that, here's everything:

Rkill

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/03/2017 07:29:50 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 1,008,640 : 10/04/2014 03:39 PM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
 +-> C:\Windows\SysWOW64\user32.dll : 833,024 : 10/04/2014 03:39 PM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1,008,128 : 11/21/2010 05:24 AM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833,024 : 11/21/2010 05:24 AM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       down.baidu2016.com
  127.0.0.1       123.sogou.com
  127.0.0.1       www.czzsyzgm.com
  127.0.0.1       www.czzsyzxl.com
  127.0.0.1       union.baidu2019.com

Program finished at: 01/03/2017 07:31:00 PM
Execution time: 0 hours(s), 1 minute(s), and 10 seconds(s)

RogueKiller

RogueKiller V12.9.1.0 (x64) [Jan  2 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Alex [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/03/2017 19:34:04 (Duration : 01:16:59)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 88 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upuste (C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe prodrco upuste) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WpSvc (C:\Windows\system32\config\systemprofile\AppData\Roaming\360bizhi\lpi\WpSvc.dll) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\upuste (C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe prodrco upuste) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WpSvc (C:\Windows\system32\config\systemprofile\AppData\Roaming\360bizhi\lpi\WpSvc.dll) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CF805753-3B6B-46D3-898A-2B855DC6927A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5EF22086-F982-42D4-BCCC-0262C460F7A5} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07C519EC-719D-4FDE-931C-D68DC28A4A32} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F5CF10E0-ED59-4D9F-8D15-8DA5CB3B190B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {80E7DBAD-8587-4705-A2C4-5F4567DF5DD3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D66B072B-5535-4A9D-B8C3-9C4BEB30B91B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {06E4BDE8-0D4B-4344-A19B-0CC65C7BDC7A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {38F04E03-476A-426D-8B81-A564A151AD22} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A4F9A5F3-3144-4407-9F39-EBCA11D8BAEC} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C602E3F6-CAD7-4DB8-830E-4FB97D78C006} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {61ACE77C-501A-4C7D-9F10-52514A33E34D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {103B2E22-C12E-40F0-B3FF-5141DA02B8B6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7274972C-EA8D-4FAC-B23C-7C56A475FC7E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {ED22699D-EEF1-4F15-868F-18CC5D5AA68F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6837CD8A-17D7-4BCE-B986-A0FF6CA35770} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9E3018B5-CE0E-462C-8B72-3C8E316879D8} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B296DEFD-8F00-4DE0-AB7B-DB6FF1CFAA14} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3FB8BEB0-51C5-4AFC-B6F8-F197C12D4507} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B57A9476-74E0-46E7-AFBC-BAE17015326F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D6D92956-4F98-4CC3-ACF8-92D5BC8E91A4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {86343E7A-ADDC-45FE-A040-177A4E7389F4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {72F99E6E-0FE5-43BB-8A26-FE6416467CAE} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2285FCE0-A605-45C7-97AE-10CEB9268977} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BB3CEF4B-DB06-404E-BA1B-2EA42EC2A967} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F4B4C29E-9BA5-44B9-BAA3-2C7FDE0B4DEA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {709C6462-4A05-49AE-AA0F-3BEFDF4880BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0920347A-F208-4CA3-A170-F28953EC6C72} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A0BE2381-E9DE-4B6D-95B7-BFE5E6994AB6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DD485D39-C768-43DD-A8EE-0717DBC2049A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {92C9A074-85D7-4080-9755-89AA83E31C9F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CE9C09D8-A53C-49F5-A712-8E538246BB6F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E5018AA5-8723-4CC8-BC5D-3A273AD6F86A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {8EE88042-39C3-4502-A057-EEB0AD3D6F58} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5EDE8515-8AF3-4192-A0A2-9E2882610C91} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5F11150C-5A8C-4964-A91C-B0119057558D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {941027A9-36EE-42BA-B222-67124F660F62} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B1DC75E0-C770-4D7B-82AC-CC4011284A42} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {74110D87-1D85-47CD-B031-40C6B02CD3B3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {03B4BEAC-C7B3-4EFF-B267-AD2BC54F079E} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe|Name=proinstaller1599900278| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {56E74837-DC92-4F46-BA3D-A9A43FAE7CC5} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe|Name=proinstaller1599900278| [x] -> Found
[PUP.Gen1|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8777973E-F74C-4577-9A81-0741CA941D8D}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe|Name=Hola Better Internet Engine|Desc=Hola Better Internet Engine|Defer=User| [x] -> Found
[PUP.Gen1|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A08696BD-1F02-4CB9-B47E-075393AD35C9}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe|Name=Hola Better Internet Engine|Desc=Hola Better Internet Engine|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CF805753-3B6B-46D3-898A-2B855DC6927A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5EF22086-F982-42D4-BCCC-0262C460F7A5} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07C519EC-719D-4FDE-931C-D68DC28A4A32} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F5CF10E0-ED59-4D9F-8D15-8DA5CB3B190B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {80E7DBAD-8587-4705-A2C4-5F4567DF5DD3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D66B072B-5535-4A9D-B8C3-9C4BEB30B91B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {06E4BDE8-0D4B-4344-A19B-0CC65C7BDC7A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {38F04E03-476A-426D-8B81-A564A151AD22} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A4F9A5F3-3144-4407-9F39-EBCA11D8BAEC} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C602E3F6-CAD7-4DB8-830E-4FB97D78C006} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {61ACE77C-501A-4C7D-9F10-52514A33E34D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {103B2E22-C12E-40F0-B3FF-5141DA02B8B6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7274972C-EA8D-4FAC-B23C-7C56A475FC7E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {ED22699D-EEF1-4F15-868F-18CC5D5AA68F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6837CD8A-17D7-4BCE-B986-A0FF6CA35770} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9E3018B5-CE0E-462C-8B72-3C8E316879D8} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B296DEFD-8F00-4DE0-AB7B-DB6FF1CFAA14} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3FB8BEB0-51C5-4AFC-B6F8-F197C12D4507} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B57A9476-74E0-46E7-AFBC-BAE17015326F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D6D92956-4F98-4CC3-ACF8-92D5BC8E91A4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {86343E7A-ADDC-45FE-A040-177A4E7389F4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {72F99E6E-0FE5-43BB-8A26-FE6416467CAE} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2285FCE0-A605-45C7-97AE-10CEB9268977} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BB3CEF4B-DB06-404E-BA1B-2EA42EC2A967} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F4B4C29E-9BA5-44B9-BAA3-2C7FDE0B4DEA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {709C6462-4A05-49AE-AA0F-3BEFDF4880BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0920347A-F208-4CA3-A170-F28953EC6C72} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A0BE2381-E9DE-4B6D-95B7-BFE5E6994AB6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DD485D39-C768-43DD-A8EE-0717DBC2049A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {92C9A074-85D7-4080-9755-89AA83E31C9F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CE9C09D8-A53C-49F5-A712-8E538246BB6F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E5018AA5-8723-4CC8-BC5D-3A273AD6F86A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {8EE88042-39C3-4502-A057-EEB0AD3D6F58} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5EDE8515-8AF3-4192-A0A2-9E2882610C91} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5F11150C-5A8C-4964-A91C-B0119057558D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {941027A9-36EE-42BA-B222-67124F660F62} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B1DC75E0-C770-4D7B-82AC-CC4011284A42} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {74110D87-1D85-47CD-B031-40C6B02CD3B3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe|Name=Battle.net Update Agent| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {03B4BEAC-C7B3-4EFF-B267-AD2BC54F079E} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe|Name=proinstaller1599900278| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {56E74837-DC92-4F46-BA3D-A9A43FAE7CC5} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe|Name=proinstaller1599900278| [x] -> Found
[PUP.Gen1|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8777973E-F74C-4577-9A81-0741CA941D8D}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe|Name=Hola Better Internet Engine|Desc=Hola Better Internet Engine|Defer=User| [x] -> Found
[PUP.Gen1|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A08696BD-1F02-4CB9-B47E-075393AD35C9}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe|Name=Hola Better Internet Engine|Desc=Hola Better Internet Engine|Defer=User| [x] -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \SoundsSystemService -- "C:\windows\rsdsrv.exe" -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD7500BPVT-35HXZT3 +++++
--- User ---
[MBR] f7d62b62e4ef2bee2f68cbaa713fed39
[BSP] 4e8ca65792a94f4994d4cd7ef06a12af : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 499900 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1024002048 | Size: 200000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Zoek

Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Alex on Tue 01/03/2017 at 20:59:36.12.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Alex\Desktop\zoek.exe [Scan all users]   [Deep Scan] [Auto Clean]

==== System Restore Info ======================

1/3/2017 9:01:55 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\JoWooD deleted successfully
C:\PROGRA~2\Overwatch deleted successfully
C:\Program Files\Clive Barker's Undying deleted successfully
C:\Program Files\Epic Games deleted successfully
C:\Program Files\Fox deleted successfully
C:\Program Files\HitmanPro deleted successfully
C:\Program Files\Momodora - Reverie Under the Moonlight deleted successfully
C:\Program Files\Shardlight deleted successfully
C:\Program Files\The Shivah deleted successfully
C:\PROGRA~3\JustAdventure deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\Users\Alex\AppData\Roaming\capy deleted successfully
C:\Users\Alex\AppData\Roaming\com.studio-fizbin.InnerWorld deleted successfully
C:\Users\Alex\AppData\Roaming\Crazy Viking Studios deleted successfully
C:\Users\Alex\AppData\Roaming\Victor VranVictor Vran deleted successfully
C:\Users\Alex\AppData\Local\CrashRpt deleted successfully
C:\Users\Alex\AppData\Local\GlimpseGame deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-139745227-2284625060-2539193485-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E66592B-8E7C-4A14-88A5-8BF21032F651} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Running Processes ======================

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Users\Alex\Desktop\zoek.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe

==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default

user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("yahoo.ytff.general.dontshowhpoffer", true);
---- FireFox user.js and prefs.js backups ----

prefs_20170103_0920_.backup

==== Deleting Files \ Folders ======================

C:\PROGRA~2\JoWooD not found
C:\PROGRA~2\Overwatch not found
C:\Users\Alex\.android deleted
C:\PROGRA~2\Yahoo! deleted
C:\install.exe deleted
C:\Users\Alex\AppData\Roaming\Yahoo! deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\uninstall_temp.ico deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Yahoo! deleted
C:\PROGRA~3\Yahoo! deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Alex\AppData\Local\Unity deleted
C:\Windows\SysNative\config\systemprofile\AppData\Local\Mathtam.exe.config deleted
C:\Users\Alex\AppData\LocalLow\Unity deleted
C:\Users\Alex\AppData\LocalLow\Yahoo! deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow\Yahoo! deleted
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\jetpack deleted
"C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\yahooToolbarSettings" deleted

==== System Specs ======================

Windows: Windows 7 Ultimate Edition (64-bit) Service Pack 1 (Build 7601)
Memory (RAM): 3878 MB
CPU Info: Intel® Core™ i3-3110M CPU @ 2.40GHz
CPU Speed: 2414.7 MHz
Sound Card: Speakers (Realtek High Definiti |
Display Adapters: Intel® HD Graphics 4000 | Intel® HD Graphics 4000 | Intel® HD Graphics 4000 | NVIDIA GeForce GT 620M   | RDPDD Chained DD | RDP Encoder Mirror Driver | RDP Reflector Display Driver
Monitors: 1x; Generic PnP Monitor |
Screen Resolution: 1366 X 768 - 32 bit
Network: Network Present
Network Adapters: Microsoft Virtual WiFi Miniport Adapter | Atheros AR9485WB-EG Wireless Network Adapter | Realtek PCIe GBE Family Controller
CD / DVD Drives: 2x (E: | F: | ) E: TSSTcorpCDDVDW SN-208BB  | F: DTSOFT  BDROM
Ports: COM Ports NOT Present. LPT Port NOT Present.
Mouse: 5 Button Wheel Mouse Present
Hard Disks: C:  488.2GB | D:  195.3GB
Hard Disks - Free: C:  338.3GB | D:  163.0GB
Manufacturer *: Phoenix Technologies Ltd.
BIOS Info: AT/AT COMPATIBLE | 10/25/12 | SECCSD - 2
Time Zone: GTB Standard Time
Motherboard *: SAMSUNG ELECTRONICS CO., LTD. NP300E5X-S02RO
Country: United States
Language: ENU

==== System Specs (Software) ======================

AV: Malwarebytes *Disabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
SP: Malwarebytes *Disabled/Updated* {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Default Browser: Firefox    50.1.0
Internet Explorer version: 8.0.7601.17514
Mozilla Firefox version: 50.1.0 (x86 en-US)
Adobe Reader version: 10.1.16.13
Sun Java version: 1.7.0_67 (32-bit)
Flash Player version: 24.0.0.186

==== Files Recently Created / Modified ======================

====== C:\Windows ====
2016-12-28 15:58:00    B8F4001FE4DA791857959982694AD4E1    2787288    ----a-w-    C:\Windows\ZAM.krnl.trace
2016-12-28 15:58:00    3DF575806A6939CF969E92A5E7261EE9    2898395    ----a-w-    C:\Windows\ZAM_Guard.krnl.trace
====== C:\Users\Alex\AppData\Local\Temp ====
2017-01-03 17:33:29    3556D5A8BF2CC508BDAB51DEC38D7C61    1731936    ----a-w-    C:\Users\Alex\AppData\Local\Temp\dllnt_dump.dll
====== Java Cache =====
====== C:\Windows\SysWOW64 =====
2017-01-01 07:46:44    7A9405D459C2A928B12952E276F9A8F5    1    ----a-w-    C:\Windows\SysWOW64\SI.bin
====== C:\Windows\SysWOW64\drivers =====
====== C:\Windows\Sysnative =====
2016-12-28 05:27:32    5614386D4CFDF9E56F355C45BEEBC976    12872    ----a-w-    C:\Windows\Sysnative\bootdelete.exe
2016-12-27 18:28:34    DD08CD4E9E3D4C6B705A1B2109FAC966    10130    ----a-w-    C:\Windows\Sysnative\.crusader
====== C:\Windows\Sysnative\drivers =====
2017-01-03 17:34:05    0D5A09B08568760AE85A801FCBC0F83D    28272    ----a-w-    C:\Windows\Sysnative\drivers\TrueSight.sys
2016-12-28 15:57:55    21E13F2CB269DEFEAE5E1D09887D47BB    203680    ----a-w-    C:\Windows\Sysnative\drivers\zamguard64.sys
2016-12-28 15:57:55    21E13F2CB269DEFEAE5E1D09887D47BB    203680    ----a-w-    C:\Windows\Sysnative\drivers\zam64.sys
2016-12-27 15:21:21    3BEC6134F1E45AEF5E971F69F0D38510    176064    ----a-w-    C:\Windows\Sysnative\drivers\MBAMChameleon.sys
2016-12-27 15:20:59    F3960CA85778E5D7611EE0F501972340    102856    ----a-w-    C:\Windows\Sysnative\drivers\farflt.sys
2016-12-27 15:20:59    90AF4ED8A8D28C40F162DDC1ABD49C42    81696    ----a-w-    C:\Windows\Sysnative\drivers\mwac.sys
2016-12-27 15:20:54    88BD122C3A35DE63D75D382DF75554CE    43968    ----a-w-    C:\Windows\Sysnative\drivers\mbam.sys
2016-12-27 15:20:48    ABB371D9AEF728B0489B0E6872B4A1C0    250816    ----a-w-    C:\Windows\Sysnative\drivers\MBAMSwissArmy.sys
2016-12-27 15:20:38    047244823B2EA707E1F6076CA20DEF90    77408    ----a-w-    C:\Windows\Sysnative\drivers\mbae64.sys
====== C:\Windows\Tasks ======
2016-12-26 15:49:22    2A14A56E6A76AAD31F15D01E1973EB01    3326    ----a-w-    C:\Windows\Sysnative\Tasks\SoundsSystemService
====== C:\Windows\Temp ======
======= C:\Program Files =====
2017-01-03 17:33:05    --------    d-----w-    C:\Program Files\RogueKiller
2016-12-26 15:49:26    --------    d-----w-    C:\Program Files\The Little Acre
2016-12-08 12:40:20    --------    d-----w-    C:\Program Files\Chronology
======= C:\PROGRA~2 =====
2016-12-28 15:57:52    --------    d-----w-    C:\PROGRA~2\Zemana AntiMalware
======= C: =====
====== C:\Users\Alex\AppData\Roaming ======
2017-01-03 08:07:45    --------    d-----w-    C:\Users\Alex\AppData\Roaming\Ludashi
2017-01-03 08:07:45    --------    d-----w-    C:\Users\Alex\AppData\Roaming\lockhomepage
2016-12-28 15:57:56    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Zemana
2016-12-28 15:57:36    --------    d-----w-    C:\Users\Alex\AppData\Local\Zemana
2016-12-28 09:17:19    --------    d-----w-    C:\Users\Alex\AppData\Local\ESET
2016-12-28 07:49:13    --------    d-----w-    C:\Windows\SysNative\config\systemprofile\AppData\Local\CrashDumps
2016-12-27 15:24:21    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC???
2016-12-27 15:01:08    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\LDSGameAssistant
2016-12-27 15:01:08    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\360wp
2016-12-27 15:01:08    --------    d-----w-    C:\Windows\SysNative\config\systemprofile\AppData\Roaming\LDSGameAssistant
2016-12-27 15:01:07    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\360bizhi
2016-12-27 15:00:29    2094097465A3EE2AFA6FA13E307A79AF    91688    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2016-12-27 14:57:55    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser
2016-12-27 14:54:22    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Adobe
2016-12-27 14:53:27    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Local\app
2016-12-27 14:52:51    9E05DBFCFA6314A41D949552DC98640B    41472    ----a-w-    C:\Windows\SysNative\config\systemprofile\AppData\Local\Mathtam.dat
2016-12-27 14:52:15    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Local\CrashDumps
2016-12-27 14:52:02    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Programs
2016-12-27 14:52:02    --------    d-----w-    C:\Windows\SysNative\config\systemprofile\AppData\Roaming\gplyra
2016-12-27 14:51:56    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Luwosplersock
2016-12-27 14:51:54    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Profiles
2016-12-27 14:51:54    --------    d-----w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Tuzersppazot
2016-12-27 14:50:53    FE544CEC0835173620D087BD061E2C8D    1907234    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\PlusSanit.tst
2016-12-27 14:50:53    B740BA3DEBD61187D6B2EF17D21991DB    5568    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\md.xml
2016-12-27 14:50:53    A699BCCD64F55AF274C6441E9C5DB39D    18432    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Main.dat
2016-12-27 14:50:53    89EEFDEDCF58BE22AECC052A232DFA44    126464    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\noah.dat
2016-12-27 14:50:53    83A0DC585F06E3057E53B2F76CE31D12    7316480    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\agent.dat
2016-12-27 14:50:53    11041D924C7DB7C8F25D5A9695C72023    70704    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Config.xml
2016-12-27 14:50:47    --------    d-----w-    C:\Windows\SysNative\config\systemprofile\AppData\Roaming\NUIns
2016-12-27 14:50:10    B326B5062B2F0E69046810717534CB09    4    ----a-w-    C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
2016-12-27 14:49:25    47086CA137DCFAB12FA199E53C4657B6    140288    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Installer.dat
2016-12-27 14:49:25    24CB5BEFA4AFC23099ACDF8E5168250E    19056    ----a-w-    C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\InstallationConfiguration.xml
2016-12-13 14:32:40    --------    d-----w-    C:\Users\Alex\AppData\Local\Chromium
2016-12-10 13:07:46    --------    d-----w-    C:\Users\Alex\AppData\Local\MomodoraRUtM
2016-12-09 12:16:27    --------    d-----w-    C:\Users\Alex\AppData\Locallow\Vonsnake
2016-12-07 13:17:43    --------    d-----w-    C:\Users\Alex\AppData\Local\DontTouchAnything
====== C:\Users\Alex ======
2017-01-03 17:33:10    --------    d-----w-    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-01-03 17:32:03    --------    d-----w-    C:\ProgramData\RogueKiller
2017-01-03 17:23:52    902E3C2DA229D4DD1AEB03BD97924A52    34631352    ----a-w-    C:\Users\Alex\Desktop\setup(1).exe
2017-01-03 17:23:00    DD56EC4F23743414581E3E3B8BFF5EFA    2030536    ----a-w-    C:\Users\Alex\Desktop\rkill.exe
2016-12-28 15:57:53    --------    d-----w-    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-12-28 15:55:35    658E926F0C8CEBE759F715B0DC0489BB    5462216    ----a-w-    C:\Users\Alex\Downloads\Zemana.AntiMalware.Setup.exe
2016-12-28 09:16:59    D05632ACA626ABB1104B80C03A141002    6771840    ----a-w-    C:\Users\Alex\Downloads\esetonlinescanner_enu.exe
2016-12-27 18:04:07    --------    d-----w-    C:\ProgramData\HitmanPro
2016-12-27 18:03:09    76ACA89383D1B0EE9FD71F7603DAA7B4    11581544    ----a-w-    C:\Users\Alex\Downloads\hitmanpro_x64.exe
2016-12-27 15:19:29    9DF1469E76C21CFB43017D04847F6782    1663040    ----a-w-    C:\Users\Alex\Downloads\JRT.exe
2016-12-27 15:18:56    77388F14CF6F3E9B1739E8F53B34B3CF    3977168    ----a-w-    C:\Users\Alex\Downloads\adwcleaner_6.041.exe
2016-12-27 15:18:36    C5EE10B806249B92666E8AA1415C6FBC    54199488    ----a-w-    C:\Users\Alex\Downloads\mb3-setup-consumer-3.0.5.1299.exe
2016-12-27 14:54:15    --------    d-----r-    C:\Windows\sysWoW64\config\systemprofile\Favorites
2016-12-27 14:51:22    --------    d-----r-    C:\Windows\sysWoW64\config\systemprofile\Desktop

====== C: exe-files ==
2017-01-03 17:33:09    5BD0D4E39A36DD86016DC762D49BB157    13425224    ----a-w-    C:\Program Files\RogueKiller\Updater.exe
2017-01-03 17:33:08    ACFDBE1100338CEC063350196E523836    9048648    ----a-w-    C:\Program Files\RogueKiller\RogueKillerCMD.exe
2017-01-03 17:33:08    AA4C2FF934E4D064D4DCFDB46D33D81C    10638408    ----a-w-    C:\Program Files\RogueKiller\RogueKillerCMD64.exe
2017-01-03 17:33:06    96C2A06979F2E2EDE07407C52CD512AE    25846856    ----a-w-    C:\Program Files\RogueKiller\RogueKiller64.exe
2017-01-03 17:33:05    AA86EC43675EF465E44404264AEB5C9A    21526600    ----a-w-    C:\Program Files\RogueKiller\RogueKiller.exe
2017-01-03 17:33:05    A46A455F72E526CFAB9D5B736ED31B4D    799304    ----a-w-    C:\Program Files\RogueKiller\unins000.exe
2016-12-28 15:57:52    8BFACD24609F77877D68D25CCC402C95    1188552    ----a-w-    C:\Program Files (x86)\Zemana AntiMalware\unins000.exe
2016-12-28 15:57:52    13012A461506333817D41F272D79FC26    14064880    ----a-w-    C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
2016-12-28 08:59:03    31657ADA786863B73FAC28E5BD0753AD    382168    ----a-w-    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
=== C: other files ==
2017-01-03 17:34:05    0D5A09B08568760AE85A801FCBC0F83D    28272    ----a-w-    C:\Windows\System32\drivers\TrueSight.sys
2016-12-28 15:57:55    21E13F2CB269DEFEAE5E1D09887D47BB    203680    ----a-w-    C:\Windows\System32\drivers\zamguard64.sys
2016-12-28 15:57:55    21E13F2CB269DEFEAE5E1D09887D47BB    203680    ----a-w-    C:\Windows\System32\drivers\zam64.sys

==== Startup Registry Enabled ======================

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"360wp-srv"="C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe /autorun"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-21-139745227-2284625060-2539193485-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe -autorun"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe"
"KSS"="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe autorun"

[HKEY_USERS\S-1-5-21-139745227-2284625060-2539193485-1002\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"360wp-srv"="C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe /autorun"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-21-139745227-2284625060-2539193485-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
"Nero MediaHome 4"="C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe /AUTORUN"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe -autorun"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe"
"KSS"="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\SysWOW64\\nvinit.dll"

==== Startup Registry Enabled x64 ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe"
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe"
"Persistence"="C:\Windows\system32\igfxpers.exe"
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s"
"AtherosBtStack"="C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe"
"AthBtTray"="C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe"
"NvBackend"="C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe silentrun"
"ZAM"="C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe /minimized"
"ETDCtrl"="%ProgramFiles%\Elantech\ETDCtrl.exe "

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\nvinitx.dll"

==== Task Scheduler Jobs ======================

C:\Windows\tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job --a------ C:\Program Files (x86)\Intel\IntelR ME FW Recovery Agent\bin\Bootstrap.exe []
C:\Windows\tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job --a------ C:\Program Files (x86)\Intel\IntelR ME FW Recovery Agent\bin\Bootstrap.exe []

==== Other Scheduled Tasks ======================

"C:\Windows\SysNative\tasks\Easy Software Manager Agent" ["%ProgramFiles(x86)%\Samsung\Easy Software Manager\SWMAgent.exe"]
"C:\Windows\SysNative\tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d" [C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe]
"C:\Windows\SysNative\tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon" [C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe]
"C:\Windows\SysNative\tasks\SoundsSystemService" ["C:\windows\rsdsrv.exe"]

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default
user_pref("browser.startup.homepage", "about:home");

==== Firefox Extensions ======================

ProfilePath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default
- EPUBReader - %ProfilePath%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
- Rename command invocation - %ProfilePath%\extensions\{81005532-A277-0574-A3A9-44D6D7619194}
- Bitdefender QuickScan - %ProfilePath%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default
E8D38E8FB6EC88E7B0E0B4D9AC9B0725    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll -    Shockwave Flash


==== Chromium Look ======================


UC浏览器活动 - C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Extensions\acbckhilidhkcoenjgmejpgnnmcbhjhi
Wiki-Search.me - C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Extensions\fcgnigmofekcllgbiejhmigggmgehkip
UC Image Previewer - C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Extensions\hdgdpmpallofembldhflnlkcfappghhc
UC Resource Hunter - C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Extensions\hkmogefbfdmboplojeicpibfpcndjjbm
Generate QR code of this webpage - C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Extensions\pbnmnlipmkfkadfcdocgblonoccmolpe
UC Nexus - C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Extensions\pogijhnlcfmcppgimcaccdkmbedjkmhi

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="yes"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
"Default"=""
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
"Default"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Use Search Asst"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

==== Deleting Registry Keys ======================

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnityWebPlayer deleted successfully

==== HijackThis Entries ======================

F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: IESpeakDoc - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Nero MediaHome 4] "C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [KSS] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe" autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-139745227-2284625060-2539193485-1002\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NeroMediaHomeUser.4')
O4 - HKUS\S-1-5-21-139745227-2284625060-2539193485-1002\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NeroMediaHomeUser.4')
O4 - HKUS\S-1-5-18\..\Run: [360wp-srv] "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe" /autorun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [360wp-srv] "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe" /autorun (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
O9 - Extra 'Tools' menuitem: Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://*.hola.org
O20 - AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AtherosSvc - Atheros Commnucations - C:\Program Files (x86)\Bluetooth Suite\adminservice.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel® Capability Licensing Service Interface - Intel® Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel® ME Service - Unknown owner - C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
O23 - Service: Intel® Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: Malwarebytes Service (MBAMService) - Malwarebytes - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero MediaHome 4 Service (NeroMediaHomeService.4) - Nero AG - C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Network Service (NvNetworkService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: Drip Latlab (upuste) - Unknown owner - C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: ZAM Controller Service (ZAMSvc) - Zemana Ltd. - C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
O23 - Service: ZAtheros Bt&Wlan Coex Agent - Atheros - C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Alex\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Alex\AppData\Local\Mozilla\Firefox\Profiles\fu1vpkaw.default\cache2 emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++ageofbleeplords.com\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++forums.anandtech.com\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++mobiforge.com\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++myanimelist.net\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++plus.google.com\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++www.dropbox.com\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++www.pinterest.com\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++www.theguardian.com\cache emptied successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\storage\default\https+++www.youtube.com\cache emptied successfully

==== Empty Chrome Cache ======================

C:\Windows\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=172 folders=116 858776021 bytes)

==== Empty Temp Folders ======================

C:\Users\Alex\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\NeroMediaHomeUser.4\AppData\Local\Temp emptied successfully
C:\Users\NEROME~1.4\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Alex\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Alex\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found

==== EOF on Tue 01/03/2017 at 21:46:01.74 ======================

FRST log

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-01-2017
Ran by Alex (administrator) on ALEX-PC (04-01-2017 07:59:38)
Running from C:\Users\Alex\Desktop
Loaded Profiles: Alex & NeroMediaHomeUser.4 (Available Profiles: Alex & NeroMediaHomeUser.4)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Samsung) C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12460136 2012-06-21] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1020064 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800416 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2816336 2012-06-21] (ELAN Microelectronics Corp.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2465088 2014-11-17] (NVIDIA Corporation)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14064880 2016-12-27] (Zemana Ltd.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2015-09-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [Nero MediaHome 4] => C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe [5179880 2012-12-20] (Nero AG)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [DAEMON Tools Pro Agent] => C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe [3111744 2012-04-26] (DT Soft Ltd)
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe [202024 2007-08-03] (Nero AG)
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\Run: [KSS] => "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe" autorun
HKU\S-1-5-18\...\Run: [360wp-srv] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe [1636264 2016-12-09] (360.cn)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [174856 2014-11-13] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [156840 2014-11-13] (NVIDIA Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{7B861873-A710-43E4-A477-60B6DF42D03E}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-139745227-2284625060-2539193485-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-139745227-2284625060-2539193485-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-10-04] (Oracle Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-02-13] (Atheros Commnucations)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-10-04] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default [2017-01-04]
FF Homepage: Mozilla\Firefox\Profiles\fu1vpkaw.default -> about:home
FF Extension: (EPUBReader) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2016-08-16]
FF Extension: (Rename command invocation) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{81005532-A277-0574-A3A9-44D6D7619194} [2016-12-27] [not signed]
FF Extension: (Bitdefender QuickScan) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-09-21]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_186.dll [2016-12-28] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-28] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-10-04] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-10-04] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-139745227-2284625060-2539193485-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Alex\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [106144 2012-02-13] (Atheros Commnucations) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-06-21] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-06-21] (Intel Corporation)
R3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
R2 NeroMediaHomeService.4; C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe [518632 2012-12-20] (Nero AG)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [382248 2007-08-03] (Nero AG)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-11-17] (NVIDIA Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WpSvc; C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\lpi\WpSvc.dll [253352 2016-11-17] ()
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14064880 2016-12-27] (Zemana Ltd.)
R2 ZAtheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [158880 2012-02-13] (Atheros) [File not signed]
S2 GmSvc; C:\Program Files (x86)\LDSGameCenter\GmSvc.dll [X]
S2 upuste; C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe prodrco upuste [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2015-07-18] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2014-10-04] (DT Soft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77408 2017-01-02] ()
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2015-07-18] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2017-01-01] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2017-01-04] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-01-04] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [250816 2017-01-04] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2017-01-04] (Malwarebytes)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
R3 ScpVBus; C:\Windows\System32\DRIVERS\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [117768 2015-09-08] (Oracle Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2016-12-28] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2016-12-28] (Zemana Ltd.)
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVCx32: HpSvc -> no filepath.
NETSVCx32: GmSvc -> C:\Program Files (x86)\LDSGameCenter\GmSvc.dll ==> No File
NETSVCx32: WpSvc -> C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\lpi\WpSvc.dll ()

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-04 07:59 - 2017-01-04 08:00 - 00013466 _____ C:\Users\Alex\Desktop\FRST.txt
2017-01-03 20:59 - 2017-01-03 21:20 - 00000000 ____D C:\zoek_backup
2017-01-03 20:57 - 2017-01-03 20:57 - 00061598 _____ C:\Users\Alex\Desktop\RK.txt
2017-01-03 19:34 - 2017-01-03 19:34 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-01-03 19:33 - 2017-01-03 19:33 - 00001011 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-01-03 19:33 - 2017-01-03 19:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-01-03 19:33 - 2017-01-03 19:33 - 00000000 ____D C:\Program Files\RogueKiller
2017-01-03 19:32 - 2017-01-03 20:58 - 00000000 ____D C:\ProgramData\RogueKiller
2017-01-03 19:29 - 2017-01-03 19:31 - 00003628 _____ C:\Users\Alex\Desktop\Rkill.txt
2017-01-03 19:26 - 2017-01-03 19:26 - 01309184 _____ C:\Users\Alex\Desktop\zoek.exe
2017-01-03 19:23 - 2017-01-03 19:26 - 34631352 _____ (Adlice Software ) C:\Users\Alex\Desktop\setup(1).exe
2017-01-03 19:23 - 2017-01-03 19:23 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Alex\Desktop\rkill.exe
2017-01-03 10:07 - 2017-01-04 07:03 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Ludashi
2017-01-03 10:07 - 2017-01-03 10:08 - 00000000 ____D C:\Users\Alex\AppData\Roaming\lockhomepage
2017-01-02 08:55 - 2017-01-02 09:37 - 00435114 _____ C:\Windows\ntbtlog.txt
2017-01-01 09:46 - 2017-01-01 09:46 - 00000001 _____ C:\Windows\SysWOW64\SI.bin
2016-12-29 09:41 - 2017-01-04 07:59 - 00000000 ____D C:\FRST
2016-12-29 09:38 - 2017-01-04 07:58 - 00000000 ____D C:\Users\Alex\Desktop\FRST
2016-12-29 09:37 - 2017-01-03 09:59 - 02418176 _____ (Farbar) C:\Users\Alex\Desktop\FRST64.exe
2016-12-28 17:58 - 2017-01-04 07:59 - 00060768 _____ C:\Windows\ZAM.krnl.trace
2016-12-28 17:58 - 2017-01-04 07:59 - 00030369 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-12-28 17:57 - 2016-12-28 17:57 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2016-12-28 17:57 - 2016-12-28 17:57 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2016-12-28 17:57 - 2016-12-28 17:57 - 00001148 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2016-12-28 17:57 - 2016-12-28 17:57 - 00000000 ____D C:\Users\Alex\AppData\Local\Zemana
2016-12-28 17:57 - 2016-12-28 17:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-12-28 17:57 - 2016-12-28 17:57 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-12-28 17:55 - 2016-12-28 17:55 - 05462216 _____ ( ) C:\Users\Alex\Downloads\Zemana.AntiMalware.Setup.exe
2016-12-28 11:17 - 2016-12-28 11:17 - 00000000 ____D C:\Users\Alex\AppData\Local\ESET
2016-12-28 11:16 - 2016-12-28 11:17 - 06771840 _____ (ESET spol. s r.o.) C:\Users\Alex\Downloads\esetonlinescanner_enu.exe
2016-12-28 09:43 - 2016-12-28 09:44 - 00524288 ___SH C:\Users\NeroMediaHomeUser.4\NTUSER.DAT{a07de5b7-ccb9-11e6-af8f-50b7c3887200}.TMContainer00000000000000000002.regtrans-ms
2016-12-28 09:43 - 2016-12-28 09:44 - 00524288 ___SH C:\Users\NeroMediaHomeUser.4\NTUSER.DAT{a07de5b7-ccb9-11e6-af8f-50b7c3887200}.TMContainer00000000000000000001.regtrans-ms
2016-12-28 09:43 - 2016-12-28 09:44 - 00065536 ___SH C:\Users\NeroMediaHomeUser.4\NTUSER.DAT{a07de5b7-ccb9-11e6-af8f-50b7c3887200}.TM.blf
2016-12-28 07:27 - 2016-12-28 07:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2016-12-27 20:28 - 2016-12-27 20:28 - 00010130 _____ C:\Windows\system32\.crusader
2016-12-27 20:04 - 2016-12-27 20:29 - 00000000 ____D C:\ProgramData\HitmanPro
2016-12-27 20:03 - 2016-12-27 20:03 - 11581544 _____ (SurfRight B.V.) C:\Users\Alex\Downloads\hitmanpro_x64.exe
2016-12-27 17:58 - 2016-12-29 09:33 - 00000000 ____D C:\AdwCleaner
2016-12-27 17:21 - 2017-01-01 13:53 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2016-12-27 17:20 - 2017-01-04 07:59 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2016-12-27 17:20 - 2017-01-04 07:59 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2016-12-27 17:20 - 2017-01-04 07:58 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-27 17:20 - 2017-01-04 07:58 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-27 17:20 - 2017-01-02 11:17 - 00077408 _____ C:\Windows\system32\Drivers\mbae64.sys
2016-12-27 17:20 - 2016-12-27 17:20 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-27 17:20 - 2016-12-27 17:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-27 17:20 - 2016-12-27 17:20 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-27 17:20 - 2016-12-27 17:20 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-27 17:19 - 2016-12-27 17:19 - 01663040 _____ (Malwarebytes) C:\Users\Alex\Downloads\JRT.exe
2016-12-27 17:18 - 2016-12-27 17:20 - 54199488 _____ (Malwarebytes ) C:\Users\Alex\Downloads\mb3-setup-consumer-3.0.5.1299.exe
2016-12-27 17:18 - 2016-12-27 17:19 - 03977168 _____ C:\Users\Alex\Downloads\adwcleaner_6.041.exe
2016-12-27 16:50 - 2016-12-27 16:50 - 00000004 _____ C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
2016-12-26 17:49 - 2016-12-30 15:53 - 00000000 ____D C:\Program Files\The Little Acre
2016-12-26 17:49 - 2016-12-26 17:49 - 00003326 _____ C:\Windows\System32\Tasks\SoundsSystemService
2016-12-20 18:20 - 2016-12-20 18:20 - 29950551 _____ (KLCP ) C:\Users\Alex\Downloads\K-Lite_Codec_Pack_1270_Standard.exe
2016-12-20 18:03 - 2016-12-20 18:03 - 00000000 ____D C:\Users\Alex\Documents\Cloud
2016-12-13 16:32 - 2016-12-13 16:32 - 00000000 ____D C:\Users\Alex\AppData\Local\Chromium
2016-12-10 15:07 - 2016-12-10 15:09 - 00000000 ____D C:\Users\Alex\AppData\Local\MomodoraRUtM
2016-12-09 14:16 - 2016-12-09 14:16 - 00000000 ____D C:\Users\Alex\AppData\LocalLow\Vonsnake
2016-12-08 14:40 - 2016-12-09 19:43 - 00000000 ____D C:\Program Files\Chronology
2016-12-07 15:17 - 2016-12-07 15:31 - 00000000 ____D C:\Users\Alex\AppData\Local\DontTouchAnything

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-04 07:58 - 2016-11-16 10:27 - 00000000 ____D C:\Users\Alex\AppData\LocalLow\Mozilla
2017-01-04 07:01 - 2014-10-04 15:51 - 00000828 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2017-01-04 06:59 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-03 21:20 - 2014-10-04 15:40 - 00000000 ____D C:\Users\Alex
2017-01-03 17:08 - 2014-10-12 09:12 - 00000000 ____D C:\Program Files (x86)\Steam
2017-01-03 14:54 - 2014-10-04 15:51 - 00000830 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2017-01-03 10:00 - 2015-02-11 15:42 - 00000000 ____D C:\Users\NeroMediaHomeUser.4
2017-01-03 09:48 - 2014-10-04 17:24 - 00000000 ____D C:\Users\Alex\AppData\Local\Battle.net
2017-01-03 09:27 - 2014-10-04 17:24 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-01-01 13:52 - 2014-10-04 17:59 - 00000000 ____D C:\Users\Alex\AppData\Local\CrashDumps
2017-01-01 09:47 - 2014-10-05 12:28 - 00000000 ____D C:\ProgramData\Ubisoft
2017-01-01 09:47 - 2014-10-04 15:46 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-01-01 09:46 - 2014-10-04 18:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-12-30 15:52 - 2009-07-14 07:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-12-29 08:15 - 2014-10-30 08:50 - 00000000 ____D C:\Users\Alex\Documents\My Games
2016-12-29 08:15 - 2013-08-19 16:47 - 00000000 ____D C:\GOG Games
2016-12-29 08:13 - 2014-10-05 01:57 - 00000000 ____D C:\Windows.old
2016-12-28 18:58 - 2015-02-18 21:43 - 00000983 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-12-28 11:00 - 2014-10-04 16:08 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2016-12-28 11:00 - 2014-10-04 15:50 - 00000000 __SHD C:\Windows\Installer
2016-12-28 10:47 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\System32
2016-12-28 09:18 - 2013-03-03 10:51 - 00000000 ____D C:\Downloads
2016-12-28 09:18 - 2013-03-03 08:40 - 00000000 ____D C:\Filme
2016-12-28 09:07 - 2014-10-04 16:09 - 00000000 ____D C:\Users\Alex\AppData\Local\Adobe
2016-12-28 09:06 - 2014-10-04 16:10 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-28 09:06 - 2014-10-04 16:10 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-28 09:06 - 2014-10-04 16:10 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-28 09:06 - 2014-10-04 16:10 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-27 18:48 - 2014-10-04 15:40 - 00000000 ___RD C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
2016-12-27 18:10 - 2015-02-11 15:42 - 00000000 ___RD C:\Users\NeroMediaHomeUser.4\Desktop
2016-12-27 18:10 - 2014-10-04 15:41 - 00001170 _____ C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-12-27 17:57 - 2009-07-14 05:20 - 00000000 ____D C:\Program Files (x86)\Common Files
2016-12-27 16:57 - 2009-07-14 05:20 - 00000000 ____D C:\Program Files\Internet Explorer
2016-12-27 16:53 - 2009-07-14 05:20 - 00000000 ___SD C:\ProgramData\Microsoft
2016-12-27 16:49 - 2009-07-14 04:34 - 00001006 _____ C:\Windows\system32\Drivers\etc\hosts
2016-12-24 08:18 - 2014-10-04 18:21 - 00000000 ____D C:\Users\Alex\AppData\Roaming\vlc
2016-12-20 18:35 - 2016-02-16 09:38 - 00000000 ___SD C:\Users\Alex\AppData\LocalLow\Temp
2016-12-17 13:09 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\config\RegBack
2016-12-15 10:31 - 2016-11-16 09:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-15 10:31 - 2014-10-15 07:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-14 15:23 - 2014-10-04 15:40 - 00000000 ___RD C:\Users\Alex\Saved Games
2016-12-13 16:32 - 2015-02-07 10:48 - 00000000 ____D C:\Users\Alex\AppData\Local\Steam
2016-12-08 12:24 - 2009-07-14 07:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-08 12:24 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2016-12-08 12:24 - 2009-07-14 04:36 - 00661894 _____ C:\Windows\system32\perfh009.dat
2016-12-08 12:24 - 2009-07-14 04:36 - 00121730 _____ C:\Windows\system32\perfc009.dat

==================== Files in the root of some directories =======

2016-12-27 16:50 - 2016-12-27 16:50 - 0000004 _____ () C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
2014-11-21 12:31 - 2014-11-21 12:31 - 0000057 _____ () C:\ProgramData\Ament.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2010-11-21 05:24] - [2014-10-04 15:39] - 1008640 ____A (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2010-11-21 05:24] - [2014-10-04 15:39] - 0833024 ____A (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-17 13:10

==================== End of FRST.txt ============================

Addition log

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by Alex (04-01-2017 08:00:28)
Running from C:\Users\Alex\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2014-10-04 13:39:42)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-139745227-2284625060-2539193485-500 - Administrator - Disabled)
Alex (S-1-5-21-139745227-2284625060-2539193485-1000 - Administrator - Enabled) => C:\Users\Alex
Guest (S-1-5-21-139745227-2284625060-2539193485-501 - Limited - Disabled)
NeroMediaHomeUser.4 (S-1-5-21-139745227-2284625060-2539193485-1002 - Limited - Enabled) => C:\Users\NeroMediaHomeUser.4

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 21.0.0.215 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
Arx Fatalis (HKLM-x32\...\{96443F45-13E2-11D6-AC87-00D0B7A9E540}) (Version: 1.0.0 - JoWood)
Atheros Bluetooth Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.4.0.122 - Atheros)
Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Atheros)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Ben There, Dan That! pack (HKLM-x32\...\GOGPACKBTDTTGP_is1) (Version: 2.0.0.6 - GOG.com)
Combined Community Codec Pack 2014-07-13 (HKLM-x32\...\Combined Community Codec Pack_is1) (Version: 2014.07.13.0 - CCCP Project)
DAEMON Tools Pro (HKLM-x32\...\DAEMON Tools Pro) (Version: 5.1.0.0333 - DT Soft Ltd)
Easy Software Manager (HKLM-x32\...\{DE256D8B-D971-456D-BC02-CB64DA24F115}) (Version: 1.2.10.7 - Samsung Electronics Co., Ltd.)
EAX4 Unified Redist (HKLM-x32\...\{89661B04-C646-4412-B6D3-5E19F02F1F37}) (Version: 4.001 - Creative Labs)
Epic Games Launcher Prerequisites (x64) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Escape Goat (HKLM-x32\...\GOGPACKESCAPEGOAT_is1) (Version: 2.0.0.3 - GOG.com)
Escape Goat 2 (HKLM\...\Steam App 255340) (Version:  - MagicalTimeBean)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ETDWare PS/2-X64 10.7.13.1_WHQL (HKLM\...\Elantech) (Version: 10.7.13.1 - ELAN Microelectronic Corp.)
Expand (HKLM\...\Steam App 399780) (Version:  - Chris Johnson)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0002.135 - Rockstar Games Inc.) Hidden
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0003.135 - Rockstar Games Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
HP Deskjet 2050 J510 series Basic Device Software (HKLM\...\{73B1AC18-614F-42CD-A798-4BA214586406}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 2050 J510 series Help (HKLM-x32\...\{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}) (Version: 140.0.61.61 - Hewlett Packard)
Intel® Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{A6C48A9F-694A-4234-B3AA-62590B668927}) (Version: 1.0.0.35342 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.2.1410 - Intel Corporation)
Intel® OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version:  - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2712 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Launcher Prerequisites (x64) (x32 Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Lost Horizon (HKLM-x32\...\Lost Horizon) (Version:  - Animation Arts)
Malwarebytes version 3.0.5.1299 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.5.1299 - Malwarebytes)
Master Spy (HKLM\...\Steam App 331190) (Version:  - TURBOGUN)
Microsoft .NET Compact Framework 2.0 SP1 (HKLM-x32\...\{625386A4-B6B6-4911-A6E8-23189C3F2D15}) (Version: 2.0.6129 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Games for Windows - LIVE (HKLM-x32\...\{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}) (Version: 3.1.186.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}) (Version: 3.1.99.0 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24210 (HKLM-x32\...\{f144e08f-9cbe-4f09-9a8c-f2b858b7ee7f}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM-x32\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Xbox 360 Accessories 1.2 (HKLM\...\{D9C50188-12D5-4D3E-8F00-682346C2AA5F}) (Version: 1.20.146.0 - Microsoft)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Mozilla Firefox 50.1.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-US)) (Version: 50.1.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 50.1.0.6186 - Mozilla)
Nero 8 (HKLM-x32\...\{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}) (Version: 8.0.182 - Nero AG)
Nero MediaHome 4 Essentials (HKLM-x32\...\{b65b6fb1-1bdc-4294-ad85-e53a5fec1889}) (Version:  - Nero AG)
Neverwinter Nights 2 Complete (HKLM-x32\...\GOGPACKNWN2COMPLETE_is1) (Version: 2.1.0.6 - GOG.com)
NVIDIA Graphics Driver 344.75 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 344.75 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{8A809006-C25A-4A3A-9DAB-94659BCDB107}) (Version: 9.10.0224 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
Odallus - The Dark Call (HKLM-x32\...\1435937720_is1) (Version: 2.3.0.4 - GOG.com)
Oniken (HKLM-x32\...\Steam App 252010) (Version:  - JoyMasher)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Quake Live (HKLM-x32\...\Steam App 282440) (Version:  - id Software)
Rapture3D 2.4.11 Game (HKLM-x32\...\{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1) (Version:  - Blue Ripple Sound)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.50.1123.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6608 - Realtek Semiconductor Corp.)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 1.1.7.8 - Rockstar Games)
RogueKiller version 12.9.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.9.1.0 - Adlice Software)
ScummVM 1.7.0 (HKLM-x32\...\ScummVM_is1) (Version:  - The ScummVM Team)
Snakebird (HKLM\...\Steam App 357300) (Version:  - Noumenon Games)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 3.0 - Krzysztof Kowalczyk)
System Requirements Lab CYRI (HKLM-x32\...\{6C8C4577-8E15-4C63-96ED-D40F2072FF74}) (Version: 6.0.19.0 - Husdawg, LLC)
Thief 2: The Metal Age (HKLM-x32\...\Thief 2: The Metal Age_is1) (Version:  - GOG.com)
Unreal Development Kit: 2015-01 (HKLM\...\UDK-7dce4c9e-12b8-476c-9c83-2a773c22f42f) (Version:  - Epic Games, Inc.)
Uplay (HKLM-x32\...\Uplay) (Version: 3.0 - Ubisoft)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.0 - VideoLAN)
WinRAR 5.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version:  - )
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.70.244 - Zemana Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {375C34EC-F26B-4DD5-B04A-821A71D73846} - System32\Tasks\SoundsSystemService => C:\windows\rsdsrv.exe
Task: {8D61CBB4-B2F8-4D45-920A-FC9C076F83E2} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {CBF3F8D5-076A-42CC-81DF-871946ECA93B} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {DBA64D4E-26BA-477C-AFAD-DC08EAD6AC52} - System32\Tasks\Easy Software Manager Agent => C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe [2012-02-27] (Samsung)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe
Task: C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2014-12-17 10:05 - 2014-11-13 02:20 - 00013120 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2014-12-17 10:10 - 2014-11-12 23:56 - 00118080 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-10-04 15:50 - 2012-06-21 10:18 - 00128280 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
2016-12-28 17:57 - 2016-12-28 17:57 - 00152944 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2012-03-26 11:33 - 2012-03-26 11:33 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2016-12-27 17:20 - 2017-01-02 11:17 - 02259232 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-12-27 17:20 - 2017-01-02 11:17 - 02247632 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2016-12-27 17:20 - 2017-01-02 11:17 - 02813904 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\arwlib.dll
2014-12-17 10:05 - 2014-11-13 02:20 - 00010952 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2014-10-04 15:46 - 2012-02-08 10:00 - 00755280 _____ () C:\Program Files (x86)\Samsung\Easy Software Manager\SWMFuncDLL.dll
2007-03-13 11:28 - 2007-03-13 11:28 - 00823296 _____ () C:\Program Files (x86)\Common Files\Nero\Lib\log4cxx.dll
2014-10-04 15:50 - 2012-02-07 11:39 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-139745227-2284625060-2539193485-1000\...\hola.org -> hxxp://hola.org

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2016-12-27 16:49 - 00001006 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-139745227-2284625060-2539193485-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{02A2EE4E-3881-42E0-A6C1-DBF793CC070B}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{05DA2C95-7B2D-4AD2-A39B-9947C3065931}] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{CF805753-3B6B-46D3-898A-2B855DC6927A}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [{5EF22086-F982-42D4-BCCC-0262C460F7A5}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [{96BA98F1-FCD1-4A22-B59B-12662D7079C8}] => C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{086CAB11-3FFC-4E98-BCBC-B7022E5870D6}] => C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{6B8C75C6-B09B-459C-8176-78C53FB08027}] => C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{85BF109C-1CBC-4A5B-9263-E773B445DD42}] => C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{13C1FD73-50DE-472B-840A-3A7065442B55}] => C:\Users\Alex\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BBA917B2-FA6D-4D4B-B5E4-59200AD471F0}] => C:\Users\Alex\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{82BFFD3C-6321-4851-ACB3-16E19790662F}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [UDP Query User{D7A665A1-0598-4235-BC62-F9E61FCF974D}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [TCP Query User{C167CA27-333C-4654-BC75-8DD2E7C6D5C0}C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe
FirewallRules: [UDP Query User{1DDD4408-5AF9-4B06-B83F-79F194F5188C}C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe
FirewallRules: [{07C519EC-719D-4FDE-931C-D68DC28A4A32}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [{F5CF10E0-ED59-4D9F-8D15-8DA5CB3B190B}] => C:\ProgramData\Battle.net\Agent\Agent.3427\Agent.exe
FirewallRules: [TCP Query User{C8E68BE1-EBC0-44A3-8C6A-B7D66BAB781B}C:\program files (x86)\hearthstone\hearthstone.exe] => C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [UDP Query User{35C8F5B1-CF97-481D-AC03-71B83DD823D8}C:\program files (x86)\hearthstone\hearthstone.exe] => C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [TCP Query User{DB708BB5-687D-4C06-8698-059A10F9033E}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [UDP Query User{FCF30968-5467-4103-8F74-ACF151322BC7}C:\users\alex\appdata\local\id software\quakelive\quakelive.exe] => C:\users\alex\appdata\local\id software\quakelive\quakelive.exe
FirewallRules: [TCP Query User{45CD37BD-4E6C-421A-A3AF-A0EB549E2948}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [UDP Query User{917372D2-DDFA-4B89-8458-51C529D9AAAA}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [{80E7DBAD-8587-4705-A2C4-5F4567DF5DD3}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [{D66B072B-5535-4A9D-B8C3-9C4BEB30B91B}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [TCP Query User{698C8A9D-B7CD-4E28-8033-3E92C892C492}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [UDP Query User{F5DE9143-12F1-4B83-81C6-8A0562D1FFA6}C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe] => C:\program files (x86)\wolfenstein the new order\wolfneworder_x64.exe
FirewallRules: [{06E4BDE8-0D4B-4344-A19B-0CC65C7BDC7A}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [{38F04E03-476A-426D-8B81-A564A151AD22}] => C:\ProgramData\Battle.net\Agent\Agent.3454\Agent.exe
FirewallRules: [{A4F9A5F3-3144-4407-9F39-EBCA11D8BAEC}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{C602E3F6-CAD7-4DB8-830E-4FB97D78C006}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{7C919915-5AAB-4A02-9CE1-D6639BCB1D3C}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{5D90AE03-10E3-4DFE-94DB-EDC321840985}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{27A6E520-F510-4841-AE97-932F687BAAF0}] => C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{BC50901D-A776-4AA2-B74E-C5D488836D1C}] => C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{61ACE77C-501A-4C7D-9F10-52514A33E34D}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{103B2E22-C12E-40F0-B3FF-5141DA02B8B6}] => C:\ProgramData\Battle.net\Agent\Agent.3478\Agent.exe
FirewallRules: [{7274972C-EA8D-4FAC-B23C-7C56A475FC7E}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{ED22699D-EEF1-4F15-868F-18CC5D5AA68F}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{6837CD8A-17D7-4BCE-B986-A0FF6CA35770}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{9E3018B5-CE0E-462C-8B72-3C8E316879D8}] => C:\ProgramData\Battle.net\Agent\Agent.3507\Agent.exe
FirewallRules: [{B296DEFD-8F00-4DE0-AB7B-DB6FF1CFAA14}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{3FB8BEB0-51C5-4AFC-B6F8-F197C12D4507}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{B57A9476-74E0-46E7-AFBC-BAE17015326F}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{D6D92956-4F98-4CC3-ACF8-92D5BC8E91A4}] => C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{497E0128-41B9-44C7-A7B3-E54B647347EC}] => C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\USBSetup.exe
FirewallRules: [{86343E7A-ADDC-45FE-A040-177A4E7389F4}] => C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe
FirewallRules: [{72F99E6E-0FE5-43BB-8A26-FE6416467CAE}] => C:\ProgramData\Battle.net\Agent\Agent.3632\Agent.exe
FirewallRules: [{2285FCE0-A605-45C7-97AE-10CEB9268977}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{BB3CEF4B-DB06-404E-BA1B-2EA42EC2A967}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{787F333B-1C4E-4432-8003-7F6673DB45A1}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{7E9E0AFE-37C7-4002-8AD7-C48E4AD946A8}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{F4B4C29E-9BA5-44B9-BAA3-2C7FDE0B4DEA}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{709C6462-4A05-49AE-AA0F-3BEFDF4880BA}] => C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{D4478C8B-0E80-4616-A4BC-9AD1630E8283}] => C:\GOG Games\Stacking\stack.exe
FirewallRules: [TCP Query User{0D1165FE-B8F7-4C31-87DC-935240022F86}D:\downloads\quake3\quake3.exe] => D:\downloads\quake3\quake3.exe
FirewallRules: [UDP Query User{5C6A0AB3-E9FA-4BA3-800C-69EB790C6A48}D:\downloads\quake3\quake3.exe] => D:\downloads\quake3\quake3.exe
FirewallRules: [TCP Query User{903B2BCB-AF2A-440D-828C-4344811DE376}C:\program files (x86)\counter strike pro\hl.exe] => C:\program files (x86)\counter strike pro\hl.exe
FirewallRules: [UDP Query User{3CED8B4D-175E-4B1F-B935-EDBBDCA823C9}C:\program files (x86)\counter strike pro\hl.exe] => C:\program files (x86)\counter strike pro\hl.exe
FirewallRules: [{0920347A-F208-4CA3-A170-F28953EC6C72}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{A0BE2381-E9DE-4B6D-95B7-BFE5E6994AB6}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{DD485D39-C768-43DD-A8EE-0717DBC2049A}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{92C9A074-85D7-4080-9755-89AA83E31C9F}] => C:\ProgramData\Battle.net\Agent\Agent.3669\Agent.exe
FirewallRules: [{CE9C09D8-A53C-49F5-A712-8E538246BB6F}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{E5018AA5-8723-4CC8-BC5D-3A273AD6F86A}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{8EE88042-39C3-4502-A057-EEB0AD3D6F58}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{5EDE8515-8AF3-4192-A0A2-9E2882610C91}] => C:\ProgramData\Battle.net\Agent\Agent.3688\Agent.exe
FirewallRules: [{9EBB3175-D9D3-42C6-8461-FD567C62B0EA}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5F11150C-5A8C-4964-A91C-B0119057558D}] => C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe
FirewallRules: [{941027A9-36EE-42BA-B222-67124F660F62}] => C:\ProgramData\Battle.net\Agent\Agent.3689\Agent.exe
FirewallRules: [TCP Query User{B67C9907-3917-4465-B468-5E1147964D24}C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe] => C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe
FirewallRules: [UDP Query User{8997F599-30CB-4E1E-AAC2-1A97AAB660BD}C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe] => C:\program files (x86)\might and magic x legacy\might and magic x legacy.exe
FirewallRules: [{B1DC75E0-C770-4D7B-82AC-CC4011284A42}] => C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe
FirewallRules: [{74110D87-1D85-47CD-B031-40C6B02CD3B3}] => C:\ProgramData\Battle.net\Agent\Agent.3715\Agent.exe
FirewallRules: [TCP Query User{94ADD653-AB77-44A3-8EB6-FD03931513BD}C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe] => C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe
FirewallRules: [UDP Query User{B9D55E1B-A3DA-4976-915C-9794679F7F34}C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe] => C:\program files (x86)\nero\nero8\nero mediahome\nmmediaserver.exe
FirewallRules: [{338E81FF-0BCA-4C09-BB68-F8E4DBA43D91}] => C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
FirewallRules: [{48A34691-2E4E-402A-A53E-3CF62D88EE52}] => C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
FirewallRules: [TCP Query User{FD96C08A-3CCF-42A0-9E50-024CF55EA199}C:\programdata\battle.net\agent\agent.3715\agent.exe] => C:\programdata\battle.net\agent\agent.3715\agent.exe
FirewallRules: [UDP Query User{744E3A9B-54D8-4FB7-8BEB-01681C850EDF}C:\programdata\battle.net\agent\agent.3715\agent.exe] => C:\programdata\battle.net\agent\agent.3715\agent.exe
FirewallRules: [TCP Query User{7F5C68D7-1B4B-4D7A-ADE7-B0ED40ACA0B7}C:\program files\fox\no one lives forever\nolfserv.exe] => C:\program files\fox\no one lives forever\nolfserv.exe
FirewallRules: [UDP Query User{B736D539-754C-4095-93EE-FA043B3E92DB}C:\program files\fox\no one lives forever\nolfserv.exe] => C:\program files\fox\no one lives forever\nolfserv.exe
FirewallRules: [TCP Query User{63EFBAB6-E1E5-4CEA-8E83-713A3BC90556}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{E9F3FA62-36E7-4C37-9CB8-256E66F6ED6F}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{16150232-B68F-430D-8F35-C5D157093962}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [UDP Query User{F1EC0CE4-2FAA-4CD1-9EC2-18A2EBC3762F}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [TCP Query User{33B5DBA8-1FA2-4074-926E-2FF63D24E2A2}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [UDP Query User{96A30D0D-9A85-4A78-BC27-2AD7FE88D8B9}C:\program files (x86)\gog.com\xiii\system\xiii.exe] => C:\program files (x86)\gog.com\xiii\system\xiii.exe
FirewallRules: [{7AEF8269-45AB-4EA8-9F5D-B1A718875E33}] => C:\Program Files (x86)\Rockstar Games\EFLC\LaunchEFLC.exe
FirewallRules: [{CEB91767-B874-49A1-9802-AA339AD1B014}] => C:\Program Files (x86)\Rockstar Games\EFLC\LaunchEFLC.exe
FirewallRules: [TCP Query User{AEAEE0EB-5757-4996-94C3-524EB5827AFD}C:\program files (x86)\rockstar games\eflc\eflc.exe] => C:\program files (x86)\rockstar games\eflc\eflc.exe
FirewallRules: [UDP Query User{271C56A7-8794-4954-B2A7-E547271159D7}C:\program files (x86)\rockstar games\eflc\eflc.exe] => C:\program files (x86)\rockstar games\eflc\eflc.exe
FirewallRules: [TCP Query User{C62C61A5-75C1-4170-AF2C-FC1B42316CC4}C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe] => C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe
FirewallRules: [UDP Query User{44C4119C-827B-42F5-B87A-5820E05CD510}C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe] => C:\program files (x86)\thq\saints row the third\saintsrowthethird_dx11.exe
FirewallRules: [{03B4BEAC-C7B3-4EFF-B267-AD2BC54F079E}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
FirewallRules: [{56E74837-DC92-4F46-BA3D-A9A43FAE7CC5}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
FirewallRules: [TCP Query User{C773E41B-AA29-4EB9-91E7-924BDFEAB535}C:\gog games\the rise of the triad\binaries\win32\rott.exe] => C:\gog games\the rise of the triad\binaries\win32\rott.exe
FirewallRules: [UDP Query User{55E5D707-296A-45C6-850A-D95159AC8A2A}C:\gog games\the rise of the triad\binaries\win32\rott.exe] => C:\gog games\the rise of the triad\binaries\win32\rott.exe
FirewallRules: [{411A2ADF-D1A4-4D63-8BE6-B38E5C9E3297}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{3B78FD9E-4E70-41A5-80A9-DCD0A07C8D65}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{9DE5AE39-F99A-43A2-AB58-B059334AD3D2}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{B9BABF32-53CA-48F2-BF11-9B99E476AB98}] => C:\GOG Games\The Rise of the Triad\Binaries\ROTTLauncher.exe
FirewallRules: [{D8EB163C-D53D-45EB-871C-CEE5EB81F400}] => C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{D802D0E7-2A01-431A-8C99-CBB9C09588D6}] => C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{B62B7088-1573-4353-A324-FE5442F0BE0A}] => C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{D7A43650-7B35-4EB9-B3DE-4BBD2202BF6A}] => C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [TCP Query User{E5F492DC-2255-48FB-BD55-8DD9C009AE8C}C:\program files (x86)\saints row iv\saintsrowiv.exe] => C:\program files (x86)\saints row iv\saintsrowiv.exe
FirewallRules: [UDP Query User{D9F68E8F-32D4-430C-95A1-2883364FD1DC}C:\program files (x86)\saints row iv\saintsrowiv.exe] => C:\program files (x86)\saints row iv\saintsrowiv.exe
FirewallRules: [TCP Query User{822CE36E-743F-47E3-B77D-2441BDD7A19B}C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe] => C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe
FirewallRules: [UDP Query User{12219DA7-4556-494F-B631-3620C6AF2FEA}C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe] => C:\program files (x86)\electronic arts\crytek\crysis 2\bin32\crysis2.exe
FirewallRules: [TCP Query User{401D12B6-24A2-45C4-9828-A7745E38787D}C:\program files (x86)\double dragon neon\bin\doubledragon.exe] => C:\program files (x86)\double dragon neon\bin\doubledragon.exe
FirewallRules: [UDP Query User{46A6A0BC-D8E9-46F5-98D1-C39BBADFC871}C:\program files (x86)\double dragon neon\bin\doubledragon.exe] => C:\program files (x86)\double dragon neon\bin\doubledragon.exe
FirewallRules: [TCP Query User{FC6D73B2-AE18-4F99-A2AB-959EB7B5EFA0}C:\program files (x86)\dishonored\binaries\win32\dishonored.exe] => C:\program files (x86)\dishonored\binaries\win32\dishonored.exe
FirewallRules: [UDP Query User{1893CB8C-7F87-473C-B9E6-1F1284CF92C6}C:\program files (x86)\dishonored\binaries\win32\dishonored.exe] => C:\program files (x86)\dishonored\binaries\win32\dishonored.exe
FirewallRules: [TCP Query User{DE124580-A054-4936-8C5D-118F726F5A68}C:\gog games\super time force ultra\stf_win32.exe] => C:\gog games\super time force ultra\stf_win32.exe
FirewallRules: [UDP Query User{8438F1C3-1DC1-4ED8-92DA-80B646668EDA}C:\gog games\super time force ultra\stf_win32.exe] => C:\gog games\super time force ultra\stf_win32.exe
FirewallRules: [TCP Query User{B4BB49A0-DB6F-49E0-9ECB-6B66AD248B43}C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe] => C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe
FirewallRules: [UDP Query User{03092A0F-008D-4BCD-81D9-33B264318BFF}C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe] => C:\gog games\rise of the triad (2013)\binaries\win64\rott.exe
FirewallRules: [TCP Query User{108C8E02-9FAD-45C8-B6A1-20E77B2451DD}C:\program files (x86)\activision\call of duty - black ops\blackops.exe] => C:\program files (x86)\activision\call of duty - black ops\blackops.exe
FirewallRules: [UDP Query User{CDACE3E1-764A-49AB-948E-442FC389939C}C:\program files (x86)\activision\call of duty - black ops\blackops.exe] => C:\program files (x86)\activision\call of duty - black ops\blackops.exe
FirewallRules: [TCP Query User{BFA2F76C-E5BE-4FAA-ABF3-527B062F34E5}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [UDP Query User{DAE66FEE-7E8C-489F-820F-878DC4664C9C}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [TCP Query User{D9829DC7-3352-4842-9F6B-59A8791480D3}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [UDP Query User{1CB5F277-2D4F-4C03-A888-051EA6F866E4}C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe] => C:\program files (x86)\gog.com\unreal tournament goty\system\unrealtournament.exe
FirewallRules: [TCP Query User{6A1B0730-17E0-4FB9-A3A8-9378155B3EB3}C:\gog games\warsow\warsow.exe] => C:\gog games\warsow\warsow.exe
FirewallRules: [UDP Query User{9AB9FEE8-7525-4426-A09A-E83DB71070F1}C:\gog games\warsow\warsow.exe] => C:\gog games\warsow\warsow.exe
FirewallRules: [TCP Query User{8777973E-F74C-4577-9A81-0741CA941D8D}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe] => C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [UDP Query User{A08696BD-1F02-4CB9-B47E-075393AD35C9}C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe] => C:\users\alex\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [TCP Query User{CF86CAE0-F30A-402A-AF54-BF668CBAA578}C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe] => C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{48050E04-60E3-4CB6-9CCE-F20BA1517E17}C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe] => C:\program files (x86)\heroes of the storm\versions\base35702\heroesofthestorm_x64.exe
FirewallRules: [{3D1AE4C1-599A-4045-BDD3-D1A2875747A6}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos.exe
FirewallRules: [{93D8224F-09BE-4BAD-9130-551426364AD7}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos.exe
FirewallRules: [{D55669B2-1D99-4681-ADA0-FAA7C3C162D8}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos_Unrestricted.exe
FirewallRules: [{4C42317A-8379-4D2E-B1A5-E6C5A19EA0E4}] => C:\Program Files (x86)\Steam\SteamApps\common\The Talos Principle\Bin\Talos_Unrestricted.exe
FirewallRules: [TCP Query User{F538B5FA-D818-47B8-8763-120C64B89B68}C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe
FirewallRules: [UDP Query User{438645F2-FFBD-480A-9B11-74A07E1621D5}C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.3_40298.exe
FirewallRules: [TCP Query User{9BC5B26F-7644-4C93-A239-07B53CCE66ED}C:\gog games\shadowrun returns\shadowrun.exe] => C:\gog games\shadowrun returns\shadowrun.exe
FirewallRules: [UDP Query User{ACD779B0-9F1F-422E-8F92-82A97A8A7B49}C:\gog games\shadowrun returns\shadowrun.exe] => C:\gog games\shadowrun returns\shadowrun.exe
FirewallRules: [TCP Query User{803588B6-718B-467A-9183-248DBE2A0FF2}C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe] => C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe
FirewallRules: [UDP Query User{FB4949EA-246F-473F-B365-604FE3D27BD1}C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe] => C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe
FirewallRules: [{312874E2-E1BD-4B57-B4BA-EB32A066E5E7}] => C:\Program Files (x86)\Electronic Arts\Battlefield Bad Company 2\BFBC2Updater.exe
FirewallRules: [{8B033EED-AF00-47B6-9991-F8149F3E1063}] => C:\Program Files (x86)\Electronic Arts\Battlefield Bad Company 2\BFBC2Updater.exe
FirewallRules: [TCP Query User{F09528EB-DA9D-482F-8D2E-B77E34375D6E}C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe] => C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe
FirewallRules: [UDP Query User{02A9AEE4-16D0-4891-A48E-4419304D1B8E}C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe] => C:\program files\epic games\unrealtournamentdev\engine\binaries\win64\ue4-win64-test.exe
FirewallRules: [{65C71C70-7A4B-48FE-B1DC-D6227F227A2B}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{02397B2E-3B12-43B8-8C74-8758EA7E03C8}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{5E48B757-7CE2-4904-8429-3D1F680BA314}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [UDP Query User{B63A66BD-CBA9-4759-8994-60E7652941B6}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [TCP Query User{AA407032-E52C-4028-908A-4ED315C90A59}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [UDP Query User{CF1AB386-13FB-4D81-AE26-F1937F116200}C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe] => C:\program files (x86)\2k games\xcom - enemy unknown\binaries\win32\xcomgame.exe
FirewallRules: [{6EA6A2FF-1F56-4CDB-9AA2-981508178A8F}] => C:\Program Files (x86)\Steam\SteamApps\common\Quake Live\quakelive_steam.exe
FirewallRules: [{E4B8B4C9-7957-43C7-B357-E2E82D1BE599}] => C:\Program Files (x86)\Steam\SteamApps\common\Quake Live\quakelive_steam.exe
FirewallRules: [TCP Query User{D21BE33E-5CEB-47FB-9C35-549C4F623179}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [UDP Query User{3C8B72BB-6A9E-4C17-B444-EA7A56C31667}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [{C3B76347-27EB-433E-9C05-070AB622B8D9}] => C:\Program Files (x86)\Steam\SteamApps\common\Oniken\Oniken.exe
FirewallRules: [{6AB90514-4C75-4F2C-B260-633E69D212D9}] => C:\Program Files (x86)\Steam\SteamApps\common\Oniken\Oniken.exe
FirewallRules: [TCP Query User{662206FC-86C9-4121-A9EA-5D3450FF0486}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [UDP Query User{FDDF7C78-947F-4388-A2A1-CF64C5988B9F}C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe] => C:\program files\epic games\shadowcomplexremastered\binaries\win32\shadowcomplex-win32-egl.exe
FirewallRules: [TCP Query User{2D1E4BB1-794D-4581-8CC9-4B9C4809E9FD}C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe
FirewallRules: [UDP Query User{72916D0F-FA4C-4C75-A43F-CCA5041B7383}C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe] => C:\users\alex\appdata\roaming\utorrent\updates\3.4.5_41372.exe
FirewallRules: [TCP Query User{2F3F2B89-A7DE-4BF0-B1D3-DEE5A394DF93}C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe] => C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe
FirewallRules: [UDP Query User{D86B2970-16F4-48FD-B517-A9C0AD5DDBD5}C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe] => C:\program files (x86)\the vanishing of ethan carter redux\ethancarter\binaries\win64\ethancarter-win64-shipping.exe
FirewallRules: [{DAA0DB05-C81E-4610-96FF-FF136DCD24EA}] => C:\Program Files (x86)\Steam\SteamApps\common\rocketleague\Binaries\Win32\RocketLeague.exe
FirewallRules: [{D3714FD3-B1AE-4251-A9B3-E133C0D8E422}] => C:\Program Files (x86)\Steam\SteamApps\common\rocketleague\Binaries\Win32\RocketLeague.exe
FirewallRules: [TCP Query User{38CB6B56-1993-4BAD-A4BC-A8BB06C26BF9}C:\program files (x86)\overwatch\overwatch.exe] => C:\program files (x86)\overwatch\overwatch.exe
FirewallRules: [UDP Query User{E62A31BA-F624-4165-ABAB-6D8E3EA6D8E7}C:\program files (x86)\overwatch\overwatch.exe] => C:\program files (x86)\overwatch\overwatch.exe
FirewallRules: [{7997A107-095E-46CD-95B8-E2381FB186C7}] => C:\Program Files (x86)\Steam\SteamApps\common\Escape Goat 2\EscapeGoat2.exe
FirewallRules: [{1FE6EF57-8C70-471B-AEFF-F374572496F9}] => C:\Program Files (x86)\Steam\SteamApps\common\Escape Goat 2\EscapeGoat2.exe
FirewallRules: [{9FB6AFDE-7F05-4153-8EC7-40DCEDA41AA2}] => C:\Program Files (x86)\Steam\SteamApps\common\Master Spy\MasterSpy.exe
FirewallRules: [{77285005-0E93-4F65-A3B0-3DC68C75BFE8}] => C:\Program Files (x86)\Steam\SteamApps\common\Master Spy\MasterSpy.exe
FirewallRules: [TCP Query User{8DBCC493-EC64-4C5E-B7AD-7B15280F4FA9}C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe] => C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe
FirewallRules: [UDP Query User{799ABB68-FEF4-4B2C-A62D-B70178E238FE}C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe] => C:\program files (x86)\steam\steamapps\common\consortium\consortium.exe
FirewallRules: [TCP Query User{F29DC2C4-2979-4915-96C6-B66DFAB82611}C:\program files (x86)\gog.com\unreal gold\system\unreal.exe] => C:\program files (x86)\gog.com\unreal gold\system\unreal.exe
FirewallRules: [UDP Query User{72E14C88-50D7-45D8-B440-7DD0ED1F8FCD}C:\program files (x86)\gog.com\unreal gold\system\unreal.exe] => C:\program files (x86)\gog.com\unreal gold\system\unreal.exe
FirewallRules: [{DB6C824D-9456-4F5B-9DAB-D276960F91B9}] => C:\Program Files (x86)\Steam\SteamApps\common\Snakebird\Snakebird.exe
FirewallRules: [{C7A5E3DD-B73F-49B4-B06B-9A678E3BD161}] => C:\Program Files (x86)\Steam\SteamApps\common\Snakebird\Snakebird.exe
FirewallRules: [{9AC2948E-983D-47FB-B934-64D9F9946E60}] => C:\Program Files (x86)\Steam\SteamApps\common\Bleed\Bleed.exe
FirewallRules: [{E4CD90EC-C44F-43B8-966C-F43CE6AA65C7}] => C:\Program Files (x86)\Steam\SteamApps\common\Bleed\Bleed.exe
FirewallRules: [TCP Query User{5CB9B892-7064-46E1-A98D-4E560CC5CC71}C:\users\alex\desktop\toybox\toybox64.exe] => C:\users\alex\desktop\toybox\toybox64.exe
FirewallRules: [UDP Query User{8AC9902C-DBCC-463E-A790-56B9FD973FCF}C:\users\alex\desktop\toybox\toybox64.exe] => C:\users\alex\desktop\toybox\toybox64.exe
FirewallRules: [TCP Query User{EE12A618-EFAB-46D6-9E0F-162490C13D1B}C:\program files (x86)\id software\quake 4\quake4.exe] => C:\program files (x86)\id software\quake 4\quake4.exe
FirewallRules: [UDP Query User{ABFC0704-A078-4F59-BF3F-290A7E6C4B19}C:\program files (x86)\id software\quake 4\quake4.exe] => C:\program files (x86)\id software\quake 4\quake4.exe
FirewallRules: [TCP Query User{E6EA501C-4FB9-48E2-8A2A-5076E3628FB6}C:\program files (x86)\id software\quake 4\quake4ded.exe] => C:\program files (x86)\id software\quake 4\quake4ded.exe
FirewallRules: [UDP Query User{9FC44D23-F263-4846-9BD3-A5B5A8C5D3A9}C:\program files (x86)\id software\quake 4\quake4ded.exe] => C:\program files (x86)\id software\quake 4\quake4ded.exe
FirewallRules: [TCP Query User{E070DE1B-8296-4729-A900-0CC78A71FA1D}C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe
FirewallRules: [UDP Query User{6315DF07-1D18-48D0-A52F-B3D90D7CEF40}C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe] => C:\program files (x86)\ubisoft\tom clancy's splinter cell chaos theory\system\splintercell3.exe
FirewallRules: [{9296F4D6-713E-440E-A4FD-F18720FA2E32}] => C:\Program Files (x86)\Steam\SteamApps\common\CastlevaniaLoS_Demo\bin\DemoCastlevaniaLoSUE.exe
FirewallRules: [{2979AFC9-E716-4220-92C7-490E21CC74EE}] => C:\Program Files (x86)\Steam\SteamApps\common\CastlevaniaLoS_Demo\bin\DemoCastlevaniaLoSUE.exe
FirewallRules: [TCP Query User{888405F5-16CE-49E9-A81F-0CDD4CB32728}C:\gog games\blade of darkness\bin\blade.exe] => C:\gog games\blade of darkness\bin\blade.exe
FirewallRules: [UDP Query User{B0EB281F-D810-4457-84D4-345BB7896C30}C:\gog games\blade of darkness\bin\blade.exe] => C:\gog games\blade of darkness\bin\blade.exe
FirewallRules: [{744F52EA-A494-41F6-A8F6-6A3C01E0C83D}] => C:\Program Files (x86)\Steam\SteamApps\common\Expand\expand.exe
FirewallRules: [{458DA4FA-B814-4B25-9734-50F190D97F40}] => C:\Program Files (x86)\Steam\SteamApps\common\Expand\expand.exe
FirewallRules: [TCP Query User{CA4727ED-5796-4776-A55A-6E8F69C12FD3}C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe] => C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe
FirewallRules: [UDP Query User{1F3A2B13-46A2-40AB-ADD4-F9DB2E01E2F4}C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe] => C:\program files (x86)\steam\steamapps\common\unbox demo\boxjumpdemo\binaries\win64\boxjumpdemo-win64-shipping.exe
FirewallRules: [TCP Query User{0C610AA5-FA55-4BCC-9891-2369B0E5BF09}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe] => C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
FirewallRules: [UDP Query User{21ADB2E7-977E-4A36-B95E-4A6737CB9E01}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe] => C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
FirewallRules: [TCP Query User{43E5BEF7-F781-4E0F-BADC-0F5C5F249EF5}C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe] => C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe
FirewallRules: [UDP Query User{DF84BD07-4C4E-4D32-93EC-C50ED294CEA0}C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe] => C:\program files (x86)\gog galaxy\games\warsow\warsow_x64.exe
FirewallRules: [TCP Query User{067B2AF4-6C66-4EE0-AD96-8ABC674BD649}C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe] => C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe
FirewallRules: [UDP Query User{F8B4E364-5B14-49FD-890E-A29933F37050}C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe] => C:\program files\we happy few\glimpsegame\binaries\win64\glimpsegame.exe
FirewallRules: [{4C9ECA39-DC5B-48EC-869A-59C97E6FCD2F}] => C:\Program Files (x86)\Steam\SteamApps\common\Magic Duels\MagicDuels.exe
FirewallRules: [{FBDABDCC-130F-4850-B155-8A23B0A15DDB}] => C:\Program Files (x86)\Steam\SteamApps\common\Magic Duels\MagicDuels.exe
FirewallRules: [{03327A80-862D-41FD-836E-D4BB4F4E715A}] => C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{4EAF9DCF-0068-49C7-9CA6-BC58B8EA768D}] => C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{B82C808A-EDD2-4BBD-B276-B5E429BECBEB}] => C:\Program Files (x86)\Maoha\MaohaAP\MaohaWifiSvr.exe
FirewallRules: [{F32EDB33-D5DA-4775-B641-856696B06728}] => C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{0A26EB5E-B113-4B1C-BC06-63CBE5F2ABD0}] => C:\Program Files (x86)\Steam\SteamApps\common\TOXIKK\Binaries\ToxikkLauncher.exe
FirewallRules: [{0048067A-FA3F-4B54-849B-D414A4B87573}] => C:\Program Files (x86)\Steam\SteamApps\common\TOXIKK\Binaries\ToxikkLauncher.exe

==================== Restore Points =========================

20-12-2016 17:57:26 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610
20-12-2016 17:59:00 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610
27-12-2016 18:20:00 JRT Pre-Junkware Removal
27-12-2016 20:26:32 Checkpoint by HitmanPro
27-12-2016 20:28:11 Checkpoint by HitmanPro
28-12-2016 07:27:05 Checkpoint by HitmanPro
01-01-2017 09:44:56 Removed Alpha Protocol
01-01-2017 09:46:46 Removed Tom Clancy's Splinter Cell Double Agent
01-01-2017 10:04:09 Restore Point Created by FRST
03-01-2017 09:59:44 Restore Point Created by FRST
03-01-2017 21:01:21 zoek.exe restore point

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/04/2017 07:01:18 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (01/04/2017 07:01:12 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/03/2017 09:47:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/03/2017 09:45:37 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (01/03/2017 10:08:08 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/03/2017 10:06:42 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (01/03/2017 09:59:38 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {3ff8ef6f-dd96-4b86-8758-200b8b4a79cc}

Error: (01/03/2017 08:53:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/03/2017 08:52:10 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (01/03/2017 06:57:56 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.


System errors:
=============
Error: (01/04/2017 06:59:41 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
VBoxNetAdp

Error: (01/04/2017 06:59:34 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Drip Latlab service failed to start due to the following error:
The system cannot find the file specified.

Error: (01/04/2017 06:59:30 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Game Protection Service service terminated with the following error:
The specified module could not be found.

Error: (01/03/2017 09:45:54 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
VBoxNetAdp

Error: (01/03/2017 09:45:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Drip Latlab service failed to start due to the following error:
The system cannot find the file specified.

Error: (01/03/2017 09:45:36 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Game Protection Service service terminated with the following error:
The specified module could not be found.

Error: (01/03/2017 09:20:16 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (01/03/2017 09:20:15 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (01/03/2017 09:20:15 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (01/03/2017 09:20:15 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.


==================== Memory info ===========================

Processor: Intel® Core™ i3-3110M CPU @ 2.40GHz
Percentage of memory in use: 40%
Total physical RAM: 3877.54 MB
Available physical RAM: 2293.56 MB
Total Virtual: 7753.27 MB
Available Virtual: 6051.6 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:488.18 GB) (Free:338.08 GB) NTFS
Drive d: (Backup) (Fixed) (Total:195.31 GB) (Free:163.05 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: A33B6C03)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=488.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=195.3 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,789 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:03:32 AM

Posted 04 January 2017 - 04:39 PM

Greetings,

Let's see if we can get through a FRST fix. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-18\...\Run: [360wp-srv] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe [1636264 2016-12-09] (360.cn)
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi
SearchScopes: HKU\S-1-5-21-139745227-2284625060-2539193485-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: (Rename command invocation) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{81005532-A277-0574-A3A9-44D6D7619194} [2016-12-27] [not signed]
FF Plugin HKU\S-1-5-21-139745227-2284625060-2539193485-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Alex\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]
S2 GmSvc; C:\Program Files (x86)\LDSGameCenter\GmSvc.dll [X]
S2 upuste; C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe prodrco upuste [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
NETSVCx32: HpSvc -> no filepath.
NETSVCx32: GmSvc -> C:\Program Files (x86)\LDSGameCenter\GmSvc.dll ==> No File
2017-01-03 10:07 - 2017-01-04 07:03 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Ludashi
2017-01-03 10:07 - 2017-01-03 10:08 - 00000000 ____D C:\Users\Alex\AppData\Roaming\lockhomepage
2016-12-26 17:49 - 2016-12-30 15:53 - 00000000 ____D C:\Program Files\The Little Acre
2016-12-26 17:49 - 2016-12-26 17:49 - 00003326 _____ C:\Windows\System32\Tasks\SoundsSystemService
2016-12-27 16:50 - 2016-12-27 16:50 - 00000004 _____ C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
Task: {375C34EC-F26B-4DD5-B04A-821A71D73846} - System32\Tasks\SoundsSystemService => C:\windows\rsdsrv.exe
C:\windows\rsdsrv.exe
FirewallRules: [{03B4BEAC-C7B3-4EFF-B267-AD2BC54F079E}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
FirewallRules: [{56E74837-DC92-4F46-BA3D-A9A43FAE7CC5}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC???
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\LDSGameAssistant
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\360wp
C:\Windows\SysNative\config\systemprofile\AppData\Roaming\LDSGameAssistant
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\app
C:\Windows\SysNative\config\systemprofile\AppData\Local\Mathtam.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Programs
C:\Windows\SysNative\config\systemprofile\AppData\Roaming\gplyra
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Luwosplersock
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Profiles
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Tuzersppazot
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\PlusSanit.tst
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\md.xml
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Main.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\noah.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\agent.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Config.xml
C:\Windows\SysNative\config\systemprofile\AppData\Roaming\NUIns
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Installer.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\InstallationConfiguration.xml
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 DesperateMeasures

DesperateMeasures
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 05 January 2017 - 01:56 AM

So I ran the fix, no problems encountered, rebooted, went to check users/appdata/roaming, and the Ludashi folder is finally gone! The last time this happened was when some malware cleaning tool "deleted" it the previous week, but it appeared again like 10 seconds after logging into Windows. The computer's been active for about 15 minutes so far and there is no sign of the problem reappearing, which is great.

Here's the fixlog, and I'm waiting for further instructions.

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by Alex (05-01-2017 08:38:56) Run:5
Running from C:\Users\Alex\Desktop
Loaded Profiles: Alex & NeroMediaHomeUser.4 (Available Profiles: Alex & NeroMediaHomeUser.4)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-18\...\Run: [360wp-srv] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi\360wpsrv.exe [1636264 2016-12-09] (360.cn)
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi
SearchScopes: HKU\S-1-5-21-139745227-2284625060-2539193485-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: (Rename command invocation) - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{81005532-A277-0574-A3A9-44D6D7619194} [2016-12-27] [not signed]
FF Plugin HKU\S-1-5-21-139745227-2284625060-2539193485-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Alex\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]
S2 GmSvc; C:\Program Files (x86)\LDSGameCenter\GmSvc.dll [X]
S2 upuste; C:\Windows\system32\config\systemprofile\AppData\Local\Mathtam.exe prodrco upuste [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
NETSVCx32: HpSvc -> no filepath.
NETSVCx32: GmSvc -> C:\Program Files (x86)\LDSGameCenter\GmSvc.dll ==> No File
2017-01-03 10:07 - 2017-01-04 07:03 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Ludashi
2017-01-03 10:07 - 2017-01-03 10:08 - 00000000 ____D C:\Users\Alex\AppData\Roaming\lockhomepage
2016-12-26 17:49 - 2016-12-30 15:53 - 00000000 ____D C:\Program Files\The Little Acre
2016-12-26 17:49 - 2016-12-26 17:49 - 00003326 _____ C:\Windows\System32\Tasks\SoundsSystemService
2016-12-27 16:50 - 2016-12-27 16:50 - 00000004 _____ C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
Task: {375C34EC-F26B-4DD5-B04A-821A71D73846} - System32\Tasks\SoundsSystemService => C:\windows\rsdsrv.exe
C:\windows\rsdsrv.exe
FirewallRules: [{03B4BEAC-C7B3-4EFF-B267-AD2BC54F079E}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
FirewallRules: [{56E74837-DC92-4F46-BA3D-A9A43FAE7CC5}] => C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp\CnetInstaller-10263702.exe
C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC???
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\LDSGameAssistant
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\360wp
C:\Windows\SysNative\config\systemprofile\AppData\Roaming\LDSGameAssistant
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\app
C:\Windows\SysNative\config\systemprofile\AppData\Local\Mathtam.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Programs
C:\Windows\SysNative\config\systemprofile\AppData\Roaming\gplyra
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Luwosplersock
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Profiles
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Tuzersppazot
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\PlusSanit.tst
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\md.xml
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Main.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\noah.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\agent.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Config.xml
C:\Windows\SysNative\config\systemprofile\AppData\Roaming\NUIns
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Installer.dat
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\InstallationConfiguration.xml
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\360wp-srv => value removed successfully
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360bizhi => moved successfully
HKU\S-1-5-21-139745227-2284625060-2539193485-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\fu1vpkaw.default\Extensions\{81005532-A277-0574-A3A9-44D6D7619194} => moved successfully
HKU\S-1-5-21-139745227-2284625060-2539193485-1000\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0 => key removed successfully
C:\Users\Alex\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => not found.
HKLM\System\CurrentControlSet\Services\GmSvc => key removed successfully
GmSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\upuste => key removed successfully
upuste => service removed successfully
HKLM\System\CurrentControlSet\Services\VBoxNetFlt => key removed successfully
VBoxNetFlt => service removed successfully
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully
VGPU => service removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs HpSvc => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs GmSvc => removed successfully
C:\Users\Alex\AppData\Roaming\Ludashi => moved successfully
C:\Users\Alex\AppData\Roaming\lockhomepage => moved successfully
C:\Program Files\The Little Acre => moved successfully
C:\Windows\System32\Tasks\SoundsSystemService => moved successfully
C:\Users\Alex\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{375C34EC-F26B-4DD5-B04A-821A71D73846} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{375C34EC-F26B-4DD5-B04A-821A71D73846} => key removed successfully
C:\Windows\System32\Tasks\SoundsSystemService => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SoundsSystemService => key removed successfully
"C:\windows\rsdsrv.exe" => not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{03B4BEAC-C7B3-4EFF-B267-AD2BC54F079E} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{56E74837-DC92-4F46-BA3D-A9A43FAE7CC5} => value removed successfully
"C:\Users\Alex\AppData\Local\Temp\nsjC845.tmp" => not found.
"C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC???" => not found.
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\LDSGameAssistant => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\360wp => moved successfully
"C:\Windows\SysNative\config\systemprofile\AppData\Roaming\LDSGameAssistant" => not found.
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\app => moved successfully
"C:\Windows\SysNative\config\systemprofile\AppData\Local\Mathtam.dat" => not found.
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Programs => moved successfully
"C:\Windows\SysNative\config\systemprofile\AppData\Roaming\gplyra" => not found.
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Luwosplersock => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Profiles => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Tuzersppazot => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\PlusSanit.tst => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\md.xml => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Main.dat => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\noah.dat => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\agent.dat => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Config.xml => moved successfully
"C:\Windows\SysNative\config\systemprofile\AppData\Roaming\NUIns" => not found.
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Installer.dat => moved successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\InstallationConfiguration.xml => moved successfully


The system needed a reboot.

==== End of Fixlog 08:40:50 ====



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,789 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:03:32 AM

Posted 05 January 2017 - 10:58 AM

Very good. There is one folder I want to follow up on.

Please do these things.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
Folder: C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click icon then click Install
  • A Window should open highlighting Start Emergency Kit Scanner
  • Right click on the icon and select Run as administrator
  • Click 1. Update now!
  • Once the update is completed select Settings under Scan
  • Uncheck Join the Emsisoft Anti-Malware Network
  • Click Scan at the top
  • Click On scan completion
  • Click Quarantine detected objects, then click OK
  • Click Malware Scan
  • Once completed click View Report
  • Save the file to your Desktop using the default file name
  • Copy and paste the report in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon then click Run
  • Press any key to launch the program
  • Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED!, reboot your computer and attempt to run it again
  • Allow the program to run
  • When completed a Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Emsisoft report
  • Security check report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 DesperateMeasures

DesperateMeasures
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 06 January 2017 - 02:38 AM

Ok, here they are.

Fixlog

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by Alex (06-01-2017 08:31:57) Run:6
Running from C:\Users\Alex\Desktop
Loaded Profiles: Alex & NeroMediaHomeUser.4 (Available Profiles: Alex & NeroMediaHomeUser.4)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Folder: C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
emptytemp:
*****************


========================= Folder: C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs ========================

2014-10-31 15:43 - 2014-10-31 15:43 - 0000174 ___SH () C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
2016-12-27 17:24 - 2016-12-27 17:24 - 0001480 _____ () C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器.lnk
2016-12-27 17:24 - 2016-12-27 17:24 - 0000000 ____D () C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器
2016-12-27 17:24 - 2016-12-27 17:24 - 0001486 _____ () C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器\UC浏览器.lnk
2016-12-27 17:24 - 2016-12-27 17:24 - 0001445 _____ () C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器\卸载UC浏览器.lnk

====== End of Folder: ======


=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15396145 B
Java, Flash, Steam htmlcache => 145288521 B
Windows/system/drivers => 54882 B
Edge => 0 B
Chrome => 0 B
Firefox => 25976002 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66228 B
systemprofile32 => 0 B
LocalService => 66228 B
NetworkService => 0 B
Alex => 10065373 B
UpdatusUser => 0 B
NeroMediaHomeUser.4 => 0 B

RecycleBin => 0 B
EmptyTemp: => 187.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 08:32:04 ====

Emsisoft scan

Emsisoft Emergency Kit - Version 12.0
Last update: 1/6/2017 8:38:33 AM
User account: Alex-PC\Alex
Computer name: ALEX-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    1/6/2017 8:39:38 AM
C:\Users\Alex\Downloads\de.robv.android.xposed.installer_v33_36570c.apk -> classes.dex     detected: Android.Riskware.Agent.gGSOY (B) [krnl.xmd]

Scanned    76226
Found    1

Scan end:    1/6/2017 8:49:49 AM
Scan time:    0:10:11

C:\Users\Alex\Downloads\de.robv.android.xposed.installer_v33_36570c.apk     Android.Riskware.Agent.gGSOY (B)

Quarantined    1

SecurityCheckup

Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Malwarebytes   
  (On Access scanning disabled!)
 Error obtaining update status for antivirus!  
`````````Anti-malware/Other Utilities Check:`````````
 Zemana AntiMalware    
 Java 7 Update 67  
 Java version 32-bit out of Date!
 Adobe Flash Player 24.0.0.186  
 Adobe Reader 10.1.16 Adobe Reader out of Date!  
 Mozilla Firefox (50.1.0)
````````Process Check: objlist.exe by Laurent````````  
 Zemana AntiMalware ZAM.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7%
````````````````````End of Log``````````````````````