Virus that plays background ad audio on desktop - FRST attached


  • This topic is locked
10 replies to this topic

#1 the_ranisa

  • Members
  • 7 posts

Posted 03 January 2017 - 12:34 AM

Hey guys

This virus/malware is driving me nuts. I don't know where else to turn, and would really appreciate the help.

Downloaded a suspicious file, and shortly after stuff started to go wonky.

- Windows Defender wouldn't open
- The malware switched my default browser
- I started hearing the audio of advertisements played in the background.
- It wouldn't let me access any anti-virus websites (including this one) through any browser; it would display the text "The page cannot be displayed because an internal server error has occurred."

Anyway, I used rkill, Malwarebytes, AdwCleaner, and Junkware Removal Tool. This made my computer a little more functional, but it's still running slow, I still hear ads in the background, and Malwarebytes keeps popping up in the notifications that it detected/blocked suspicious activity... however I'm still unable to open the actual Malwarebytes program.

I've posted the FRST files, and would really really appreciate help with this!

Thanks!!


-------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-01-2017
Ran by Mohsen (administrator) on HOME-PC (02-01-2017 22:17:05)
Running from C:\Users\Mohsen\Desktop
Loaded Profiles: Mohsen (Available Profiles: Mohsen)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(troubadours) C:\Windows\joelle.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BBSvc.EXE
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
() C:\Program Files (x86)\Flaunts\cals.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.197.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
() C:\Program Files (x86)\Flaunts\cals.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Spotify Ltd) C:\Users\Mohsen\AppData\Roaming\Spotify\SpotifyWebHelper.exe
() C:\Program Files (x86)\mileposts\kingly.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\Flaunts\cals.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.7420.23751.0_x64__8wekyb3d8bbwe\HubTaskHost.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesServer.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [Acronis Scheduler2 Service] => "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-10-02] (Microsoft Corporation)
HKLM\...\Run: [weft.exebestsellers.exe] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM\...\Run: [ircirc] => C:\Program Files (x86)\Flaunts\cals.exe [10752 2017-01-02] ()
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [277504 2012-07-09] (Intel Corporation)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-04] (CyberLink Corp.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [941440 2012-07-24] (Acronis)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [518496 2015-06-24] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [25779624 2016-12-21] (Dropbox, Inc.)
HKLM-x32\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM-x32\...\Run: [ikiiki] => C:\Program Files (x86)\Flaunts\cals.exe [10752 2017-01-02] ()
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [Spotify Web Helper] => C:\Users\Mohsen\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1444976 2017-01-02] (Spotify Ltd)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [kingly] => C:\Program Files (x86)\mileposts\kingly.exe [40328 2017-01-02] ()
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [piano] => "C:\Program Files (x86)\mileposts\weft.exe"
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [reims] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [politicos] => "C:\Program Files (x86)\Horrors\bestsellers.exe"
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [GoogleChromeAutoLaunch_B8C5EC1D985833084B5212D261E024CD] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1104728 2016-12-08] (Google Inc.)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\WLXPGSS.SCR [321472 2012-07-28] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [] => 0
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Mohsen\AppData\Roaming\Microsoft\Protect\f33dc709-83f1-4cea-9747-1773afb2e4d8.rs" <===== ATTENTION
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt10] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt9] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2012-11-26] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2012-11-26] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2012-11-26] (Acronis)
ShellIconOverlayIdentifiers-x32: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt10] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt9] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.3.0.dll [2016-12-21] (Dropbox, Inc.)
Startup: C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok33542430.lnk [2017-01-02]
ShortcutTarget: ok33542430.lnk -> C:\Program Files (x86)\contrariness\query.exe (windows)
Startup: C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\watering.lnk [2017-01-02]
ShortcutTarget: watering.lnk -> C:\Program Files (x86)\contrariness\query.exe (windows)
GroupPolicy\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{29832bbe-3815-491a-8264-740fbf42cd0f}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{6fab15db-c866-4ec9-aec1-d32004bac7f6}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{6fab15db-c866-4ec9-aec1-d32004bac7f6}: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com
SearchScopes: HKU\S-1-5-21-1873268818-3468620095-3024752975-1001 -> DefaultScope {D5B5D62E-89CA-4A48-88E0-44CDD6A5D2E9} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll [2014-03-11] (Microsoft Corporation.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll [2014-03-11] (Microsoft Corporation.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll [2014-03-11] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll [2014-03-11] (Microsoft Corporation.)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-06-24] (Citrix Systems, Inc.)
 
FireFox:
========
FF ProfilePath: C:\Users\Mohsen\AppData\Roaming\Mozilla\Firefox\Profiles\zhaqmmh0.default [2017-01-02]
FF Extension: (Adblock Plus) - C:\Users\Mohsen\AppData\Roaming\Mozilla\Firefox\Profiles\zhaqmmh0.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-15]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_186.dll [2016-12-14] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-14] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-10-01] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2015-06-24] (Citrix Systems, Inc.)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3503.0728 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-07-28] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-01-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-01-02] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1873268818-3468620095-3024752975-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Mohsen\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-07-06] (Citrix Online)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default [2017-01-02]
CHR Extension: (Google Docs) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-05]
CHR Extension: (Google Drive) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Cast) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2016-07-06]
CHR Extension: (Videostream for Google Chromecast™) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnciopoikihiagdjbjpnocolokfelagl [2016-12-21]
CHR Extension: (Google Search) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-02]
CHR Extension: (Google Docs Offline) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (AdBlock) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-01-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (MapsGalaxy) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjcpmnemablfdccplioohcaehkeomndn [2014-12-09]
CHR Extension: (Gmail) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]
CHR Extension: (Chrome Media Router) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-27]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U2 comprehensively; C:\WINDOWS\joelle.exe [8192 2017-01-02] (troubadours) [File not signed]
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-04] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-04] (Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [42096 2016-12-21] (Dropbox, Inc.)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [132472 2016-09-09] (Dell Inc.)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2572024 2016-06-23] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [202488 2016-06-23] (Dell Inc.)
S2 DellDigitalDelivery; c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [173056 2012-06-19] (Dell Products, LP.) [File not signed]
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-08-27] (Dell Inc.)
R2 IAStorDataMgrSvc; C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [7168 2012-07-09] (Intel Corporation) [File not signed]
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [337888 2016-05-03] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-07-19] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [254512 2012-04-24] ()
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31704 2016-09-09] (Dell Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [77824 2012-06-19] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 CLVirtualDrive; C:\WINDOWS\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
R3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
S3 DellRbtn; C:\WINDOWS\System32\drivers\DellRbtn.sys [10752 2012-08-05] (OSR Open Systems Resources, Inc.)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [129152 2016-04-24] (Samsung Electronics Co., Ltd.)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77416 2016-12-14] ()
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [54736 2017-01-02] ()
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [176064 2017-01-02] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [102856 2017-01-02] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [43968 2017-01-02] (Malwarebytes)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [250816 2017-01-02] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [91584 2017-01-02] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 OV550I; C:\WINDOWS\System32\Drivers\ov550ivx.sys [196992 2008-02-22] (Omnivision Technologies, Inc.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [221824 2016-04-24] (Samsung Electronics Co., Ltd.)
R0 tib_mounter; C:\WINDOWS\System32\DRIVERS\tib_mounter.sys [1093256 2012-12-28] (Acronis)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 dbx; system32\DRIVERS\dbx.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-02 22:17 - 2017-01-02 22:17 - 00028714 _____ C:\Users\Mohsen\Desktop\FRST.txt
2017-01-02 22:16 - 2017-01-02 22:17 - 00000000 ____D C:\FRST
2017-01-02 22:15 - 2017-01-02 19:04 - 02418176 _____ (Farbar) C:\Users\Mohsen\Desktop\FRST64.exe
2017-01-02 21:39 - 2017-01-02 21:39 - 00005568 _____ C:\WINDOWS\system32\.crusader
2017-01-02 20:57 - 2017-01-02 21:43 - 00054736 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2017-01-02 20:57 - 2017-01-02 21:40 - 00000000 ____D C:\ProgramData\HitmanPro
2017-01-02 20:54 - 2017-01-02 20:56 - 11581544 _____ (SurfRight B.V.) C:\Users\Mohsen\Downloads\HitmanPro_x64.exe
2017-01-02 20:38 - 2017-01-02 20:43 - 00003416 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-01-02 20:38 - 2017-01-02 20:43 - 00003292 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-01-02 20:38 - 2017-01-02 20:38 - 01065376 _____ (Google Inc.) C:\Users\Mohsen\Downloads\ChromeSetup.exe
2017-01-02 20:38 - 2017-01-02 20:38 - 00002350 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-02 20:33 - 2017-01-02 20:33 - 00001519 _____ C:\Users\Mohsen\Desktop\JRT.txt
2017-01-02 20:07 - 2017-01-02 20:17 - 00000000 ____D C:\AdwCleaner
2017-01-02 20:01 - 2017-01-02 20:01 - 00124572 _____ C:\Users\Mohsen\Desktop\malwarebytes.txt
2017-01-02 18:36 - 2017-01-02 22:10 - 00250816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-01-02 18:36 - 2017-01-02 22:10 - 00102856 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-01-02 18:36 - 2017-01-02 22:10 - 00091584 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-01-02 18:36 - 2017-01-02 22:10 - 00043968 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-01-02 18:36 - 2017-01-02 18:36 - 00176064 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-01-02 18:35 - 2017-01-02 18:35 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-01-02 18:35 - 2017-01-02 18:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-01-02 18:35 - 2017-01-02 18:35 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-01-02 18:35 - 2017-01-02 18:35 - 00000000 ____D C:\Program Files\Malwarebytes
2017-01-02 18:35 - 2017-01-02 18:33 - 03977168 _____ C:\Users\Mohsen\Desktop\adwcleaner_6.041.exe
2017-01-02 18:35 - 2016-12-14 12:55 - 00077416 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-01-02 18:34 - 2017-01-02 18:35 - 00002870 _____ C:\Users\Mohsen\Desktop\Rkill.txt
2017-01-02 18:34 - 2017-01-02 18:34 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Mohsen\Desktop\rkill64.com
2017-01-02 18:34 - 2017-01-02 18:34 - 00000000 ____D C:\Users\Mohsen\Desktop\rkill
2017-01-02 18:34 - 2017-01-02 18:32 - 01663040 _____ (Malwarebytes) C:\Users\Mohsen\Desktop\JRT.exe
2017-01-02 18:34 - 2017-01-02 18:31 - 54199488 _____ (Malwarebytes ) C:\Users\Mohsen\Desktop\mb3-setup-consumer-3.0.5.1299.exe
2017-01-02 18:33 - 2017-01-02 18:30 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Mohsen\Desktop\rkill.com
2017-01-02 18:20 - 2017-01-02 18:21 - 00009794 _____ C:\Users\Mohsen\Desktop\netadapter-log-2017-01-02-18-20-28.txt
2017-01-02 18:20 - 2017-01-02 18:17 - 02091520 _____ (Conner Bernhard) C:\Users\Mohsen\Desktop\NetAdapterRepair1.2.exe
2017-01-02 17:51 - 2017-01-02 17:51 - 00003872 _____ C:\WINDOWS\System32\Tasks\k79997016
2017-01-02 17:51 - 2017-01-02 17:51 - 00003844 _____ C:\WINDOWS\System32\Tasks\79997016
2017-01-02 17:51 - 2017-01-02 17:51 - 00003842 _____ C:\WINDOWS\System32\Tasks\82157375
2017-01-02 17:51 - 2017-01-02 17:51 - 00003742 _____ C:\WINDOWS\System32\Tasks\bak79997016k79997016
2017-01-02 17:51 - 2017-01-02 17:51 - 00003712 _____ C:\WINDOWS\System32\Tasks\ba7999701679997016
2017-01-02 17:51 - 2017-01-02 17:51 - 00003710 _____ C:\WINDOWS\System32\Tasks\ba8215737582157375
2017-01-02 17:51 - 2017-01-02 17:51 - 00000001 _____ C:\Users\Mohsen\AppData\Local\setupsuccessful.txt
2017-01-02 17:51 - 2017-01-02 17:51 - 00000000 ___HD C:\Program Files (x86)\Flaunts
2017-01-02 17:51 - 2017-01-02 17:51 - 00000000 ____D C:\Program Files (x86)\lamplighter
2017-01-02 17:50 - 2017-01-02 21:38 - 00004408 _____ C:\WINDOWS\System32\Tasks\a30723257
2017-01-02 17:50 - 2017-01-02 21:38 - 00004400 _____ C:\WINDOWS\System32\Tasks\b30723257
2017-01-02 17:50 - 2017-01-02 17:54 - 00000308 ____H C:\WINDOWS\Tasks\NC.job
2017-01-02 17:50 - 2017-01-02 17:50 - 00003092 _____ C:\WINDOWS\System32\Tasks\NC
2017-01-02 17:50 - 2017-01-02 17:50 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-01-02 17:50 - 2017-01-02 17:50 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-01-02 17:49 - 2017-01-02 22:19 - 00000000 ____D C:\Program Files (x86)\contrariness
2017-01-02 17:49 - 2017-01-02 21:39 - 00000000 ____D C:\Program Files (x86)\actualize
2017-01-02 17:49 - 2017-01-02 21:38 - 00000000 ____D C:\Program Files (x86)\mileposts
2017-01-02 17:49 - 2017-01-02 20:30 - 00000000 ____D C:\a
2017-01-02 17:49 - 2017-01-02 20:05 - 00000000 ____D C:\Program Files (x86)\Horrors
2017-01-02 17:49 - 2017-01-02 18:33 - 00003846 _____ C:\WINDOWS\System32\Tasks\22040165
2017-01-02 17:49 - 2017-01-02 18:33 - 00003692 _____ C:\WINDOWS\System32\Tasks\12040165
2017-01-02 17:49 - 2017-01-02 18:21 - 00003866 _____ C:\WINDOWS\System32\Tasks\dc11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1
2017-01-02 17:49 - 2017-01-02 18:15 - 00004018 _____ C:\WINDOWS\System32\Tasks\ab11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1
2017-01-02 17:49 - 2017-01-02 17:51 - 00000000 _____ C:\Users\Mohsen\AppData\Local\stxtname.txt
2017-01-02 17:49 - 2017-01-02 17:49 - 00003858 _____ C:\WINDOWS\System32\Tasks\85207132
2017-01-02 17:49 - 2017-01-02 17:49 - 00003726 _____ C:\WINDOWS\System32\Tasks\Da8520713285207132
2017-01-02 17:49 - 2017-01-02 17:49 - 00000055 _____ C:\WINDOWS\key.ini
2017-01-02 17:49 - 2017-01-02 17:49 - 00000000 ____D C:\Program Files (x86)\MaxInternet
2017-01-02 17:49 - 2017-01-02 17:49 - 00000000 ____D C:\Program Files (x86)\hierarchies
2017-01-02 17:49 - 2017-01-02 17:49 - 00000000 _____ C:\Users\Mohsen\AppData\Local\run.txt
2017-01-02 17:44 - 2017-01-02 17:45 - 00000258 __RSH C:\Users\Mohsen\ntuser.pol
2017-01-02 13:31 - 2017-01-02 14:28 - 00078848 _____ C:\Users\Mohsen\Export_contacts_modified.xls
2017-01-02 11:48 - 2017-01-02 11:48 - 00435040 _____ C:\Users\Mohsen\Downloads\nk2edit_setup.exe
2017-01-02 11:36 - 2017-01-02 12:24 - 00038421 _____ C:\Users\Mohsen\AppData\Roaming\Microsoft Excel 97-2003.ADR
2017-01-02 11:26 - 2017-01-02 18:02 - 00009311 _____ C:\Users\Mohsen\AppData\Roaming\Microsoft Excel 97-2003.EML
2017-01-02 11:25 - 2017-01-02 12:24 - 00115200 _____ C:\Users\Mohsen\Export_contacts.xls
2017-01-02 11:14 - 2017-01-02 11:14 - 00529408 _____ (phonograph) C:\Users\Mohsen\AppData\Local\antechamber.exe
2017-01-02 11:14 - 2017-01-02 11:14 - 00304640 _____ (windows) C:\WINDOWS\discarding.exe
2017-01-02 11:14 - 2017-01-02 11:14 - 00192000 _____ C:\WINDOWS\dll.dll
2017-01-02 11:14 - 2017-01-02 11:14 - 00041201 _____ C:\WINDOWS\apartments.exe
2017-01-02 11:14 - 2017-01-02 11:14 - 00008192 _____ (troubadours) C:\WINDOWS\joelle.exe
2017-01-02 09:24 - 2017-01-02 09:24 - 00010752 _____ C:\WINDOWS\aether.exe
2017-01-02 09:24 - 2017-01-02 09:24 - 00010752 _____ C:\Users\Mohsen\AppData\Local\cals.exe
2017-01-01 22:51 - 2017-01-01 22:51 - 00029491 _____ C:\Users\Mohsen\Downloads\10 Pay Schedule.xlsx
2016-12-31 16:48 - 2016-12-31 16:48 - 00523302 _____ C:\Users\Mohsen\Downloads\Arbitration_agreement_(carve out).docx
2016-12-31 16:47 - 2016-12-31 16:47 - 00033354 _____ C:\Users\Mohsen\Downloads\Outside_Sales_Representative_Employment_Agreement.docx
2016-12-31 16:47 - 2016-12-31 16:47 - 00019500 _____ C:\Users\Mohsen\Downloads\NotOperatingMotorVehicleFormLetterBlank.docx
2016-12-29 11:55 - 2017-01-02 17:12 - 1567663104 _____ C:\Users\Mohsen\TWMI_All_Others_emails.pst
2016-12-29 11:47 - 2017-01-02 17:12 - 108454912 _____ C:\Users\Mohsen\TWMI_Mohsen_emails.pst
2016-12-29 11:45 - 2017-01-02 17:12 - 157975552 _____ C:\Users\Mohsen\TWMI_OmniView_emails.pst
2016-12-29 11:42 - 2017-01-02 17:12 - 51061760 _____ C:\Users\Mohsen\TWMI_Taxes_emails.pst
2016-12-29 11:40 - 2016-12-31 14:17 - 00271360 _____ C:\Users\Mohsen\TWMI_John_Duncan_emails.pst
2016-12-29 11:32 - 2017-01-02 17:12 - 251175936 _____ C:\Users\Mohsen\TWMI_Ali_Parvaneh_emails.pst
2016-12-29 11:25 - 2016-12-31 14:17 - 119120896 _____ C:\Users\Mohsen\TWMI_Jobs_emails.pst
2016-12-29 11:15 - 2016-12-29 11:39 - 662578176 _____ C:\Users\Mohsen\Old_Ford_Emails.pst
2016-12-26 14:31 - 2016-12-26 14:31 - 00123779 _____ C:\Users\Mohsen\Downloads\SOS Online-2056337579-12262016-143111.PDF
2016-12-24 18:20 - 2016-12-24 18:20 - 13757676 _____ C:\Users\Mohsen\Downloads\Family Feud 2016 Score Board.pptm
2016-12-24 16:32 - 2016-12-24 16:32 - 00000000 ____D C:\ProgramData\PC-Doctor, Inc
2016-12-21 22:19 - 2016-12-21 22:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-12-21 13:15 - 2016-12-21 13:15 - 00075888 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
2016-12-21 13:15 - 2016-12-21 13:15 - 00075888 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
2016-12-21 13:15 - 2016-12-21 13:15 - 00075888 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
2016-12-21 13:15 - 2016-12-21 13:15 - 00042096 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2016-12-11 21:40 - 2016-12-11 21:40 - 00015091 _____ C:\Users\Mohsen\Downloads\Colleen Resume.docx
2016-12-08 15:46 - 2016-12-08 15:46 - 00193885 _____ C:\Users\Mohsen\Downloads\Statement_09-10-2016.PDF
2016-12-06 21:26 - 2016-12-06 21:26 - 00402308 _____ C:\WINDOWS\Minidump\120616-53093-01.dmp
2016-12-06 21:26 - 2016-12-06 21:26 - 00000000 ____D C:\WINDOWS\Minidump
2016-12-06 17:38 - 2016-12-06 17:38 - 00003910 _____ C:\Users\Mohsen\Downloads\Invoice-0000522.pdf
2016-12-06 17:38 - 2016-12-06 17:38 - 00003910 _____ C:\Users\Mohsen\Downloads\Invoice-0000522 (1).pdf
2016-12-04 18:15 - 2016-12-04 18:24 - 00000000 ____D C:\Users\Mohsen\Desktop\Wedding Photo - Jason and Sarah
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-02 22:16 - 2016-06-13 01:46 - 01189212 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-01-02 22:15 - 2012-12-09 21:11 - 00000000 ____D C:\Users\Mohsen\Documents\Outlook Files
2017-01-02 22:12 - 2015-10-04 06:27 - 00000000 ___RD C:\Users\Mohsen\Dropbox
2017-01-02 22:10 - 2016-10-01 22:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-01-02 22:10 - 2014-09-14 09:08 - 00000000 __SHD C:\Users\Mohsen\IntelGraphicsProfiles
2017-01-02 22:09 - 2016-07-16 01:04 - 01048576 _____ C:\WINDOWS\system32\config\BBI
2017-01-02 22:04 - 2016-10-01 21:30 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-01-02 20:38 - 2012-12-09 18:22 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-02 17:52 - 2014-09-14 09:11 - 00000000 __RDO C:\Users\Mohsen\OneDrive
2017-01-02 17:51 - 2015-05-17 00:02 - 00000000 ____D C:\Users\Mohsen\AppData\Roaming\uTorrent
2017-01-02 17:49 - 2015-09-11 22:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-01-02 17:45 - 2016-10-01 21:36 - 00000000 ____D C:\Users\Mohsen
2017-01-02 17:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-01-02 17:44 - 2013-08-22 10:36 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2017-01-02 17:23 - 2015-05-09 09:25 - 00000000 ____D C:\Users\Mohsen\AppData\Local\Spotify
2017-01-02 17:23 - 2015-05-09 09:24 - 00000000 ____D C:\Users\Mohsen\AppData\Roaming\Spotify
2017-01-02 17:19 - 2016-01-27 01:41 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-01-02 17:19 - 2015-07-06 21:30 - 00000690 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1873268818-3468620095-3024752975-1001.job
2017-01-02 17:19 - 2015-07-06 21:30 - 00000594 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1873268818-3468620095-3024752975-1001.job
2017-01-02 17:14 - 2013-01-02 15:40 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2017-01-02 11:25 - 2012-12-09 21:51 - 00000000 ____D C:\Users\Mohsen\Documents\Mohsen
2017-01-02 11:06 - 2012-12-09 21:55 - 00000000 ____D C:\Users\Mohsen\Documents\Catherine
2016-12-25 22:10 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\config\RegBack
2016-12-21 22:19 - 2015-10-04 06:25 - 00000000 ____D C:\Program Files (x86)\Dropbox
2016-12-20 06:03 - 2012-12-09 18:02 - 00000000 ___RD C:\Users\Mohsen\Pictures
2016-12-18 23:36 - 2013-11-03 18:49 - 00000000 ____D C:\Users\Mohsen\Desktop\Andrew
2016-12-14 01:52 - 2016-11-08 06:52 - 20364888 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe
2016-12-14 01:52 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2016-12-14 01:52 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-12-13 05:28 - 2012-12-30 16:56 - 00000157 _____ C:\WINDOWS\SysWOW64\SystemPreferences.xml
2016-12-10 19:28 - 2016-10-01 21:36 - 00000000 ___RD C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
2016-12-10 19:28 - 2016-06-13 05:23 - 00002372 _____ C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-12-10 18:18 - 2016-02-09 16:15 - 00000000 ____D C:\Users\Mohsen\Documents\HOUSEHOLD
2016-12-07 05:56 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\INF
2016-12-06 21:28 - 2015-10-04 06:25 - 00000934 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2016-12-06 21:28 - 2015-10-04 06:25 - 00000930 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2016-12-06 21:26 - 2016-10-01 21:30 - 00359472 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-12-06 21:26 - 2013-01-20 21:00 - 1027091164 _____ C:\WINDOWS\MEMORY.DMP
 
==================== Files in the root of some directories =======
 
2017-01-02 11:36 - 2017-01-02 12:24 - 0038421 _____ () C:\Users\Mohsen\AppData\Roaming\Microsoft Excel 97-2003.ADR
2017-01-02 11:26 - 2017-01-02 18:02 - 0009311 _____ () C:\Users\Mohsen\AppData\Roaming\Microsoft Excel 97-2003.EML
2017-01-02 11:14 - 2017-01-02 11:14 - 0529408 _____ (phonograph) C:\Users\Mohsen\AppData\Local\antechamber.exe
2017-01-02 09:24 - 2017-01-02 09:24 - 0010752 _____ () C:\Users\Mohsen\AppData\Local\cals.exe
2014-12-03 06:31 - 2016-09-17 11:49 - 0008192 _____ () C:\Users\Mohsen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-01-02 17:49 - 2017-01-02 17:49 - 0000000 _____ () C:\Users\Mohsen\AppData\Local\run.txt
2016-10-04 09:33 - 2016-10-04 09:33 - 0006144 _____ () C:\Users\Mohsen\AppData\Local\sc452090775.exe
2016-10-04 09:33 - 2016-10-04 09:33 - 0005632 _____ () C:\Users\Mohsen\AppData\Local\sc52090775.exe
2017-01-02 17:51 - 2017-01-02 17:51 - 0000001 _____ () C:\Users\Mohsen\AppData\Local\setupsuccessful.txt
2017-01-02 17:49 - 2017-01-02 17:51 - 0000000 _____ () C:\Users\Mohsen\AppData\Local\stxtname.txt
2013-12-21 19:32 - 2013-12-21 19:32 - 0000057 _____ () C:\ProgramData\Ament.ini
2012-11-15 01:01 - 2012-11-15 01:01 - 0000119 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2012-11-15 00:58 - 2012-11-15 00:59 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2012-11-15 00:59 - 2012-11-15 01:00 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2012-11-15 00:58 - 2012-11-15 00:58 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2012-11-15 01:00 - 2012-11-15 01:01 - 0000108 _____ () C:\ProgramData\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}.log
 
Some files in TEMP:
====================
C:\Users\Mohsen\AppData\Local\Temp\cflhuenm.exe
C:\Users\Mohsen\AppData\Local\Temp\hpqp.exe
C:\Users\Mohsen\AppData\Local\Temp\installer1.exe
C:\Users\Mohsen\AppData\Local\Temp\libeay32.dll
C:\Users\Mohsen\AppData\Local\Temp\mow.exe
C:\Users\Mohsen\AppData\Local\Temp\msvcr120.dll
C:\Users\Mohsen\AppData\Local\Temp\sqlite3.dll
C:\Users\Mohsen\AppData\Local\Temp\wait.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-25 22:10
 
==================== End of FRST.txt ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:08 AM

Posted 04 January 2017 - 02:38 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===



--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

I need to also see the Addition.txt file that was created by the Farbar tool.
Please include it in your next reply.

I will review it with the FRST log and submit a fix.

#3 the_ranisa

the_ranisa
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 04 January 2017 - 03:47 PM

Hi nasdaq,

 

Thanks for the reply!  I'm running a backup of the pictures on my computer and will be out of town tomorrow. If it's not too much trouble I will follow the above detailed instructions and post back on Friday or Saturday. 

 

Thanks!



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:08 AM

Posted 05 January 2017 - 08:34 AM

No problems.

#5 the_ranisa

the_ranisa
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 08 January 2017 - 10:55 AM

Here's the RogueKiller report below. It found a few things in red that I had it fix. I also attached the Addition.txt from the original Farbar tool I ran when I started the topic.

 

-----

 

RogueKiller V12.9.1.0 (x64) [Jan  2 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Mohsen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/08/2017 00:45:15 (Duration : 03:15:15)

¤¤¤ Processes : 2 ¤¤¤
[VT.Unknown] cals.exe(4224) -- C:\Program Files (x86)\Flaunts\cals.exe[-] -> Found
[VT.Unknown] kingly.exe(6288) -- C:\Program Files (x86)\mileposts\kingly.exe[-] -> Found

¤¤¤ Registry : 19 ¤¤¤
[VT.Downloader.BGQE] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ircirc : "C:\Program Files (x86)\Flaunts\cals.exe" [-] -> Found
[VT.Downloader.BGQE] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ikiiki : "C:\Program Files (x86)\Flaunts\cals.exe" [-] -> Found
[VT.Trojan.Win32.Generic!BT] (X64) HKEY_USERS\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Windows\CurrentVersion\Run | kingly : "C:\Program Files (x86)\mileposts\kingly.exe" [-] -> Found
[VT.Trojan.Win32.Generic!BT] (X86) HKEY_USERS\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Windows\CurrentVersion\Run | kingly : "C:\Program Files (x86)\mileposts\kingly.exe" [-] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\comprehensively (C:\WINDOWS\joelle.exe) -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{46B4DD04-750B-410A-8941-4284624815D7}C:\windows\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\windows\keygen.exe|Name=keygen|Desc=keygen|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{A1397CBB-D480-4946-9588-FD6B55C86409}C:\windows\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\windows\keygen.exe|Name=keygen|Desc=keygen|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A6CE2ED1-5856-4BA4-BB8E-3CDCF33E08B1} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Mohsen\AppData\Local\ddnowyes.exe|Name=ddnowyes|Desc=Allow internet|EmbedCtxt=@C:\Users\Mohsen\AppData\Local\ddnowyes.exe,-10000| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C1A8EF1B-F67B-43C5-8C29-69AB8CD29647} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Mohsen\AppData\Local\Temp\1501984\ic-0.c805a75640407.exe|Name=C39427830|Desc=Allow|EmbedCtxt=@C:\Users\Mohsen\AppData\Local\Temp\1501984\ic-0.c805a75640407.exe,-10000| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0DD9C4C2-35E3-4E2F-BA15-42ED061D1AE0} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Mohsen\AppData\Local\39427830.exe|Name=A39427830|Desc=Allow|EmbedCtxt=@C:\Users\Mohsen\AppData\Local\39427830.exe,-10000| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {8FF2EAC3-28FA-4980-80C6-7DCF8E6CEB3B} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Mohsen\AppData\Local\tinstall.exe|Name=B39427830|Desc=Allow|EmbedCtxt=@C:\Users\Mohsen\AppData\Local\tinstall.exe,-10000| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1C574B26-B217-4027-8C55-A7C5E5712FB7} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Mohsen\AppData\Local\sc52090775.exe|Name=DW39427830|Desc=Allow|EmbedCtxt=@C:\Users\Mohsen\AppData\Local\sc52090775.exe,-10000| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {901B05AC-BA19-4118-B312-E5AE1ECD4A1E} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Mohsen\AppData\Local\ddnow.exe|Name=now45|Desc=Allow internet|EmbedCtxt=@C:\Users\Mohsen\AppData\Local\ddnow.exe,-10000| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B4734EFF-D908-40D6-B216-C1EE28570298} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\WINDOWS\adore.exe|Name=dacey|Desc=Allow|EmbedCtxt=@C:\WINDOWS\adore.exe,-10000| [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
[Tr.Gen0][File] C:\Users\Mohsen\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Mohsen\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-9YN162 +++++
--- User ---
[MBR] 91cdb19ed6764ac050f3db86706d5e2e
[BSP] 1dc3ff5c7933a6515c30fff3c793e498 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1026048 | Size: 40 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1107968 | Size: 128 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1370112 | Size: 500 MB
4 - Basic data partition | Offset (sectors): 2394112 | Size: 940503 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1928544256 | Size: 450 MB
6 - [SYSTEM][MAN-MOUNT] Microsoft recovery partition | Offset (sectors): 1929465856 | Size: 11746 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HP Photosmart 7520 USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Attached File: Addition.txt (52.82KB, 2 downloads)



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:08 AM

Posted 08 January 2017 - 02:26 PM

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Online.io Application (HKLM-x32\...\{A91EEA9B-DCAA-4B2D-B62A-50B8EA351561}) (Version: 1.13.0 - Microleaves) <==== ATTENTION
Traffic Exchange (HKLM-x32\...\{804C6085-8AFA-452E-8567-55FE1BF21FBF}) (Version: 1.13.1 - Microleaves) <==== ATTENTION


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


(troubadours) C:\Windows\joelle.exe
() C:\Program Files (x86)\Flaunts\cals.exe
() C:\Program Files (x86)\Flaunts\cals.exe
() C:\Program Files (x86)\mileposts\kingly.exe
() C:\Program Files (x86)\Flaunts\cals.exe
HKLM\...\Run: [weft.exebestsellers.exe] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM\...\Run: [ircirc] => C:\Program Files (x86)\Flaunts\cals.exe [10752 2017-01-02] ()
HKLM-x32\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM-x32\...\Run: [ikiiki] => C:\Program Files (x86)\Flaunts\cals.exe [10752 2017-01-02] ()
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [kingly] => C:\Program Files (x86)\mileposts\kingly.exe [40328 2017-01-02] ()
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [piano] => "C:\Program Files (x86)\mileposts\weft.exe"
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [reims] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [politicos] => "C:\Program Files (x86)\Horrors\bestsellers.exe"
HKU\S-1-5-18\...\Run: [] => 0
Startup: C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok33542430.lnk [2017-01-02]
ShortcutTarget: ok33542430.lnk -> C:\Program Files (x86)\contrariness\query.exe (windows)
Startup: C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\watering.lnk [2017-01-02]
ShortcutTarget: watering.lnk -> C:\Program Files (x86)\contrariness\query.exe (windows)
GroupPolicy\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (MapsGalaxy) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjcpmnemablfdccplioohcaehkeomndn [2014-12-09]
CHR Extension: (Chrome Media Router) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-27]
U2 comprehensively; C:\WINDOWS\joelle.exe [8192 2017-01-02] (troubadours) [File not signed]
S3 dbx; system32\DRIVERS\dbx.sys [X]
CustomCLSID: HKU\S-1-5-21-1873268818-3468620095-3024752975-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Mohsen\AppData\Local\Citrix\GoToMeeting\2489\G2MOutlookAddin64.dll => No File
Task: {07F1E954-5F7F-46AA-818D-16D5F48CF84A} - System32\Tasks\dc11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => C:\Program Files (x86)\contrariness\query.exe
Task: {0F71076C-D65F-45CE-AA02-482B21C482F9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {10B7ED86-1773-494F-9E5B-DA7EA4B09690} - System32\Tasks\12040165 => C:\Program Files (x86)\mileposts\weft.exe <==== ATTENTION
Task: {147FE1D5-32B5-450C-A426-583106FE5073} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
Task: {16FC28E0-14A0-4871-8163-5A97A706BAD9} - \19962637 -> No File <==== ATTENTION
Task: {1C3A6D1A-46B7-40DE-8C65-DEF120F2E7E2} - \G2MUploadTask-S-1-5-21-1873268818-3468620095-3024752975-1001 -> No File <==== ATTENTION
Task: {1EAA069C-98F2-45FC-8106-99BB88411E4C} - System32\Tasks\k79997016 => C:\Program Files (x86)\lamplighter\lamplighter.exe [2017-01-02] (internships)
Task: {21E27867-5F93-42E1-BA3B-E6D637AA47EF} - System32\Tasks\85207132 => C:\Program Files (x86)\Horrors\bestsellers.exe <==== ATTENTION
Task: {22A0E29D-02ED-4669-AD50-5556AA83CB60} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {241AD1FF-8A24-41E7-82BE-B913AFEC979A} - System32\Tasks\82157375 => C:\Users\Mohsen\AppData\Local\cals.exe [2017-01-02] () <==== ATTENTION
Task: {291AB41E-C7B0-411F-A0B6-09752E14C69E} - \SystemToolsDailyTest -> No File <==== ATTENTION
Task: {3359EC62-654B-40C2-965B-9989C839C51B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {3BA04B60-40F7-4E5F-84C0-3B18495B3BBF} - \PCDDataUploadTask -> No File <==== ATTENTION
Task: {41460695-2F66-45ED-B4D8-4603A2EFA6AB} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {4792038B-5D0F-4390-ADFB-E91EEBEA85B3} - System32\Tasks\Da8520713285207132 => C:\Program Files (x86)\Horrors\bestsellers.exe
Task: {48CADAF8-7A3B-4002-BE30-91FA2F723128} - System32\Tasks\a30723257 => C:\Program Files (x86)\contrariness\query.exe
Task: {53B7F387-7CD0-47C4-8AE9-DE25809682A8} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {5450B6A2-2F60-43C8-94E0-E2EF35914519} - \PCDEventLauncherTask -> No File <==== ATTENTION
Task: {5C9E53AE-2590-4171-9A41-9861C19E7A0B} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {6173895F-C3B8-4415-84FE-1268941F25BD} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {67401062-6CB9-4B9E-983E-21D3B6400B81} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {680E15ED-58D0-4570-9071-A7C9DD9F17B0} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {68C08760-87DF-40DE-ABF1-0DEF4F8902F9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {6F25AE10-25E8-4087-B999-9FD928DD742B} - System32\Tasks\bak79997016k79997016 => C:\Program Files (x86)\lamplighter\lamplighter.exe [2017-01-02] (internships)
Task: {73495BF9-1AE3-4E39-8457-A77C56F7DCAF} - \PCDoctorBackgroundMonitorTask -> No File <==== ATTENTION
Task: {7B39C6D9-6E48-4F86-8523-DF5A661FC453} - \Dell SupportAssistAgent AutoUpdate -> No File <==== ATTENTION
Task: {7C316886-579D-4EA2-A29A-78D39916A4BD} - \AutoKMS -> No File <==== ATTENTION
Task: {7FCE40ED-33B4-4C70-A10C-2A032F861594} - System32\Tasks\22040165 => C:\Program Files (x86)\mileposts\weft.exe <==== ATTENTION
Task: {8254AF94-92E2-4A04-992A-E90911F1E35F} - System32\Tasks\79997016 => C:\Program Files (x86)\Flaunts\cals.exe [2017-01-02] () <==== ATTENTION
Task: {8BF55EAB-A61E-471A-9CE3-8F9E14CF13F4} - \Optimize Start Menu Cache Files-S-1-5-21-1873268818-3468620095-3024752975-1001 -> No File <==== ATTENTION
Task: {8F5F12A4-2002-4EC8-8A1B-D94A954A66C3} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {909C7EB7-27E1-4795-8ADD-D895AFD9F829} - System32\Tasks\ab11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => C:\Program Files (x86)\contrariness\query.exe
Task: {922CEFA7-AE66-4491-9EEB-3084239BB29C} - System32\Tasks\b30723257 => C:\Program Files (x86)\mileposts\weft.exe
Task: {9F950508-C0E2-4A9C-BAF4-F3725B36F643} - System32\Tasks\ba7999701679997016 => C:\Program Files (x86)\Flaunts\cals.exe [2017-01-02] ()
Task: {A24FF4E8-C721-485A-8D08-B942FE7A546D} - \User_Feed_Synchronization-{AF4B3188-DC0B-4559-AC6D-3F1C519B7A44} -> No File <==== ATTENTION
Task: {B3F48859-DA92-40A9-A722-7FAF4C51D0E8} - \ba1996263719962637 -> No File <==== ATTENTION
Task: {B49CAFB1-7EB2-4FAE-92EB-E35DC8527314} - System32\Tasks\ba8215737582157375 => C:\Users\Mohsen\AppData\Local\cals.exe [2017-01-02] ()
Task: {B82B4D5C-BB08-472C-BD89-88EAB9956F12} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {B86FBA2A-4D00-40BA-B723-50F1B3ACBBA7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {BBB004B9-4818-44AF-B5C8-6FC67B6E77E3} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {C2B2C8D9-45ED-42FC-B94A-1E18B74CFD00} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {CD40B747-E0B1-4364-9BD6-F88F9A3C0412} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D50126BD-8033-4193-9255-73D836488B22} - \G2MUpdateTask-S-1-5-21-1873268818-3468620095-3024752975-1001 -> No File <==== ATTENTION
Task: {DA8F0690-4347-4EC2-BA2C-507A6FE0DE08} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {E52E5A2C-D328-428E-A633-EB570D0C176A} - \HPCustParticipation HP Photosmart 7520 series -> No File <==== ATTENTION
Task: {F98FAFC2-0E3F-425C-AA32-0FADA21D9DCB} - System32\Tasks\NC => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe
Task: {FD28E8A2-A088-40FC-BFF7-1ED065A95058} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\NC.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe
AlternateDataStreams: C:\Users\Mohsen\Desktop\DSCF4507.JPG:Roxio EMC Stream [38]
FirewallRules: [{A6CE2ED1-5856-4BA4-BB8E-3CDCF33E08B1}] => C:\Users\Mohsen\AppData\Local\ddnowyes.exe
FirewallRules: [{C1A8EF1B-F67B-43C5-8C29-69AB8CD29647}] => C:\Users\Mohsen\AppData\Local\Temp\1501984\ic-0.c805a75640407.exe
FirewallRules: [{0DD9C4C2-35E3-4E2F-BA15-42ED061D1AE0}] => C:\Users\Mohsen\AppData\Local\39427830.exe
FirewallRules: [{1C574B26-B217-4027-8C55-A7C5E5712FB7}] => C:\Users\Mohsen\AppData\Local\sc52090775.exe
FirewallRules: [{901B05AC-BA19-4118-B312-E5AE1ECD4A1E}] => C:\Users\Mohsen\AppData\Local\ddnow.exe
FirewallRules: [{F0D305CF-4DCF-4029-8B79-E9BF99773578}] => C:\Program Files (x86)\contrariness\query.exe
FirewallRules: [{627712D4-6A79-4318-AD2E-E8F9C655FCCF}] => C:\Program Files (x86)\contrariness\overthrown.exe
FirewallRules: [{39622315-AE9B-4EB3-B89F-D18C1F848CE0}] => C:\Program Files (x86)\mileposts\weft.exe
FirewallRules: [{E608D877-0EB8-4F2E-9468-78D08135DEF0}] => C:\Program Files (x86)\Horrors\bestsellers.exe
FirewallRules: [{B4734EFF-D908-40D6-B216-C1EE28570298}] => C:\WINDOWS\adore.exe
FirewallRules: [{085A836E-31EB-4DAD-8002-DE659794F77E}] => C:\Program Files (x86)\Mauri\cals.exe
FirewallRules: [{7002058C-9E53-47DF-A0B6-B3C2B92B9CC1}] => C:\Program Files (x86)\Flaunts\cals.exe
FirewallRules: [TCP Query User{43F1D53F-00E8-4585-A402-2A4D703A47AD}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{D3E3A9F8-7202-43B5-A95E-399011AFEAA2}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
C:\Windows\AutoKMS
C:\Windows\joelle.exe
C:\Program Files (x86)\contrariness
C:\Program Files (x86)\mileposts
C:\Program Files (x86)\lamplighter
C:\Program Files (x86)\Horrors
C:\Users\Mohsen\AppData\Local\cals.exe
C:\Program Files (x86)\mileposts
C:\Program Files (x86)\Flaunts
C:\Program Files (x86)\Microleaves
C:\Users\Mohsen\AppData\Local\Temp\nsq650F.tmp
C:\program files (x86)\google\chrome\application\chrome334.exe
C:\Users\Mohsen\AppData\Local\ddnowyes.exe
C:\Users\Mohsen\AppData\Local\Temp\1501984\ic-0.c805a75640407.exe
C:\Users\Mohsen\AppData\Local\39427830.exe
C:\Users\Mohsen\AppData\Local\sc52090775.exe
C:\Users\Mohsen\AppData\Local\ddnow.exe
C:\WINDOWS\adore.exe
C:\Program Files (x86)\Mauri\cals.exe
C:\Program Files (x86)\Flaunts\cals.exe
C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok33542430.lnk
C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\watering.lnk

RemoveProxy:
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please post the Fixlog.txt and let me know what problem persists with this computer.

===

p.s.
Please run the Killer and post a fresh log for my review.

#7 the_ranisa


Posted 09 January 2017 - 09:16 PM

Attached File: KillerLog2.txt (6.37KB)

- I tried to remove the programs you mentioned, but they weren't listed under Programs and Features.

- I've posted the Fixlog.txt

- Problems seem to be resolved with the computer. It might be running a tiny bit slower than I remember, but I could be imagining this. 

- I've attached the Killer log .txt


---------------------

Fix result of Farbar Recovery Scan Tool (x64) Version: 08-01-2017
Ran by Mohsen (09-01-2017 19:26:46) Run:1
Running from C:\Users\Mohsen\Desktop\FRST
Loaded Profiles: Mohsen (Available Profiles: Mohsen)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
 
(troubadours) C:\Windows\joelle.exe
() C:\Program Files (x86)\Flaunts\cals.exe
() C:\Program Files (x86)\Flaunts\cals.exe
() C:\Program Files (x86)\mileposts\kingly.exe
() C:\Program Files (x86)\Flaunts\cals.exe
HKLM\...\Run: [weft.exebestsellers.exe] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM\...\Run: [ircirc] => C:\Program Files (x86)\Flaunts\cals.exe [10752 2017-01-02] ()
HKLM-x32\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKLM-x32\...\Run: [ikiiki] => C:\Program Files (x86)\Flaunts\cals.exe [10752 2017-01-02] ()
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [toys] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [kingly] => C:\Program Files (x86)\mileposts\kingly.exe [40328 2017-01-02] ()
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [piano] => "C:\Program Files (x86)\mileposts\weft.exe"
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [reims] => C:\Program Files (x86)\contrariness\query.exe [304640 2017-01-02] (windows)
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\...\Run: [politicos] => "C:\Program Files (x86)\Horrors\bestsellers.exe"
HKU\S-1-5-18\...\Run: [] => 0
Startup: C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok33542430.lnk [2017-01-02]
ShortcutTarget: ok33542430.lnk -> C:\Program Files (x86)\contrariness\query.exe (windows)
Startup: C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\watering.lnk [2017-01-02]
ShortcutTarget: watering.lnk -> C:\Program Files (x86)\contrariness\query.exe (windows)
GroupPolicy\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (MapsGalaxy) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjcpmnemablfdccplioohcaehkeomndn [2014-12-09]
CHR Extension: (Chrome Media Router) - C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-27]
U2 comprehensively; C:\WINDOWS\joelle.exe [8192 2017-01-02] (troubadours) [File not signed]
S3 dbx; system32\DRIVERS\dbx.sys [X]
CustomCLSID: HKU\S-1-5-21-1873268818-3468620095-3024752975-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Mohsen\AppData\Local\Citrix\GoToMeeting\2489\G2MOutlookAddin64.dll => No File
Task: {07F1E954-5F7F-46AA-818D-16D5F48CF84A} - System32\Tasks\dc11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => C:\Program Files (x86)\contrariness\query.exe
Task: {0F71076C-D65F-45CE-AA02-482B21C482F9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {10B7ED86-1773-494F-9E5B-DA7EA4B09690} - System32\Tasks\12040165 => C:\Program Files (x86)\mileposts\weft.exe <==== ATTENTION
Task: {147FE1D5-32B5-450C-A426-583106FE5073} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
Task: {16FC28E0-14A0-4871-8163-5A97A706BAD9} - \19962637 -> No File <==== ATTENTION
Task: {1C3A6D1A-46B7-40DE-8C65-DEF120F2E7E2} - \G2MUploadTask-S-1-5-21-1873268818-3468620095-3024752975-1001 -> No File <==== ATTENTION
Task: {1EAA069C-98F2-45FC-8106-99BB88411E4C} - System32\Tasks\k79997016 => C:\Program Files (x86)\lamplighter\lamplighter.exe [2017-01-02] (internships)
Task: {21E27867-5F93-42E1-BA3B-E6D637AA47EF} - System32\Tasks\85207132 => C:\Program Files (x86)\Horrors\bestsellers.exe <==== ATTENTION
Task: {22A0E29D-02ED-4669-AD50-5556AA83CB60} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {241AD1FF-8A24-41E7-82BE-B913AFEC979A} - System32\Tasks\82157375 => C:\Users\Mohsen\AppData\Local\cals.exe [2017-01-02] () <==== ATTENTION
Task: {291AB41E-C7B0-411F-A0B6-09752E14C69E} - \SystemToolsDailyTest -> No File <==== ATTENTION
Task: {3359EC62-654B-40C2-965B-9989C839C51B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {3BA04B60-40F7-4E5F-84C0-3B18495B3BBF} - \PCDDataUploadTask -> No File <==== ATTENTION
Task: {41460695-2F66-45ED-B4D8-4603A2EFA6AB} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {4792038B-5D0F-4390-ADFB-E91EEBEA85B3} - System32\Tasks\Da8520713285207132 => C:\Program Files (x86)\Horrors\bestsellers.exe
Task: {48CADAF8-7A3B-4002-BE30-91FA2F723128} - System32\Tasks\a30723257 => C:\Program Files (x86)\contrariness\query.exe
Task: {53B7F387-7CD0-47C4-8AE9-DE25809682A8} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {5450B6A2-2F60-43C8-94E0-E2EF35914519} - \PCDEventLauncherTask -> No File <==== ATTENTION
Task: {5C9E53AE-2590-4171-9A41-9861C19E7A0B} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {6173895F-C3B8-4415-84FE-1268941F25BD} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {67401062-6CB9-4B9E-983E-21D3B6400B81} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {680E15ED-58D0-4570-9071-A7C9DD9F17B0} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {68C08760-87DF-40DE-ABF1-0DEF4F8902F9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {6F25AE10-25E8-4087-B999-9FD928DD742B} - System32\Tasks\bak79997016k79997016 => C:\Program Files (x86)\lamplighter\lamplighter.exe [2017-01-02] (internships)
Task: {73495BF9-1AE3-4E39-8457-A77C56F7DCAF} - \PCDoctorBackgroundMonitorTask -> No File <==== ATTENTION
Task: {7B39C6D9-6E48-4F86-8523-DF5A661FC453} - \Dell SupportAssistAgent AutoUpdate -> No File <==== ATTENTION
Task: {7C316886-579D-4EA2-A29A-78D39916A4BD} - \AutoKMS -> No File <==== ATTENTION
Task: {7FCE40ED-33B4-4C70-A10C-2A032F861594} - System32\Tasks\22040165 => C:\Program Files (x86)\mileposts\weft.exe <==== ATTENTION
Task: {8254AF94-92E2-4A04-992A-E90911F1E35F} - System32\Tasks\79997016 => C:\Program Files (x86)\Flaunts\cals.exe [2017-01-02] () <==== ATTENTION
Task: {8BF55EAB-A61E-471A-9CE3-8F9E14CF13F4} - \Optimize Start Menu Cache Files-S-1-5-21-1873268818-3468620095-3024752975-1001 -> No File <==== ATTENTION
Task: {8F5F12A4-2002-4EC8-8A1B-D94A954A66C3} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {909C7EB7-27E1-4795-8ADD-D895AFD9F829} - System32\Tasks\ab11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => C:\Program Files (x86)\contrariness\query.exe
Task: {922CEFA7-AE66-4491-9EEB-3084239BB29C} - System32\Tasks\b30723257 => C:\Program Files (x86)\mileposts\weft.exe
Task: {9F950508-C0E2-4A9C-BAF4-F3725B36F643} - System32\Tasks\ba7999701679997016 => C:\Program Files (x86)\Flaunts\cals.exe [2017-01-02] ()
Task: {A24FF4E8-C721-485A-8D08-B942FE7A546D} - \User_Feed_Synchronization-{AF4B3188-DC0B-4559-AC6D-3F1C519B7A44} -> No File <==== ATTENTION
Task: {B3F48859-DA92-40A9-A722-7FAF4C51D0E8} - \ba1996263719962637 -> No File <==== ATTENTION
Task: {B49CAFB1-7EB2-4FAE-92EB-E35DC8527314} - System32\Tasks\ba8215737582157375 => C:\Users\Mohsen\AppData\Local\cals.exe [2017-01-02] ()
Task: {B82B4D5C-BB08-472C-BD89-88EAB9956F12} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {B86FBA2A-4D00-40BA-B723-50F1B3ACBBA7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {BBB004B9-4818-44AF-B5C8-6FC67B6E77E3} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {C2B2C8D9-45ED-42FC-B94A-1E18B74CFD00} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {CD40B747-E0B1-4364-9BD6-F88F9A3C0412} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D50126BD-8033-4193-9255-73D836488B22} - \G2MUpdateTask-S-1-5-21-1873268818-3468620095-3024752975-1001 -> No File <==== ATTENTION
Task: {DA8F0690-4347-4EC2-BA2C-507A6FE0DE08} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {E52E5A2C-D328-428E-A633-EB570D0C176A} - \HPCustParticipation HP Photosmart 7520 series -> No File <==== ATTENTION
Task: {F98FAFC2-0E3F-425C-AA32-0FADA21D9DCB} - System32\Tasks\NC => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe
Task: {FD28E8A2-A088-40FC-BFF7-1ED065A95058} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\NC.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe
AlternateDataStreams: C:\Users\Mohsen\Desktop\DSCF4507.JPG:Roxio EMC Stream [38]
FirewallRules: [{A6CE2ED1-5856-4BA4-BB8E-3CDCF33E08B1}] => C:\Users\Mohsen\AppData\Local\ddnowyes.exe
FirewallRules: [{C1A8EF1B-F67B-43C5-8C29-69AB8CD29647}] => C:\Users\Mohsen\AppData\Local\Temp\1501984\ic-0.c805a75640407.exe
FirewallRules: [{0DD9C4C2-35E3-4E2F-BA15-42ED061D1AE0}] => C:\Users\Mohsen\AppData\Local\39427830.exe
FirewallRules: [{1C574B26-B217-4027-8C55-A7C5E5712FB7}] => C:\Users\Mohsen\AppData\Local\sc52090775.exe
FirewallRules: [{901B05AC-BA19-4118-B312-E5AE1ECD4A1E}] => C:\Users\Mohsen\AppData\Local\ddnow.exe
FirewallRules: [{F0D305CF-4DCF-4029-8B79-E9BF99773578}] => C:\Program Files (x86)\contrariness\query.exe
FirewallRules: [{627712D4-6A79-4318-AD2E-E8F9C655FCCF}] => C:\Program Files (x86)\contrariness\overthrown.exe
FirewallRules: [{39622315-AE9B-4EB3-B89F-D18C1F848CE0}] => C:\Program Files (x86)\mileposts\weft.exe
FirewallRules: [{E608D877-0EB8-4F2E-9468-78D08135DEF0}] => C:\Program Files (x86)\Horrors\bestsellers.exe
FirewallRules: [{B4734EFF-D908-40D6-B216-C1EE28570298}] => C:\WINDOWS\adore.exe
FirewallRules: [{085A836E-31EB-4DAD-8002-DE659794F77E}] => C:\Program Files (x86)\Mauri\cals.exe
FirewallRules: [{7002058C-9E53-47DF-A0B6-B3C2B92B9CC1}] => C:\Program Files (x86)\Flaunts\cals.exe
FirewallRules: [TCP Query User{43F1D53F-00E8-4585-A402-2A4D703A47AD}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{D3E3A9F8-7202-43B5-A95E-399011AFEAA2}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
C:\Windows\AutoKMS
C:\Windows\joelle.exe
C:\Program Files (x86)\contrariness
C:\Program Files (x86)\mileposts
C:\Program Files (x86)\lamplighter
C:\Program Files (x86)\Horrors
C:\Users\Mohsen\AppData\Local\cals.exe
C:\Program Files (x86)\mileposts
C:\Program Files (x86)\Flaunts
C:\Program Files (x86)\Microleaves
C:\Users\Mohsen\AppData\Local\Temp\nsq650F.tmp
C:\program files (x86)\google\chrome\application\chrome334.exe
C:\Users\Mohsen\AppData\Local\ddnowyes.exe
C:\Users\Mohsen\AppData\Local\Temp\1501984\ic-0.c805a75640407.exe
C:\Users\Mohsen\AppData\Local\39427830.exe
C:\Users\Mohsen\AppData\Local\sc52090775.exe
C:\Users\Mohsen\AppData\Local\ddnow.exe
C:\WINDOWS\adore.exe
C:\Program Files (x86)\Mauri\cals.exe
C:\Program Files (x86)\Flaunts\cals.exe
C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok33542430.lnk
C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\watering.lnk
 
RemoveProxy:
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Windows\joelle.exe => No running process found
C:\Program Files (x86)\Flaunts\cals.exe => No running process found
C:\Program Files (x86)\Flaunts\cals.exe => No running process found
C:\Program Files (x86)\mileposts\kingly.exe => No running process found
C:\Program Files (x86)\Flaunts\cals.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\weft.exebestsellers.exe => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\toys => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ircirc => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\toys => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ikiiki => value not found.
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Windows\CurrentVersion\Run\\toys => value removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Windows\CurrentVersion\Run\\kingly => value removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Windows\CurrentVersion\Run\\piano => value removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Windows\CurrentVersion\Run\\reims => value removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\Software\Microsoft\Windows\CurrentVersion\Run\\politicos => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok33542430.lnk => not found.
C:\Program Files (x86)\contrariness\query.exe => not found.
C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\watering.lnk => moved successfully
C:\Program Files (x86)\contrariness\query.exe => not found.
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjcpmnemablfdccplioohcaehkeomndn => not found
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\comprehensively => key removed successfully
comprehensively => service removed successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{07F1E954-5F7F-46AA-818D-16D5F48CF84A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{07F1E954-5F7F-46AA-818D-16D5F48CF84A} => key removed successfully
C:\WINDOWS\System32\Tasks\dc11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dc11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0F71076C-D65F-45CE-AA02-482B21C482F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F71076C-D65F-45CE-AA02-482B21C482F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{10B7ED86-1773-494F-9E5B-DA7EA4B09690} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{10B7ED86-1773-494F-9E5B-DA7EA4B09690} => key not found. 
C:\WINDOWS\System32\Tasks\12040165 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\12040165 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{147FE1D5-32B5-450C-A426-583106FE5073} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Standalone Update Task => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{16FC28E0-14A0-4871-8163-5A97A706BAD9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{16FC28E0-14A0-4871-8163-5A97A706BAD9} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\19962637 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1C3A6D1A-46B7-40DE-8C65-DEF120F2E7E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C3A6D1A-46B7-40DE-8C65-DEF120F2E7E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\G2MUploadTask-S-1-5-21-1873268818-3468620095-3024752975-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1EAA069C-98F2-45FC-8106-99BB88411E4C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1EAA069C-98F2-45FC-8106-99BB88411E4C} => key not found. 
C:\WINDOWS\System32\Tasks\k79997016 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\k79997016 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{21E27867-5F93-42E1-BA3B-E6D637AA47EF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21E27867-5F93-42E1-BA3B-E6D637AA47EF} => key not found. 
C:\WINDOWS\System32\Tasks\85207132 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\85207132 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{22A0E29D-02ED-4669-AD50-5556AA83CB60} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22A0E29D-02ED-4669-AD50-5556AA83CB60} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{241AD1FF-8A24-41E7-82BE-B913AFEC979A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{241AD1FF-8A24-41E7-82BE-B913AFEC979A} => key not found. 
C:\WINDOWS\System32\Tasks\82157375 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\82157375 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{291AB41E-C7B0-411F-A0B6-09752E14C69E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{291AB41E-C7B0-411F-A0B6-09752E14C69E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemToolsDailyTest => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3359EC62-654B-40C2-965B-9989C839C51B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3359EC62-654B-40C2-965B-9989C839C51B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3BA04B60-40F7-4E5F-84C0-3B18495B3BBF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BA04B60-40F7-4E5F-84C0-3B18495B3BBF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PCDDataUploadTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{41460695-2F66-45ED-B4D8-4603A2EFA6AB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{41460695-2F66-45ED-B4D8-4603A2EFA6AB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DropboxUpdateTaskMachineUA => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4792038B-5D0F-4390-ADFB-E91EEBEA85B3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4792038B-5D0F-4390-ADFB-E91EEBEA85B3} => key not found. 
C:\WINDOWS\System32\Tasks\Da8520713285207132 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Da8520713285207132 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{48CADAF8-7A3B-4002-BE30-91FA2F723128} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{48CADAF8-7A3B-4002-BE30-91FA2F723128} => key not found. 
C:\WINDOWS\System32\Tasks\a30723257 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a30723257 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{53B7F387-7CD0-47C4-8AE9-DE25809682A8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53B7F387-7CD0-47C4-8AE9-DE25809682A8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5450B6A2-2F60-43C8-94E0-E2EF35914519} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5450B6A2-2F60-43C8-94E0-E2EF35914519} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PCDEventLauncherTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C9E53AE-2590-4171-9A41-9861C19E7A0B} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Standalone Update Task v2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6173895F-C3B8-4415-84FE-1268941F25BD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6173895F-C3B8-4415-84FE-1268941F25BD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{67401062-6CB9-4B9E-983E-21D3B6400B81} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67401062-6CB9-4B9E-983E-21D3B6400B81} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{680E15ED-58D0-4570-9071-A7C9DD9F17B0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{680E15ED-58D0-4570-9071-A7C9DD9F17B0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{68C08760-87DF-40DE-ABF1-0DEF4F8902F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{68C08760-87DF-40DE-ABF1-0DEF4F8902F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F25AE10-25E8-4087-B999-9FD928DD742B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F25AE10-25E8-4087-B999-9FD928DD742B} => key removed successfully
C:\WINDOWS\System32\Tasks\bak79997016k79997016 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bak79997016k79997016 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73495BF9-1AE3-4E39-8457-A77C56F7DCAF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73495BF9-1AE3-4E39-8457-A77C56F7DCAF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PCDoctorBackgroundMonitorTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7B39C6D9-6E48-4F86-8523-DF5A661FC453} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B39C6D9-6E48-4F86-8523-DF5A661FC453} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Dell SupportAssistAgent AutoUpdate => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{7C316886-579D-4EA2-A29A-78D39916A4BD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7C316886-579D-4EA2-A29A-78D39916A4BD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7FCE40ED-33B4-4C70-A10C-2A032F861594} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FCE40ED-33B4-4C70-A10C-2A032F861594} => key not found. 
C:\WINDOWS\System32\Tasks\22040165 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\22040165 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8254AF94-92E2-4A04-992A-E90911F1E35F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8254AF94-92E2-4A04-992A-E90911F1E35F} => key not found. 
C:\WINDOWS\System32\Tasks\79997016 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\79997016 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8BF55EAB-A61E-471A-9CE3-8F9E14CF13F4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8BF55EAB-A61E-471A-9CE3-8F9E14CF13F4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-S-1-5-21-1873268818-3468620095-3024752975-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8F5F12A4-2002-4EC8-8A1B-D94A954A66C3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8F5F12A4-2002-4EC8-8A1B-D94A954A66C3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{909C7EB7-27E1-4795-8ADD-D895AFD9F829} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{909C7EB7-27E1-4795-8ADD-D895AFD9F829} => key removed successfully
C:\WINDOWS\System32\Tasks\ab11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ab11A6YoJZTGeDXdKOsRic-ni-2017-01-02-ni-99991-ni-1 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{922CEFA7-AE66-4491-9EEB-3084239BB29C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{922CEFA7-AE66-4491-9EEB-3084239BB29C} => key not found. 
C:\WINDOWS\System32\Tasks\b30723257 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\b30723257 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9F950508-C0E2-4A9C-BAF4-F3725B36F643} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9F950508-C0E2-4A9C-BAF4-F3725B36F643} => key not found. 
C:\WINDOWS\System32\Tasks\ba7999701679997016 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ba7999701679997016 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A24FF4E8-C721-485A-8D08-B942FE7A546D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A24FF4E8-C721-485A-8D08-B942FE7A546D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{AF4B3188-DC0B-4559-AC6D-3F1C519B7A44} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B3F48859-DA92-40A9-A722-7FAF4C51D0E8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B3F48859-DA92-40A9-A722-7FAF4C51D0E8} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ba1996263719962637 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B49CAFB1-7EB2-4FAE-92EB-E35DC8527314} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B49CAFB1-7EB2-4FAE-92EB-E35DC8527314} => key not found. 
C:\WINDOWS\System32\Tasks\ba8215737582157375 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ba8215737582157375 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B82B4D5C-BB08-472C-BD89-88EAB9956F12} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B82B4D5C-BB08-472C-BD89-88EAB9956F12} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B86FBA2A-4D00-40BA-B723-50F1B3ACBBA7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B86FBA2A-4D00-40BA-B723-50F1B3ACBBA7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BBB004B9-4818-44AF-B5C8-6FC67B6E77E3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BBB004B9-4818-44AF-B5C8-6FC67B6E77E3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C2B2C8D9-45ED-42FC-B94A-1E18B74CFD00} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2B2C8D9-45ED-42FC-B94A-1E18B74CFD00} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DropboxUpdateTaskMachineCore => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CD40B747-E0B1-4364-9BD6-F88F9A3C0412} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CD40B747-E0B1-4364-9BD6-F88F9A3C0412} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D50126BD-8033-4193-9255-73D836488B22} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D50126BD-8033-4193-9255-73D836488B22} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\G2MUpdateTask-S-1-5-21-1873268818-3468620095-3024752975-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DA8F0690-4347-4EC2-BA2C-507A6FE0DE08} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DA8F0690-4347-4EC2-BA2C-507A6FE0DE08} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E52E5A2C-D328-428E-A633-EB570D0C176A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E52E5A2C-D328-428E-A633-EB570D0C176A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPCustParticipation HP Photosmart 7520 series => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F98FAFC2-0E3F-425C-AA32-0FADA21D9DCB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F98FAFC2-0E3F-425C-AA32-0FADA21D9DCB} => key not found. 
C:\WINDOWS\System32\Tasks\NC => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\NC => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FD28E8A2-A088-40FC-BFF7-1ED065A95058} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD28E8A2-A088-40FC-BFF7-1ED065A95058} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
C:\WINDOWS\Tasks\NC.job => not found.
C:\Users\Mohsen\Desktop\DSCF4507.JPG => ":Roxio EMC Stream" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A6CE2ED1-5856-4BA4-BB8E-3CDCF33E08B1} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C1A8EF1B-F67B-43C5-8C29-69AB8CD29647} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0DD9C4C2-35E3-4E2F-BA15-42ED061D1AE0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1C574B26-B217-4027-8C55-A7C5E5712FB7} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{901B05AC-BA19-4118-B312-E5AE1ECD4A1E} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F0D305CF-4DCF-4029-8B79-E9BF99773578} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{627712D4-6A79-4318-AD2E-E8F9C655FCCF} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{39622315-AE9B-4EB3-B89F-D18C1F848CE0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E608D877-0EB8-4F2E-9468-78D08135DEF0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B4734EFF-D908-40D6-B216-C1EE28570298} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{085A836E-31EB-4DAD-8002-DE659794F77E} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7002058C-9E53-47DF-A0B6-B3C2B92B9CC1} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{43F1D53F-00E8-4585-A402-2A4D703A47AD}C:\program files (x86)\google\chrome\application\chrome334.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{D3E3A9F8-7202-43B5-A95E-399011AFEAA2}C:\program files (x86)\google\chrome\application\chrome334.exe => value removed successfully
"C:\Windows\AutoKMS" => not found.
"C:\Windows\joelle.exe" => not found.
C:\Program Files (x86)\contrariness => moved successfully
C:\Program Files (x86)\mileposts => moved successfully
C:\Program Files (x86)\lamplighter => moved successfully
C:\Program Files (x86)\Horrors => moved successfully
C:\Users\Mohsen\AppData\Local\cals.exe => moved successfully
"C:\Program Files (x86)\mileposts" => not found.
C:\Program Files (x86)\Flaunts => moved successfully
"C:\Program Files (x86)\Microleaves" => not found.
"C:\Users\Mohsen\AppData\Local\Temp\nsq650F.tmp" => not found.
"C:\program files (x86)\google\chrome\application\chrome334.exe" => not found.
"C:\Users\Mohsen\AppData\Local\ddnowyes.exe" => not found.
"C:\Users\Mohsen\AppData\Local\Temp\1501984\ic-0.c805a75640407.exe" => not found.
"C:\Users\Mohsen\AppData\Local\39427830.exe" => not found.
"C:\Users\Mohsen\AppData\Local\sc52090775.exe" => not found.
"C:\Users\Mohsen\AppData\Local\ddnow.exe" => not found.
"C:\WINDOWS\adore.exe" => not found.
"C:\Program Files (x86)\Mauri\cals.exe" => not found.
"C:\Program Files (x86)\Flaunts\cals.exe" => not found.
"C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok33542430.lnk" => not found.
"C:\Users\Mohsen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\watering.lnk" => not found.
 
========= RemoveProxy: =========
 
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1873268818-3468620095-3024752975-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 957285039 B
Java, Flash, Steam htmlcache => 3078 B
Windows/system/drivers => 90566 B
Edge => 1575 B
Chrome => 81392618 B
Firefox => 20538784 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 3282 B
NetworkService => 0 B
Mohsen => 27316091 B
 
RecycleBin => 0 B
EmptyTemp: => 1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 19:26:55 ====

#8 nasdaq

  • Malware Response Team
  • 38,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:08 AM

Posted 10 January 2017 - 08:19 AM


Run the RogueKiller and clean these items.

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{46B4DD04-750B-410A-8941-4284624815D7}C:\windows\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\windows\keygen.exe|Name=keygen|Desc=keygen|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{A1397CBB-D480-4946-9588-FD6B55C86409}C:\windows\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\windows\keygen.exe|Name=keygen|Desc=keygen|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {8FF2EAC3-28FA-4980-80C6-7DCF8E6CEB3B} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Mohsen\AppData\Local\tinstall.exe|Name=B39427830|Desc=Allow|EmbedCtxt=@C:\Users\Mohsen\AppData\Local\tinstall.exe,-10000| [x] -> Found


===

Execute this cleaning tool.
Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.
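The RogueKiller lines above show the raw format of the Windows Firewall rule values stored under FirewallPolicy\FirewallRules: a version token followed by pipe-separated Key=Value pairs, with the App= path telling you which program the rule allows. As an added example, not code from this thread or from RogueKiller, FRST or Zoek, the Python below parses that format and flags Allow rules whose program lives in a user-writable or otherwise unusual location, the pattern behind the keygen.exe and tinstall.exe entries. The three flagged rule strings are copied from the post; the svchost.exe rule, the allowlist of executables that legitimately sit directly in C:\Windows, and the location heuristics are my own assumptions.

```python
"""Added example: audit Windows Firewall rule strings (the
FirewallPolicy\\FirewallRules value format) for executables in unusual
locations. Not RogueKiller/FRST/Zoek code; the heuristics are the
editor's assumptions, not rules published by any of those tools."""
from pathlib import PureWindowsPath

# Executables that legitimately live directly in C:\Windows (assumption:
# a short allowlist; extend it from your own clean baseline).
WINDOWS_ROOT_ALLOWLIST = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "splwow64.exe", "winhlp32.exe", "bfsvc.exe",
}

# (value name, value data) pairs. The first three are copied from the
# RogueKiller output in this thread; the fourth is constructed as a
# benign control that the audit should NOT flag.
SAMPLE_RULES = [
    ("UDP Query User{46B4DD04-750B-410A-8941-4284624815D7}C:\\windows\\keygen.exe",
     "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|"
     "App=C:\\windows\\keygen.exe|Name=keygen|Desc=keygen|Defer=User|"),
    ("TCP Query User{A1397CBB-D480-4946-9588-FD6B55C86409}C:\\windows\\keygen.exe",
     "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|"
     "App=C:\\windows\\keygen.exe|Name=keygen|Desc=keygen|Defer=User|"),
    ("{8FF2EAC3-28FA-4980-80C6-7DCF8E6CEB3B}",
     "v2.26|Action=Allow|Active=TRUE|Dir=Out|"
     "App=C:\\Users\\Mohsen\\AppData\\Local\\tinstall.exe|Name=B39427830|"
     "Desc=Allow|EmbedCtxt=@C:\\Users\\Mohsen\\AppData\\Local\\tinstall.exe,-10000|"),
    ("{00000000-0000-0000-0000-000000000000}",  # constructed control rule
     "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|"
     "App=C:\\Windows\\System32\\svchost.exe|Name=Constructed benign rule|"),
]


def parse_rule(data):
    """Split 'v2.10|Key=Value|Key=Value|' into a dict. The leading token is
    the schema version; repeated keys (for example several Profile= entries)
    are joined with commas so nothing is silently dropped."""
    tokens = data.split("|")
    fields = {"Version": tokens[0]}
    for token in tokens[1:]:
        if not token:
            continue  # the trailing '|' leaves an empty token
        key, _, value = token.partition("=")
        fields[key] = value if key not in fields else fields[key] + "," + value
    return fields


def classify_app_path(app):
    """Return the reasons an App= path looks out of place (empty if none)."""
    p = PureWindowsPath(app)
    low = str(p).lower()
    parent = str(p.parent).lower()
    reasons = []
    if "\\appdata\\" in low:
        reasons.append("executable under a user AppData directory")
    if "\\temp\\" in low:
        reasons.append("executable under a Temp directory")
    if low.startswith("c:\\programdata\\"):
        reasons.append("executable under ProgramData")
    if parent.endswith(":\\windows") and p.name.lower() not in WINDOWS_ROOT_ALLOWLIST:
        reasons.append("unexpected executable directly in the Windows directory")
    return reasons


def audit_rules(rules):
    """Flag Allow rules whose program path is in an unusual location."""
    findings = []
    for name, data in rules:
        fields = parse_rule(data)
        app = fields.get("App")
        if not app or fields.get("Action") != "Allow":
            continue
        reasons = classify_app_path(app)
        if not reasons:
            continue
        if "Query User" in name:
            # "Query User" rules are the ones written when someone clicks
            # Allow on the interactive Windows Firewall prompt.
            reasons.append("rule created through the interactive firewall prompt")
        findings.append({"name": name, "app": app, "dir": fields.get("Dir"),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['dir']:<3} {f['app']}\n    " + "\n    ".join(f["reasons"]))
```

On a live machine the same (name, data) pairs can be read from HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules and fed to audit_rules unchanged.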

#9 the_ranisa
  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:08 AM

Posted 10 January 2017 - 01:16 PM

Run completed. Looks like everything is working fine and the computer has been running well.

 

=======================================================================================================

 

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Mohsen on Tue 01/10/2017 at 12:07:38.96.
Microsoft Windows 10 Home 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Mohsen\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
1/10/2017 12:10:19 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\Mohsen\AppData\Local\ActiveSync deleted successfully
C:\Users\Mohsen\AppData\Local\EmieSiteList deleted successfully
C:\Users\Mohsen\AppData\Local\EmieUserList deleted successfully
C:\Users\Mohsen\AppData\Local\NetworkTiles deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Maps deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\Mohsen\AppData\Roaming\Mozilla\Firefox\Profiles\zhaqmmh0.default\prefs.js:
 
Added to C:\Users\Mohsen\AppData\Roaming\Mozilla\Firefox\Profiles\zhaqmmh0.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\Users\Mohsen\.android deleted
C:\bootmenu.xml deleted
C:\PROGRA~3\{A328A61B-C332-4C8C-A740-42F7F71DC398} deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Mohsen\AppData\Local\antechamber.exe deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\Mohsen\AppData\Roaming\Mozilla\Firefox\Profiles\zhaqmmh0.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\Mohsen\AppData\Roaming\Mozilla\Firefox\Profiles\zhaqmmh0.default
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\Mohsen\AppData\Roaming\Mozilla\Firefox\Profiles\zhaqmmh0.default
E8D38E8FB6EC88E7B0E0B4D9AC9B0725 - C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_186.dll - Shockwave Flash
E3B4EA121F7BDEB0F6366E2BA9608CB5 - C:\Users\Mohsen\AppData\Local\Citrix\Plugins\104\npappdetector.dll - Citrix Online Web Deployment Plugin 1.0.0.104
 
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.86
 
 
Google Cast - Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd
Videostream for Google Chromecast™ - Mohsen\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnciopoikihiagdjbjpnocolokfelagl
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{D5B5D62E-89CA-4A48-88E0-44CDD6A5D2E9}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D5B5D62E-89CA-4A48-88E0-44CDD6A5D2E9}] not found
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{D5B5D62E-89CA-4A48-88E0-44CDD6A5D2E9}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\SearchScopes\{D5B5D62E-89CA-4A48-88E0-44CDD6A5D2E9} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MDDCJS
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{D5B5D62E-89CA-4A48-88E0-44CDD6A5D2E9}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes\{D5B5D62E-89CA-4A48-88E0-44CDD6A5D2E9} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MDDCJS
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 
==== Reset Google Chrome ======================
 
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Web Data will be reset at reboot
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal will be reset at reboot
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Mohsen\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Mohsen\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Default User\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Mohsen\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Mohsen\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Cache will be emptied at reboot
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=24 folders=19 23162335 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\Mohsen\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Web Data" not found
"C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal" not found
"C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0" deleted
"C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1" deleted
"C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2" deleted
"C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3" deleted
"C:\Users\Mohsen\AppData\Local\Google\Chrome\User Data\Default\Cache\index" deleted
 
==== EOF on Tue 01/10/2017 at 13:11:36.38 ======================

#10 nasdaq

  • Malware Response Team
  • 38,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:08 AM

Posted 10 January 2017 - 02:03 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#11 the_ranisa
  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:08 AM

Posted 11 January 2017 - 02:29 AM

Thank you so much for all your help and the timely replies, nasdaq! I really appreciate it!
