360safe virus Windows 7


This topic is locked
10 replies to this topic

#1 netaccs

  • Members
  • 65 posts

Posted 03 January 2017 - 05:45 PM

Windows 7 Pro, 64-bit
There is some virus, malware...
I don't know its name, but I have noticed these problems that it causes:
 
- it creates files in
\AppData\Roaming
\AppData\Local\Temp
\AppData\Local
\AppData\Local\Application Data\Temp
\system32\drivers\
and maybe other folders, with file names of antivirus programs (360safe, 360SD, 360WD, Comodo, Malwarebytes, Trend Micro and others)
 
- it modifies the hosts file:
appends 0.0.0.0 entries in the hosts file for web sites like Kaspersky, Comodo and many more
 
- Something messes up the MSI install service.
I can install almost any antivirus program like:
SuperAntiSpyware, Kaspersky, KAV online checker, NOD; somehow I installed Malwarebytes, but it cannot start working resident, only scan.
Cannot start
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-01-2017
Ran by niki (administrator) on BRISTOL-SERVER (04-01-2017 00:20:02)
Running from C:\Users\niki\Desktop
Loaded Profiles: sys & niki (Available Profiles: DELL & clock & Suite8.Scheduler & DB1 & admin & dell2 & sys & niki)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Broadcom Corporation) C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
(Firebird Project) C:\Program Files (x86)\firebird\firebird_2_1\bin\fbguard.exe
() C:\ClockBS\GBakSchd\GBAKSRVC.EXE
(Oracle Corporation) D:\ORACLE\11.2.0\DATABASE\BIN\TNSLSNR.EXE
(Oracle Corporation) D:\ORACLE\11.2.0\DATABASE\BIN\oracle.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
() C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Firebird Project) C:\Program Files (x86)\firebird\firebird_2_1\bin\fbserver.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(MICROS-Fidelio GmbH) C:\FIDELIO\IFC8\Ifc8.exe
(MICROS-Fidelio GmbH) C:\FIDELIO\IFC8\Ifc8.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Foolish IT LLC) C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe
(Micros-Fidelio (Ireland) Ltd.) C:\FIDELIO\programs\BWCommunicator.exe
(Micros-Fidelio (Ireland) Ltd.) C:\FIDELIO\programs\mfnTrgReader.exe
(Micros-Fidelio (Ireland) Ltd.) C:\FIDELIO\programs\mfnFileReader.exe
(Micros-Fidelio (Ireland) Ltd.) C:\FIDELIO\programs\mfnDispatcher.exe
(Micros-Fidelio (Ireland) Ltd.) C:\FIDELIO\programs\mfn2WDispatcher.exe
() C:\FIDELIO\programs\mfV8SvcMonitor.exe
(Farbar) C:\Users\niki\Desktop\frst64english.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [112408 2011-08-09] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-12-07] (SUPERAntiSpyware)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{4124EE17-4096-4712-A0A4-C17F0EE48C0A}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3625114160-3359095786-791446984-1012\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3625114160-3359095786-791446984-1013\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3625114160-3359095786-791446984-1012\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3625114160-3359095786-791446984-1013\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3625114160-3359095786-791446984-1013\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2016-05-23] (IObit)
Handler-x32: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\RNetPin.dll [2006-10-16] ()

FireFox:
========
FF ProfilePath: C:\Users\niki\AppData\Roaming\Mozilla\Firefox\Profiles\DSht9W7t.default [2016-12-21]
FF Extension: (No Name) - C:\Users\niki\AppData\Roaming\Mozilla\Firefox\Profiles\DSht9W7t.default\Extensions\abs@avira.com [2016-12-21]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default [2017-01-04]
CHR Extension: (Google Презентации) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-26]
CHR Extension: (Google Документи) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-26]
CHR Extension: (Google Диск) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-26]
CHR Extension: (YouTube) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-26]
CHR Extension: (Avast SafePrice) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-11-26]
CHR Extension: (Електронни таблици от Google) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-26]
CHR Extension: (Google Документи офлайн) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-11-29]
CHR Extension: (Avast Online Security) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-20]
CHR Extension: (Плащания в уеб магазина на Chrome) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-26]
CHR Extension: (Gmail) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-26]
CHR Extension: (Chrome Media Router) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-26]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [158720 2010-06-30] (Broadcom Corporation) [File not signed]
R3 CryptoPreventEmail; C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe [420336 2016-11-29] (Foolish IT LLC)
R3 CryptoPreventFolderWatch; C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe [420336 2016-11-29] (Foolish IT LLC)
R2 CryptoPreventMonSvc; C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe [420336 2016-11-29] (Foolish IT LLC)
R2 EaseUS Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [39616 2016-06-03] (CHENGDU YIWO Tech Development Co., Ltd)
R2 FileReader; C:\Fidelio\Programs\mfnFileReader.exe [4434160 2015-11-27] (Micros-Fidelio (Ireland) Ltd.) [File not signed]
R2 FirebirdGuardianDefaultInstance; C:\Program Files (x86)\firebird\firebird_2_1\bin\fbguard.exe [81920 2014-06-04] (Firebird Project) [File not signed]
R3 FirebirdServerDefaultInstance; C:\Program Files (x86)\firebird\firebird_2_1\bin\fbserver.exe [2793472 2014-06-04] (Firebird Project) [File not signed]
R2 GBAKSrvc; C:\ClockBS\GBakSchd\GBAKSrvc.EXE [899584 2011-01-29] () [File not signed]
S2 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [360736 2016-10-28] (IObit)
R2 mfnMsgDispatcher; C:\Fidelio\Programs\mfnDispatcher.exe [1944816 2015-11-27] (Micros-Fidelio (Ireland) Ltd.) [File not signed]
R2 mfnTrgDispatcher; C:\Fidelio\Programs\mfn2WDispatcher.exe [1944304 2015-11-27] (Micros-Fidelio (Ireland) Ltd.) [File not signed]
S3 OracleDATABASEClrAgent; D:\ORACLE\11.2.0\DATABASE\bin\OraClrAgnt.exe [15360 2011-09-26] (Oracle Corporation) [File not signed]
S3 OracleDBConsoleV8; D:\ORACLE\11.2.0\DATABASE\bin\nmesrvc.exe [34304 2011-09-26] (Oracle Corporation) [File not signed]
S4 OracleJobSchedulerV8; d:\oracle\11.2.0\database\Bin\extjob.exe [45568 2011-11-02] () [File not signed]
S3 OracleMTSRecoveryService; D:\ORACLE\11.2.0\DATABASE\bin\omtsreco.exe [81408 2011-09-26] (Oracle Corporation) [File not signed]
R2 OracleServiceV8; d:\oracle\11.2.0\database\bin\ORACLE.EXE [150021120 2012-04-07] (Oracle Corporation) [File not signed]
S3 OracleVssWriterV8; d:\oracle\11.2.0\database\bin\OraVSSW.exe [192000 2011-11-02] () [File not signed]
S2 scan_service; C:\ClockBS\ClockTC\scan_server.exe [274432 2011-07-19] (ClockBS) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4088608 2016-09-21] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7500048 2016-09-20] (TeamViewer GmbH)
S2 timesyncsvc; C:\Windows\syswow64\timesyncsvc.dll [3202560 2010-11-21] (Microsoft Corporation) [File not signed]
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
R2 TrgReader; C:\Fidelio\Programs\mfnTrgReader.exe [1909488 2015-11-27] (Micros-Fidelio (Ireland) Ltd.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 OracleDATABASETNSListener; D:\ORACLE\11.2.0\DATABASE\BIN\TNSLSNR [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [48168 2015-12-10] ()
S4 LMIRfsClientNP; no ImagePath
R0 MB3SwissArmy; C:\Windows\System32\drivers\MB3SwissArmy.sys [228800 2016-11-24] (Malwarebytes)
U5 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2016-11-24] (Malwarebytes)
R3 radpms; C:\Windows\System32\DRIVERS\radpms.sys [14944 2014-02-07] (LogMeIn, Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 StnPport; C:\Windows\System32\DRIVERS\StnPport.sys [97280 2010-10-26] ()
R3 StnSport; C:\Windows\System32\DRIVERS\StnSport.sys [128000 2010-08-20] ()
U0 ybdby; C:\Windows\System32\drivers\jifnmv.sys [79064 2016-12-23] (Malwarebytes)
U4 dmwappushservice; no ImagePath
U4 dmwappushsvc; no ImagePath
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]
S2 NPF; system32\drivers\npf.sys [X]
U3 W3SVC; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-04 00:20 - 2017-01-04 00:20 - 00348582 _____ C:\Users\niki\Desktop\FRST.txt
2017-01-04 00:19 - 2017-01-04 00:20 - 00000000 ____D C:\FRST
2017-01-04 00:19 - 2017-01-04 00:19 - 02418176 _____ (Farbar) C:\Users\niki\Downloads\FRST64.exe
2017-01-04 00:19 - 2017-01-04 00:19 - 02418176 _____ (Farbar) C:\Users\niki\Desktop\frst64english.exe
2017-01-04 00:17 - 2017-01-04 00:17 - 02622304 _____ (Kaspersky Lab) C:\Users\niki\Downloads\kss16.0.0.1344en_9702.exe
2016-12-28 00:30 - 2016-12-31 00:30 - 00524288 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat{1b580d5c-c7bb-11e6-9e00-180373bc7336}.TMContainer00000000000000000002.regtrans-ms
2016-12-28 00:30 - 2016-12-31 00:30 - 00524288 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat{1b580d5c-c7bb-11e6-9e00-180373bc7336}.TMContainer00000000000000000001.regtrans-ms
2016-12-28 00:30 - 2016-12-31 00:30 - 00065536 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat{1b580d5c-c7bb-11e6-9e00-180373bc7336}.TM.blf
2016-12-27 15:59 - 2016-12-27 15:55 - 00001743 _____ C:\Users\sys\Desktop\BW Bristol new.xml
2016-12-23 14:32 - 2017-01-01 00:30 - 00005120 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat.LOG1
2016-12-23 14:32 - 2016-12-23 14:32 - 00524288 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat{1b580b3f-c7bb-11e6-9e00-180373bc7336}.TMContainer00000000000000000002.regtrans-ms
2016-12-23 14:32 - 2016-12-23 14:32 - 00524288 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat{1b580b3f-c7bb-11e6-9e00-180373bc7336}.TMContainer00000000000000000001.regtrans-ms
2016-12-23 14:32 - 2016-12-23 14:32 - 00262144 _____ C:\Users\LogMeInRemoteUser\ntuser.dat
2016-12-23 14:32 - 2016-12-23 14:32 - 00079064 _____ (Malwarebytes) C:\Windows\system32\Drivers\jifnmv.sys
2016-12-23 14:32 - 2016-12-23 14:32 - 00065536 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat{1b580b3f-c7bb-11e6-9e00-180373bc7336}.TM.blf
2016-12-23 14:32 - 2016-12-23 14:32 - 00000000 ___SH C:\Users\LogMeInRemoteUser\ntuser.dat.LOG2
2016-12-22 15:43 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2016-12-22 15:43 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\ProgramData\Desktop\Post Win10 Spybot-install.exe
2016-12-22 15:09 - 2016-12-22 14:57 - 00000083 _____ C:\Windows\system32\Drivers\etc\hosts.20161222-150930.backup
2016-12-22 15:08 - 2016-12-22 15:08 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2016-12-22 15:07 - 2016-12-22 16:07 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-12-22 15:07 - 2016-12-22 15:43 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-12-22 15:07 - 2016-12-22 15:07 - 00001351 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-12-22 15:07 - 2016-12-22 15:07 - 00001339 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2016-12-22 15:07 - 2016-12-22 15:07 - 00001339 _____ C:\ProgramData\Desktop\Spybot-S&D Start Center.lnk
2016-12-22 15:07 - 2016-12-22 15:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-12-22 15:07 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2016-12-22 15:06 - 2016-12-22 15:06 - 00003556 _____ C:\Users\niki\Desktop\Rkill.txt
2016-12-22 15:05 - 2016-12-22 15:05 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\niki\Downloads\spybot-2.4.exe
2016-12-22 15:02 - 2016-12-22 15:02 - 00000000 _____ C:\autoexec.bat
2016-12-22 15:01 - 2016-12-23 14:32 - 00000000 ____D C:\Users\niki\AppData\Roaming\Enigma Software Group
2016-12-22 15:01 - 2016-12-22 15:18 - 00000000 ____D C:\Users\niki\AppData\Roaming\IObit
2016-12-22 15:01 - 2016-12-22 15:18 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-12-22 14:54 - 2016-12-22 14:54 - 00000000 ____D C:\Program Files\Reason
2016-12-22 14:24 - 2016-12-22 14:24 - 00062064 _____ C:\Users\niki\AppData\Local\GDIPFONTCACHEV1.DAT
2016-12-22 14:23 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-12-22 14:23 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-12-22 14:23 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-22 14:22 - 2017-01-04 00:15 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-21 22:25 - 2016-12-21 22:25 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\47B84B83.sys
2016-12-21 22:13 - 2016-12-21 22:13 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\496F42AF.sys
2016-12-21 22:12 - 2016-12-21 22:12 - 00000000 ____D C:\Users\sys\AppData\Roaming\Mozilla
2016-12-21 22:09 - 2016-12-21 22:22 - 00005304 _____ C:\Windows\setupact.log
2016-12-21 22:09 - 2016-12-21 22:21 - 00584662 _____ C:\Windows\PFRO.log
2016-12-21 22:09 - 2016-12-21 22:09 - 00000000 _____ C:\Windows\setuperr.log
2016-12-21 22:07 - 2016-12-21 22:07 - 00000000 ____D C:\Program Files\Windows Defender
2016-12-21 22:07 - 2016-12-21 22:07 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-12-21 21:51 - 2016-12-21 21:51 - 08803648 _____ (Piriform Ltd) C:\Users\niki\Downloads\ccsetup525.exe
2016-12-21 21:51 - 2016-12-21 21:51 - 00002800 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-12-21 21:51 - 2016-12-21 21:51 - 00000782 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-12-21 21:51 - 2016-12-21 21:51 - 00000782 _____ C:\ProgramData\Desktop\CCleaner.lnk
2016-12-21 21:51 - 2016-12-21 21:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-12-21 21:51 - 2016-12-21 21:51 - 00000000 ____D C:\Program Files\CCleaner
2016-12-21 21:50 - 2016-12-21 21:50 - 14454784 _____ C:\Windows\system32\config\system.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 01564672 _____ C:\Users\DELL\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 01036288 _____ C:\Users\sys\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00954368 _____ C:\Users\niki\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00851968 _____ C:\Users\clock\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00684032 _____ C:\Users\admin\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00671744 _____ C:\Users\Suite8.Scheduler\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00634880 _____ C:\Users\dell2\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00610304 _____ C:\Users\DB1\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00102400 _____ C:\Windows\system32\config\default.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00069632 _____ C:\Windows\system32\config\sam.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00028672 _____ C:\Windows\system32\config\security.rctemp
2016-12-21 21:48 - 2016-12-21 21:50 - 80220160 _____ C:\Windows\system32\config\software.rctemp
2016-12-21 21:40 - 2016-12-21 21:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 7 Manager
2016-12-21 21:40 - 2016-12-21 21:40 - 00000000 ____D C:\Program Files\Yamicsoft
2016-12-21 21:32 - 2016-12-21 21:32 - 00000000 ____D C:\Users\niki\AppData\Roaming\Mozilla
2016-12-21 21:27 - 2016-12-21 21:27 - 00000000 ____D C:\Users\niki\AppData\LocalLow\IObit
2016-12-21 21:25 - 2016-12-22 15:17 - 00000000 ____D C:\ProgramData\IObit
2016-12-21 21:25 - 2016-12-21 21:27 - 00000000 ____D C:\ProgramData\ProductData
2016-12-21 21:25 - 2016-12-21 21:25 - 14361888 _____ (IObit) C:\Users\niki\Downloads\iobituninstaller.exe
2016-12-21 21:25 - 2016-12-21 21:25 - 00002914 _____ C:\Windows\System32\Tasks\Uninstaller_SkipUac_sys
2016-12-21 21:25 - 2016-12-21 21:25 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller.lnk
2016-12-21 21:25 - 2016-12-21 21:25 - 00001314 _____ C:\Users\Public\Desktop\IObit Uninstaller.lnk
2016-12-21 21:25 - 2016-12-21 21:25 - 00001314 _____ C:\ProgramData\Desktop\IObit Uninstaller.lnk
2016-12-21 21:25 - 2016-12-21 21:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2016-12-21 21:25 - 2016-12-21 21:25 - 00000000 ____D C:\Program Files (x86)\IObit
2016-12-21 21:24 - 2016-12-21 21:24 - 00000000 ____D C:\ProgramData\AVAST Software
2016-12-21 21:21 - 2016-12-21 21:21 - 00524288 ___SH C:\ProgramData\ntuser.dat{0cb92389-c7b2-11e6-9a1a-180373bc7336}.TMContainer00000000000000000002.regtrans-ms
2016-12-21 21:21 - 2016-12-21 21:21 - 00524288 ___SH C:\ProgramData\ntuser.dat{0cb92389-c7b2-11e6-9a1a-180373bc7336}.TMContainer00000000000000000001.regtrans-ms
2016-12-21 21:21 - 2016-12-21 21:21 - 00065536 ___SH C:\ProgramData\ntuser.dat{0cb92389-c7b2-11e6-9a1a-180373bc7336}.TM.blf
2016-12-21 21:12 - 2016-12-21 22:18 - 00000906 __RSH C:\ProgramData\ntuser.pol
2016-12-21 21:11 - 2016-12-21 21:11 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-12-21 19:45 - 2016-12-22 09:48 - 00002150 _____ C:\Windows\epplauncher.mif
2016-12-21 19:45 - 2016-12-21 22:13 - 00005120 ___SH C:\ProgramData\ntuser.dat.LOG1
2016-12-21 19:45 - 2016-12-21 19:45 - 00524288 ___SH C:\Users\Public\ntuser.dat{a27a57de-c75b-11e6-a692-180373bc7336}.TMContainer00000000000000000002.regtrans-ms
2016-12-21 19:45 - 2016-12-21 19:45 - 00524288 ___SH C:\Users\Public\ntuser.dat{a27a57de-c75b-11e6-a692-180373bc7336}.TMContainer00000000000000000001.regtrans-ms
2016-12-21 19:45 - 2016-12-21 19:45 - 00524288 ___SH C:\ProgramData\ntuser.dat{a27a57c8-c75b-11e6-a692-180373bc7336}.TMContainer00000000000000000002.regtrans-ms
2016-12-21 19:45 - 2016-12-21 19:45 - 00524288 ___SH C:\ProgramData\ntuser.dat{a27a57c8-c75b-11e6-a692-180373bc7336}.TMContainer00000000000000000001.regtrans-ms
2016-12-21 19:45 - 2016-12-21 19:45 - 00262144 _____ C:\ProgramData\ntuser.dat
2016-12-21 19:45 - 2016-12-21 19:45 - 00065536 ___SH C:\Users\Public\ntuser.dat{a27a57de-c75b-11e6-a692-180373bc7336}.TM.blf
2016-12-21 19:45 - 2016-12-21 19:45 - 00065536 ___SH C:\ProgramData\ntuser.dat{a27a57c8-c75b-11e6-a692-180373bc7336}.TM.blf
2016-12-21 19:45 - 2016-12-21 19:45 - 00000000 ___SH C:\ProgramData\ntuser.dat.LOG2
2016-12-21 19:44 - 2016-12-21 19:44 - 15065792 _____ (Microsoft Corporation) C:\Users\niki\Downloads\MSEInstall.exe
2016-12-21 19:43 - 2016-12-21 19:45 - 175942176 _____ (Kaspersky Lab) C:\Users\niki\Downloads\kav17.0.0.611en_10733.exe
2016-12-21 15:06 - 2016-12-21 15:06 - 00001743 _____ C:\Users\sys\Desktop\Bristol.xml
2016-12-21 11:05 - 2016-12-21 11:05 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\1E8D42F8.sys
2016-12-21 09:56 - 2016-12-21 11:04 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\301B0EAC.sys
2016-12-21 09:56 - 2016-12-21 09:56 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\644D0E7E.sys
2016-12-21 09:54 - 2017-01-03 17:54 - 00000508 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 7778d8ea-f386-487e-bb82-b5348f74b025.job
2016-12-21 09:54 - 2017-01-03 02:00 - 00000508 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 97f4adeb-0927-4f73-aa7e-bc520ad6bd9a.job
2016-12-21 09:54 - 2016-12-21 09:54 - 00003596 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 97f4adeb-0927-4f73-aa7e-bc520ad6bd9a
2016-12-21 09:54 - 2016-12-21 09:54 - 00003522 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 7778d8ea-f386-487e-bb82-b5348f74b025
2016-12-21 09:53 - 2016-12-21 09:53 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2016-12-21 09:53 - 2016-12-21 09:53 - 00001808 _____ C:\ProgramData\Desktop\SUPERAntiSpyware Free Edition.lnk
2016-12-21 09:53 - 2016-12-21 09:53 - 00000000 ____D C:\Users\niki\AppData\Roaming\SUPERAntiSpyware.com
2016-12-21 09:53 - 2016-12-21 09:53 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-12-21 09:53 - 2016-12-21 09:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-12-21 09:53 - 2016-12-21 09:53 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-12-21 01:03 - 2016-12-21 01:03 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\390676BA.sys
2016-12-21 00:46 - 2016-12-21 00:49 - 00000000 __SHD C:\$RECYCLE.BIN
2016-12-21 00:42 - 2016-12-21 21:45 - 00000000 ___SD C:\ComboFix
2016-12-21 00:42 - 2006-01-09 10:36 - 00040960 _____ C:\Windows\SysWOW64\swsc.exe
2016-12-21 00:39 - 2017-01-01 00:30 - 00005120 ___SH C:\Users\Public\ntuser.dat.LOG1
2016-12-21 00:39 - 2016-12-21 00:39 - 00524288 ___SH C:\Users\Public\ntuser.dat{e210925f-c703-11e6-80e3-180373bc7336}.TMContainer00000000000000000002.regtrans-ms
2016-12-21 00:39 - 2016-12-21 00:39 - 00524288 ___SH C:\Users\Public\ntuser.dat{e210925f-c703-11e6-80e3-180373bc7336}.TMContainer00000000000000000001.regtrans-ms
2016-12-21 00:39 - 2016-12-21 00:39 - 00262144 _____ C:\Users\Public\ntuser.dat
2016-12-21 00:39 - 2016-12-21 00:39 - 00065536 ___SH C:\Users\Public\ntuser.dat{e210925f-c703-11e6-80e3-180373bc7336}.TM.blf
2016-12-21 00:39 - 2016-12-21 00:39 - 00000000 ___SH C:\Users\Public\ntuser.dat.LOG2
2016-12-21 00:38 - 2016-12-21 19:45 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2016-12-21 00:38 - 2016-12-21 00:38 - 00000000 ____D C:\Users\Public\AppData\Local\temp
2016-12-21 00:38 - 2016-12-21 00:38 - 00000000 ____D C:\Users\Public\AppData\Local
2016-12-21 00:38 - 2016-12-21 00:38 - 00000000 ____D C:\Users\Public\AppData
2016-12-21 00:38 - 2016-12-21 00:38 - 00000000 ____D C:\Users\Default\AppData\Local\temp
2016-12-21 00:38 - 2016-12-21 00:38 - 00000000 ____D C:\Users\Default User\AppData\Local\temp
2016-12-21 00:37 - 2016-12-21 01:03 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\5EEC62D4.sys
2016-12-21 00:37 - 2016-12-21 00:42 - 00004331 _____ C:\rapport.txt
2016-12-21 00:37 - 2016-12-21 00:42 - 00000990 _____ C:\Windows\SysWOW64\tmp.reg
2016-12-21 00:37 - 2016-12-21 00:42 - 00000000 _____ C:\Windows\SysWOW64\tmp.txt
2016-12-21 00:37 - 2009-06-02 11:17 - 00075776 _____ C:\Windows\SysWOW64\WS2Fix.exe
2016-12-21 00:37 - 2008-12-12 01:57 - 00078336 _____ (S!Ri.URZ) C:\Windows\SysWOW64\Agent.OMZ.Fix.exe
2016-12-21 00:37 - 2008-11-29 18:58 - 00082944 _____ (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.C.exe
2016-12-21 00:37 - 2008-10-01 15:51 - 00087552 _____ (S!Ri.URZ) C:\Windows\SysWOW64\VACFix.exe
2016-12-21 00:37 - 2008-09-20 12:45 - 00080384 _____ (S!Ri.URZ) C:\Windows\SysWOW64\o4Patch.exe
2016-12-21 00:37 - 2008-08-18 12:19 - 00082432 _____ (S!Ri.URZ) C:\Windows\SysWOW64\404Fix.exe
2016-12-21 00:37 - 2008-05-18 21:40 - 00082944 _____ (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.exe
2016-12-21 00:37 - 2007-09-06 00:22 - 00289144 _____ (S!Ri) C:\Windows\SysWOW64\VCCLSID.exe
2016-12-21 00:37 - 2006-04-27 17:49 - 00288417 _____ (S!Ri) C:\Windows\SysWOW64\SrchSTS.exe
2016-12-21 00:37 - 2004-07-31 18:50 - 00051200 _____ C:\Windows\SysWOW64\dumphive.exe
2016-12-21 00:37 - 2003-06-05 21:13 - 00053248 _____ (hxxp://www.beyondlogic.org) C:\Windows\SysWOW64\Process.exe
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SYSTEM.tmp.LOG2
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SYSTEM.tmp.LOG1
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SOFTWARE.tmp.LOG2
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SOFTWARE.tmp.LOG1
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SECURITY.tmp.LOG2
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SECURITY.tmp.LOG1
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SAM.tmp.LOG2
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\SAM.tmp.LOG1
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\DEFAULT.tmp.LOG2
2016-12-21 00:24 - 2016-12-21 00:24 - 00000000 ___SH C:\Windows\system32\config\DEFAULT.tmp.LOG1
2016-12-21 00:23 - 2017-01-04 00:15 - 00000000 ____D C:\Windows\temp
2016-12-21 00:23 - 2016-12-23 14:32 - 00449935 _____ C:\Windows\system32\Drivers\etc\hosts
2016-12-21 00:17 - 2016-12-21 00:42 - 00000000 ____D C:\Qoobox
2016-12-21 00:17 - 2016-12-21 00:36 - 00000000 ____D C:\Windows\erdnt
2016-12-21 00:17 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2016-12-21 00:17 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2016-12-21 00:17 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-12-21 00:17 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-12-21 00:17 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-12-21 00:17 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2016-12-21 00:17 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2016-12-21 00:17 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2016-12-21 00:03 - 2016-12-21 00:11 - 00000000 ____D C:\Users\niki\Doctor Web
2016-12-20 23:59 - 2016-12-20 23:59 - 28698328 _____ (SUPERAntiSpyware) C:\Users\niki\Downloads\SUPERAntiSpyware.exe
2016-12-20 23:57 - 2016-12-20 23:59 - 146638432 _____ C:\Users\niki\Downloads\t4m4uitk.exe
2016-12-20 23:48 - 2016-12-20 23:48 - 00000000 ____D C:\Users\niki\AppData\Roaming\WinRAR
2016-12-20 23:33 - 2016-12-21 00:36 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\0D8F312E.sys
2016-12-20 23:32 - 2016-12-20 23:32 - 00004034 _____ C:\Windows\System32\Tasks\Restart OIFC BW_1
2016-12-20 23:32 - 2016-12-20 23:32 - 00003752 _____ C:\Windows\System32\Tasks\BackupDB Fidelio1
2016-12-20 23:31 - 2016-12-20 23:31 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\24EB2FF2.sys
2016-12-20 23:30 - 2016-12-22 14:23 - 00000992 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-12-20 23:30 - 2016-12-22 14:23 - 00000992 _____ C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2016-12-20 23:30 - 2016-12-22 14:23 - 00000000 ____D C:\Program Files (x86)\Malwarebytessss
2016-12-20 23:30 - 2016-12-20 23:30 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\11652F83.sys
2016-12-20 23:30 - 2016-12-20 23:30 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-20 23:19 - 2016-12-21 21:45 - 00000000 ____D C:\Users\niki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2016-12-20 23:16 - 2016-12-21 21:42 - 00000000 ____D C:\Program Files (x86)\Unlocker
2016-12-20 22:53 - 2016-12-22 15:17 - 00000000 ____D C:\AdwCleaner
2016-12-20 12:24 - 2016-12-20 12:24 - 00004034 _____ C:\Windows\System32\Tasks\Restart OIFC BW
2016-12-20 12:20 - 2016-12-20 12:24 - 00003750 _____ C:\Windows\System32\Tasks\BackupDB Fidelio
2016-12-19 10:24 - 2016-12-19 10:27 - 00002002 ____H C:\Users\sys\Documents\Default.rdp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-03 16:49 - 2016-02-10 16:15 - 00000000 ____D C:\TEMP
2017-01-03 11:00 - 2016-11-29 18:56 - 00004096 ___SH C:\{3E6923B3-24B0-4838-887C-41C96A6BF594}.CBM
2017-01-03 10:40 - 2016-11-29 18:33 - 00334336 ___SH C:\EUMONBMP.SYS
2017-01-03 10:40 - 2016-11-29 18:33 - 00000000 ____D C:\Windows\system32\config\regsave
2016-12-29 20:21 - 2009-07-14 06:45 - 00015168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-29 20:21 - 2009-07-14 06:45 - 00015168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-29 13:25 - 2016-06-28 08:57 - 00000000 ____D C:\Users\sys\AppData\Local\Temp
2016-12-29 13:25 - 2009-07-14 07:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-12-28 00:30 - 2012-06-22 13:07 - 00000000 ____D C:\Users\LogMeInRemoteUser
2016-12-27 15:59 - 2016-06-28 08:57 - 00000000 ___RD C:\Users\sys\Desktop
2016-12-23 22:23 - 2012-06-21 12:06 - 00000000 ____D C:\Windows\Prefetch
2016-12-23 14:32 - 2016-11-26 14:02 - 00000000 ___RD C:\Users\niki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
2016-12-23 14:32 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\drivers
2016-12-23 14:32 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\Branding
2016-12-22 19:38 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\winsxs
2016-12-22 19:38 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\catroot2
2016-12-22 16:47 - 2012-06-22 13:07 - 00000000 ____D C:\Users\LogMeInRemoteUser\Documents
2016-12-22 16:47 - 2012-06-22 13:07 - 00000000 ____D C:\Users\LogMeInRemoteUser\Desktop
2016-12-22 16:08 - 2016-06-27 21:40 - 05242880 ___SH C:\Users\dell2\NTUSER.DAT
2016-12-22 16:08 - 2016-06-26 23:43 - 05505024 ___SH C:\Users\admin\NTUSER.DAT
2016-12-22 16:08 - 2016-05-02 19:05 - 05242880 ___SH C:\Users\DB1\NTUSER.DAT
2016-12-22 16:08 - 2016-02-10 16:19 - 05505024 ___SH C:\Users\Suite8.Scheduler\NTUSER.DAT
2016-12-22 16:08 - 2012-06-28 13:31 - 05505024 ___SH C:\Users\clock\NTUSER.DAT
2016-12-22 16:08 - 2012-06-21 12:09 - 06291456 ___SH C:\Users\DELL\NTUSER.DAT
2016-12-22 15:43 - 2016-11-22 18:57 - 00000000 ____D C:\Program Files\Common Files\AV
2016-12-22 15:43 - 2009-07-14 05:20 - 00000000 __RHD C:\Users\Public\Desktop
2016-12-22 15:18 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\Tasks
2016-12-22 15:09 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\Drivers\etc
2016-12-22 15:07 - 2009-07-14 05:20 - 00000000 ___SD C:\ProgramData\Microsoft
2016-12-22 15:07 - 2009-07-14 05:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs
2016-12-22 15:07 - 2009-07-14 05:20 - 00000000 ___RD C:\Program Files (x86)
2016-12-22 15:07 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\System32
2016-12-22 15:07 - 2009-07-14 05:20 - 00000000 ____D C:\ProgramData
2016-12-22 15:01 - 2016-11-26 14:02 - 00000000 ____D C:\Users\niki\AppData\Roaming
2016-12-22 15:01 - 2009-07-14 05:20 - 00000000 ___RD C:\Program Files
2016-12-22 14:24 - 2016-11-26 14:02 - 00000000 ____D C:\Users\niki\AppData\Local
2016-12-22 14:23 - 2016-11-22 19:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-12-22 14:19 - 2016-06-28 08:57 - 00000000 ____D C:\Users\sys\AppData\Local
2016-12-22 14:19 - 2016-02-10 16:19 - 00000000 ____D C:\Users\Suite8.Scheduler\AppData\Local\Temp
2016-12-22 14:18 - 2016-02-10 16:19 - 00000000 ____D C:\Users\Suite8.Scheduler\AppData\Local
2016-12-22 14:14 - 2016-06-27 21:40 - 00000000 ____D C:\Users\dell2\AppData\Local\Temp
2016-12-22 14:12 - 2016-06-27 21:40 - 00000000 ____D C:\Users\dell2\AppData\Local
2016-12-22 14:10 - 2012-06-21 12:09 - 00000000 ____D C:\Users\DELL\AppData\Local\Temp
2016-12-22 14:09 - 2012-06-21 12:09 - 00000000 ____D C:\Users\DELL\AppData\Local
2016-12-22 14:06 - 2016-05-02 19:05 - 00000000 ____D C:\Users\DB1\AppData\Local\Temp
2016-12-22 14:05 - 2016-05-02 19:05 - 00000000 ____D C:\Users\DB1\AppData\Local
2016-12-22 14:05 - 2012-06-28 13:31 - 00000000 ____D C:\Users\clock\AppData\Local
2016-12-22 14:04 - 2012-06-28 13:31 - 00000000 ____D C:\Users\clock\AppData\Local\Temp
2016-12-22 14:03 - 2016-06-26 23:43 - 00000000 ____D C:\Users\admin\AppData\Local\Temp
2016-12-22 14:02 - 2016-06-26 23:43 - 00000000 ____D C:\Users\admin\AppData\Local
2016-12-21 22:32 - 2012-05-23 22:09 - 00000000 __SHD C:\Windows\Installer
2016-12-21 22:23 - 2012-05-23 14:08 - 00000044 _____ C:\Windows\SysWOW64\log.txt
2016-12-21 22:22 - 2016-11-28 04:05 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-21 22:22 - 2009-07-14 07:38 - 00067584 _____ C:\Windows\bootstat.dat
2016-12-21 22:22 - 2009-07-14 04:34 - 00028672 _____ C:\Windows\system32\config\SECURITY
2016-12-21 22:22 - 2009-07-14 04:34 - 00021504 ____H C:\Windows\system32\config\SECURITY.LOG1
2016-12-21 22:21 - 2016-09-15 02:22 - 4170080256 ___SH C:\pagefile.sys
2016-12-21 22:21 - 2012-07-20 16:00 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-12-21 22:21 - 2012-05-23 21:23 - 4201299968 ___SH C:\hiberfil.sys
2016-12-21 22:17 - 2009-07-14 05:20 - 00000000 __RSD C:\Windows\assembly
2016-12-21 22:14 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\DriverStore
2016-12-21 22:14 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2016-12-21 22:14 - 2009-07-14 04:34 - 00189440 ____H C:\Users\Default\NTUSER.DAT.LOG1
2016-12-21 22:12 - 2016-06-28 08:57 - 00000000 ____D C:\Users\sys\AppData\Roaming
2016-12-21 21:52 - 2012-06-21 16:11 - 00000000 ____D C:\ProgramData\LogMeIn
2016-12-21 21:52 - 2009-07-14 06:45 - 00000000 ____D C:\Windows\debug
2016-12-21 21:52 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\Logs
2016-12-21 21:50 - 2016-11-26 14:02 - 00000000 ____D C:\Users\niki
2016-12-21 21:50 - 2016-06-28 08:57 - 00000000 ____D C:\Users\sys
2016-12-21 21:50 - 2016-06-27 21:40 - 00000000 ____D C:\Users\dell2
2016-12-21 21:50 - 2016-06-26 23:43 - 00000000 ____D C:\Users\admin
2016-12-21 21:50 - 2016-05-02 19:05 - 00000000 ____D C:\Users\DB1
2016-12-21 21:50 - 2016-02-10 16:19 - 00000000 ____D C:\Users\Suite8.Scheduler
2016-12-21 21:50 - 2012-06-28 13:31 - 00000000 ____D C:\Users\clock
2016-12-21 21:50 - 2012-06-21 12:09 - 00000000 ____D C:\Users\DELL
2016-12-21 21:45 - 2016-11-24 00:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-21 21:45 - 2016-06-26 23:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
2016-12-21 21:45 - 2014-08-12 13:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firebird 2.1 (Win32)
2016-12-21 21:40 - 2009-07-14 01:31 - 00000000 __SHD C:\System Volume Information
2016-12-21 21:27 - 2016-11-26 14:02 - 00000000 ____D C:\Users\niki\AppData\LocalLow
2016-12-21 21:27 - 2009-07-14 05:20 - 00000000 ____D C:\Program Files (x86)\Common Files
2016-12-21 21:21 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\catroot
2016-12-21 19:45 - 2009-07-14 05:20 - 00000000 ___RD C:\Users\Public
2016-12-21 19:12 - 2009-07-14 05:20 - 00000000 ____D C:\Program Files\Common Files
2016-12-21 09:54 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\Tasks
2016-12-21 09:45 - 2009-07-14 07:32 - 00000000 ____D C:\Windows\Offline Web Pages
2016-12-21 02:21 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\config\RegBack
2016-12-21 00:42 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\SysWOW64
2016-12-21 00:38 - 2009-07-14 05:20 - 00000000 __RHD C:\Users\Default
2016-12-21 00:38 - 2009-07-14 05:20 - 00000000 ____D C:\Users\Default\AppData\Local
2016-12-21 00:38 - 2009-07-14 05:20 - 00000000 ____D C:\Users\Default User\AppData\Local
2016-12-21 00:31 - 2009-07-14 04:34 - 00000215 _____ C:\Windows\system.ini
2016-12-21 00:29 - 2009-07-14 04:34 - 81002496 _____ C:\Windows\system32\config\SOFTWARE.bak
2016-12-21 00:29 - 2009-07-14 04:34 - 17825792 _____ C:\Windows\system32\config\SYSTEM.bak
2016-12-21 00:29 - 2009-07-14 04:34 - 00262144 _____ C:\Windows\system32\config\SECURITY.bak
2016-12-21 00:29 - 2009-07-14 04:34 - 00262144 _____ C:\Windows\system32\config\SAM.bak
2016-12-21 00:29 - 2009-07-14 04:34 - 00262144 _____ C:\Windows\system32\config\DEFAULT.bak
2016-12-21 00:21 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\SysWOW64\drivers
2016-12-21 00:21 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\AppPatch
2016-12-20 23:28 - 2016-11-26 14:03 - 00000000 ____D C:\Users\niki\AppData\Local\Google
2016-12-20 17:23 - 2016-11-29 18:23 - 00000034 _____ C:\Windows\AvastEmUpdate.ini
2016-12-19 16:44 - 2016-11-26 14:02 - 00000000 ____D C:\Users\niki\AppData\Local\Microsoft
2016-12-19 10:24 - 2016-06-28 08:57 - 00000000 ___RD C:\Users\sys\Documents
2016-12-05 14:02 - 2016-06-28 10:17 - 00001218 _____ C:\Users\sys\Desktop\Restart_OIFC.bat

==================== Files in the root of some directories =======

2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\AVG Secure Search
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Baidu
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Bitdefender
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\BullGuard Ltd
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\COMODO
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Doctor Web
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\eAcceleration
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\G Data
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\InfoWatch
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Intel Security
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\McAfee
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\MicroWorld
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Panda Security
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Symantec Shared
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\TrustPort
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\ProgramData\.clamwin

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-21 02:21

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by niki (04-01-2017 00:20:35)
Running from C:\Users\niki\Desktop
Windows 7 Professional Service Pack 1 (X64) (2012-06-21 10:22:28)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

admin (S-1-5-21-3625114160-3359095786-791446984-1010 - Administrator - Disabled) => C:\Users\admin
Administrator (S-1-5-21-3625114160-3359095786-791446984-500 - Administrator - Disabled)
backup (S-1-5-21-3625114160-3359095786-791446984-1014 - Limited - Enabled)
clock (S-1-5-21-3625114160-3359095786-791446984-1002 - Administrator - Disabled) => C:\Users\clock
DB1 (S-1-5-21-3625114160-3359095786-791446984-1009 - Administrator - Disabled) => C:\Users\DB1
DELL (S-1-5-21-3625114160-3359095786-791446984-1000 - Administrator - Disabled) => C:\Users\DELL
dell2 (S-1-5-21-3625114160-3359095786-791446984-1011 - Administrator - Disabled) => C:\Users\dell2
Guest (S-1-5-21-3625114160-3359095786-791446984-501 - Limited - Disabled)
niki (S-1-5-21-3625114160-3359095786-791446984-1013 - Administrator - Enabled) => C:\Users\niki
Suite8.Scheduler (S-1-5-21-3625114160-3359095786-791446984-1008 - Administrator - Disabled) => C:\Users\Suite8.Scheduler
Suite8.VerCtrl (S-1-5-21-3625114160-3359095786-791446984-1005 - Limited - Disabled)
sys (S-1-5-21-3625114160-3359095786-791446984-1012 - Administrator - Enabled) => C:\Users\sys

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Spybot - Search and Destroy (Enabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Disabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Advanced Mass Sender 4.3 (HKLM-x32\...\Advanced Mass Sender 4.3) (Version: - )
ATI Catalyst Install Manager (HKLM\...\{35B9B5CE-CA4C-944F-E699-09F7EF1AFA82}) (Version: 3.0.804.0 - ATI Technologies, Inc.)
Best Western PKI version 1.0 (HKLM-x32\...\Best Western PKI_is1) (Version: 1.0 - Best Western International, Inc.) <==== ATTENTION
Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{64973F6A-8754-43D1-BDD0-FC6F0546347B}) (Version: 14.4.4.3 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
Clock Effect 3 (HKLM-x32\...\Clock Effect 3) (Version: - )
Clock Effect Server (HKLM-x32\...\Clock Effect Server) (Version: - )
Clock Evolution 2011 Client (HKLM-x32\...\Clock Evolution 2011 Client) (Version: 7.1.18 - Clock Hotel Software)
Clock Evolution 2011 Server (HKLM-x32\...\Clock Evolution 2011 Server) (Version: 7.1.18 - Clock Hotel Software)
Clock Evolution 8 Client (HKLM-x32\...\Clock Evolution 8 Client) (Version: 7.1.18 - Clock Hotel Software)
Clock Evolution 8 Client (x32 Version: 7.1.18 - Clock Hotel Software) Hidden
Clock Evolution 8 Server (HKLM-x32\...\Clock Evolution 8 Server) (Version: 7.1.18 - Clock Hotel Software)
Clock Evolution 8 Server (x32 Version: 7.1.18 - Clock Hotel Software) Hidden
Clock POSitive 3 (HKLM-x32\...\Clock POSitive 3) (Version: - )
Clock POSitive 3 Server (p 42) (HKLM-x32\...\Clock POSitive 3 Server (p 42)) (Version: - )
Crazy Browser version 3.1.0 (HKLM-x32\...\Crazy Browser 3.1.0_is1) (Version: - )
CryptoPrevent (HKLM-x32\...\{5C5B24E7-4694-4049-A222-CCE7D3FAC63F}_is1) (Version: 8.0.0.0 - Foolish IT LLC)
Crystal Report 2008 Runtime SP6 (HKLM-x32\...\{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}) (Version: 12.6.0.1596 - SAP AG)
Crystal Reports 2008 SP2 (HKLM-x32\...\{068857D8-FDD1-4F29-8F74-E9DE91E8A587}) (Version: 12.1.0.883 - Business Objects)
EaseUS Todo Backup Free 9.2 (HKLM-x32\...\EaseUS Todo Backup_is1) (Version: 9.2 - CHENGDU YIWO Tech Development Co., Ltd)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - )
Fidelio SUITE8 Client (HKLM-x32\...\{99B8EB99-D050-4BE1-BE7F-85FCF1F1C912}) (Version: 8.9.5.3 - )
Fidelio SUITE8 Oracle 11.2.0.3 Setup (HKLM-x32\...\{9066F985-259E-4A9D-BACF-A195AEE19139}) (Version: 8.9.5.2 Patch 10.14 - )
Fidelio SUITE8 Oracle Instance/Version Control (HKLM-x32\...\{C127774A-3669-4E7C-B239-E9E6B9D99FC5}) (Version: 8.9.5.2 Patch 10.14 - )
Firebird 2.1.6.18547 (Win32) (HKLM-x32\...\FBDBServer_2_1_is1) (Version: 2.1.6.18547 - Firebird Project)
Firebird Server CHS Edition (HKLM-x32\...\{DD3912A9-2D22-44C1-9D83-15C2ED8985FC}) (Version: 1.00.0000 - Clock Hotel Software)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 54.0.2840.99 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
HijackThis 2.0.0 (HKLM-x32\...\HijackThis) (Version: 2.0.0 - TrendMicro)
HK-Software IBExpert Developer Studio Trial Version (HKLM-x32\...\HK-Software IBExpert Developer Studio Trial Version_is1) (Version: - )
IFC8 - Version 8.8.1.8 (HKLM-x32\...\{6E48945F-8863-462B-B33F-B08BE5D0A0E9}) (Version: 8.8.1.8 - )
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2418 - Intel Corporation)
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 6.1.0.26 - IObit)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
MICROS-Fidelio Suite8 Online Interface (HKLM-x32\...\{07563377-5592-48C9-ABF7-7F4D26718AB3}) (Version: 8.9.6.2 - )
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
MSI to redistribute MS VS2005 CRT libraries (HKLM-x32\...\{A8D93648-9F7F-407D-915C-62044644C3DA}) (Version: 8.0.50727.42 - The Firebird Project)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Quest Installer (HKLM-x32\...\Quest Installer) (Version: - )
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.30.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.30.0 - Renesas Electronics Corporation) Hidden
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1230 - SUPERAntiSpyware.com)
TeamViewer 11 (HKLM-x32\...\TeamViewer) (Version: 11.0.66695 - TeamViewer)
Toad for Oracle 10.6 (HKLM-x32\...\{07E15A70-04CB-46D5-8C7D-8BEA6DADBBF0}) (Version: 10.6.1.3 - Quest Software, Inc.)
TurboMailer 2 (HKLM-x32\...\{9E156899-D3A1-4F10-8323-364A095FCFDB}}_is1) (Version: - Xellsoft.com)
Unlocker 1.9.0 (HKLM-x32\...\Unlocker) (Version: 1.9.0 - Cedrick Collomb)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM-x32\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
Winamp (HKLM-x32\...\Winamp) (Version: 5.666 - Nullsoft, Inc)
Windows 7 Manager (HKLM\...\{796CE952-4989-4E96-9BA7-FFE18F5EC73C}) (Version: 4.4.8 - Yamicsoft)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
WinRAR 5.40 beta 3 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.40.3 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1997163B-7472-447F-9A99-07F90287AB8B} - \Microsoft\Windows\WindowsBackup\Windows Backup Monitor -> No File <==== ATTENTION
Task: {1C0616C8-AD57-4724-BA13-AC1C82D4C6BE} - System32\Tasks\avast! Emergency Update => C:\Program Files (x86)\AvastAV\AvastEmUpdate.exe
Task: {1EB03939-FE73-409A-99D1-2FB531D12499} - System32\Tasks\Restart OIFC BW => C:\FIDELIO\Restart_OIFC.bat [2016-10-12] () <==== ATTENTION
Task: {1F8EBFDF-1B74-48FB-96D3-B97B335F51A5} - \SUITE8 db schema analyze -> No File <==== ATTENTION
Task: {201BA14A-799A-4253-B6A2-9DA9A3A2FB93} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {2092C50E-DBE3-4AD8-B097-B67C6070F60B} - System32\Tasks\Uninstaller_SkipUac_sys => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe [2016-12-01] (IObit)
Task: {24B9B6BC-40E5-446E-813A-1A5B55F51F6D} - System32\Tasks\Restart OIFC BW_1 => C:\FIDELIO\Restart_OIFC.bat [2016-10-12] () <==== ATTENTION
Task: {2B637A6B-8003-40C5-9F3D-AF5148642FF3} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {47536D45-EEEC-4BDC-8183-A4DC1F8DA9E4} - \Microsoft\Windows\Customer Experience Improvement Program\UsbCeip -> No File <==== ATTENTION
Task: {4E693EE0-8FCC-43B3-94FE-476D0D5DCD52} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {5FB8E99C-4D6C-453B-ABA5-4F68536C6BF2} - System32\Tasks\avast! Emergency Update => C:\Program Files (x86)\AvastAV\AvastEmUpdate.exe
Task: {6222156F-560F-4AF3-9E08-AFAC311DCC17} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {6868DEDE-6139-403E-A5CC-DCF77DEC6C1C} - \FidelioBackup -> No File <==== ATTENTION
Task: {7149FE22-21EF-40F9-A99E-D5DDC5095A98} - \Restart_OIFC -> No File <==== ATTENTION
Task: {78BA8569-C8DD-47A2-A03B-49599EFD9650} - \Microsoft\Windows\WindowsBackup\AutomaticBackup -> No File <==== ATTENTION
Task: {86735146-CD3E-45A2-824C-41AB2931D575} - \SUITE8 db clean log files -> No File <==== ATTENTION
Task: {8BB920DA-1B69-471C-ABE6-9AEBEC0011C8} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {8D0054EA-8523-4671-9EB3-3E1D43CF27EA} - \Restart Online Interface -> No File <==== ATTENTION
Task: {9BE2BD46-FA73-44C5-A743-4D629D68D8D3} - System32\Tasks\SUPERAntiSpyware Scheduled Task 7778d8ea-f386-487e-bb82-b5348f74b025 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {A5091800-8FD8-4D21-BBB4-B59CDB15B157} - System32\Tasks\BackupDB Fidelio => D:\backupDB\Backup.bat [2016-02-10] () <==== ATTENTION
Task: {A68BA75D-5C16-4832-83B3-1AC08157C8EA} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION
Task: {A7C73732-9F11-4281-8D19-764D4EC9D94D} - \Microsoft\Windows\Application Experience\ProgramDataUpdater -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {C016366B-7126-46CA-B36B-592A3D95A60B} - \Microsoft\Windows\Customer Experience Improvement Program\Consolidator -> No File <==== ATTENTION
Task: {C0D66802-8ADF-4D97-8FE8-D1B50C41DE5F} - System32\Tasks\SUPERAntiSpyware Scheduled Task 97f4adeb-0927-4f73-aa7e-bc520ad6bd9a => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {C2C777DD-24E4-4130-9244-A630C72D6D34} - System32\Tasks\BackupDB Fidelio1 => D:\backupDB\Backup.bat [2016-02-10] () <==== ATTENTION
Task: {D0250F3F-6480-484F-B719-42F659AC64D5} - \Microsoft\Windows\Windows Error Reporting\QueueReporting -> No File <==== ATTENTION
Task: {D7B6E81D-3CF4-432C-84D2-24213F4316E6} - \Microsoft\Windows\Autochk\Proxy -> No File <==== ATTENTION
Task: {ECCD88BB-48F8-4B75-8862-DC5E36BF003F} - \RMAN backup database -> No File <==== ATTENTION
Task: {ED6E8702-6D81-467F-8C73-E7C1A9F8EAD6} - \RMAN maintenance -> No File <==== ATTENTION
Task: {F089B685-9851-4608-81B0-43314C7D8D51} - \RMAN backup archive -> No File <==== ATTENTION
Task: {F19994C7-679C-48E9-82B6-7E72BB7956E0} - \CreateChoiceProcessTask -> No File <==== ATTENTION
Task: {FD4B8D24-DDAD-4B03-B4D5-CBC7B69DB81A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {FDD56C73-F0D5-41B6-B767-6EFFD7966428} - \Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 7778d8ea-f386-487e-bb82-b5348f74b025.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 97f4adeb-0927-4f73-aa7e-bc520ad6bd9a.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2011-01-29 19:02 - 2011-01-29 19:02 - 00899584 _____ () C:\ClockBS\GBakSchd\GBAKSrvc.EXE
2012-05-23 14:24 - 2011-06-11 02:36 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2016-11-29 17:19 - 2016-06-03 12:15 - 00278720 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
2016-02-10 17:11 - 2015-11-27 11:54 - 03662064 _____ () C:\Fidelio\programs\mfV8SvcMonitor.exe
2016-11-29 17:19 - 2015-12-10 06:04 - 00080936 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CodeLog.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 01296424 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\libxml2.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00060968 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\zlib1.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00017448 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CompressFile.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00088616 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBGetRemoteNetInfo.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00024768 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CmcTbProxy.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00188608 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CMCPipeCenter.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00173760 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CMCAdapt.dll
2016-11-29 17:19 - 2016-06-03 12:13 - 00056512 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBInfo.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00018112 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CMCNetTokenProxy.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00128192 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ActivationOnline.dll
2016-11-29 17:19 - 2016-06-03 12:13 - 00085184 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\logsys.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00030760 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DiskSearchImg.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00068136 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\MountImg.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00158248 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ImgFile.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00281128 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DsImgFile.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00072232 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CheckImg.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00139816 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\vhdvmdk.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00040128 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\BootDriver.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00769064 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ExImage.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00193064 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EmailBackupSize.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00443944 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\AndroidImage.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00148008 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EnumDisk.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00076840 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FatLib.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00207912 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\NTFSLib.dll
2016-11-29 17:19 - 2016-06-03 12:13 - 00114880 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FileStorage.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00169512 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CloudInterface.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00501800 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\StorageMgr.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00024616 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\GetDriverInfo.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00020520 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CorrectMbr.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00032296 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EnumTapeDevice.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00034856 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbTapeBrowse.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00064040 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\RegLib.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00026816 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\AccountManager.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00059944 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\NasOperator.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00220864 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EmailBrowser.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00077864 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CloudOperator.dll
2016-11-29 17:19 - 2016-06-03 12:12 - 00021184 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ActiveOnline.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00136232 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\VMConfig.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00020008 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\AndroidDeviceManager.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00043048 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbDataSwap.dll
2016-11-29 17:19 - 2016-04-13 16:49 - 00432320 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\uexper.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00353832 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DeviceManager.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00027176 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DeviceAdapter.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00138792 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\Device.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00146984 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\Partition.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00050216 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FileSystemAnalyser.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00061992 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FATFileSystemAnalyser.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00089640 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\Common.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00056360 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\NTFSFileSystemAnalyser.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00033320 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\LibraryManager.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00037928 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\Burn.dll
2016-11-29 17:19 - 2015-12-10 06:04 - 00224808 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\SmartBackup.dll
2016-12-21 21:25 - 2016-06-21 19:30 - 00442144 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madExcept_.bpl
2016-12-21 21:25 - 2016-06-21 19:29 - 00210720 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madBasic_.bpl
2016-12-21 21:25 - 2016-06-21 19:29 - 00059680 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madDisAsm_.bpl
2016-12-21 21:25 - 2016-05-23 21:49 - 00899872 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\webres.dll
2016-12-21 21:25 - 2016-10-18 16:57 - 00631072 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\ProductStatistics.dll
2016-12-22 15:07 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2016-12-22 15:07 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2016-12-22 15:07 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2016-12-22 15:07 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2016-12-22 15:07 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKLM\...\.scr: CryptoPreventSCR => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" "%1" /S %*

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7865 more sites.

IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1012\...\123simsen.com -> www.123simsen.com

There are 7865 more sites.

IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-3625114160-3359095786-791446984-1013\...\123simsen.com -> www.123simsen.com

There are 7865 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-12-21 00:23 - 2016-12-23 14:32 - 00449935 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost
0.0.0.0 serius.mwbsys.com127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com

There are 15462 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3625114160-3359095786-791446984-1012\Control Panel\Desktop\\Wallpaper -> C:\Users\sys\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-3625114160-3359095786-791446984-1013\Control Panel\Desktop\\Wallpaper -> C:\Users\niki\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{D1A98C27-9491-4879-A43E-65F9BDD91807}] => C:\Program Files (x86)\firebird\firebird_2_1\bin\fbserver.exe
FirewallRules: [{9F3DB6C3-800B-416E-BDB1-84EAA6775279}] => C:\Program Files (x86)\firebird\firebird_2_1\bin\fbserver.exe
FirewallRules: [{EA6739AF-2BB4-49B5-8910-B6FABF984967}] => LPort=3050
FirewallRules: [TelnetServer-TlntSvr-TCP-In] => %systemroot%\system32\tlntsvr.exe
FirewallRules: [TelnetServer-Tlntadmn-RPC-In] => %systemroot%\system32\tlntsvr.exe
FirewallRules: [{37F125CC-2D71-44B7-917A-BBBDC2156D0D}] => C:\Program Files (x86)\firebird\firebird_2_1\bin\fbserver.exe
FirewallRules: [{CB6853D6-CCD5-40F9-B5FA-7A0CA49F1852}] => C:\Program Files (x86)\firebird\firebird_2_1\bin\fbserver.exe
FirewallRules: [{955992C6-2FEF-4AFD-99EF-A4C22ABB62CC}] => C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [{CE4896D2-E6DB-4651-890F-21E7CD8D95D1}] => C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [TCP Query User{EB8291CA-36DE-48E2-ACDF-16FF4A3C5C80}C:\programdata\{8612acbc-3d73-4035-ac2b-1d31604e2f1a}\offline\mfilebagide.dll\bag\clockpatcher.exe] => C:\programdata\{8612acbc-3d73-4035-ac2b-1d31604e2f1a}\offline\mfilebagide.dll\bag\clockpatcher.exe
FirewallRules: [UDP Query User{12C394A3-9D9B-4C08-B3DF-30306354F7E0}C:\programdata\{8612acbc-3d73-4035-ac2b-1d31604e2f1a}\offline\mfilebagide.dll\bag\clockpatcher.exe] => C:\programdata\{8612acbc-3d73-4035-ac2b-1d31604e2f1a}\offline\mfilebagide.dll\bag\clockpatcher.exe
FirewallRules: [{DCA72ADA-E4CD-4BE9-AE8C-0BDE37F58F11}] => LPort=3389
FirewallRules: [TCP Query User{57677D8A-2A49-4456-89C4-632C3CB297E1}D:\oracle\11.2.0\database\jdk\jre\bin\java.exe] => D:\oracle\11.2.0\database\jdk\jre\bin\java.exe
FirewallRules: [UDP Query User{CC96D700-81B3-459B-8F54-2154BFAE27B8}D:\oracle\11.2.0\database\jdk\jre\bin\java.exe] => D:\oracle\11.2.0\database\jdk\jre\bin\java.exe
FirewallRules: [{89ADE2D1-4FB4-4092-9A3C-E586FE04DE51}] => LPort=1521
FirewallRules: [{E0224C58-9AA7-4647-8D01-E284B8A0A027}] => D:\ORACLE\11.2.0\DATABASE\bin\tnslsnr.exe
FirewallRules: [{DDD87FBE-B5CD-431F-8023-668A12996B14}] => D:\ORACLE\11.2.0\DATABASE\bin\oracle.exe
FirewallRules: [TCP Query User{22CDB049-7919-40EB-9941-FCC77A3A229A}C:\fidelio\ifc8\ifc8.exe] => C:\fidelio\ifc8\ifc8.exe
FirewallRules: [UDP Query User{7D8DF4DA-D299-4F33-9561-AA2C1DD1BB5B}C:\fidelio\ifc8\ifc8.exe] => C:\fidelio\ifc8\ifc8.exe
FirewallRules: [{DB62C2E2-B67B-4086-A4EB-EDB1F7D91C11}] => LPort=5900
FirewallRules: [{52C84E4E-4D3C-477D-B36A-83E52DE2F209}] => LPort=3306
FirewallRules: [{570857C6-F8D1-4635-9052-D58795E3B71E}] => C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{6CC020E8-B50B-424B-87C2-10B306C2A032}] => C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{3D830F5A-5DA6-47B8-ACF9-50424067C91F}] => C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{01452C7C-88E7-4D2C-9E4A-14438AFF07AD}] => C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{AA67C8B3-5CFB-4A89-BE5C-BA942B4A9E5C}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{692F783A-1C47-4F4A-82F0-5A68E3807013}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbService.exe
FirewallRules: [{0E128DF7-B9DF-4169-865B-33CFE41F2132}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbService.exe
FirewallRules: [{E2631B01-F497-4A66-9E7B-2A25783D428F}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBConsoleUI.exe
FirewallRules: [{8067437C-B2B2-41FC-8E9D-9F0062AC79DB}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBConsoleUI.exe
FirewallRules: [{842571B6-E4E5-42AF-915D-D3F17029C828}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
FirewallRules: [{13000F83-6F36-4F88-9CF8-2992386527AD}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
FirewallRules: [{8F630748-467F-477F-82CA-511D3670FF73}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
FirewallRules: [{288D73F6-9908-48BE-BE08-8500192B8845}] => C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============

Name: NetGroup Packet Filter Driver
Description: NetGroup Packet Filter Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: NPF
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: LogMeIn Kernel Information Provider
Description: LogMeIn Kernel Information Provider
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: LMIInfo
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: WD SES Device USB Device
Description: WD SES Device USB Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/22/2016 04:47:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CryptoPreventMonSvc.exe, version: 8.0.0.0, time stamp: 0x581bc4f2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23569, time stamp: 0x57f7bc1f
Exception code: 0xe0434352
Fault offset: 0x0000c54f
Faulting process id: 0x1d14
Faulting application start time: 0x01d25c623fa0736c
Faulting application path: C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 7faf49d5-c855-11e6-9e00-180373bc7336

Error: (12/22/2016 04:47:03 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: CryptoPreventMonSvc.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
Stack:
at System.RuntimeMethodHandle._InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeType)
at System.RuntimeMethodHandle.InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeType)
at System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
at System.Delegate.DynamicInvokeImpl(System.Object[])
at DynamicClass.(System.Object, System.Object[])
at CryptoPreventMonSvc.ConditionEventArgs.CheckMenu(System.Object, System.Object[])
at CryptoPreventMonSvc.ConfigManager.CheckMenu(System.Object, System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.OnChanged(System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.NotifyFileSystemEventArgs(Int32, System.String)
at System.IO.FileSystemWatcher.CompletionStatusChanged(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

Error: (12/22/2016 04:46:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CryptoPreventMonSvc.exe, version: 8.0.0.0, time stamp: 0x581bc4f2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23569, time stamp: 0x57f7bc1f
Exception code: 0xe0434352
Fault offset: 0x0000c54f
Faulting process id: 0x1eb8
Faulting application start time: 0x01d25c6215929b59
Faulting application path: C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 7b3a79e1-c855-11e6-9e00-180373bc7336

Error: (12/22/2016 04:46:55 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: CryptoPreventMonSvc.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
Stack:
at System.RuntimeMethodHandle._InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeType)
at System.RuntimeMethodHandle.InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeType)
at System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
at System.Delegate.DynamicInvokeImpl(System.Object[])
at DynamicClass.(System.Object, System.Object[])
at CryptoPreventMonSvc.ConditionEventArgs.CheckMenu(System.Object, System.Object[])
at CryptoPreventMonSvc.ConfigManager.CheckMenu(System.Object, System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.OnChanged(System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.NotifyFileSystemEventArgs(Int32, System.String)
at System.IO.FileSystemWatcher.CompletionStatusChanged(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

Error: (12/22/2016 04:45:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CryptoPreventMonSvc.exe, version: 8.0.0.0, time stamp: 0x581bc4f2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23569, time stamp: 0x57f7bc1f
Exception code: 0xe0434352
Fault offset: 0x0000c54f
Faulting process id: 0x1dc4
Faulting application start time: 0x01d25c595df917ea
Faulting application path: C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 51322022-c855-11e6-9e00-180373bc7336

Error: (12/22/2016 04:45:45 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: CryptoPreventMonSvc.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
Stack:
at System.RuntimeMethodHandle._InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeType)
at System.RuntimeMethodHandle.InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeType)
at System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
at System.Delegate.DynamicInvokeImpl(System.Object[])
at DynamicClass.(System.Object, System.Object[])
at CryptoPreventMonSvc.ConditionEventArgs.CheckMenu(System.Object, System.Object[])
at CryptoPreventMonSvc.ConfigManager.CheckMenu(System.Object, System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.OnChanged(System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.NotifyFileSystemEventArgs(Int32, System.String)
at System.IO.FileSystemWatcher.CompletionStatusChanged(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

Error: (12/22/2016 03:43:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CryptoPreventMonSvc.exe, version: 8.0.0.0, time stamp: 0x581bc4f2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23569, time stamp: 0x57f7bc1f
Exception code: 0xe0434352
Fault offset: 0x0000c54f
Faulting process id: 0xc0
Faulting application start time: 0x01d25c52ef2dc3b3
Faulting application path: C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 999eb6ce-c84c-11e6-9e00-180373bc7336

Error: (12/22/2016 03:43:21 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: CryptoPreventMonSvc.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
Stack:
at System.RuntimeMethodHandle._InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeType)
at System.RuntimeMethodHandle.InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeType)
at System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
at System.Delegate.DynamicInvokeImpl(System.Object[])
at DynamicClass.(System.Object, System.Object[])
at CryptoPreventMonSvc.ConditionEventArgs.CheckMenu(System.Object, System.Object[])
at CryptoPreventMonSvc.ConfigManager.CheckMenu(System.Object, System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.OnChanged(System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.NotifyFileSystemEventArgs(Int32, System.String)
at System.IO.FileSystemWatcher.CompletionStatusChanged(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

Error: (12/22/2016 02:57:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CryptoPreventMonSvc.exe, version: 8.0.0.0, time stamp: 0x581bc4f2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23569, time stamp: 0x57f7bc1f
Exception code: 0xe0434352
Fault offset: 0x0000c54f
Faulting process id: 0x524
Faulting application start time: 0x01d25bc7e7b17687
Faulting application path: C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventMonSvc.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 2aa8f713-c846-11e6-9e00-180373bc7336

Error: (12/22/2016 02:57:17 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: CryptoPreventMonSvc.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
Stack:
at System.RuntimeMethodHandle._InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeType)
at System.RuntimeMethodHandle.InvokeMethodFast(System.IRuntimeMethodInfo, System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeType)
at System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
at System.Delegate.DynamicInvokeImpl(System.Object[])
at DynamicClass.(System.Object, System.Object[])
at CryptoPreventMonSvc.ConditionEventArgs.CheckMenu(System.Object, System.Object[])
at CryptoPreventMonSvc.ConfigManager.CheckMenu(System.Object, System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.OnChanged(System.IO.FileSystemEventArgs)
at System.IO.FileSystemWatcher.NotifyFileSystemEventArgs(Int32, System.String)
at System.IO.FileSystemWatcher.CompletionStatusChanged(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)


System errors:
=============
Error: (12/29/2016 01:20:43 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Xerox WorkCentre 3119 Series required for printer Xerox WorkCentre 3119 Series is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 09:41:56 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver SHARP AR-5516N required for printer SHARP AR-5516N is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 09:41:56 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver SHARP AR-5516 required for printer SHARP AR-5516 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 09:41:55 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 09:41:54 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Nitro PDF Driver 2 required for printer Nitro PDF Creator 2 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 05:00:26 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver SHARP AR-5516N required for printer SHARP AR-5516N is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 05:00:26 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver SHARP AR-5516 required for printer SHARP AR-5516 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 05:00:26 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/28/2016 05:00:23 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Nitro PDF Driver 2 required for printer Nitro PDF Creator 2 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/27/2016 03:59:27 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Xerox WorkCentre 3119 Series required for printer Xerox WorkCentre 3119 Series is unknown. Contact the administrator to install the driver before you log in again.


CodeIntegrity:
===================================
Date: 2016-12-20 23:48:32.370
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 23:40:50.669
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 23:13:36.959
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 23:03:17.142
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 22:50:34.275
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 20:24:53.947
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 12:18:57.605
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 11:13:25.362
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-20 10:17:33.102
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2016-12-19 10:24:52.026
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™ i5-2400 CPU @ 3.10GHz
Percentage of memory in use: 52%
Total physical RAM: 16264.9 MB
Available physical RAM: 7753.34 MB
Total Virtual: 32527.98 MB
Available Virtual: 23845.16 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:162.93 GB) (Free:95.88 GB) NTFS
Drive d: () (Fixed) (Total:302.73 GB) (Free:175.4 GB) NTFS
Drive f: (My Passport) (Fixed) (Total:931.48 GB) (Free:115.78 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: D4224958)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=162.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=302.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 16F2A91F)

Partition: GPT.

==================== End of Addition.txt ============================
Malwarebytes found some malware, but after removing it and restarting, the virus creates all the mess again.
 
- AdwCleaner finds nothing (one Ask bar).
 
I installed CryptoPrevent Malware Prevention – Foolish IT and ran the "default" protection. I tested it in the %appdata% folder - it works (cannot run .exe).
 
I cannot delete those files until I run the following for each infected folder on the command line:

 
takeown /f "c:\Users\Administrator\AppData\Roaming\*.*" /r
icacls "c:\Users\Administrator\AppData\Roaming\*.*" /reset /T
After that I can remove them; otherwise they are locked.
 
Any idea what I should do to remove the virus and fix the installer, so I can protect the OS?
 
I have uploaded the Farbar scan logs.
 
Best Regards,


Edited by Oh My!, 05 January 2017 - 06:42 PM.
Posted modified logs



#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,190 posts
  • Gender:Male
  • Location:California

Posted 05 January 2017 - 11:22 AM

Greetings and welcome back. I will spare you the intro since this is our second round.

 

Please allow me some time to review your logs.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,190 posts
  • Gender:Male
  • Location:California

Posted 05 January 2017 - 09:51 PM

Thank you for your patience. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Tcpip\..\Interfaces\{4124EE17-4096-4712-A0A4-C17F0EE48C0A}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
CHR Extension: (Avast SafePrice) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-11-26]
R2 OracleDATABASETNSListener; D:\ORACLE\11.2.0\DATABASE\BIN\TNSLSNR [X]
S4 LMIRfsClientNP; no ImagePath
U4 dmwappushservice; no ImagePath
U4 dmwappushsvc; no ImagePath
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]
S2 NPF; system32\drivers\npf.sys [X]
U3 W3SVC; no ImagePath
2016-12-22 15:02 - 2016-12-22 15:02 - 00000000 _____ C:\autoexec.bat
2016-12-21 21:50 - 2016-12-21 21:50 - 14454784 _____ C:\Windows\system32\config\system.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 01564672 _____ C:\Users\DELL\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 01036288 _____ C:\Users\sys\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00954368 _____ C:\Users\niki\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00851968 _____ C:\Users\clock\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00684032 _____ C:\Users\admin\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00671744 _____ C:\Users\Suite8.Scheduler\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00634880 _____ C:\Users\dell2\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00610304 _____ C:\Users\DB1\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00102400 _____ C:\Windows\system32\config\default.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00069632 _____ C:\Windows\system32\config\sam.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00028672 _____ C:\Windows\system32\config\security.rctemp
2016-12-21 21:48 - 2016-12-21 21:50 - 80220160 _____ C:\Windows\system32\config\software.rctemp
2016-12-21 00:37 - 2016-12-21 01:03 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\5EEC62D4.sys
2016-12-21 00:37 - 2016-12-21 00:42 - 00004331 _____ C:\rapport.txt
2016-12-21 00:37 - 2016-12-21 00:42 - 00000990 _____ C:\Windows\SysWOW64\tmp.reg
2016-12-21 00:37 - 2016-12-21 00:42 - 00000000 _____ C:\Windows\SysWOW64\tmp.txt
2016-12-21 00:37 - 2009-06-02 11:17 - 00075776 _____ C:\Windows\SysWOW64\WS2Fix.exe
2016-12-21 00:37 - 2008-12-12 01:57 - 00078336 _____ (S!Ri.URZ) C:\Windows\SysWOW64\Agent.OMZ.Fix.exe
2016-12-21 00:37 - 2008-11-29 18:58 - 00082944 _____ (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.C.exe
2016-12-21 00:37 - 2008-10-01 15:51 - 00087552 _____ (S!Ri.URZ) C:\Windows\SysWOW64\VACFix.exe
2016-12-21 00:37 - 2008-09-20 12:45 - 00080384 _____ (S!Ri.URZ) C:\Windows\SysWOW64\o4Patch.exe
2016-12-21 00:37 - 2008-08-18 12:19 - 00082432 _____ (S!Ri.URZ) C:\Windows\SysWOW64\404Fix.exe
2016-12-21 00:37 - 2008-05-18 21:40 - 00082944 _____ (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.exe
2016-12-21 00:37 - 2007-09-06 00:22 - 00289144 _____ (S!Ri) C:\Windows\SysWOW64\VCCLSID.exe
2016-12-21 00:37 - 2006-04-27 17:49 - 00288417 _____ (S!Ri) C:\Windows\SysWOW64\SrchSTS.exe
2016-12-21 00:37 - 2004-07-31 18:50 - 00051200 _____ C:\Windows\SysWOW64\dumphive.exe
2016-12-21 00:37 - 2003-06-05 21:13 - 00053248 _____ (hxxp://www.beyondlogic.org) C:\Windows\SysWOW64\Process.exe
2016-12-20 23:57 - 2016-12-20 23:59 - 146638432 _____ C:\Users\niki\Downloads\t4m4uitk.exe
2017-01-03 11:00 - 2016-11-29 18:56 - 00004096 ___SH C:\{3E6923B3-24B0-4838-887C-41C96A6BF594}.CBM
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\AVG Secure Search
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Baidu
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Bitdefender
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\BullGuard Ltd
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\COMODO
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Doctor Web
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\eAcceleration
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\G Data
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\InfoWatch
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Intel Security
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\McAfee
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\MicroWorld
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Panda Security
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Symantec Shared
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\TrustPort
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\ProgramData\.clamwin
Task: {1997163B-7472-447F-9A99-07F90287AB8B} - \Microsoft\Windows\WindowsBackup\Windows Backup Monitor -> No File <==== ATTENTION
Task: {1F8EBFDF-1B74-48FB-96D3-B97B335F51A5} - \SUITE8 db schema analyze -> No File <==== ATTENTION
Task: {201BA14A-799A-4253-B6A2-9DA9A3A2FB93} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {2B637A6B-8003-40C5-9F3D-AF5148642FF3} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {47536D45-EEEC-4BDC-8183-A4DC1F8DA9E4} - \Microsoft\Windows\Customer Experience Improvement Program\UsbCeip -> No File <==== ATTENTION
Task: {6868DEDE-6139-403E-A5CC-DCF77DEC6C1C} - \FidelioBackup -> No File <==== ATTENTION
Task: {7149FE22-21EF-40F9-A99E-D5DDC5095A98} - \Restart_OIFC -> No File <==== ATTENTION
Task: {78BA8569-C8DD-47A2-A03B-49599EFD9650} - \Microsoft\Windows\WindowsBackup\AutomaticBackup -> No File <==== ATTENTION
Task: {86735146-CD3E-45A2-824C-41AB2931D575} - \SUITE8 db clean log files -> No File <==== ATTENTION
Task: {8D0054EA-8523-4671-9EB3-3E1D43CF27EA} - \Restart Online Interface -> No File <==== ATTENTION
Task: {A68BA75D-5C16-4832-83B3-1AC08157C8EA} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION
Task: {A7C73732-9F11-4281-8D19-764D4EC9D94D} - \Microsoft\Windows\Application Experience\ProgramDataUpdater -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {C016366B-7126-46CA-B36B-592A3D95A60B} - \Microsoft\Windows\Customer Experience Improvement Program\Consolidator -> No File <==== ATTENTION
Task: {D0250F3F-6480-484F-B719-42F659AC64D5} - \Microsoft\Windows\Windows Error Reporting\QueueReporting -> No File <==== ATTENTION
Task: {D7B6E81D-3CF4-432C-84D2-24213F4316E6} - \Microsoft\Windows\Autochk\Proxy -> No File <==== ATTENTION
Task: {ECCD88BB-48F8-4B75-8862-DC5E36BF003F} - \RMAN backup database -> No File <==== ATTENTION
Task: {ED6E8702-6D81-467F-8C73-E7C1A9F8EAD6} - \RMAN maintenance -> No File <==== ATTENTION
Task: {F089B685-9851-4608-81B0-43314C7D8D51} - \RMAN backup archive -> No File <==== ATTENTION
Task: {F19994C7-679C-48E9-82B6-7E72BB7956E0} - \CreateChoiceProcessTask -> No File <==== ATTENTION
Task: {FDD56C73-F0D5-41B6-B767-6EFFD7966428} - \Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask -> No File <==== ATTENTION
File: C:\Windows\SysWOW64\swsc.exe
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Update on computer performance

Gary

#4 netaccs

  • Topic Starter
  • Members
  • 65 posts

Posted 06 January 2017 - 09:48 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by niki (06-01-2017 16:40:28) Run:1
Running from C:\Users\niki\Desktop
Loaded Profiles: sys & niki (Available Profiles: DELL & clock & Suite8.Scheduler & DB1 & admin & dell2 & sys & niki)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Tcpip\..\Interfaces\{4124EE17-4096-4712-A0A4-C17F0EE48C0A}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
CHR Extension: (Avast SafePrice) - C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-11-26]
R2 OracleDATABASETNSListener; D:\ORACLE\11.2.0\DATABASE\BIN\TNSLSNR [X]
S4 LMIRfsClientNP; no ImagePath
U4 dmwappushservice; no ImagePath
U4 dmwappushsvc; no ImagePath
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]
S2 NPF; system32\drivers\npf.sys [X]
U3 W3SVC; no ImagePath
2016-12-22 15:02 - 2016-12-22 15:02 - 00000000 _____ C:\autoexec.bat
2016-12-21 21:50 - 2016-12-21 21:50 - 14454784 _____ C:\Windows\system32\config\system.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 01564672 _____ C:\Users\DELL\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 01036288 _____ C:\Users\sys\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00954368 _____ C:\Users\niki\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00851968 _____ C:\Users\clock\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00684032 _____ C:\Users\admin\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00671744 _____ C:\Users\Suite8.Scheduler\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00634880 _____ C:\Users\dell2\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00610304 _____ C:\Users\DB1\ntuser.dat.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00102400 _____ C:\Windows\system32\config\default.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00069632 _____ C:\Windows\system32\config\sam.rctemp
2016-12-21 21:50 - 2016-12-21 21:50 - 00028672 _____ C:\Windows\system32\config\security.rctemp
2016-12-21 21:48 - 2016-12-21 21:50 - 80220160 _____ C:\Windows\system32\config\software.rctemp
2016-12-21 00:37 - 2016-12-21 01:03 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\5EEC62D4.sys
2016-12-21 00:37 - 2016-12-21 00:42 - 00004331 _____ C:\rapport.txt
2016-12-21 00:37 - 2016-12-21 00:42 - 00000990 _____ C:\Windows\SysWOW64\tmp.reg
2016-12-21 00:37 - 2016-12-21 00:42 - 00000000 _____ C:\Windows\SysWOW64\tmp.txt
2016-12-21 00:37 - 2009-06-02 11:17 - 00075776 _____ C:\Windows\SysWOW64\WS2Fix.exe
2016-12-21 00:37 - 2008-12-12 01:57 - 00078336 _____ (S!Ri.URZ) C:\Windows\SysWOW64\Agent.OMZ.Fix.exe
2016-12-21 00:37 - 2008-11-29 18:58 - 00082944 _____ (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.C.exe
2016-12-21 00:37 - 2008-10-01 15:51 - 00087552 _____ (S!Ri.URZ) C:\Windows\SysWOW64\VACFix.exe
2016-12-21 00:37 - 2008-09-20 12:45 - 00080384 _____ (S!Ri.URZ) C:\Windows\SysWOW64\o4Patch.exe
2016-12-21 00:37 - 2008-08-18 12:19 - 00082432 _____ (S!Ri.URZ) C:\Windows\SysWOW64\404Fix.exe
2016-12-21 00:37 - 2008-05-18 21:40 - 00082944 _____ (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.exe
2016-12-21 00:37 - 2007-09-06 00:22 - 00289144 _____ (S!Ri) C:\Windows\SysWOW64\VCCLSID.exe
2016-12-21 00:37 - 2006-04-27 17:49 - 00288417 _____ (S!Ri) C:\Windows\SysWOW64\SrchSTS.exe
2016-12-21 00:37 - 2004-07-31 18:50 - 00051200 _____ C:\Windows\SysWOW64\dumphive.exe
2016-12-21 00:37 - 2003-06-05 21:13 - 00053248 _____ (hxxp://www.beyondlogic.org) C:\Windows\SysWOW64\Process.exe
2016-12-20 23:57 - 2016-12-20 23:59 - 146638432 _____ C:\Users\niki\Downloads\t4m4uitk.exe
2017-01-03 11:00 - 2016-11-29 18:56 - 00004096 ___SH C:\{3E6923B3-24B0-4838-887C-41C96A6BF594}.CBM
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\AVG Secure Search
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Baidu
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Bitdefender
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\BullGuard Ltd
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\COMODO
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Doctor Web
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\eAcceleration
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\G Data
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\InfoWatch
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Intel Security
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\McAfee
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\MicroWorld
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Panda Security
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\Symantec Shared
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\Program Files (x86)\Common Files\TrustPort
2009-07-14 01:31 - 2009-07-14 01:31 - 0000000 __RSH () C:\ProgramData\.clamwin
Task: {1997163B-7472-447F-9A99-07F90287AB8B} - \Microsoft\Windows\WindowsBackup\Windows Backup Monitor -> No File <==== ATTENTION
Task: {1F8EBFDF-1B74-48FB-96D3-B97B335F51A5} - \SUITE8 db schema analyze -> No File <==== ATTENTION
Task: {201BA14A-799A-4253-B6A2-9DA9A3A2FB93} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {2B637A6B-8003-40C5-9F3D-AF5148642FF3} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {47536D45-EEEC-4BDC-8183-A4DC1F8DA9E4} - \Microsoft\Windows\Customer Experience Improvement Program\UsbCeip -> No File <==== ATTENTION
Task: {6868DEDE-6139-403E-A5CC-DCF77DEC6C1C} - \FidelioBackup -> No File <==== ATTENTION
Task: {7149FE22-21EF-40F9-A99E-D5DDC5095A98} - \Restart_OIFC -> No File <==== ATTENTION
Task: {78BA8569-C8DD-47A2-A03B-49599EFD9650} - \Microsoft\Windows\WindowsBackup\AutomaticBackup -> No File <==== ATTENTION
Task: {86735146-CD3E-45A2-824C-41AB2931D575} - \SUITE8 db clean log files -> No File <==== ATTENTION
Task: {8D0054EA-8523-4671-9EB3-3E1D43CF27EA} - \Restart Online Interface -> No File <==== ATTENTION
Task: {A68BA75D-5C16-4832-83B3-1AC08157C8EA} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION
Task: {A7C73732-9F11-4281-8D19-764D4EC9D94D} - \Microsoft\Windows\Application Experience\ProgramDataUpdater -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {C016366B-7126-46CA-B36B-592A3D95A60B} - \Microsoft\Windows\Customer Experience Improvement Program\Consolidator -> No File <==== ATTENTION
Task: {D0250F3F-6480-484F-B719-42F659AC64D5} - \Microsoft\Windows\Windows Error Reporting\QueueReporting -> No File <==== ATTENTION
Task: {D7B6E81D-3CF4-432C-84D2-24213F4316E6} - \Microsoft\Windows\Autochk\Proxy -> No File <==== ATTENTION
Task: {ECCD88BB-48F8-4B75-8862-DC5E36BF003F} - \RMAN backup database -> No File <==== ATTENTION
Task: {ED6E8702-6D81-467F-8C73-E7C1A9F8EAD6} - \RMAN maintenance -> No File <==== ATTENTION
Task: {F089B685-9851-4608-81B0-43314C7D8D51} - \RMAN backup archive -> No File <==== ATTENTION
Task: {F19994C7-679C-48E9-82B6-7E72BB7956E0} - \CreateChoiceProcessTask -> No File <==== ATTENTION
Task: {FDD56C73-F0D5-41B6-B767-6EFFD7966428} - \Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask -> No File <==== ATTENTION
File: C:\Windows\SysWOW64\swsc.exe
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4124EE17-4096-4712-A0A4-C17F0EE48C0A}\\NameServer => value removed successfully
C:\Users\niki\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => moved successfully
HKLM\System\CurrentControlSet\Services\OracleDATABASETNSListener => key removed successfully
OracleDATABASETNSListener => service removed successfully
HKLM\System\CurrentControlSet\Services\LMIRfsClientNP => key removed successfully
LMIRfsClientNP => service removed successfully
HKLM\System\CurrentControlSet\Services\dmwappushservice => key removed successfully
dmwappushservice => service removed successfully
HKLM\System\CurrentControlSet\Services\dmwappushsvc => key removed successfully
dmwappushsvc => service removed successfully
HKLM\System\CurrentControlSet\Services\LMIInfo => key removed successfully
LMIInfo => service removed successfully
HKLM\System\CurrentControlSet\Services\NPF => key removed successfully
NPF => service removed successfully
HKLM\System\CurrentControlSet\Services\W3SVC => key removed successfully
W3SVC => service removed successfully
C:\autoexec.bat => moved successfully
C:\Windows\system32\config\system.rctemp => moved successfully
C:\Users\DELL\ntuser.dat.rctemp => moved successfully
C:\Users\sys\ntuser.dat.rctemp => moved successfully
C:\Users\niki\ntuser.dat.rctemp => moved successfully
C:\Users\clock\ntuser.dat.rctemp => moved successfully
C:\Users\admin\ntuser.dat.rctemp => moved successfully
C:\Users\Suite8.Scheduler\ntuser.dat.rctemp => moved successfully
C:\Users\dell2\ntuser.dat.rctemp => moved successfully
C:\Users\DB1\ntuser.dat.rctemp => moved successfully
C:\Windows\system32\config\default.rctemp => moved successfully
C:\Windows\system32\config\sam.rctemp => moved successfully
C:\Windows\system32\config\security.rctemp => moved successfully
C:\Windows\system32\config\software.rctemp => moved successfully
C:\Windows\system32\Drivers\5EEC62D4.sys => moved successfully
C:\rapport.txt => moved successfully
C:\Windows\SysWOW64\tmp.reg => moved successfully
C:\Windows\SysWOW64\tmp.txt => moved successfully
C:\Windows\SysWOW64\WS2Fix.exe => moved successfully
C:\Windows\SysWOW64\Agent.OMZ.Fix.exe => moved successfully
C:\Windows\SysWOW64\IEDFix.C.exe => moved successfully
C:\Windows\SysWOW64\VACFix.exe => moved successfully
C:\Windows\SysWOW64\o4Patch.exe => moved successfully
C:\Windows\SysWOW64\404Fix.exe => moved successfully
C:\Windows\SysWOW64\IEDFix.exe => moved successfully
C:\Windows\SysWOW64\VCCLSID.exe => moved successfully
C:\Windows\SysWOW64\SrchSTS.exe => moved successfully
C:\Windows\SysWOW64\dumphive.exe => moved successfully
C:\Windows\SysWOW64\Process.exe => moved successfully
C:\Users\niki\Downloads\t4m4uitk.exe => moved successfully
C:\{3E6923B3-24B0-4838-887C-41C96A6BF594}.CBM => moved successfully
C:\Program Files (x86)\Common Files\AVG Secure Search => moved successfully
C:\Program Files (x86)\Common Files\Baidu => moved successfully
C:\Program Files (x86)\Common Files\Bitdefender => moved successfully
C:\Program Files (x86)\Common Files\BullGuard Ltd => moved successfully
C:\Program Files (x86)\Common Files\COMODO => moved successfully
C:\Program Files (x86)\Common Files\Doctor Web => moved successfully
C:\Program Files (x86)\Common Files\eAcceleration => moved successfully
C:\Program Files (x86)\Common Files\G Data => moved successfully
C:\Program Files (x86)\Common Files\InfoWatch => moved successfully
C:\Program Files (x86)\Common Files\Intel Security => moved successfully
C:\Program Files (x86)\Common Files\McAfee => moved successfully
C:\Program Files (x86)\Common Files\MicroWorld => moved successfully
C:\Program Files (x86)\Common Files\Panda Security => moved successfully
C:\Program Files (x86)\Common Files\Symantec Shared => moved successfully
C:\Program Files (x86)\Common Files\TrustPort => moved successfully
C:\ProgramData\.clamwin => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1997163B-7472-447F-9A99-07F90287AB8B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1997163B-7472-447F-9A99-07F90287AB8B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\Windows Backup Monitor => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1F8EBFDF-1B74-48FB-96D3-B97B335F51A5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F8EBFDF-1B74-48FB-96D3-B97B335F51A5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SUITE8 db schema analyze => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{201BA14A-799A-4253-B6A2-9DA9A3A2FB93} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{201BA14A-799A-4253-B6A2-9DA9A3A2FB93} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2B637A6B-8003-40C5-9F3D-AF5148642FF3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2B637A6B-8003-40C5-9F3D-AF5148642FF3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{47536D45-EEEC-4BDC-8183-A4DC1F8DA9E4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47536D45-EEEC-4BDC-8183-A4DC1F8DA9E4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6868DEDE-6139-403E-A5CC-DCF77DEC6C1C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6868DEDE-6139-403E-A5CC-DCF77DEC6C1C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FidelioBackup => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7149FE22-21EF-40F9-A99E-D5DDC5095A98} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7149FE22-21EF-40F9-A99E-D5DDC5095A98} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Restart_OIFC => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{78BA8569-C8DD-47A2-A03B-49599EFD9650} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78BA8569-C8DD-47A2-A03B-49599EFD9650} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\AutomaticBackup => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{86735146-CD3E-45A2-824C-41AB2931D575} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86735146-CD3E-45A2-824C-41AB2931D575} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SUITE8 db clean log files => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8D0054EA-8523-4671-9EB3-3E1D43CF27EA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8D0054EA-8523-4671-9EB3-3E1D43CF27EA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Restart Online Interface => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{A68BA75D-5C16-4832-83B3-1AC08157C8EA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A68BA75D-5C16-4832-83B3-1AC08157C8EA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVAST Software\Avast settings backup => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A7C73732-9F11-4281-8D19-764D4EC9D94D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7C73732-9F11-4281-8D19-764D4EC9D94D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\ProgramDataUpdater => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC4E5ACF-89F7-4220-BA21-81EE183975E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC4E5ACF-89F7-4220-BA21-81EE183975E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\AitAgent => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C016366B-7126-46CA-B36B-592A3D95A60B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C016366B-7126-46CA-B36B-592A3D95A60B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\Consolidator => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D0250F3F-6480-484F-B719-42F659AC64D5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D0250F3F-6480-484F-B719-42F659AC64D5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Error Reporting\QueueReporting => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{D7B6E81D-3CF4-432C-84D2-24213F4316E6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D7B6E81D-3CF4-432C-84D2-24213F4316E6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Autochk\Proxy => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ECCD88BB-48F8-4B75-8862-DC5E36BF003F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ECCD88BB-48F8-4B75-8862-DC5E36BF003F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RMAN backup database => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ED6E8702-6D81-467F-8C73-E7C1A9F8EAD6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ED6E8702-6D81-467F-8C73-E7C1A9F8EAD6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RMAN maintenance => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F089B685-9851-4608-81B0-43314C7D8D51} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F089B685-9851-4608-81B0-43314C7D8D51} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RMAN backup archive => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F19994C7-679C-48E9-82B6-7E72BB7956E0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F19994C7-679C-48E9-82B6-7E72BB7956E0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CreateChoiceProcessTask => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FDD56C73-F0D5-41B6-B767-6EFFD7966428} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDD56C73-F0D5-41B6-B767-6EFFD7966428} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask => key not found. 
 
========================= File: C:\Windows\SysWOW64\swsc.exe ========================
 
File not signed
MD5: C16B1595E3C2FFC875EF28BF66EC557F
Creation and modification date: 2016-12-21 00:42 - 2006-01-09 10:36
Size: 0040960
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
 
The system needed a reboot.
 
==== End of Fixlog 16:40:44 ====
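The "File:" section FRST appended to the Fixlog above records exactly the properties a responder weighs before deciding on a file: whether it carries an Authenticode signature, whether it has a version resource at all, and whether its last-modified date predates its creation date (which means the file was copied into place, or had its timestamps altered, on the creation date). As an added example that is not part of this thread or of FRST, the following script parses such a section and lists those findings. The sample text is the Fixlog section above, embedded so the script runs offline; the "File is digitally signed" wording it accepts for signed files is an assumption about FRST's output.

```python
import re
from datetime import datetime

# Constructed sample: the "File:" section from the Fixlog above, embedded so
# the script runs offline.
SAMPLE_FIXLOG = """\
========================= File: C:\\Windows\\SysWOW64\\swsc.exe ========================

File not signed
MD5: C16B1595E3C2FFC875EF28BF66EC557F
Creation and modification date: 2016-12-21 00:42 - 2006-01-09 10:36
Size: 0040960
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 

====== End of File: ======
"""

VERSION_FIELDS = ("Company Name", "Internal Name", "Original Name", "Product",
                  "Description", "File Version", "Product Version", "Copyright")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SECTION_RE = re.compile(r"=+ File: (.+?) =+\n(.*?)====== End of File: ======", re.S)


def parse_file_sections(text):
    """Return one dict per '==== File: ... ====' section found in an FRST log."""
    sections = []
    for m in SECTION_RE.finditer(text):
        info = {"path": m.group(1).strip(), "signed": None, "md5": None,
                "created": None, "modified": None, "size": None, "version_info": {}}
        for line in m.group(2).splitlines():
            line = line.rstrip()
            if not line:
                continue
            if line == "File not signed":
                info["signed"] = False
            elif line.startswith("File is digitally signed"):   # assumed FRST wording
                info["signed"] = True
            elif line.startswith("MD5: "):
                info["md5"] = line[5:].strip()
            elif line.startswith("Creation and modification date: "):
                created, modified = line.split(": ", 1)[1].split(" - ")
                info["created"] = datetime.strptime(created.strip(), "%Y-%m-%d %H:%M")
                info["modified"] = datetime.strptime(modified.strip(), "%Y-%m-%d %H:%M")
            elif line.startswith("Size: "):
                info["size"] = int(line[6:])          # FRST zero-pads the size
            else:
                key, _, value = line.partition(":")
                if key in VERSION_FIELDS:
                    info["version_info"][key] = value.strip()
        sections.append(info)
    return sections


def triage(info):
    """Return the plain-language findings a responder would want to see for one file."""
    findings = []
    if info["signed"] is False:
        findings.append("not Authenticode-signed")
    if info["version_info"] and all(v == "" for v in info["version_info"].values()):
        findings.append("no version resource (Company/Product/Description all empty)")
    if info["created"] and info["modified"] and info["modified"] < info["created"]:
        findings.append("last-modified predates creation: file was copied into place "
                        "(or its timestamps altered) on the creation date")
    if info["signed"] is False and info["path"].lower().startswith(SYSTEM_DIRS):
        findings.append("unsigned binary inside a Windows system directory")
    return findings


if __name__ == "__main__":
    for sec in parse_file_sections(SAMPLE_FIXLOG):
        print(sec["path"], sec["md5"], sec["size"])
        for finding in triage(sec):
            print("  -", finding)
```

The MD5 and size are kept so the file can be looked up in a hash database or compared against a clean copy; the findings are indicators to weigh, not a verdict, since legitimate installers also copy files with their original modification time.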


#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,190 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:45 AM

Posted 06 January 2017 - 12:10 PM

Thank you, please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
C:\Windows\SysWOW64\swsc.exe
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click icon then click Install
  • A Window should open highlighting Start Emergency Kit Scanner
  • Right click on the icon and select Run as administrator
  • Click 1. Update now!
  • Once the update is completed select Settings under Scan
  • Uncheck Join the Emsisoft Anti-Malware Network
  • Click Scan at the top
  • Click On scan completion
  • Click Quarantine detected objects, then click OK
  • Click Malware Scan
  • Once completed click View Report
  • Save the file to your Desktop using the default file name
  • Copy and paste the report in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon then click Run
  • Press any key to launch the program
  • Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • When completed a Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Emsisoft report
  • Security check report
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 netaccs

netaccs
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 06 January 2017 - 01:49 PM


Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by niki (06-01-2017 19:40:45) Run:2
Running from C:\Users\niki\Desktop
Loaded Profiles: sys & niki (Available Profiles: DELL & clock & Suite8.Scheduler & DB1 & admin & dell2 & sys & niki)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
C:\Windows\SysWOW64\swsc.exe
*****************
 
C:\Windows\SysWOW64\swsc.exe => moved successfully
 
==== End of Fixlog 19:40:45 ====
 
Emsisoft Emergency Kit - Version 12.0
Last update: 06.01.2017 19:44:31
User account: BRISTOL-SERVER\niki
Computer name: BRISTOL-SERVER
OS version: Windows 7x64 Service Pack 1
 
Scan settings:
 
Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Direct disk access: Off
 
Scan start: 06.01.2017 19:45:29
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}  detected: Application.AdLink (A) []
Key: HKEY_USERS\S-1-5-21-3625114160-3359095786-791446984-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{54739D49-AC03-4C57-9264-C5195596B3A1}  detected: Application.AdLink (A) []
C:\Users\DELL\Downloads\MailCracker.zip -> MailCracker.exe  detected: Gen:Variant.Zusy.203084 (B) [krnl.xmd]
D:\BRISTOL-SERVER\Backup Set 2015-10-11 220002\Backup Files 2016-04-24 220001\Backup files 2.zip -> C\Users\DELL\Downloads\MailCracker.zip -> MailCracker.exe  detected: Gen:Variant.Zusy.203084 (B) [krnl.xmd]
D:\BRISTOL-SERVER\Backup Set 2015-10-11 220002\Backup Files 2016-04-17 220001\Backup files 2.zip -> C\Users\DELL\Downloads\EMailScraper.zip -> EMailScraper.exe  detected: Gen:Variant.Razy.102435 (B) [krnl.xmd]
D:\BRISTOL-SERVER\Backup Set 2015-10-11 220002\Backup Files 2016-04-17 220001\Backup files 2.zip -> C\Users\DELL\Downloads\MailCracker.zip -> MailCracker.exe  detected: Gen:Variant.Zusy.203084 (B) [krnl.xmd]
D:\BRISTOL-SERVER\Backup Set 2016-09-11 220002\Backup Files 2016-09-11 220002\Backup files 8.zip -> C\Users\DELL\Downloads\MailCracker.zip -> MailCracker.exe  detected: Gen:Variant.Zusy.203084 (B) [krnl.xmd]
D:\BRISTOL-SERVER\Backup Set 2016-10-30 220002\Backup Files 2016-10-30 220002\Backup files 11.zip -> C\Users\DELL\Downloads\MailCracker.zip -> MailCracker.exe  detected: Gen:Variant.Zusy.203084 (B) [krnl.xmd]
D:\Fidelio Install\CAS_Install\cas\VSPD\TCPcom.zip -> TCPcom/TCP-Com/crk/tcp-com.rs232.to.tcp.ip.converter.1.02.0013.crack-tsrh.exe  detected: Trojan.Generic.11958148 (B) [krnl.xmd]
D:\install\Windows Loader v2.2.2 by Daz\Windows Loader.exe  detected: Application.Crack.PEP (B) [krnl.xmd]
 
Scanned 352626
Found 10
 
Scan end: 06.01.2017 20:41:38
Scan time: 0:56:09
 
####################
Security Check
 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Disabled!  
Malwarebytes   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Spybot - Search & Destroy 
 Google Chrome (54.0.2840.71) 
 Google Chrome (54.0.2840.99) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Spybot Teatimer.exe is disabled! 
 Malwarebytes Anti-Malware mbamtray.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 
 


#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,190 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:45 AM

Posted 06 January 2017 - 02:32 PM

Greetings,

I would prefer you delete all of the detected items but that is up to you. Everything else looks good.

Are there any remaining issues?
Gary
 

#8 netaccs

netaccs
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 08 January 2017 - 11:53 AM

I tried to run the Kaspersky online virus scanner.

It stops with an unknown error, but maybe it is another type of issue.

I think everything is OK.

Thanks for helping!



#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,190 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:45 AM

Posted 08 January 2017 - 02:29 PM

You are quite welcome.

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and we will now remove the tools used and logs created during our steps. Please do this.

===================================================

Delfix by Xplode

--------------------
  • Download Delfix and save it to your Desktop
  • Double click the icon
  • Place checkmarks in:

Remove disinfection tools
Create registry backup
Purge system restore

  • Click Run
===================================================

You may delete any additional programs or logs on your computer which were not automatically removed by Delfix. Simply delete the log files or desktop icons. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :thumbsup:

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#10 netaccs

netaccs
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 09 January 2017 - 03:07 AM

# DelFix v1.010 - Logfile created 09/01/2017 at 10:06:09
# Updated 26/04/2015 by Xplode
# Username : niki - BRISTOL-SERVER
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\niki\Desktop\frst64english.exe
Deleted : C:\Users\niki\Downloads\FRST64.exe
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKCU\console_combofixbackup
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hijackthis
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HijackThis.exe
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #663 [2017-01-06 | 01/06/2017 12:02:41]
Deleted : RP #665 [Restore Point Created by FRST | 01/06/2017 14:40:34]
Deleted : RP #666 [Windows Update | 01/06/2017 14:55:26]
Deleted : RP #667 [sys_ok | 01/06/2017 15:23:29]
 
New restore point created !
 
########## - EOF - ##########


#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,190 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:45 AM

Posted 09 January 2017 - 09:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 
