cse.google redirect

This topic is locked. 7 replies to this topic.

#1 lordsigurd

Posted 08 January 2017 - 12:02 PM

Good afternoon everyone,

I got myself into a pickle with a bad download for the first time in a very long time.

I booted into safe mode and downloaded all of the usual tools that I would use to remove malware and viruses, and I removed almost everything.

(I used MWB and Avast along with a few others.)

The issue that still stands is that I am still continually getting a cse.google redirect when I search for something on Google. I have deleted what I thought was the root cause of this multiple times so far, but it still rears its ugly head after a reboot or after a certain amount of time. MWB continually finds issues and quarantines them, but I still get the redirect even after several scans and other applications to check for infection as well.

So I come to you; here is my HJT log. This computer I am using is on a private network and is only for personal use.

Thank you!


#2 nasdaq (Malware Response Team)

Posted 09 January 2017 - 08:26 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system:
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file:
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===

Please post both logs for my review.
===

P.S.
HijackThis is no longer supported and is not ready for your operating system.
I suggest you remove it via Control Panel > Programs > Programs and Features.
Use the Farbar tool from now on to report problems.
<<<>>>

#3 lordsigurd (Topic Starter)

Posted 10 January 2017 - 06:27 PM

 Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-01-2017

Ran by CrazyDiamond (administrator) on JOSUKE (07-01-2017 17:04:52)
Running from C:\Users\CrazyDiamond\Desktop
Loaded Profiles: CrazyDiamond (Available Profiles: CrazyDiamond)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BBSvc.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(BitTorrent Inc.) C:\Users\CrazyDiamond\AppData\Roaming\uTorrent\uTorrent.exe
(Oracle Corporation) C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Curse, Inc) C:\Users\CrazyDiamond\AppData\Roaming\Curse Client\Bin\Curse.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(BitTorrent Inc.) C:\Users\CrazyDiamond\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(BitTorrent Inc.) C:\Users\CrazyDiamond\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe
(Curse, Inc.) C:\Users\CrazyDiamond\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Curse, Inc.) C:\Users\CrazyDiamond\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Curse, Inc.) C:\Users\CrazyDiamond\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Curse, Inc.) C:\Users\CrazyDiamond\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2398776 2016-06-03] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9080768 2017-01-04] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKU\S-1-5-21-3942347804-715397359-136909450-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-3942347804-715397359-136909450-1000\...\Run: [uTorrent] => C:\Users\CrazyDiamond\AppData\Roaming\uTorrent\uTorrent.exe [1979072 2016-12-15] (BitTorrent Inc.)
HKU\S-1-5-18\...\Run: [] => 0
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-01-04] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Universal Media Server.lnk [2016-06-22]
ShortcutTarget: Universal Media Server.lnk -> C:\Program Files (x86)\Universal Media Server\UMS.exe (Universal Media Server)
Startup: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [2016-08-21]
ShortcutTarget: Curse.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.114.81.1 75.114.81.2
Tcpip\..\Interfaces\{4FB9217F-C7BA-4C74-8393-030F815F8F0C}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{5D064F29-D27E-4FDA-B786-00B4BDC027A6}: [DhcpNameServer] 75.114.81.1 75.114.81.2
Tcpip\..\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{B67AF0DF-C112-4D07-85B1-881BF15BC2D7}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{B67AF0DF-C112-4D07-85B1-881BF15BC2D7}: [DhcpNameServer] 8.8.8.8
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3942347804-715397359-136909450-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_111\bin\ssv.dll [2017-01-07] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-01-04] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_111\bin\jp2ssv.dll [2017-01-07] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-01-04] (AVAST Software)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BingExt.dll" No File
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2017-01-04]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2017-01-04]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Plugin: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2017-01-07] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2017-01-07] (Oracle Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-06-02] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-06-02] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
 
Chrome: 
=======
CHR Profile: C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default [2017-01-07]
CHR Extension: (Google Slides) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-18]
CHR Extension: (Entanglement Web App) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2016-06-22]
CHR Extension: (Google Docs) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-18]
CHR Extension: (Google Drive) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-18]
CHR Extension: (MEGA) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\bigefpfhnfcobdlfbedofhhaibnlghod [2017-01-04]
CHR Extension: (YouTube) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-18]
CHR Extension: (Facebook) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\boeajhmfdjldchidhphikilcgdacljfm [2016-06-22]
CHR Extension: (Adblock Plus) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-29]
CHR Extension: (Realm of the Mad God) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjfmaldpppkmjjgkmadddbanpabfflp [2016-06-22]
CHR Extension: (Google Sheets) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-18]
CHR Extension: (Chain Reaction) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\gemgfpodpjapjhfohdlibagceiknakpa [2016-06-22]
CHR Extension: (Google Docs Offline) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-18]
CHR Extension: (Avast Online Security) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-01-04]
CHR Extension: (Adblock for Facebook™) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbfjodonncabnangfknilmabjfofdikc [2016-06-22]
CHR Extension: (Autodesk Homestyler) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdmmkfaghgcicheaimnpffeeekheafkb [2016-08-22]
CHR Extension: (Little Alchemy) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\knkapnclbofjjgicpkfoagdjohlfjhpd [2016-06-22]
CHR Extension: (Google Play) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\komhbcfkdcgmcdoenjcjheifdiabikfi [2016-06-22]
CHR Extension: (Poppit!) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-06-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-18]
CHR Extension: (Gmail) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-18]
CHR Extension: (Chrome Media Router) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2017-01-04] (AVAST Software)
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe [1467072 2016-08-29] (Disc Soft Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1165368 2016-06-03] (NVIDIA Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1881144 2016-06-03] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3634232 2016-06-03] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2522680 2016-06-03] (NVIDIA Corporation)
S4 RunSwUSB; C:\Windows\runSW.exe [48856 2013-10-18] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2016-05-16] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2017-01-04] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2017-01-04] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2017-01-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2017-01-04] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2017-01-04] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969184 2017-01-04] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513632 2017-01-04] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2017-01-04] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2017-01-04] (AVAST Software)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2016-09-10] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2016-09-10] (Disc Soft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77416 2016-12-14] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2017-01-04] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2017-01-07] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-01-07] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [250816 2017-01-07] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2017-01-07] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [28216 2016-06-03] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56384 2016-06-03] (NVIDIA Corporation)
S3 PcaSp60; C:\Windows\SysWOW64\DRIVERS\PcaSp60.sys [38912 2010-09-07] (Printing Communications Assoc., Inc. (PCAUSA))
S3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [3045592 2014-01-16] (Realtek Semiconductor Corporation                           )
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [231112 2013-01-02] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [301256 2013-01-02] (VIA Technologies, Inc.)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2017-01-05] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-01-05] (Zemana Ltd.)
S0 mvs91xx; system32\DRIVERS\mvs91xx.sys [X]
S3 Mv_Process; \??\c:\windows\syswow64\mv_process.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-07 17:04 - 2017-01-07 17:05 - 00019135 _____ C:\Users\CrazyDiamond\Desktop\FRST.txt
2017-01-07 17:04 - 2017-01-07 17:04 - 02418688 _____ (Farbar) C:\Users\CrazyDiamond\Desktop\FRST64.exe
2017-01-07 17:04 - 2017-01-07 17:04 - 00000000 ____D C:\FRST
2017-01-07 16:53 - 2017-01-07 16:53 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-01-07 16:48 - 2017-01-07 16:48 - 00110144 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2017-01-07 16:46 - 2017-01-07 16:46 - 03988944 _____ C:\Users\CrazyDiamond\Downloads\AdwCleaner (2).exe
2017-01-07 16:42 - 2017-01-07 16:44 - 00000000 ____D C:\AdwCleaner
2017-01-07 16:42 - 2017-01-07 16:42 - 03988944 _____ C:\Users\CrazyDiamond\Downloads\AdwCleaner (1).exe
2017-01-07 10:57 - 2017-01-07 16:45 - 00000000 ____D C:\Users\CrazyDiamond\AppData\LocalLow\uTorrent
2017-01-05 18:17 - 2017-01-05 18:17 - 00001624 _____ C:\Users\Public\Desktop\SUPERHOT.lnk
2017-01-05 18:17 - 2017-01-05 18:17 - 00000000 ____D C:\Users\CrazyDiamond\AppData\LocalLow\SUPERHOT_Team
2017-01-05 18:17 - 2017-01-05 18:17 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\SUPERHOT_Sp_z_o.o
2017-01-05 18:15 - 2017-01-05 18:15 - 00000000 ____D C:\Users\CrazyDiamond\AppData\LocalLow\SUPERHOT Team
2017-01-05 18:02 - 2017-01-05 18:02 - 03977168 _____ C:\Users\CrazyDiamond\Downloads\AdwCleaner.exe
2017-01-05 17:52 - 2017-01-07 17:04 - 00067261 _____ C:\Windows\ZAM.krnl.trace
2017-01-05 17:52 - 2017-01-07 17:04 - 00039440 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-01-05 17:51 - 2017-01-05 17:51 - 05227968 _____ (Zemana Ltd.) C:\Users\CrazyDiamond\Downloads\Zemana.AntiMalware.Portable.exe
2017-01-05 17:51 - 2017-01-05 17:51 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-01-05 17:51 - 2017-01-05 17:51 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2017-01-05 17:51 - 2017-01-05 17:51 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\Zemana
2017-01-04 22:46 - 2017-01-04 22:46 - 00388608 _____ (Trend Micro Inc.) C:\Users\CrazyDiamond\Downloads\HijackThis.exe
2017-01-04 22:44 - 2017-01-04 22:44 - 00000000 ____D C:\Windows\pss
2017-01-04 22:43 - 2017-01-04 22:43 - 00000085 _____ C:\Windows\wininit.ini
2017-01-04 22:29 - 2017-01-04 22:29 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2017-01-04 22:29 - 2017-01-04 22:29 - 00003886 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1483586996
2017-01-04 22:29 - 2017-01-04 22:29 - 00001043 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2017-01-04 22:29 - 2017-01-04 22:29 - 00001043 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-01-04 22:21 - 2017-01-04 22:44 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-01-04 22:21 - 2017-01-04 22:43 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-01-04 22:15 - 2017-01-04 22:15 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\CrazyDiamond\Downloads\spybot-2.4.exe
2017-01-04 22:11 - 2017-01-04 22:11 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\AVAST Software
2017-01-04 22:10 - 2017-01-04 22:29 - 00000000 ____D C:\Program Files\AVAST Software
2017-01-04 22:10 - 2017-01-04 22:24 - 00000000 ____D C:\Program Files\Common Files\AV
2017-01-04 22:10 - 2017-01-04 22:10 - 00969184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00513632 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00391496 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2017-01-04 22:10 - 2017-01-04 22:10 - 00293352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswvmm.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00163416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00108816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr
2017-01-04 22:10 - 2017-01-04 22:10 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-01-04 22:10 - 2017-01-04 22:10 - 00001922 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2017-01-04 22:10 - 2017-01-04 22:10 - 00000350 ____H C:\Windows\Tasks\avast! Emergency Update.job
2017-01-04 22:10 - 2017-01-04 22:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2017-01-04 22:09 - 2017-01-04 22:29 - 00000000 ____D C:\ProgramData\AVAST Software
2017-01-04 22:09 - 2017-01-04 22:09 - 06253640 _____ (AVAST Software) C:\Users\Public\Desktop\avast_free_antivirus_setup_online_cnet_2.exe
2017-01-04 22:09 - 2017-01-04 22:09 - 06253640 _____ (AVAST Software) C:\Users\CrazyDiamond\Downloads\avast_free_antivirus_setup_online_cnet_2.exe
2017-01-04 21:52 - 2017-01-07 16:45 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-04 21:52 - 2017-01-07 16:45 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-01-04 21:52 - 2017-01-07 16:45 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-01-04 21:52 - 2017-01-07 16:45 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-01-04 21:52 - 2017-01-04 21:52 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-01-04 21:41 - 2017-01-04 22:39 - 00315534 _____ C:\Windows\ntbtlog.txt
2017-01-04 21:34 - 2017-01-04 21:51 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-01-04 21:29 - 2017-01-04 21:41 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\node-webkit
2017-01-04 21:29 - 2017-01-04 21:33 - 00003880 _____ C:\Windows\System32\Tasks\ab08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1
2017-01-04 21:27 - 2017-01-04 21:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-01-04 21:27 - 2017-01-04 21:40 - 00003720 _____ C:\Windows\System32\Tasks\dc06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1
2017-01-04 21:27 - 2017-01-04 21:33 - 00003870 _____ C:\Windows\System32\Tasks\ab06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1
2017-01-04 21:27 - 2017-01-04 21:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-01-04 21:27 - 2017-01-04 21:27 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-01-04 21:27 - 2017-01-04 21:27 - 00000000 ____D C:\Program Files\Malwarebytes
2017-01-04 21:27 - 2016-12-14 12:55 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-01-04 21:25 - 2017-01-04 21:48 - 00000000 ____D C:\Windows\system32\SSL
2017-01-04 21:25 - 2017-01-04 21:27 - 00000001 _____ C:\Users\CrazyDiamond\AppData\Local\setupsuccessful.txt
2017-01-04 21:25 - 2017-01-04 21:25 - 00000000 ___HD C:\ProgramData\3w6k8o0
2017-01-04 21:25 - 2017-01-04 21:25 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\tlerauic
2017-01-04 21:25 - 2017-01-04 21:25 - 00000000 _____ C:\TOSTACK
2017-01-04 21:24 - 2017-01-07 17:05 - 00016706 _____ C:\Windows\System32\Tasks\66098v3a513h49
2017-01-04 21:24 - 2017-01-04 21:40 - 00003726 _____ C:\Windows\System32\Tasks\dc08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1
2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ___HD C:\ProgramData\66098v3a513h49
2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ___HD C:\Program Files (x86)\Spiking
2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ___HD C:\Program Files (x86)\Sings
2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ___HD C:\Program Files (x86)\metroplex
2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\Mozilla
2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ____D C:\Program Files\BitTorrent
2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ____D C:\Program Files (x86)\sheeted
2017-01-04 21:23 - 2017-01-07 16:53 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-01-04 21:23 - 2017-01-07 16:53 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-01-04 21:23 - 2017-01-07 16:53 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-04 21:23 - 2017-01-07 16:53 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-01-04 21:23 - 2017-01-07 16:53 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-04 21:23 - 2017-01-04 21:55 - 00000000 ____D C:\Program Files\COMODO
2017-01-04 21:23 - 2017-01-04 21:27 - 00000055 _____ C:\Windows\key.ini
2017-01-04 21:23 - 2017-01-04 21:27 - 00000000 ___HD C:\a
2017-01-04 21:23 - 2017-01-04 21:27 - 00000000 _____ C:\Users\CrazyDiamond\AppData\Local\stxtname.txt
2017-01-04 21:23 - 2017-01-04 21:27 - 00000000 _____ C:\Users\CrazyDiamond\AppData\Local\run.txt
2017-01-04 21:23 - 2017-01-04 21:23 - 19397312 _____ (Adobe Systems Incorporated) C:\Users\CrazyDiamond\AppData\Local\install_flash_player_21_active_x.exe
2017-01-04 21:23 - 2017-01-04 21:23 - 00002100 ___RS C:\Users\Public\Desktop\Ваttle.net.lnk
2017-01-04 21:23 - 2017-01-04 21:23 - 00002096 ___RS C:\Users\Public\Desktop\Diаblo III.lnk
2017-01-04 21:23 - 2017-01-04 21:23 - 00002055 ___RS C:\Users\Public\Desktop\Оverwаtсh.lnk
2017-01-04 21:23 - 2017-01-04 21:23 - 00001864 ___RS C:\Users\Public\Desktop\DАEМОN Тools Lite.lnk
2017-01-04 21:23 - 2017-01-04 21:23 - 00001402 ___RS C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Ехрlorеr.lnk
2017-01-04 21:23 - 2017-01-04 21:23 - 00001166 ___RS C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gоogle Chrоme.lnk
2017-01-04 21:23 - 2017-01-04 21:23 - 00000000 ____D C:\Users\Public\Documents\Tools
2017-01-04 21:23 - 2017-01-04 21:23 - 00000000 ____D C:\ProgramData\COMODO
2017-01-04 08:27 - 2017-01-04 08:27 - 00528896 _____ (houlton) C:\Users\CrazyDiamond\AppData\Local\chicago.exe
2017-01-04 08:27 - 2017-01-04 08:27 - 00192000 _____ C:\Windows\dll.dll
2017-01-04 08:27 - 2017-01-04 08:27 - 00041199 _____ C:\Windows\hooky.exe
2017-01-04 07:13 - 2017-01-04 07:13 - 00009728 _____ C:\Windows\palmers.exe
2017-01-04 07:13 - 2017-01-04 07:13 - 00009728 _____ C:\Users\CrazyDiamond\AppData\Local\sprouts.exe
2017-01-04 06:19 - 2017-01-04 06:19 - 00528896 _____ (rusting) C:\Users\CrazyDiamond\AppData\Local\curricula.exe
2017-01-04 06:19 - 2017-01-04 06:19 - 00041199 _____ C:\Windows\critique.exe
2017-01-03 19:26 - 2017-01-03 19:26 - 00132746 _____ C:\Users\CrazyDiamond\Downloads\Product Code List - 2016-01-01_version3.xlsx
2017-01-03 19:26 - 2017-01-03 19:26 - 00000105 ____H C:\Users\CrazyDiamond\Downloads\.~lock.Product Code List - 2016-01-01_version3.xlsx#
2017-01-02 21:18 - 2017-01-02 21:18 - 00000932 _____ C:\Users\CrazyDiamond\Desktop\dd - Shortcut.lnk
2017-01-02 21:10 - 2017-01-02 21:11 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\DevilDaggers
2017-01-02 20:35 - 2017-01-02 21:05 - 00000000 ____D C:\Program Files (x86)\Doom
2017-01-02 20:29 - 2017-01-02 20:29 - 00000000 ____D C:\Windows\system32\appmgmt
2017-01-02 20:15 - 2017-01-02 20:15 - 00000221 _____ C:\Users\CrazyDiamond\Desktop\FINAL FANTASY XIV A Realm Reborn.url
2017-01-01 19:32 - 2017-01-02 20:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SQUARE ENIX
2016-12-19 08:56 - 2016-12-03 18:36 - 00047901 _____ C:\Users\CrazyDiamond\Documents\Canada%20Product%20Code%20List%20-%20December%202016.xlsx_0.ods
2016-12-15 17:04 - 2016-12-15 17:04 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\Chromium
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-07 17:00 - 2016-06-22 17:55 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\uTorrent
2017-01-07 16:53 - 2009-07-13 23:45 - 00026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-07 16:53 - 2009-07-13 23:45 - 00026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-07 16:51 - 2009-07-14 00:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-07 16:51 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2017-01-07 16:50 - 2016-06-28 18:08 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-01-07 16:50 - 2016-06-28 18:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-01-07 16:50 - 2016-06-28 18:08 - 00000000 ____D C:\Program Files\WinRAR
2017-01-07 16:48 - 2016-06-22 18:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-01-07 16:48 - 2016-06-22 18:58 - 00000000 ____D C:\Program Files\Java
2017-01-07 16:45 - 2016-08-21 22:01 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\Curse Client
2017-01-07 16:45 - 2016-06-22 18:03 - 00000000 ____D C:\ProgramData\UMS
2017-01-07 16:45 - 2016-06-18 03:13 - 00000000 ____D C:\ProgramData\NVIDIA
2017-01-07 16:45 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-07 16:41 - 2016-06-25 22:11 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\Skype
2017-01-07 16:41 - 2016-06-22 18:03 - 00000000 ____D C:\Program Files (x86)\AviSynth
2017-01-05 22:03 - 2016-06-22 17:07 - 00000000 ____D C:\Program Files (x86)\Steam
2017-01-05 18:17 - 2009-07-14 00:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2017-01-05 18:16 - 2016-06-22 23:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2017-01-05 18:15 - 2016-06-22 23:10 - 00000000 ____D C:\GOG Games
2017-01-05 17:52 - 2016-06-18 05:26 - 00000000 ____D C:\Users\CrazyDiamond
2017-01-04 22:45 - 2016-08-02 17:42 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\CrashDumps
2017-01-04 21:56 - 2016-06-18 05:27 - 00001413 ____H C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-01-04 21:56 - 2016-06-18 03:06 - 00002195 ____H C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-04 21:55 - 2016-06-18 03:06 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\Apps\2.0
2017-01-04 21:40 - 2011-11-21 22:08 - 00068608 _____ C:\Windows\SysWOW64\freqdb.db
2017-01-04 21:29 - 2009-07-13 23:45 - 00328960 _____ C:\Windows\system32\FNTCACHE.DAT
2017-01-04 21:25 - 2016-06-18 03:06 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-04 21:23 - 2016-06-24 17:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Overwatch
2017-01-04 21:23 - 2016-06-22 21:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo III
2017-01-04 21:23 - 2016-06-18 03:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battle.net
2017-01-04 21:23 - 2016-06-18 03:06 - 00074040 _____ C:\Users\CrazyDiamond\AppData\Local\GDIPFONTCACHEV1.DAT
2017-01-04 21:18 - 2009-07-13 22:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-01-04 21:18 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-01-04 18:44 - 2016-07-06 18:20 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Roaming\discord
2017-01-02 20:55 - 2016-09-08 20:15 - 00000000 ____D C:\Users\CrazyDiamond\Documents\CPY_SAVES
2017-01-02 20:32 - 2016-11-13 09:51 - 00000000 ____D C:\Users\CrazyDiamond\Downloads\Ericka
2017-01-02 20:22 - 2016-06-18 05:49 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-01-01 19:32 - 2016-06-22 17:20 - 00000000 ____D C:\Users\CrazyDiamond\Documents\my games
2016-12-15 18:44 - 2016-06-18 03:50 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\Battle.net
2016-12-15 17:50 - 2016-06-18 03:50 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-12-15 17:47 - 2016-06-24 17:12 - 00000000 ____D C:\Program Files (x86)\Overwatch
2016-12-15 17:45 - 2016-06-22 21:49 - 00000000 ____D C:\Program Files (x86)\Diablo III
2016-12-15 17:04 - 2016-06-22 17:08 - 00000000 ____D C:\Users\CrazyDiamond\AppData\Local\Steam
 
==================== Files in the root of some directories =======
 
2017-01-04 08:27 - 2017-01-04 08:27 - 0528896 _____ (houlton) C:\Users\CrazyDiamond\AppData\Local\chicago.exe
2017-01-04 06:19 - 2017-01-04 06:19 - 0528896 _____ (rusting) C:\Users\CrazyDiamond\AppData\Local\curricula.exe
2017-01-04 21:23 - 2017-01-04 21:23 - 19397312 _____ (Adobe Systems Incorporated) C:\Users\CrazyDiamond\AppData\Local\install_flash_player_21_active_x.exe
2017-01-04 21:23 - 2017-01-04 21:27 - 0000000 _____ () C:\Users\CrazyDiamond\AppData\Local\run.txt
2017-01-04 21:25 - 2017-01-04 21:27 - 0000001 _____ () C:\Users\CrazyDiamond\AppData\Local\setupsuccessful.txt
2017-01-04 07:13 - 2017-01-04 07:13 - 0009728 _____ () C:\Users\CrazyDiamond\AppData\Local\sprouts.exe
2017-01-04 21:23 - 2017-01-04 21:27 - 0000000 _____ () C:\Users\CrazyDiamond\AppData\Local\stxtname.txt
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-03 18:36
 
==================== End of FRST.txt ============================

Attached Files



#4 nasdaq

  • Malware Response Team

Posted 11 January 2017 - 09:45 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\Run: [] => 0
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3942347804-715397359-136909450-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BingExt.dll" No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
CHR Extension: (Avast Online Security) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-01-04]
CHR Extension: (Poppit!) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-06-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-18]
CHR Extension: (Chrome Media Router) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S0 mvs91xx; system32\DRIVERS\mvs91xx.sys [X]
S3 Mv_Process; \??\c:\windows\syswow64\mv_process.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys 
Task: {0F61F954-5F55-46C5-9E34-6366593F0380} - \Sak14785461k14785461 -> No File <==== ATTENTION
Task: {1F9C84CE-516D-4D81-87F3-5FA7B9F1F888} - System32\Tasks\dc06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => C:\Program Files (x86)\ball\brinsley.exe
Task: {25636C86-8D50-41C0-B84C-E8D36C2E147A} - System32\Tasks\66098v3a513h49 => Rundll32.exe "C:\ProgramData\66098v3a513h49\66098v3a513h49.dll",bgozrak <==== ATTENTION
Task: {43D521A0-72B3-4FBE-AE6C-887995BEB9C9} - \3w6k8o0 -> No File <==== ATTENTION
Task: {4B216ACA-E970-440B-960B-1231B8B4C14C} - \USBAC56WLANMGR -> No File <==== ATTENTION
Task: {5AE9C734-65E8-4D26-895B-66DBFAD10C87} - System32\Tasks\dc08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => C:\Program Files (x86)\outfitters\albas.exe
Task: {6089182B-A9BB-49F9-B33C-E131C32D415D} - System32\Tasks\ab06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => C:\Program Files (x86)\ball\brinsley.exe
Task: {95279E87-5208-406C-964B-95EE0B93E077} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {C2C364E8-6E05-455B-A64E-EC78E3D32035} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {E4BCF4A4-D32A-4B6A-9DCB-F28E0BA435BF} - System32\Tasks\ab08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => C:\Program Files (x86)\outfitters\albas.exe
Task: {F4B8646D-0C47-4A00-8D72-E94B1B842C00} - \{0E080F47-0805-0479-0A11-0478050E1108} -> No File <==== ATTENTION
Task: {FD2EA3ED-B9E7-447C-854E-1A16E5384997} - \klcp_update -> No File <==== ATTENTION
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rnet ???lor?r.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rnet Ex?l?r?r (No Add-?ns).lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rnet ???l?r?r ?rowser.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gle Chr?me.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G?ogle Chr?me.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\Di?blo III.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnual iii olbaid.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\D?E??N ?ools Lite.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnualtd.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\??ttle.net.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnual ten.elttab.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\?verw?t?h.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnual hctawrevo.bat (No File) <===== Cyrillic
() C:\Windows\TEMP\g6F58.tmp
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\brittingham
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\brittinghambrittingham
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\constituted
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\reheard
FirewallRules: [TCP Query User{8ECB454B-04B7-4F4C-87BD-DCF9601EEAAD}C:\program files\java\jre1.8.0_92\bin\javaw.exe] => C:\program files\java\jre1.8.0_92\bin\javaw.exe
FirewallRules: [UDP Query User{51E3E8AF-3A3F-48EC-A866-F75EF38B1A83}C:\program files\java\jre1.8.0_92\bin\javaw.exe] => C:\program files\java\jre1.8.0_92\bin\javaw.exe
FirewallRules: [{A5C790FA-0B5C-41A7-98EE-E25352ED7468}] => C:\Users\CrazyDiamond\AppData\Local\ddnowyes.exe
FirewallRules: [{8314CF0A-60C3-4FD3-B89C-B8CF4F78E2CF}] => C:\Users\CrazyDiamond\AppData\Local\Temp\DAOXF6RWH\Bundle_FasterInternet.exe
FirewallRules: [{FA8872E9-46F0-456A-866B-52B93DC9D8C9}] => C:\Users\CrazyDiamond\AppData\Local\64394116.exe
FirewallRules: [{6D03655E-90B2-41BA-B749-ACB0E0095A10}] => C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
FirewallRules: [{D1AA30D3-07B2-4C66-8D33-63949D8D06CE}] => C:\Users\CrazyDiamond\AppData\Local\sc8858885.exe
FirewallRules: [{E5449EBC-1447-4360-83FA-3C552F0D0846}] => C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
FirewallRules: [{E01B497D-3E91-4F2D-A468-4913C960AEDC}] => C:\Program Files (x86)\outfitters\albas.exe
FirewallRules: [{DA0CB37A-E8D5-43AF-BF91-16AED3136B7A}] => C:\Program Files (x86)\outfitters\wootten.exe
FirewallRules: [{CC2B12AA-F9D5-4ED6-AC0F-54C084E5D2F6}] => C:\Program Files (x86)\freeway\condone.exe
FirewallRules: [{D3D3CD96-4F6F-40A0-B6D2-DFDF7BDE59DB}] => C:\Program Files (x86)\Caribbean\ranchers.exe
FirewallRules: [{4982554E-E9DB-4337-9160-C71924C9A276}] => C:\Windows\phy.exe
FirewallRules: [TCP Query User{8E8AC9E5-9ABC-4036-A33F-0F43D35BD251}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{DFCDD349-3EAF-4A7E-9813-D2719363124D}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [{A30EC88E-B5A4-4656-89C9-291B921DEEBD}] => C:\Program Files (x86)\Sings\sprouts.exe
FirewallRules: [{1CABA0EA-6D49-43BA-BB3A-6D257D4899E0}] => C:\Program Files (x86)\Spiking\sprouts.exe
FirewallRules: [{B02AFDD0-DEEC-443C-A22E-AE0C488FD80B}] => C:\Users\CrazyDiamond\AppData\Local\ddnowyes.exe
FirewallRules: [{317BC082-098F-4BF0-B226-DA5CC9024A32}] => C:\Users\CrazyDiamond\AppData\Local\Temp\4536fc0c6cec449692b2841a50938818\setup.exe
FirewallRules: [{F2F87288-4D5C-4A57-B971-66F25651B7D4}] => C:\Users\CrazyDiamond\AppData\Local\47995151.exe
FirewallRules: [{A49DBC46-F6F9-4963-8836-EC2D1B8C7A83}] => C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
FirewallRules: [{AD78269C-135A-4528-B664-6E8687714FFE}] => C:\Users\CrazyDiamond\AppData\Local\sc73779464.exe
FirewallRules: [{D2B00E76-EE04-407A-A070-3D08381F30BC}] => C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
FirewallRules: [{876CB05C-C1F4-4BA7-B306-59A3C188DAEA}] => C:\Program Files (x86)\ball\brinsley.exe
FirewallRules: [{291D6CDB-69EB-4B30-AFCC-B08E547E7B4D}] => C:\Program Files (x86)\ball\tyrrhenian.exe
FirewallRules: [{5ACD7D7C-9289-48BC-97F3-A1AF56820779}] => C:\Program Files (x86)\rafsanjani\rio.exe
FirewallRules: [{6DBE56FE-567E-4729-9F11-CC361ACC1F51}] => C:\Program Files (x86)\Scenically\macgowan.exe
FirewallRules: [{0B4B1410-65F6-46E3-8EDB-115F45BB5F7C}] => C:\Windows\concealment.exe
FirewallRules: [{4608C15A-341D-4ACD-920F-65C1BD5AA212}] => C:\Users\CrazyDiamond\AppData\Local\vghd\bin\vghd.exe
FirewallRules: [{6076AB82-4F44-4B9E-9FD8-0F098B8E8220}] => C:\Users\CrazyDiamond\AppData\Local\vghd\bin\vghd.exe
C:\Users\CrazyDiamond\AppData\Local\chicago.exe
C:\Users\CrazyDiamond\AppData\Local\curricula.exe
C:\Users\CrazyDiamond\AppData\Local\install_flash_player_21_active_x.exe
C:\Users\CrazyDiamond\AppData\Local\run.txt
C:\Users\CrazyDiamond\AppData\Local\setupsuccessful.txt
C:\Users\CrazyDiamond\AppData\Local\sprouts.exe
C:\Users\CrazyDiamond\AppData\Local\stxtname.txt
C:\Program Files (x86)\ball
C:\ProgramData\66098v3a513h49
C:\Program Files (x86)\outfitters
C:\Users\CrazyDiamond\AppData\Roaming\Browsers
C:\Windows\TEMP\g6F58.tmp
C:\Windows\pss
C:\Program Files (x86)\Sings
C:\Program Files (x86)\Spiking
C:\Program Files (x86)\metroplex
C:\Users\CrazyDiamond\AppData\Local\ddnowyes.exe
C:\Users\CrazyDiamond\AppData\Local\Temp\DAOXF6RWH
C:\Users\CrazyDiamond\AppData\Local\64394116.exe
C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
C:\Users\CrazyDiamond\AppData\Local\sc8858885.exe
C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
C:\Program Files (x86)\freeway
C:\Program Files (x86)\Caribbean
C:\Windows\phy.exe
C:\program files (x86)\google\chrome\application\chrome334.exe
C:\Users\CrazyDiamond\AppData\Local\Temp\4536fc0c6cec449692b2841a50938818
C:\Users\CrazyDiamond\AppData\Local\47995151.exe
C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
C:\Users\CrazyDiamond\AppData\Local\sc73779464.exe
C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
C:\Program Files (x86)\ball\brinsley.exe
C:\Program Files (x86)\rafsanjani
C:\Program Files (x86)\Scenically
C:\Windows\concealment.exe
C:\Users\CrazyDiamond\AppData\Local\vghd

Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
___

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 92 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418092F0}) (Version: 8.0.920.14 - Oracle Corporation)
===

Please post the Fixlog.txt and let me know what problem persists with this computer.
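
The "<===== Cyrillic" marker on the Shortcut: lines in the fixlist above is FRST flagging lookalike shortcut names built from Cyrillic letters that point at a .bat launcher in AppData\Roaming\Browsers instead of the real browser or game. The following is an added example, not FRST's code and not from any post in this thread: it reproduces that check over FRST-style log lines for offline triage, with sample lines constructed after the entries quoted here, and the regexes for the two FRST line shapes and the Finding record are my own assumptions about the format.

```python
"""Flag lookalike (homoglyph) shortcut names in FRST-style log lines.

Added example for this thread; it is not FRST's own code and not from any
post here. FRST marks shortcuts whose names mix Latin and Cyrillic letters
with "<===== Cyrillic"; this reproduces that check for offline triage and
also flags shortcuts whose target is a .bat launcher under
AppData\\Roaming\\Browsers, the pattern seen in this thread.
"""
import re
import unicodedata
from dataclasses import dataclass, field

# Assumed shapes of the two FRST line kinds quoted in the thread:
#   Shortcut: <lnk path> -> <target> (No File) <===== Cyrillic
#   2017-01-04 21:23 - 2017-01-04 21:23 - 00002100 ___RS <path>
SHORTCUT_RE = re.compile(
    r"^Shortcut:\s+(?P<lnk>.+?\.lnk)\s+->\s+(?P<target>.+?)"
    r"(?:\s+\(No File\))?(?:\s+<=+\s*Cyrillic)?\s*$"
)
LISTING_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ \S+ (?:\([^)]*\) )?(?P<path>.+)$"
)
# Launcher location used by the hijacker in this thread.
BAT_LAUNCHER_RE = re.compile(r"\\AppData\\Roaming\\Browsers\\[^\\]+\.bat$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    homoglyphs: list = field(default_factory=list)  # (index, char, unicode name)


def script_of(ch):
    """Script prefix of a letter's Unicode name: 'LATIN', 'CYRILLIC', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_letters(name):
    """Letters whose script differs from the name's majority script.

    A name written entirely in one script (all Latin, or all Cyrillic) is
    not a lookalike and yields an empty list.
    """
    letters = [(i, c, script_of(c)) for i, c in enumerate(name) if c.isalpha()]
    scripts = {s for _, _, s in letters}
    if len(scripts) < 2:
        return []
    majority = max(scripts, key=lambda s: sum(1 for t in letters if t[2] == s))
    return [(i, c, unicodedata.name(c, "UNKNOWN"))
            for i, c, s in letters if s != majority]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def analyse_line(line):
    """Return a Finding for a suspicious FRST line, or None when it is clean."""
    line = line.strip()
    target = None
    m = SHORTCUT_RE.match(line)
    if m:
        path, target = m.group("lnk"), m.group("target")
    else:
        m = LISTING_RE.match(line)
        if not m:
            return None
        path = m.group("path")
    finding = Finding(path=path, homoglyphs=mixed_script_letters(basename(path)))
    if finding.homoglyphs:
        finding.reasons.append("mixed-script filename")
    if target and BAT_LAUNCHER_RE.search(target):
        finding.reasons.append("shortcut launches .bat from AppData\\Roaming\\Browsers")
    return finding if finding.reasons else None


def scan(lines):
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample lines modelled on the entries in this thread; the
# Cyrillic letters are written as escapes so the lookalikes are explicit.
SAMPLE_LINES = [
    "2017-01-04 21:24 - 2017-01-04 21:24 - 00000000 ____D C:\\Program Files\\BitTorrent",
    "2017-01-04 21:23 - 2017-01-04 21:23 - 00002100 ___RS "
    "C:\\Users\\Public\\Desktop\\\u0412\u0430ttle.net.lnk",
    "Shortcut: C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\G\u043eogle Chr\u043eme.lnk"
    " -> C:\\Users\\CrazyDiamond\\AppData\\Roaming\\Browsers\\exe.emorhc.bat (No File) <===== Cyrillic",
    "Shortcut: C:\\Users\\Public\\Desktop\\Steam.lnk -> C:\\Program Files (x86)\\Steam\\Steam.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f.path, "|", "; ".join(f.reasons))
        for i, c, name in f.homoglyphs:
            print(f"    position {i}: {c!r} is {name}")
```

Run against a pasted FRST.txt or fixlist, it lists each lookalike name with the exact position and Unicode name of every non-Latin letter, which is what makes a visually identical shortcut distinguishable from the real one.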

#5 lordsigurd

  • Topic Starter
  • Members

Posted 12 January 2017 - 06:27 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-01-2017
Ran by CrazyDiamond (12-01-2017 18:09:49) Run:1
Running from C:\Users\CrazyDiamond\Downloads
Loaded Profiles: CrazyDiamond (Available Profiles: CrazyDiamond)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-18\...\Run: [] => 0
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3942347804-715397359-136909450-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BingExt.dll" No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
CHR Extension: (Avast Online Security) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-01-04]
CHR Extension: (Poppit!) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-06-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-18]
CHR Extension: (Chrome Media Router) - C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S0 mvs91xx; system32\DRIVERS\mvs91xx.sys [X]
S3 Mv_Process; \??\c:\windows\syswow64\mv_process.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys 
Task: {0F61F954-5F55-46C5-9E34-6366593F0380} - \Sak14785461k14785461 -> No File <==== ATTENTION
Task: {1F9C84CE-516D-4D81-87F3-5FA7B9F1F888} - System32\Tasks\dc06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => C:\Program Files (x86)\ball\brinsley.exe
Task: {25636C86-8D50-41C0-B84C-E8D36C2E147A} - System32\Tasks\66098v3a513h49 => Rundll32.exe "C:\ProgramData\66098v3a513h49\66098v3a513h49.dll",bgozrak <==== ATTENTION
Task: {43D521A0-72B3-4FBE-AE6C-887995BEB9C9} - \3w6k8o0 -> No File <==== ATTENTION
Task: {4B216ACA-E970-440B-960B-1231B8B4C14C} - \USBAC56WLANMGR -> No File <==== ATTENTION
Task: {5AE9C734-65E8-4D26-895B-66DBFAD10C87} - System32\Tasks\dc08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => C:\Program Files (x86)\outfitters\albas.exe
Task: {6089182B-A9BB-49F9-B33C-E131C32D415D} - System32\Tasks\ab06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => C:\Program Files (x86)\ball\brinsley.exe
Task: {95279E87-5208-406C-964B-95EE0B93E077} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {C2C364E8-6E05-455B-A64E-EC78E3D32035} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {E4BCF4A4-D32A-4B6A-9DCB-F28E0BA435BF} - System32\Tasks\ab08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => C:\Program Files (x86)\outfitters\albas.exe
Task: {F4B8646D-0C47-4A00-8D72-E94B1B842C00} - \{0E080F47-0805-0479-0A11-0478050E1108} -> No File <==== ATTENTION
Task: {FD2EA3ED-B9E7-447C-854E-1A16E5384997} - \klcp_update -> No File <==== ATTENTION
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rnet ???lor?r.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rnet Ex?l?r?r (No Add-?ns).lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rnet ???l?r?r ?rowser.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gle Chr?me.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G?ogle Chr?me.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\Di?blo III.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnual iii olbaid.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\D?E??N ?ools Lite.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnualtd.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\??ttle.net.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnual ten.elttab.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\?verw?t?h.lnk -> C:\Users\CrazyDiamond\AppData\Roaming\Browsers\exe.rehcnual hctawrevo.bat (No File) <===== Cyrillic
() C:\Windows\TEMP\g6F58.tmp
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\brittingham
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\brittinghambrittingham
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\constituted
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\reheard
FirewallRules: [TCP Query User{8ECB454B-04B7-4F4C-87BD-DCF9601EEAAD}C:\program files\java\jre1.8.0_92\bin\javaw.exe] => C:\program files\java\jre1.8.0_92\bin\javaw.exe
FirewallRules: [UDP Query User{51E3E8AF-3A3F-48EC-A866-F75EF38B1A83}C:\program files\java\jre1.8.0_92\bin\javaw.exe] => C:\program files\java\jre1.8.0_92\bin\javaw.exe
FirewallRules: [{A5C790FA-0B5C-41A7-98EE-E25352ED7468}] => C:\Users\CrazyDiamond\AppData\Local\ddnowyes.exe
FirewallRules: [{8314CF0A-60C3-4FD3-B89C-B8CF4F78E2CF}] => C:\Users\CrazyDiamond\AppData\Local\Temp\DAOXF6RWH\Bundle_FasterInternet.exe
FirewallRules: [{FA8872E9-46F0-456A-866B-52B93DC9D8C9}] => C:\Users\CrazyDiamond\AppData\Local\64394116.exe
FirewallRules: [{6D03655E-90B2-41BA-B749-ACB0E0095A10}] => C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
FirewallRules: [{D1AA30D3-07B2-4C66-8D33-63949D8D06CE}] => C:\Users\CrazyDiamond\AppData\Local\sc8858885.exe
FirewallRules: [{E5449EBC-1447-4360-83FA-3C552F0D0846}] => C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
FirewallRules: [{E01B497D-3E91-4F2D-A468-4913C960AEDC}] => C:\Program Files (x86)\outfitters\albas.exe
FirewallRules: [{DA0CB37A-E8D5-43AF-BF91-16AED3136B7A}] => C:\Program Files (x86)\outfitters\wootten.exe
FirewallRules: [{CC2B12AA-F9D5-4ED6-AC0F-54C084E5D2F6}] => C:\Program Files (x86)\freeway\condone.exe
FirewallRules: [{D3D3CD96-4F6F-40A0-B6D2-DFDF7BDE59DB}] => C:\Program Files (x86)\Caribbean\ranchers.exe
FirewallRules: [{4982554E-E9DB-4337-9160-C71924C9A276}] => C:\Windows\phy.exe
FirewallRules: [TCP Query User{8E8AC9E5-9ABC-4036-A33F-0F43D35BD251}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{DFCDD349-3EAF-4A7E-9813-D2719363124D}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [{A30EC88E-B5A4-4656-89C9-291B921DEEBD}] => C:\Program Files (x86)\Sings\sprouts.exe
FirewallRules: [{1CABA0EA-6D49-43BA-BB3A-6D257D4899E0}] => C:\Program Files (x86)\Spiking\sprouts.exe
FirewallRules: [{B02AFDD0-DEEC-443C-A22E-AE0C488FD80B}] => C:\Users\CrazyDiamond\AppData\Local\ddnowyes.exe
FirewallRules: [{317BC082-098F-4BF0-B226-DA5CC9024A32}] => C:\Users\CrazyDiamond\AppData\Local\Temp\4536fc0c6cec449692b2841a50938818\setup.exe
FirewallRules: [{F2F87288-4D5C-4A57-B971-66F25651B7D4}] => C:\Users\CrazyDiamond\AppData\Local\47995151.exe
FirewallRules: [{A49DBC46-F6F9-4963-8836-EC2D1B8C7A83}] => C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
FirewallRules: [{AD78269C-135A-4528-B664-6E8687714FFE}] => C:\Users\CrazyDiamond\AppData\Local\sc73779464.exe
FirewallRules: [{D2B00E76-EE04-407A-A070-3D08381F30BC}] => C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
FirewallRules: [{876CB05C-C1F4-4BA7-B306-59A3C188DAEA}] => C:\Program Files (x86)\ball\brinsley.exe
FirewallRules: [{291D6CDB-69EB-4B30-AFCC-B08E547E7B4D}] => C:\Program Files (x86)\ball\tyrrhenian.exe
FirewallRules: [{5ACD7D7C-9289-48BC-97F3-A1AF56820779}] => C:\Program Files (x86)\rafsanjani\rio.exe
FirewallRules: [{6DBE56FE-567E-4729-9F11-CC361ACC1F51}] => C:\Program Files (x86)\Scenically\macgowan.exe
FirewallRules: [{0B4B1410-65F6-46E3-8EDB-115F45BB5F7C}] => C:\Windows\concealment.exe
FirewallRules: [{4608C15A-341D-4ACD-920F-65C1BD5AA212}] => C:\Users\CrazyDiamond\AppData\Local\vghd\bin\vghd.exe
FirewallRules: [{6076AB82-4F44-4B9E-9FD8-0F098B8E8220}] => C:\Users\CrazyDiamond\AppData\Local\vghd\bin\vghd.exe
C:\Users\CrazyDiamond\AppData\Local\chicago.exe
C:\Users\CrazyDiamond\AppData\Local\curricula.exe
C:\Users\CrazyDiamond\AppData\Local\install_flash_player_21_active_x.exe
C:\Users\CrazyDiamond\AppData\Local\run.txt
C:\Users\CrazyDiamond\AppData\Local\setupsuccessful.txt
C:\Users\CrazyDiamond\AppData\Local\sprouts.exe
C:\Users\CrazyDiamond\AppData\Local\stxtname.txt
C:\Program Files (x86)\ball
C:\ProgramData\66098v3a513h49
C:\Program Files (x86)\outfitters
C:\Users\CrazyDiamond\AppData\Roaming\Browsers
C:\Windows\TEMP\g6F58.tmp
C:\Windows\pss
C:\Program Files (x86)\Sings
C:\Program Files (x86)\Spiking
C:\Program Files (x86)\metroplex
C:\Users\CrazyDiamond\AppData\Local\ddnowyes.exe
C:\Users\CrazyDiamond\AppData\Local\Temp\DAOXF6RWH
C:\Users\CrazyDiamond\AppData\Local\64394116.exe
C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
C:\Users\CrazyDiamond\AppData\Local\sc8858885.exe
C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
C:\Program Files (x86)\freeway
C:\Program Files (x86)\Caribbean
C:\Windows\phy.exe
C:\program files (x86)\google\chrome\application\chrome334.exe
C:\Users\CrazyDiamond\AppData\Local\Temp\4536fc0c6cec449692b2841a50938818
C:\Users\CrazyDiamond\AppData\Local\47995151.exe
C:\Users\CrazyDiamond\AppData\Local\tinstall.exe
C:\Users\CrazyDiamond\AppData\Local\sc73779464.exe
C:\Users\CrazyDiamond\AppData\Local\ddnow.exe
C:\Program Files (x86)\ball\brinsley.exe
C:\Program Files (x86)\rafsanjani
C:\Program Files (x86)\Scenically
C:\Windows\concealment.exe
C:\Users\CrazyDiamond\AppData\Local\vghd
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-3942347804-715397359-136909450-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{8dcb7100-df86-4384-8842-8fa844297b3f} => value removed successfully
HKCR\Wow6432Node\CLSID\{8dcb7100-df86-4384-8842-8fa844297b3f} => key not found. 
HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9 => key removed successfully
C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => moved successfully
C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi => moved successfully
C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\CrazyDiamond\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key removed successfully
HKLM\System\CurrentControlSet\Services\gupdate => key removed successfully
gupdate => service removed successfully
HKLM\System\CurrentControlSet\Services\gupdatem => key removed successfully
gupdatem => service removed successfully
HKLM\System\CurrentControlSet\Services\mvs91xx => key removed successfully
mvs91xx => service removed successfully
HKLM\System\CurrentControlSet\Services\Mv_Process => key removed successfully
Mv_Process => service removed successfully
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully
VGPU => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0F61F954-5F55-46C5-9E34-6366593F0380} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F61F954-5F55-46C5-9E34-6366593F0380} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Sak14785461k14785461 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1F9C84CE-516D-4D81-87F3-5FA7B9F1F888} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F9C84CE-516D-4D81-87F3-5FA7B9F1F888} => key not found. 
C:\Windows\System32\Tasks\dc06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dc06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{25636C86-8D50-41C0-B84C-E8D36C2E147A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{25636C86-8D50-41C0-B84C-E8D36C2E147A} => key removed successfully
C:\Windows\System32\Tasks\66098v3a513h49 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\66098v3a513h49 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{43D521A0-72B3-4FBE-AE6C-887995BEB9C9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{43D521A0-72B3-4FBE-AE6C-887995BEB9C9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\3w6k8o0 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4B216ACA-E970-440B-960B-1231B8B4C14C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4B216ACA-E970-440B-960B-1231B8B4C14C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\USBAC56WLANMGR => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5AE9C734-65E8-4D26-895B-66DBFAD10C87} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5AE9C734-65E8-4D26-895B-66DBFAD10C87} => key not found. 
C:\Windows\System32\Tasks\dc08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dc08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6089182B-A9BB-49F9-B33C-E131C32D415D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6089182B-A9BB-49F9-B33C-E131C32D415D} => key not found. 
C:\Windows\System32\Tasks\ab06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ab06A0hSHDyZI0GUsQU0KW-ni-2017-01-04-ni-20756-ni-1 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{95279E87-5208-406C-964B-95EE0B93E077} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{95279E87-5208-406C-964B-95EE0B93E077} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C2C364E8-6E05-455B-A64E-EC78E3D32035} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2C364E8-6E05-455B-A64E-EC78E3D32035} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E4BCF4A4-D32A-4B6A-9DCB-F28E0BA435BF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4BCF4A4-D32A-4B6A-9DCB-F28E0BA435BF} => key not found. 
C:\Windows\System32\Tasks\ab08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ab08A1fsos25zUEqWqNjmv-ni-2017-01-04-ni-20258-ni-1 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F4B8646D-0C47-4A00-8D72-E94B1B842C00} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4B8646D-0C47-4A00-8D72-E94B1B842C00} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0E080F47-0805-0479-0A11-0478050E1108} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FD2EA3ED-B9E7-447C-854E-1A16E5384997} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD2EA3ED-B9E7-447C-854E-1A16E5384997} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\klcp_update => key removed successfully
"C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rnet ???lor?r.lnk" => Could not move.
"C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rnet Ex?l?r?r (No Add-?ns).lnk" => Could not move.
"C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk" => Could not move.
"C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rnet ???l?r?r ?rowser.lnk" => Could not move.
"C:\Users\CrazyDiamond\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gle Chr?me.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G?ogle Chr?me.lnk" => Could not move.
"C:\Users\Public\Desktop\Di?blo III.lnk" => Could not move.
"C:\Users\Public\Desktop\D?E??N ?ools Lite.lnk" => Could not move.
"C:\Users\Public\Desktop\??ttle.net.lnk" => Could not move.
"C:\Users\Public\Desktop\?verw?t?h.lnk" => Could not move.
C:\Windows\TEMP\g6F58.tmp => No running process found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\brittingham => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\brittinghambrittingham => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\constituted => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\reheard => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{8ECB454B-04B7-4F4C-87BD-DCF9601EEAAD}C:\program files\java\jre1.8.0_92\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{51E3E8AF-3A3F-48EC-A866-F75EF38B1A83}C:\program files\java\jre1.8.0_92\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A5C790FA-0B5C-41A7-98EE-E25352ED7468} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8314CF0A-60C3-4FD3-B89C-B8CF4F78E2CF} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FA8872E9-46F0-456A-866B-52B93DC9D8C9} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6D03655E-90B2-41BA-B749-ACB0E0095A10} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D1AA30D3-07B2-4C66-8D33-63949D8D06CE} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E5449EBC-1447-4360-83FA-3C552F0D0846} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E01B497D-3E91-4F2D-A468-4913C960AEDC} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DA0CB37A-E8D5-43AF-BF91-16AED3136B7A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CC2B12AA-F9D5-4ED6-AC0F-54C084E5D2F6} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D3D3CD96-4F6F-40A0-B6D2-DFDF7BDE59DB} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4982554E-E9DB-4337-9160-C71924C9A276} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{8E8AC9E5-9ABC-4036-A33F-0F43D35BD251}C:\program files (x86)\google\chrome\application\chrome334.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{DFCDD349-3EAF-4A7E-9813-D2719363124D}C:\program files (x86)\google\chrome\application\chrome334.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A30EC88E-B5A4-4656-89C9-291B921DEEBD} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1CABA0EA-6D49-43BA-BB3A-6D257D4899E0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B02AFDD0-DEEC-443C-A22E-AE0C488FD80B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{317BC082-098F-4BF0-B226-DA5CC9024A32} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F2F87288-4D5C-4A57-B971-66F25651B7D4} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A49DBC46-F6F9-4963-8836-EC2D1B8C7A83} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AD78269C-135A-4528-B664-6E8687714FFE} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D2B00E76-EE04-407A-A070-3D08381F30BC} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{876CB05C-C1F4-4BA7-B306-59A3C188DAEA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{291D6CDB-69EB-4B30-AFCC-B08E547E7B4D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5ACD7D7C-9289-48BC-97F3-A1AF56820779} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6DBE56FE-567E-4729-9F11-CC361ACC1F51} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0B4B1410-65F6-46E3-8EDB-115F45BB5F7C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4608C15A-341D-4ACD-920F-65C1BD5AA212} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6076AB82-4F44-4B9E-9FD8-0F098B8E8220} => value removed successfully
C:\Users\CrazyDiamond\AppData\Local\chicago.exe => moved successfully
C:\Users\CrazyDiamond\AppData\Local\curricula.exe => moved successfully
C:\Users\CrazyDiamond\AppData\Local\install_flash_player_21_active_x.exe => moved successfully
C:\Users\CrazyDiamond\AppData\Local\run.txt => moved successfully
C:\Users\CrazyDiamond\AppData\Local\setupsuccessful.txt => moved successfully
C:\Users\CrazyDiamond\AppData\Local\sprouts.exe => moved successfully
C:\Users\CrazyDiamond\AppData\Local\stxtname.txt => moved successfully
"C:\Program Files (x86)\ball" => not found.
C:\ProgramData\66098v3a513h49 => moved successfully
"C:\Program Files (x86)\outfitters" => not found.
"C:\Users\CrazyDiamond\AppData\Roaming\Browsers" => not found.
"C:\Windows\TEMP\g6F58.tmp" => not found.
C:\Windows\pss => moved successfully
C:\Program Files (x86)\Sings => moved successfully
C:\Program Files (x86)\Spiking => moved successfully
C:\Program Files (x86)\metroplex => moved successfully
"C:\Users\CrazyDiamond\AppData\Local\ddnowyes.exe" => not found.
C:\Users\CrazyDiamond\AppData\Local\Temp\DAOXF6RWH => moved successfully
"C:\Users\CrazyDiamond\AppData\Local\64394116.exe" => not found.
"C:\Users\CrazyDiamond\AppData\Local\tinstall.exe" => not found.
"C:\Users\CrazyDiamond\AppData\Local\sc8858885.exe" => not found.
"C:\Users\CrazyDiamond\AppData\Local\ddnow.exe" => not found.
"C:\Program Files (x86)\freeway" => not found.
"C:\Program Files (x86)\Caribbean" => not found.
"C:\Windows\phy.exe" => not found.
"C:\program files (x86)\google\chrome\application\chrome334.exe" => not found.
C:\Users\CrazyDiamond\AppData\Local\Temp\4536fc0c6cec449692b2841a50938818 => moved successfully
"C:\Users\CrazyDiamond\AppData\Local\47995151.exe" => not found.
"C:\Users\CrazyDiamond\AppData\Local\tinstall.exe" => not found.
"C:\Users\CrazyDiamond\AppData\Local\sc73779464.exe" => not found.
"C:\Users\CrazyDiamond\AppData\Local\ddnow.exe" => not found.
"C:\Program Files (x86)\ball\brinsley.exe" => not found.
"C:\Program Files (x86)\rafsanjani" => not found.
"C:\Program Files (x86)\Scenically" => not found.
"C:\Windows\concealment.exe" => not found.
"C:\Users\CrazyDiamond\AppData\Local\vghd" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31066692 B
Java, Flash, Steam htmlcache => 142497 B
Windows/system/drivers => 92398816 B
Edge => 0 B
Chrome => 506413965 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 16802 B
systemprofile32 => 33125 B
LocalService => 0 B
NetworkService => 77254 B
CrazyDiamond => 274756299 B
 
RecycleBin => 113344 B
EmptyTemp: => 871.1 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 18:10:11 ====


#6 nasdaq

Posted 13 January 2017 - 11:22 AM

Any remaining issues?

#7 lordsigurd

Posted 13 January 2017 - 05:45 PM

None so far! Thank you so much for your help!



#8 nasdaq

Posted 14 January 2017 - 09:55 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/