Trojan/Virus - svchost.vbs denied access


  • This topic is locked
11 replies to this topic

#1 TheBenjamin


  • Members
  • 6 posts

Posted 12 January 2017 - 01:15 PM

Hello,

I don't reboot my computer so often, but a few days ago I noticed that when Windows booted up I got an error saying "Loading script ***PATH**/svchost.vbs failed (access denied)".

 

I tried to look it up online and understood this is some kind of virus that prevents Windows Defender from running.

 

I don't know if it's related, but recently my graphics card started to be noisy, sometimes online videos get stuck stuttering on the first second of the video, and I get blue screens as well.

 

Would appreciate the help to get rid of this situation.

Thank you!



#2 nasdaq


  • Malware Response Team
  • 40,745 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 January 2017 - 02:14 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================
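As an added example (not part of either poster's reply, and not code from Malwarebytes or FRST), here is a small Python triage script for the log formats this thread works with: it parses MBAM "-Scan Details-" detection lines and FRST "Startup:" lines and flags the kinds of entries the logs posted further down contain. The sample lines are constructed from entries quoted in those logs, and the heuristics (system-binary names outside the Windows directory, scripts or entries with no publisher in the Startup folder, files in Temp, FRST's GroupPolicy ATTENTION marker) are my own, not either tool's.

```python
"""Triage helpers for the Malwarebytes (MBAM) and FRST log lines seen in this thread."""
import re
from dataclasses import dataclass, field
from typing import List

# Names of Windows binaries that malware commonly borrows. Legitimate copies
# live under the Windows directory, so the same name elsewhere deserves a look.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "services"}
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}

# "File: 6" / "Registry Key: 1" headers that precede MBAM detection lines.
MBAM_HEADER = re.compile(
    r"^(Process|Module|Registry Key|Registry Value|Data Stream|Folder|File|Physical Sector):\s+\d+$")
# "<family>, <path>, <action>, [id], [id],<db version>"
MBAM_DETECTION = re.compile(r"^(?P<family>[\w.]+),\s+(?P<path>.+?),\s+(?P<action>[\w-]+),\s+\[")
# "Startup: <path> [date]" optionally followed by "(<publisher>)"; "()" means no publisher.
FRST_STARTUP = re.compile(r"^Startup:\s+(?P<path>.+?)\s+\[(?P<date>[^\]]+)\](?:\s+\((?P<pub>[^)]*)\))?$")

# Constructed sample input, built from entries quoted in the logs posted in this thread.
MBAM_SAMPLE = r"""
-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.YeaPlayer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\svchost, Delete-on-Reboot, [10339], [260966],1.0.1006

Folder: 1
Trojan.Agent.Gen, C:\USERS\DOR\APPDATA\ROAMING\svchost, Delete-on-Reboot, [1059], [172813],1.0.1006

File: 2
Trojan.Injector, C:\USERS\DOR\APPDATA\LOCAL\TEMP\1906, Delete-on-Reboot, [18], [358930],1.0.1006
Spyware.Pony, C:\USERS\DOR\APPDATA\LOCAL\TEMP\SVCHOST.EXE, Delete-on-Reboot, [88], [357842],1.0.1006
"""
FRST_SAMPLE = r"""
Startup: C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2017-01-07]
Startup: C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs [2017-01-07] ()
GroupPolicy: Restriction ? <======= ATTENTION
"""


@dataclass
class Finding:
    source: str                # "MBAM" or "FRST"
    path: str
    reasons: List[str] = field(default_factory=list)


def _stem_and_ext(path: str):
    """Lower-cased final path component split into (stem, extension); works for registry paths too."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext) if dot else (name, "")


def _name_reasons(path: str) -> List[str]:
    """Heuristics applied to any path, whether it came from MBAM or FRST."""
    stem, ext = _stem_and_ext(path)
    low = path.lower().replace("/", "\\")
    reasons = []
    if stem in SYSTEM_NAMES:
        if low.startswith("hk"):
            reasons.append("registry entry named after a Windows system binary")
        elif not re.match(r"^[a-z]:\\windows\\", low):
            reasons.append("system binary name used outside the Windows directory")
    if "\\temp\\" in low:
        reasons.append("lives in a Temp directory")
    if ext in SCRIPT_EXTS:
        reasons.append(f"script file ({ext})")
    return reasons


def parse_mbam(text: str) -> List[Finding]:
    """One Finding per detection line under the MBAM '-Scan Details-' headers."""
    findings, category = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if MBAM_HEADER.match(line):
            category = line.split(":")[0]
            continue
        m = MBAM_DETECTION.match(line)
        if m and category:
            reasons = [f"MBAM {category} detection: {m['family']} ({m['action']})"]
            findings.append(Finding("MBAM", m["path"], reasons + _name_reasons(m["path"])))
    return findings


def parse_frst_startup(text: str) -> List[Finding]:
    """Findings for FRST 'Startup:' lines that trip a heuristic, plus its GroupPolicy marker."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("GroupPolicy:") and "ATTENTION" in line:
            findings.append(Finding("FRST", line, ["FRST flags a Group Policy restriction"]))
            continue
        m = FRST_STARTUP.match(line)
        if not m:
            continue
        reasons = _name_reasons(m["path"])
        if m["pub"] == "":  # "()": FRST found no company name in the file's version info
            reasons.append("no publisher in version info (shown by FRST as '()')")
        if reasons:
            findings.append(Finding("FRST", m["path"], reasons))
    return findings


def triage_logs(mbam_text: str, frst_text: str) -> List[Finding]:
    """Combined list, most reasons first, so the entries worth a look sort to the top."""
    findings = parse_mbam(mbam_text) + parse_frst_startup(frst_text)
    return sorted(findings, key=lambda f: len(f.reasons), reverse=True)


if __name__ == "__main__":
    for f in triage_logs(MBAM_SAMPLE, FRST_SAMPLE):
        print(f"[{f.source}] {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Feed it the full text of a posted MBAM and FRST log instead of the samples; clean entries such as the Dropbox.lnk line produce no finding and are dropped from the output.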

#3 TheBenjamin

  • Topic Starter

  • Members
  • 6 posts

Posted 13 January 2017 - 04:36 PM

Thank you for your reply, here are the logs:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 1/13/17
Scan Time: 10:29 PM
Logfile: logMBAM.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.5.1299
Components Version: 1.0.43
Update Package Version: 1.0.1006
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Dor-PC\Dor
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314692
Time Elapsed: 26 min, 12 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 1
PUP.Optional.YeaPlayer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\svchost, Delete-on-Reboot, [10339], [260966],1.0.1006
 
Registry Value: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
Trojan.Agent.Gen, C:\USERS\DOR\APPDATA\ROAMING\svchost, Delete-on-Reboot, [1059], [172813],1.0.1006
 
File: 6
Trojan.Injector, C:\USERS\DOR\APPDATA\LOCAL\TEMP\1906, Delete-on-Reboot, [18], [358930],1.0.1006
Spyware.Pony, C:\USERS\DOR\APPDATA\LOCAL\TEMP\18876.EXE, Delete-on-Reboot, [88], [358473],1.0.1006
Trojan.Injector, C:\USERS\DOR\APPDATA\LOCAL\TEMP\39715.EXE, Delete-on-Reboot, [18], [358346],1.0.1006
Spyware.Pony, C:\USERS\DOR\APPDATA\LOCAL\TEMP\15417.EXE, Delete-on-Reboot, [88], [358473],1.0.1006
Trojan.Injector, C:\USERS\DOR\APPDATA\LOCAL\TEMP\43579.EXE, Delete-on-Reboot, [18], [358930],1.0.1006
Spyware.Pony, C:\USERS\DOR\APPDATA\LOCAL\TEMP\SVCHOST.EXE, Delete-on-Reboot, [88], [357842],1.0.1006
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
# AdwCleaner v6.042 - Logfile created 13/01/2017 at 23:20:26
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-11.1 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X86)
# Username : Dor - DOR-PC
# Running from : C:\Users\Dor\Desktop\adwcleaner_6.042.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\Dor\AppData\LocalLow\.acestream
Folder Found:  C:\Users\Dor\AppData\Roaming\.acestream
Folder Found:  C:\Users\Dor\AppData\Roaming\acestream
Folder Found:  C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl
 
 
***** [ Files ] *****
 
File Found:  C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_nonjdcjchghhkdoolnlbekcfllmednbl_0.localstorage
File Found:  C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_nonjdcjchghhkdoolnlbekcfllmednbl_0.localstorage-journal
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\.acelive
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\.acemedia
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\.acestream
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\.tslive
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\acestream
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\AceStream.file
Key Found:  HKCU\Software\Classes\.acelive
Key Found:  HKCU\Software\Classes\.acemedia
Key Found:  HKCU\Software\Classes\.acestream
Key Found:  HKCU\Software\Classes\.tslive
Key Found:  HKCU\Software\Classes\acestream
Key Found:  HKCU\Software\Classes\AceStream.file
Key Found:  HKLM\SOFTWARE\Classes\SecureShellFile
Key Found:  HKCU\Software\Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\AceStream
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Conduit
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
Key Found:  HKCU\Software\AceStream
Key Found:  HKCU\Software\Conduit
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
Key Found:  HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found:  HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\AceUpdater
Key Found:  HKCU\Software\Classes\Applications\ace_player.exe
Key Found:  HKCU\Software\Classes\MIME\Database\Content Type\application/x-acestream-plugin
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
Key Found:  HKCU\Software\MozillaPlugins\@acestream.net/acestreamplugin,version=3.0.12
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
Key Found:  HKCU\SOFTWARE\Classes\Applications\ace_player.exe
Key Found:  HKCU\SOFTWARE\Classes\MIME\Database\Content Type\application/x-acestream-plugin
Value Found:  HKCU\Software\Mozilla\Firefox\Extensions [acewebextension_unlisted@acestream.org]
Value Found:  HKCU\Software\Mozilla\Firefox\Extensions [acewebextension_unlisted@acestream.org]
Value Found:  HKCU\Software\Mozilla\Firefox\Extensions [acewebextension_unlisted@acestream.org]
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Web data] - lyrics-plugin-for-windows-media-player.en.softonic.com
Chrome pref Found:  [C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - nonjdcjchghhkdoolnlbekcfllmednbl
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [4983 Bytes] - [13/01/2017 23:20:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5056 Bytes] ##########
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-01-2017
Ran by Dor (administrator) on DOR-PC (13-01-2017 23:30:23)
Running from C:\Users\Dor\Desktop
Loaded Profiles: Dor (Available Profiles: Dor)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: אנגלית (ארצות הברית)‏
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Foxit Software Inc.) C:\Program Files\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
(Microsoft Corporation) C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
(VMware, Inc.) C:\Windows\System32\vmnat.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Player\vmware-authd.exe
(VMware, Inc.) C:\Windows\System32\vmnetdhcp.exe
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IEMonitor.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642304 2013-04-30] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [AMD AVT] => Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files\AMD AVT\bin\kdbsync.exe" aml
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [3948600 2016-06-10] (Tonec Inc.)
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\MountPoints2: {bc99322b-baa5-11e4-ac92-00241d22c95e} - H:\HPLauncher.exe
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2616320 2010-11-20] (Microsoft Corporation) <==== ATTENTION
ShellIconOverlayIdentifiers: [   IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Internet Download Manager\IDMShellExt.dll [2015-08-14] (Tonec Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Dor\AppData\Roaming\Dropbox\bin\DropboxExt.8.0.dll [2017-01-06] (Dropbox, Inc.)
Startup: C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2017-01-07]
Startup: C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive for Business.lnk [2017-01-07]
Startup: C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs [2017-01-07] ()
GroupPolicy: Restriction ? <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{57674AD4-204E-44C5-88AB-4E83CBADA8D1}: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{5D354F0B-8115-45AF-97F2-2F3A0F5B412A}: [NameServer] 10.0.0.138
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={A76A9493-6717-429C-972F-F93318FD9484}&mid=835a6c81cef447cfb921d1191024e9fb-ae240c7734e055f956cbdf098eea04d699fc34d2&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-12 17:40:03&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2015-12-08] (Internet Download Manager, Tonec Inc.)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2016-12-10] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_101\bin\ssv.dll [2016-10-10] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL [2016-12-10] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\Office16\GROOVEEX.DLL [2016-12-10] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-10-10] (Oracle Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-10] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-10] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-10] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-10] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Dor\AppData\Roaming\Mozilla\Firefox\Profiles\lmzarlc2.default-1451400342964 [2017-01-13]
FF Extension: (Cookies Manager+) - C:\Users\Dor\AppData\Roaming\Mozilla\Firefox\Profiles\lmzarlc2.default-1451400342964\Extensions\{bb6bc1bb-f824-4702-90cd-35e2fb24f25d} [2016-12-31]
FF Extension: (Adblock Plus) - C:\Users\Dor\AppData\Roaming\Mozilla\Firefox\Profiles\lmzarlc2.default-1451400342964\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-24]
FF HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Dor\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi
FF Extension: (Ace Stream Web Extension) - C:\Users\Dor\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi [2015-12-18]
FF HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Firefox\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files\Internet Download Manager\idmmzcc2.xpi [2016-06-08]
FF HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Dor\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\Dor\AppData\Roaming\IDM\idmmzcc5 [2017-01-13] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-10] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-10-10] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-10-10] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-12-10] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-12-10] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3134249275-3305112718-2132312083-1000: @acestream.net/acestreamplugin,version=3.0.12 -> C:\Users\Dor\AppData\Roaming\ACEStream\player\npace_plugin.dll [2015-09-24] (Innovative Digital Technologies)
FF Plugin HKU\S-1-5-21-3134249275-3305112718-2132312083-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Dor\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-12-13] (Citrix Online)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-02-09]
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxp://www.timeanddate.com/countdown/vacation?iso=20160726T2230&p0=676&msg=Thailand&font=cursive#"
CHR Profile: C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default [2017-01-13]
CHR Extension: (Google Translate) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2015-11-18]
CHR Extension: (Super Netflix) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aioencjhbaolepcoappllicjebblphoc [2016-11-05]
CHR Extension: (HD for YouTube™) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\akjbfncbadcmnkopckegnmjgihagponf [2015-11-18]
CHR Extension: (Google Docs) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-23]
CHR Extension: (כונן Google) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Technion Moodle Connector) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfgmacalelmffegnfkdofhfmjpbmekfp [2016-01-23]
CHR Extension: (Adblock Plus) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-11-05]
CHR Extension: (חיפוש Google) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Docs Offline) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (Google Keep - notes and lists) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmjkmjkepdijhoojdojkdfohbdgmmhki [2017-01-10]
CHR Extension: (IP Whois & Flags Chrome & Websites Rating) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmdfbacgombndnllogoijhnggalgmkon [2016-10-06]
CHR Extension: (Leech Buddy) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\lakfbmecemiaaogdkjgbjlheaobhhbpa [2016-04-09]
CHR Extension: (מפות Google) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2015-09-18]
CHR Extension: (Keepa - Amazon Price Tracker) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\neebplgakaahbhdphmkckjjcegoiijjo [2016-11-25]
CHR Extension: (Course Smarts) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\njglciffconfembkgklgmffkelimkhpi [2016-10-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Hover Zoom) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2016-12-10]
CHR Extension: (Gmail) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-01]
CHR Extension: (Chrome Media Router) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
CHR Profile: C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Guest Profile [2015-03-06]
CHR HKLM\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2016-06-09]
CHR HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [291840 2013-04-29] (Advanced Micro Devices, Inc.) [File not signed]
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2115840 2016-12-09] (Microsoft Corporation)
R2 FoxitReaderService; C:\Program Files\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe [1659592 2016-10-13] (Foxit Software Inc.)
R2 HFGService; C:\Windows\System32\HFGService.dll [413696 2009-12-21] (CSR, plc)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3381200 2016-12-14] (Malwarebytes)
R2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [80472 2012-09-06] (Microsoft Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [103696 2016-11-14] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [280864 2016-11-14] (Microsoft Corporation)
R2 VMAuthdService; C:\Program Files\VMware\VMware Player\vmware-authd.exe [87256 2015-06-24] (VMware, Inc.)
R2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [359128 2015-06-24] (VMware, Inc.)
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [722624 2014-08-21] (VMware, Inc.)
R2 VMware NAT Service; C:\Windows\system32\vmnat.exe [437976 2015-06-24] (VMware, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 amdkmdap; C:\Windows\System32\DRIVERS\atikmpag.sys [290304 2013-04-30] (Advanced Micro Devices, Inc.) [File not signed]
R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
S3 BthAudioHF; C:\Windows\System32\DRIVERS\BthAudioHF.sys [43008 2009-12-21] (CSR, plc)
S3 BthAvrcp; C:\Windows\System32\DRIVERS\BthAvrcp.sys [22528 2009-08-13] (CSR, plc)
S3 csr_a2dp; C:\Windows\System32\drivers\bthav.sys [61952 2009-12-21] (CSR, plc)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae.sys [59968 2016-12-14] ()
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [43968 2014-08-21] (VMware, Inc.)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [153024 2017-01-13] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [87496 2017-01-13] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [39360 2017-01-13] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [219072 2017-01-13] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [63264 2017-01-13] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [252808 2016-08-25] (Microsoft Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
S3 RTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [801896 2013-03-13] (Realtek Semiconductor Corporation                           )
R1 VBoxUSBMon; C:\Windows\System32\DRIVERS\VBoxUSBMon.sys [104064 2017-01-03] (BigNox Corporation)
S3 vmkbd; C:\Windows\system32\drivers\VMkbd.sys [26456 2015-06-24] (VMware, Inc.)
R3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [17104 2015-06-24] (VMware, Inc.)
R2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [37456 2015-06-24] (VMware, Inc.)
R2 VMnetuserif; C:\Windows\system32\drivers\vmnetuserif.sys [26968 2015-06-24] (VMware, Inc.)
R2 VMparport; C:\Windows\system32\Drivers\VMparport.sys [24920 2015-06-24] (VMware, Inc.)
R2 vmx86; C:\Windows\system32\Drivers\vmx86.sys [66136 2015-06-24] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [63824 2013-10-08] (VMware, Inc.)
R1 XQHDrv; C:\Windows\System32\DRIVERS\XQHDrv.sys [203392 2017-01-03] (BigNox Corporation)
S3 amdiox86; system32\DRIVERS\amdiox86.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-13 23:30 - 2017-01-13 23:31 - 00022485 _____ C:\Users\Dor\Desktop\FRST.txt
2017-01-13 23:30 - 2017-01-13 23:30 - 00000000 ____D C:\FRST
2017-01-13 23:29 - 2017-01-13 23:29 - 00005135 _____ C:\Users\Dor\Desktop\AdwCleaner[S0].txt
2017-01-13 23:16 - 2017-01-13 23:20 - 00000000 ____D C:\AdwCleaner
2017-01-13 22:53 - 2017-01-13 22:55 - 01761280 _____ (Farbar) C:\Users\Dor\Desktop\FRST.exe
2017-01-13 22:26 - 2017-01-13 23:16 - 00087496 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-01-13 22:26 - 2017-01-13 23:16 - 00063264 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-01-13 22:26 - 2017-01-13 23:16 - 00039360 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-01-13 22:26 - 2017-01-13 22:27 - 00153024 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-01-13 22:26 - 2017-01-13 22:26 - 03988944 _____ C:\Users\Dor\Desktop\adwcleaner_6.042.exe
2017-01-13 22:25 - 2017-01-13 23:16 - 00219072 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-13 22:25 - 2017-01-13 22:25 - 00002024 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-01-13 22:25 - 2017-01-13 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-01-13 22:25 - 2017-01-13 22:25 - 00000000 ____D C:\Program Files\Malwarebytes
2017-01-13 22:25 - 2016-12-14 12:55 - 00059968 _____ C:\Windows\system32\Drivers\mbae.sys
2017-01-13 22:24 - 2017-01-13 22:24 - 54199488 _____ (Malwarebytes ) C:\Users\Dor\Desktop\mb3-setup-consumer-3.0.5.1299.exe
2017-01-12 19:34 - 2017-01-12 20:08 - 00000000 ____D C:\ProgramData\Avg
2017-01-12 19:34 - 2017-01-12 20:07 - 00000000 ____D C:\Users\Dor\AppData\Local\AvgSetupLog
2017-01-12 19:34 - 2017-01-12 19:34 - 00000000 ____D C:\Users\Dor\AppData\Local\Avg
2017-01-12 16:59 - 2016-07-22 16:51 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2017-01-12 16:50 - 2017-01-12 16:50 - 208857941 _____ C:\Windows\MEMORY.DMP
2017-01-12 14:28 - 2017-01-05 19:46 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-01-12 14:28 - 2017-01-05 19:46 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-01-12 14:28 - 2017-01-05 19:43 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00261120 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-01-12 14:28 - 2017-01-05 19:43 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-01-12 14:28 - 2017-01-05 19:42 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-01-12 14:28 - 2017-01-05 19:23 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-01-12 14:28 - 2017-01-05 19:19 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-01-12 14:28 - 2017-01-05 19:19 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-01-12 14:28 - 2017-01-05 19:19 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-01-12 14:28 - 2017-01-05 19:19 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-01-12 14:28 - 2017-01-05 19:19 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-01-12 14:28 - 2017-01-05 19:19 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-01-12 04:25 - 2017-01-12 04:25 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-01-11 12:21 - 2017-01-11 12:21 - 00236360 _____ C:\Windows\Minidump\011117-17284-01.dmp
2017-01-11 11:45 - 2017-01-11 11:45 - 00236336 _____ C:\Windows\Minidump\011117-19188-01.dmp
2017-01-11 11:39 - 2017-01-11 11:39 - 00236408 _____ C:\Windows\Minidump\011117-17425-01.dmp
2017-01-11 11:09 - 2017-01-11 11:09 - 00236408 _____ C:\Windows\Minidump\011117-27237-01.dmp
2017-01-10 19:59 - 2017-01-10 19:59 - 00000000 ____D C:\ProgramData\ATI
2017-01-10 19:59 - 2017-01-10 19:59 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2017-01-10 19:59 - 2017-01-10 19:59 - 00000000 ____D C:\Program Files\AMD AVT
2017-01-10 19:59 - 2017-01-10 19:59 - 00000000 ____D C:\Program Files\AMD APP
2017-01-10 19:58 - 2017-01-10 19:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD VISION Engine Control Center
2017-01-07 09:51 - 2017-01-07 09:51 - 00001581 __RSH C:\ProgramData\svchost
2017-01-06 23:22 - 2016-11-20 18:19 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\hlink.dll
2017-01-06 23:22 - 2016-11-20 16:07 - 00373896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2017-01-06 23:22 - 2016-11-17 18:27 - 00250600 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2017-01-06 23:22 - 2016-11-15 00:39 - 00346320 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-01-06 23:22 - 2016-11-12 20:47 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-01-06 23:22 - 2016-11-12 20:47 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-01-06 23:22 - 2016-11-12 20:30 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-01-06 23:22 - 2016-11-12 20:29 - 00498688 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-01-06 23:22 - 2016-11-12 20:29 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-01-06 23:22 - 2016-11-12 20:29 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-01-06 23:22 - 2016-11-12 20:27 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-01-06 23:22 - 2016-11-12 20:20 - 02287616 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-01-06 23:22 - 2016-11-12 20:20 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-01-06 23:22 - 2016-11-12 20:19 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-01-06 23:22 - 2016-11-12 20:17 - 20302848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-01-06 23:22 - 2016-11-12 20:15 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-01-06 23:22 - 2016-11-12 20:15 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-01-06 23:22 - 2016-11-12 20:14 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-01-06 23:22 - 2016-11-12 20:14 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-01-06 23:22 - 2016-11-12 20:14 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-01-06 23:22 - 2016-11-12 20:06 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-01-06 23:22 - 2016-11-12 20:03 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-01-06 23:22 - 2016-11-12 19:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-01-06 23:22 - 2016-11-12 19:56 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-01-06 23:22 - 2016-11-12 19:52 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-01-06 23:22 - 2016-11-12 19:51 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-01-06 23:22 - 2016-11-12 19:49 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-01-06 23:22 - 2016-11-12 19:47 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-01-06 23:22 - 2016-11-12 19:40 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-01-06 23:22 - 2016-11-12 19:38 - 00693248 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-01-06 23:22 - 2016-11-12 19:38 - 00689664 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-01-06 23:22 - 2016-11-12 19:37 - 04608000 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-01-06 23:22 - 2016-11-12 19:36 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-01-06 23:22 - 2016-11-12 19:36 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-01-06 23:22 - 2016-11-12 19:21 - 13653504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-01-06 23:22 - 2016-11-12 19:05 - 02444800 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-01-06 23:22 - 2016-11-12 19:02 - 01312256 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-01-06 23:22 - 2016-11-12 19:02 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-01-06 23:22 - 2016-11-10 18:19 - 00811520 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2017-01-06 23:22 - 2016-11-09 18:24 - 00105192 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2017-01-06 23:22 - 2016-11-09 18:17 - 02365440 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2017-01-06 23:22 - 2016-11-09 18:17 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2017-01-06 23:22 - 2016-11-09 18:17 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2017-01-06 23:22 - 2016-11-09 18:17 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2017-01-06 23:22 - 2016-11-09 18:17 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\msimsg.dll
2017-01-06 23:22 - 2016-11-09 18:17 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-01-06 23:22 - 2016-11-09 17:55 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe
2017-01-06 23:22 - 2016-11-06 18:16 - 00306688 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-01-06 23:22 - 2016-11-06 17:55 - 02399744 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-01-06 23:22 - 2016-10-27 17:20 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2017-01-06 23:22 - 2016-10-11 17:24 - 04000488 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2017-01-06 23:22 - 2016-10-11 17:24 - 03944680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-01-06 23:22 - 2016-10-11 17:21 - 01310528 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00644096 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00069120 _____ (Microsoft Corporation) C:\Windows\system32\nlsbres.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2017-01-06 23:22 - 2016-10-11 17:18 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2017-01-06 23:22 - 2016-10-11 16:55 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2017-01-06 23:22 - 2016-10-11 16:55 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2017-01-06 23:22 - 2016-10-11 16:55 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2017-01-06 23:22 - 2016-10-11 16:55 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2017-01-06 23:22 - 2016-10-11 16:53 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2017-01-06 23:22 - 2016-10-11 16:51 - 00295936 _____ (Microsoft Corporation) C:\Windows\system32\bcdedit.exe
2017-01-06 23:22 - 2016-10-11 16:50 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2017-01-06 23:22 - 2016-10-11 15:18 - 00419648 _____ C:\Windows\system32\locale.nls
2017-01-06 23:22 - 2016-10-08 15:05 - 00534600 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2017-01-06 23:22 - 2016-10-04 17:13 - 01176064 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2017-01-06 23:22 - 2016-10-04 17:13 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2017-01-06 23:22 - 2016-10-04 17:13 - 00145920 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2017-01-06 23:22 - 2016-10-04 17:13 - 00106496 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2017-01-06 20:34 - 2017-01-06 20:34 - 00000000 _RSHD C:\ProgramData\sysWOW64
2017-01-05 15:29 - 2017-01-07 20:47 - 00014175 _____ C:\Users\Dor\Desktop\s.xlsx
2017-01-03 20:43 - 2017-01-03 20:43 - 00000000 ____D C:\Users\Dor\AppData\Local\MultiPlayerManager
2017-01-03 20:40 - 2017-01-06 14:25 - 00000000 ____D C:\Users\Dor\vmlogs
2017-01-03 20:40 - 2017-01-06 14:25 - 00000000 ____D C:\Users\Dor\.BigNox
2017-01-03 20:40 - 2017-01-03 20:40 - 00000041 _____ C:\Users\Dor\inst.ini
2017-01-03 20:40 - 2017-01-03 20:40 - 00000000 ____D C:\Users\Dor\Nox_share
2017-01-03 20:40 - 2017-01-03 20:40 - 00000000 ____D C:\Program Files\DIFX
2017-01-03 20:40 - 2017-01-03 20:39 - 00203392 _____ (BigNox Corporation) C:\Windows\system32\Drivers\XQHDrv.sys
2017-01-03 20:39 - 2017-01-03 20:40 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Nox
2017-01-03 20:39 - 2017-01-03 20:39 - 00000763 _____ C:\Users\Dor\Desktop\Nox.lnk
2017-01-03 20:39 - 2017-01-03 20:39 - 00000704 _____ C:\Users\Dor\Desktop\Multi-Drive.lnk
2017-01-03 20:39 - 2017-01-03 20:39 - 00000000 ____D C:\Program Files\Bignox
2017-01-03 20:38 - 2017-01-06 14:41 - 00000000 ____D C:\Users\Dor\AppData\Local\Nox
2017-01-03 20:23 - 2017-01-08 08:22 - 00000000 _RSHD C:\Program Files\sysWOW64
2016-12-30 05:19 - 2016-12-30 05:19 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2016-12-28 19:19 - 2016-12-28 19:19 - 00000000 ____D C:\Users\Dor\Documents\שוחזר
2016-12-28 18:37 - 2016-12-28 19:21 - 193744113 _____ C:\Users\Dor\rpro.log
2016-12-28 18:37 - 2016-12-28 18:37 - 00000000 ____D C:\Users\Dor\licman
2016-12-28 18:37 - 2016-12-28 18:37 - 00000000 ____D C:\Users\Dor\AppData\Local\LC Technology Inc
2016-12-28 18:36 - 2016-12-28 19:32 - 00000000 ____D C:\Program Files\RescuePRO Deluxe
2016-12-28 15:55 - 2016-12-28 17:45 - 00000000 ____D C:\Users\Dor\AppData\Roaming\IDM
2016-12-28 15:54 - 2016-12-28 15:55 - 00000000 ____D C:\Program Files\Internet Download Manager
2016-12-28 15:54 - 2016-12-28 15:54 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2016-12-28 15:54 - 2016-12-28 15:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2016-12-27 11:05 - 2016-12-27 11:05 - 00000000 _RSHD C:\Users\Dor\AppData\Roaming\windows
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-13 23:23 - 2015-06-20 15:56 - 00000910 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-3134249275-3305112718-2132312083-1000UA.job
2017-01-13 23:23 - 2009-07-14 06:34 - 00029376 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-13 23:23 - 2009-07-14 06:34 - 00029376 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-13 23:15 - 2016-10-16 15:35 - 00000000 ____D C:\ProgramData\VMware
2017-01-13 23:15 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-13 23:13 - 2015-03-02 20:08 - 00000000 ____D C:\Users\Dor\AppData\Roaming\DMCache
2017-01-13 22:43 - 2015-02-22 17:50 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-13 22:29 - 2015-05-12 17:35 - 00000000 ____D C:\Users\Dor\AppData\Local\CrashDumps
2017-01-13 22:25 - 2015-02-22 18:05 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-01-13 12:36 - 2015-05-07 19:59 - 00119221 _____ C:\Users\Dor\Desktop\‫מסמך טקסט ‫חדש.txt
2017-01-13 10:29 - 2016-11-18 13:48 - 00000000 ____D C:\Users\Dor\AppData\LocalLow\Mozilla
2017-01-13 06:23 - 2015-06-20 15:56 - 00000858 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-3134249275-3305112718-2132312083-1000Core.job
2017-01-13 03:38 - 2016-11-14 18:13 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-01-13 00:19 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\rescache
2017-01-12 23:28 - 2015-02-22 21:37 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Kodi
2017-01-12 19:40 - 2016-11-18 13:33 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-01-12 19:16 - 2015-02-22 19:18 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Skype
2017-01-12 14:34 - 2015-02-22 18:51 - 00000000 ____D C:\Windows\system32\MRT
2017-01-12 14:30 - 2015-02-22 18:51 - 133456224 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-01-12 04:26 - 2015-02-22 19:22 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Dropbox
2017-01-11 18:20 - 2015-03-04 23:17 - 00000000 ____D C:\Users\Dor\Documents\קבצי Outlook
2017-01-11 12:21 - 2015-08-06 16:45 - 00000000 ____D C:\Windows\Minidump
2017-01-11 11:22 - 2015-03-02 20:55 - 00000000 ____D C:\Users\Dor\AppData\Roaming\vlc
2017-01-11 11:07 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\LiveKernelReports
2017-01-10 23:43 - 2015-02-22 17:50 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2017-01-10 23:43 - 2015-02-22 17:50 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2017-01-10 23:43 - 2015-02-22 17:50 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-10 19:59 - 2015-02-23 13:43 - 00000000 ____D C:\ProgramData\AMD
2017-01-10 19:58 - 2015-02-23 13:42 - 00000000 ____D C:\Program Files\ATI Technologies
2017-01-10 19:57 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\inf
2017-01-10 19:50 - 2015-02-23 13:39 - 00000582 __RSH C:\ProgramData\ntuser.pol
2017-01-07 09:56 - 2015-02-22 19:04 - 00394790 _____ C:\Windows\system32\perfh00D.dat
2017-01-07 09:56 - 2015-02-22 19:04 - 00085790 _____ C:\Windows\system32\perfc00D.dat
2017-01-07 09:56 - 2010-11-20 23:01 - 01256144 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-07 09:49 - 2009-07-14 06:33 - 00455896 _____ C:\Windows\system32\FNTCACHE.DAT
2017-01-06 14:26 - 2016-07-16 16:41 - 00000000 ____D C:\Users\Dor\.android
2017-01-06 10:30 - 2016-11-16 18:43 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Foxit Software
2017-01-03 20:40 - 2015-02-22 17:16 - 00000000 ____D C:\Users\Dor
2017-01-03 20:39 - 2015-07-17 13:24 - 00104064 _____ (BigNox Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
2017-01-03 20:39 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\registration
2017-01-02 20:15 - 2015-02-22 17:46 - 00000000 ____D C:\Users\Dor\AppData\Roaming\uTorrent
2016-12-30 05:20 - 2015-02-23 14:11 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-12-30 05:19 - 2009-07-14 04:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-12-30 05:18 - 2015-02-23 14:11 - 00000000 ____D C:\Program Files\Microsoft Office
2016-12-29 15:49 - 2015-03-24 19:19 - 00000000 ____D C:\Users\Dor\workspace
2016-12-29 15:47 - 2015-03-22 19:15 - 00000000 ____D C:\Users\Dor\AppData\Local\Eclipse
2016-12-29 15:46 - 2015-03-24 19:08 - 00000000 ____D C:\eclipse
2016-12-28 19:19 - 2015-02-22 17:16 - 00000000 ___RD C:\Users\Dor\Documents
2016-12-27 12:33 - 2015-03-02 18:41 - 00000000 ____D C:\Users\Dor\AppData\Roaming\codeblocks
2016-12-27 11:30 - 2016-02-29 18:49 - 00524288 ___SH C:\Windows\system32\config\components{3c85a9bf-df04-11e5-b77b-00241d22c95e}.TMContainer00000000000000000002.regtrans-ms
2016-12-26 18:39 - 2015-03-02 16:30 - 00000000 ____D C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\‏יישומי Chrome
2016-12-22 21:12 - 2015-02-22 17:22 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-12-18 01:00 - 2015-10-11 16:35 - 00000000 ____D C:\Users\Dor\AppData\Local\Diagnostics
2016-12-16 23:45 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\Tasks
2016-12-15 05:45 - 2015-02-22 19:14 - 00002135 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-15 05:45 - 2015-02-22 19:14 - 00002123 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-12-14 09:55 - 2015-02-22 17:16 - 00262144 ___SH C:\Users\Dor\ntuser.dat.LOG2
 
==================== Files in the root of some directories =======
 
2016-11-12 20:35 - 2016-12-11 23:11 - 0000600 _____ () C:\Users\Dor\AppData\Roaming\winscp.rnd
2016-11-12 20:21 - 2016-12-08 07:37 - 0000600 _____ () C:\Users\Dor\AppData\Local\PUTTY.RND
2015-10-27 20:30 - 2015-10-27 20:30 - 0007604 _____ () C:\Users\Dor\AppData\Local\Resmon.ResmonCfg
2015-03-28 22:23 - 2015-03-28 22:23 - 0000057 _____ () C:\ProgramData\Ament.ini
2017-01-07 09:51 - 2017-01-07 09:51 - 0001581 __RSH () C:\ProgramData\svchost
 
Some files in TEMP:
====================
C:\Users\Dor\AppData\Local\Temp\13-9-legacy_vista_win7_32_dd_ccc_whql.exe
C:\Users\Dor\AppData\Local\Temp\130730438357831644.exe
C:\Users\Dor\AppData\Local\Temp\13073043861401629775.exe
C:\Users\Dor\AppData\Local\Temp\27fff54a706caf16275619fa9b79269c.dll
C:\Users\Dor\AppData\Local\Temp\70070.exe
C:\Users\Dor\AppData\Local\Temp\AutoDetectUtilApp.exe
C:\Users\Dor\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqktqji.dll
C:\Users\Dor\AppData\Local\Temp\idman627build2.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u101-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u45-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u51-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Dor\AppData\Local\Temp\npp.6.7.9.2.Installer.exe
C:\Users\Dor\AppData\Local\Temp\proxy_vole6451450386158134460.dll
C:\Users\Dor\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Dor\AppData\Local\Temp\sqlite-unknown-sqlitejdbc.dll
C:\Users\Dor\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Dor\AppData\Local\Temp\vlc-2.2.4-win32.exe
C:\Users\Dor\AppData\Local\Temp\xmlUpdater.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-13 00:53
 
==================== End of FRST.txt ============================
 
#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,745 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:44 AM

Posted 14 January 2017 - 09:34 AM


Remove these programs (listed below) via the Control Panel > Programs > Programs and Features.
Ace Stream Media 3.0.12 (HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\AceStream) (Version: 3.0.12 - Ace Stream Media) <==== ATTENTION
IDM Crack 6.25 build 21 (HKLM\...\IDM Crack 6.25 build 21) (Version: build 21 - Crackingpatching.com Team)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2616320 2010-11-20] (Microsoft Corporation) <==== ATTENTION
GroupPolicy: Restriction ? <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={A76A9493-6717-429C-972F-F93318FD9484}&mid=835a6c81cef447cfb921d1191024e9fb-ae240c7734e055f956cbdf098eea04d699fc34d2&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-12 17:40:03&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Dor\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi
FF Extension: (Ace Stream Web Extension) - C:\Users\Dor\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi [2015-12-18]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-3134249275-3305112718-2132312083-1000: @acestream.net/acestreamplugin,version=3.0.12 -> C:\Users\Dor\AppData\Roaming\ACEStream\player\npace_plugin.dll [2015-09-24] (Innovative Digital Technologies)
CHR Extension: (Chrome Web Store Payments) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Hover Zoom) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2016-12-10]
CHR Extension: (Chrome Media Router) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
CHR HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S3 amdiox86; system32\DRIVERS\amdiox86.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{04EBE69E-2DED-44F6-9854-9A3988F751ED}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.51.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{0A368B9B-3566-4730-B40E-EAF6858A53AF}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.27.33\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{2027D000-8CEB-4191-9620-15DD2561855F}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.57.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17}\InprocServer32 -> C:\Users\Dor\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{D166BD15-03AF-413A-BEFD-0679FF410B49}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.27.29\psuser.dll => No File
Task: {CC867B8D-A8F8-45FC-A6BA-A487794B94EF} - \svchost -> No File <==== ATTENTION
FirewallRules: [TCP Query User{660F6F96-53F4-4E90-A581-20E9E6C1C9EA}C:\program files\java\jre1.8.0_40\bin\javaw.exe] => C:\program files\java\jre1.8.0_40\bin\javaw.exe
FirewallRules: [UDP Query User{F6CEF54B-B96E-4F4C-899F-4D25C293D910}C:\program files\java\jre1.8.0_40\bin\javaw.exe] => C:\program files\java\jre1.8.0_40\bin\javaw.exe
FirewallRules: [TCP Query User{6BBFA3E5-63E9-47B1-B0E1-60CA00CF5E0C}C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe
FirewallRules: [UDP Query User{784DEBB7-753B-4A36-9213-461D36440621}C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe
FirewallRules: [TCP Query User{E40A0C70-E6CC-42F2-9ABF-3B8CB466BDE5}C:\program files\java\jre1.8.0_65\bin\java.exe] => C:\program files\java\jre1.8.0_65\bin\java.exe
FirewallRules: [UDP Query User{4F0A72FB-D4F2-46C0-A202-26EA8D658EBB}C:\program files\java\jre1.8.0_65\bin\java.exe] => C:\program files\java\jre1.8.0_65\bin\java.exe
FirewallRules: [{1DAE743B-E528-4C71-A078-52F13E951A9A}] => C:\program files\java\jre1.8.0_65\bin\java.exe
FirewallRules: [{19AE5E71-EE17-44B9-936F-6361B96E2C42}] => C:\program files\java\jre1.8.0_65\bin\java.exe
C:\Users\Dor\AppData\Roaming\ACEStream

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 101 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
===

Please let me know what problem persists with this computer.

#5 TheBenjamin (Topic Starter, Members, 6 posts)

Posted 14 January 2017 - 02:02 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 14-01-2017
Ran by Dor (14-01-2017 20:47:57) Run:1
Running from C:\Users\Dor\Desktop
Loaded Profiles: Dor (Available Profiles: Dor)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2616320 2010-11-20] (Microsoft Corporation) <==== ATTENTION
GroupPolicy: Restriction ? <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={A76A9493-6717-429C-972F-F93318FD9484}&mid=835a6c81cef447cfb921d1191024e9fb-ae240c7734e055f956cbdf098eea04d699fc34d2&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-12 17:40:03&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Dor\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi
FF Extension: (Ace Stream Web Extension) - C:\Users\Dor\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi [2015-12-18]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-3134249275-3305112718-2132312083-1000: @acestream.net/acestreamplugin,version=3.0.12 -> C:\Users\Dor\AppData\Roaming\ACEStream\player\npace_plugin.dll [2015-09-24] (Innovative Digital Technologies)
CHR Extension: (Chrome Web Store Payments) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Hover Zoom) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2016-12-10]
CHR Extension: (Chrome Media Router) - C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
CHR HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S3 amdiox86; system32\DRIVERS\amdiox86.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{04EBE69E-2DED-44F6-9854-9A3988F751ED}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.51.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{0A368B9B-3566-4730-B40E-EAF6858A53AF}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.27.33\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{2027D000-8CEB-4191-9620-15DD2561855F}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.57.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17}\InprocServer32 -> C:\Users\Dor\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)
CustomCLSID: HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{D166BD15-03AF-413A-BEFD-0679FF410B49}\InprocServer32 -> C:\Users\Dor\AppData\Local\Dropbox\Update\1.3.27.29\psuser.dll => No File
Task: {CC867B8D-A8F8-45FC-A6BA-A487794B94EF} - \svchost -> No File <==== ATTENTION
FirewallRules: [TCP Query User{660F6F96-53F4-4E90-A581-20E9E6C1C9EA}C:\program files\java\jre1.8.0_40\bin\javaw.exe] => C:\program files\java\jre1.8.0_40\bin\javaw.exe
FirewallRules: [UDP Query User{F6CEF54B-B96E-4F4C-899F-4D25C293D910}C:\program files\java\jre1.8.0_40\bin\javaw.exe] => C:\program files\java\jre1.8.0_40\bin\javaw.exe
FirewallRules: [TCP Query User{6BBFA3E5-63E9-47B1-B0E1-60CA00CF5E0C}C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe
FirewallRules: [UDP Query User{784DEBB7-753B-4A36-9213-461D36440621}C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe
FirewallRules: [TCP Query User{E40A0C70-E6CC-42F2-9ABF-3B8CB466BDE5}C:\program files\java\jre1.8.0_65\bin\java.exe] => C:\program files\java\jre1.8.0_65\bin\java.exe
FirewallRules: [UDP Query User{4F0A72FB-D4F2-46C0-A202-26EA8D658EBB}C:\program files\java\jre1.8.0_65\bin\java.exe] => C:\program files\java\jre1.8.0_65\bin\java.exe
FirewallRules: [{1DAE743B-E528-4C71-A078-52F13E951A9A}] => C:\program files\java\jre1.8.0_65\bin\java.exe
FirewallRules: [{19AE5E71-EE17-44B9-936F-6361B96E2C42}] => C:\program files\java\jre1.8.0_65\bin\java.exe
C:\Users\Dor\AppData\Roaming\ACEStream
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Mozilla\Firefox\Extensions\\acewebextension_unlisted@acestream.org => value removed successfully.
C:\Users\Dor\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => not found.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully.
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\MozillaPlugins\@acestream.net/acestreamplugin,version=3.0.12 => key not found. 
C:\Users\Dor\AppData\Roaming\ACEStream\player\npace_plugin.dll => not found.
C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl => moved successfully
C:\Users\Dor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000\SOFTWARE\Google\Chrome\Extensions\mjbepbhonbojpoaenhckjocchgfiaofo => key removed successfully.
HKLM\System\CurrentControlSet\Services\rpcapd => key removed successfully.
rpcapd => service removed successfully.
HKLM\System\CurrentControlSet\Services\amdiox86 => key removed successfully.
amdiox86 => service removed successfully.
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully.
VGPU => service removed successfully.
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{04EBE69E-2DED-44F6-9854-9A3988F751ED} => key removed successfully.
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{0A368B9B-3566-4730-B40E-EAF6858A53AF} => key removed successfully.
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{2027D000-8CEB-4191-9620-15DD2561855F} => key removed successfully.
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17} => key not found. 
HKU\S-1-5-21-3134249275-3305112718-2132312083-1000_Classes\CLSID\{D166BD15-03AF-413A-BEFD-0679FF410B49} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CC867B8D-A8F8-45FC-A6BA-A487794B94EF} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CC867B8D-A8F8-45FC-A6BA-A487794B94EF} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost => key not found. 
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{660F6F96-53F4-4E90-A581-20E9E6C1C9EA}C:\program files\java\jre1.8.0_40\bin\javaw.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F6CEF54B-B96E-4F4C-899F-4D25C293D910}C:\program files\java\jre1.8.0_40\bin\javaw.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{6BBFA3E5-63E9-47B1-B0E1-60CA00CF5E0C}C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{784DEBB7-753B-4A36-9213-461D36440621}C:\users\dor\appdata\local\jdownloader v2.0\jdownloader2.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{E40A0C70-E6CC-42F2-9ABF-3B8CB466BDE5}C:\program files\java\jre1.8.0_65\bin\java.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{4F0A72FB-D4F2-46C0-A202-26EA8D658EBB}C:\program files\java\jre1.8.0_65\bin\java.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1DAE743B-E528-4C71-A078-52F13E951A9A} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{19AE5E71-EE17-44B9-936F-6361B96E2C42} => value removed successfully.
C:\Users\Dor\AppData\Roaming\ACEStream => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 32692219 B
Java, Flash, Steam htmlcache => 128328266 B
Windows/system/drivers => 350341389 B
Edge => 0 B
Chrome => 587245008 B
Firefox => 384042942 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66660 B
LocalService => 66228 B
NetworkService => 132015692 B
Dor => 11372279948 B
 
RecycleBin => 433825 B
EmptyTemp: => 12.1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 20:57:01 ====
 
I've deleted these 2 programs you've asked + Java and installed an updated version.
The problem still stands - I get the message about failing to load svchost.vbs when Windows starts.


#6 nasdaq (Malware Response Team, 40,745 posts, Montreal, QC. Canada)

Posted 14 January 2017 - 02:13 PM


I missed removing the Startup entry.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Startup: C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs [2017-01-07] ()
C:\Users\Dor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices and keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

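As an added, read-only triage example (not part of nasdaq's instructions and not code from the FRST tool), the PowerShell script below checks the three persistence points the fixlists in this thread removed: a script in the Startup folder named after a system binary, a non-default Winlogon Shell value, and a scheduled task whose target file no longer exists. It assumes PowerShell 3.0 or later and an elevated prompt; the extension and name lists are my own heuristics.

```powershell
# Added example, not part of nasdaq's instructions or of the FRST tool.
# Read-only triage of the three persistence points the fixlists in this
# thread removed. Assumes PowerShell 3.0+ and an elevated prompt; nothing
# on the machine is modified.

$findings = @()

# 1. Startup folders (current user and all users). Script files are unusual
#    here, and a base name that mimics a Windows binary is a classic tell.
#    Both lists below are my own heuristics, not an authoritative set.
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
$scriptExt   = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd', '.ps1', '.hta'
$systemNames = 'svchost', 'lsass', 'csrss', 'winlogon', 'explorer', 'services'
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
        if ($scriptExt -contains $_.Extension.ToLower() -or
            $systemNames -contains $_.BaseName.ToLower()) {
            $findings += [pscustomobject]@{
                Check = 'StartupFolder'
                Item  = $_.FullName
                Note  = "script or system-named file, modified $($_.LastWriteTime)"
            }
        }
    }
}

# 2. Winlogon Shell. The machine-wide value is normally exactly 'explorer.exe'
#    and the per-user value normally does not exist at all (FRST flagged the
#    per-user one in this thread even though it pointed at explorer.exe).
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $props = Get-ItemProperty -Path "$hive\$winlogon" -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $shell = [string]$props.Shell
    if ($hive -eq 'HKCU:' -or $shell.Trim().ToLower() -ne 'explorer.exe') {
        $findings += [pscustomobject]@{
            Check = 'WinlogonShell'
            Item  = "$hive\$winlogon\Shell"
            Note  = "value present: '$shell'"
        }
    }
}

# 3. Scheduled tasks whose 'Task To Run' points at a file that no longer
#    exists (FRST prints these as '-> No File'). schtasks.exe is used instead
#    of Get-ScheduledTask because the latter is absent on Windows 7.
$tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    $action = [string]$t.'Task To Run'
    if ([string]::IsNullOrWhiteSpace($action) -or $action -eq 'N/A') { continue }
    # First quoted token, else first whitespace-delimited token, then expand %VARS%.
    $exe = if ($action -match '^"([^"]+)"') { $Matches[1] } else { ($action -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) {
        $findings += [pscustomobject]@{
            Check = 'ScheduledTask'
            Item  = $t.TaskName
            Note  = "action target missing: $exe"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A hit from this script is a lead for review, not proof of infection; the FRST log remains the record on which a removal decision is based.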
#7 TheBenjamin (Topic Starter, Members, 6 posts)

Posted 14 January 2017 - 02:36 PM

Thank you, the message doesn't appear anymore. Can I consider my computer clean?


The last issue I'm having is that some things don't start on Windows startup, like the sidebar (sidebar.exe) and Microsoft Security Essentials. Any idea how to fix that?

Thank you again.



#8 nasdaq (Malware Response Team, 40,745 posts, Montreal, QC. Canada)

Posted 15 January 2017 - 08:27 AM


If there are no problems other than these issues, you should be clean.
===

What is the exact problem?

Google this string: "microsoft security essentials does not turn on"

Let me know which is the most appropriate cause.

===

Let's check the location of the Sidebar.exe and the Registry setting.


Please run the Farbar Recovery Scan Tool. Enter sidebar.exe in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Let's see what we can find in the Registry.

Please run the Farbar Recovery Scan Tool. Enter sidebar.exe in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#9 TheBenjamin (Topic Starter, Members, 6 posts)

Posted 15 January 2017 - 08:59 AM

Farbar Recovery Scan Tool (x86) Version: 15-01-2017
Ran by Dor (15-01-2017 15:51:32)
Running from C:\Users\Dor\Desktop
Boot Mode: Normal
 
================== Search Files: "sidebar.exe" =============
 
C:\Windows\winsxs\x86_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_d0e415a884ea33e1\sidebar.exe
[2010-11-20 23:29][2010-11-20 23:29] 1174016 ____A (Microsoft Corporation) DCCA4B04AF87E52EF9EAA2190E06CBAC [File is digitally signed]
 
C:\Program Files\Windows Sidebar\sidebar.exe
[2010-11-20 23:29][2010-11-20 23:29] 1174016 ____A (Microsoft Corporation) DCCA4B04AF87E52EF9EAA2190E06CBAC [File is digitally signed]
 
====== End of Search ======
 
Farbar Recovery Scan Tool (x86) Version: 15-01-2017
Ran by Dor (15-01-2017 15:58:02)
Running from C:\Users\Dor\Desktop
Boot Mode: Normal
 
================== Search Registry: "sidebar.exe" ===========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\sidebar.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}]
"InfoTip"="@%ProgramFiles%\Windows Sidebar\sidebar.exe,-11002"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}]
"LocalizedString"="@%ProgramFiles%\Windows Sidebar\sidebar.exe,-11003"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}\DefaultIcon]
""="%ProgramFiles%\Windows Sidebar\Sidebar.exe,-100"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}\Shell\Open\Command]
""="%ProgramFiles%\Windows Sidebar\sidebar.exe /showGadgets"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets]
"MUIVerb"="@%ProgramFiles%\Windows Sidebar\sidebar.exe,-11100"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets]
"Icon"="C:\Program Files\Windows Sidebar\sidebar.exe,-100"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\command]
""="C:\Program Files\Windows Sidebar\sidebar.exe /showGadgets"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AAA49BB1-378C-4206-9CAD-53C3372E9550}\1.0\0\win32]
""="%ProgramFiles%\Windows Sidebar\sidebar.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
""="%ProgramFiles%\Windows Sidebar\Sidebar.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HIGH_CONTRAST_BACKGROUND_IMAGES]
"sidebar.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
"sidebar.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\ReflectionApplications\sidebar.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sidebar.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sidebar.exe]
""=""%ProgramFiles%\Windows Sidebar\sidebar.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A75D362E-50FC-4fb7-AC2C-A8BEAA314493}]
"InfoTip"="@%ProgramFiles%\Windows Sidebar\Sidebar.exe,-10000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A75D362E-50FC-4fb7-AC2C-A8BEAA314493}]
"Icon"="%ProgramFiles%\Windows Sidebar\Sidebar.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{ed6b3ba8-95b2-4cf5-a317-d4af7003884c}]
"ResourceFileName"="%PROGRAMFILES%\Windows Sidebar\Sidebar.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{ed6b3ba8-95b2-4cf5-a317-d4af7003884c}]
"MessageFileName"="%PROGRAMFILES%\Windows Sidebar\Sidebar.exe"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\244\52C64B7E]
"@C:\Program Files\Windows Sidebar\sidebar.exe,-1005"="Desktop Gadget Gallery"
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun"
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun"
[HKEY_USERS\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"h"="sidebar.exe\1"
[HKEY_USERS\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"
[HKEY_USERS\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\Local Settings\MuiCache\244\659639C2]
"@C:\Program Files\Windows Sidebar\sidebar.exe,-1005"="גלריית גאדג'טים של שולחן העבודה"
[HKEY_USERS\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\Local Settings\MuiCache\244\659639C2]
"@C:\Program Files\Windows Sidebar\sidebar.exe,-11003"="גאדג'טים של שולחן העבודה"
[HKEY_USERS\S-1-5-21-3134249275-3305112718-2132312083-1000\Software\Classes\Local Settings\MuiCache\244\659639C2]
"@C:\Program Files\Windows Sidebar\sidebar.exe,-11002"="הצג את הגאדג'טים של שולחן העבודה המותקנים במחשב שלך."
 
====== End of Search ======
 
Microsoft Security Essentials seems to work fine; the only thing is that I need to open it manually and it doesn't launch automatically on system startup.
 
Thank you.
#10 nasdaq (Malware Response Team, 40,745 posts, Montreal, QC. Canada)

Posted 15 January 2017 - 02:11 PM

Repair these registry items.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore do a Registry backup. When you have completed this, click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button, then select just the item(s) listed below:
    01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    03 - Reset Service permissions
    04 - Register System Files
    10 - Remove Policies Set By Infections
    11 - Repair Start Menu Icons Removed by Infections
    20 - Repair Windows Sidebar/Gadgets
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file in your next reply.

===

How is it now?


#11 TheBenjamin (Topic Starter, Members, 6 posts)

Posted 15 January 2017 - 04:24 PM

No errors in the log; it fixed the sidebar but not the Security Essentials, so I deleted and re-installed it and now it's all good.

 

Thank you so much again!



#12 nasdaq (Malware Response Team, 40,745 posts, Montreal, QC. Canada)

Posted 16 January 2017 - 08:22 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices and keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
