
Svchost.exe causing system to slow down


  • This topic is locked
49 replies to this topic

#1 Kurkus54

Kurkus54

  • Members
  • 28 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 18 January 2017 - 09:16 PM

I have found over the past couple of months that my laptop, running Win7, has been slowing down a great deal, almost to a standstill, and when looking in Resource Monitor I find Svchost.exe is the main service causing the slowdown.

 

I have run Malware & 360 Total Security scans and the same thing keeps happening.

 

When I terminate this program, it speeds back up for a little while.

 

What can I do to stop this?

 

Thanks for the assistance in advance


Edited by Kurkus54, 18 January 2017 - 09:17 PM.
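svchost.exe is a generic host process: one instance runs a whole group of services, so Resource Monitor attributing load to "svchost.exe" does not say which service is busy, and terminating the instance also stops every other service in that group. The following PowerShell is an added example, not part of this thread and not one of the forum's tools: it lists each running svchost.exe instance with the services it hosts, sorted by CPU time, and checks the Authenticode signature of the host binary, which is the same check FRST reports in its "Bamital & volsnap" section. It assumes PowerShell 3.0 or later (Windows 7 needs WMF 3+; on PowerShell 2.0 `Get-WmiObject Win32_Service` is the equivalent of `Get-CimInstance`) and an elevated prompt, since process paths and CPU counters of SYSTEM processes are not readable otherwise.

```powershell
# Added example (not from the thread): resolve svchost.exe instances to the
# services they host and verify the host binaries are signed by Microsoft.

# 1. Signature check on the two real host binaries (mirrors FRST's
#    "File is digitally signed" lines for svchost.exe).
$hostBinaries = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe"
)
foreach ($bin in $hostBinaries) {
    if (Test-Path -LiteralPath $bin) {
        $sig = Get-AuthenticodeSignature -FilePath $bin
        "{0}: {1} ({2})" -f $bin, $sig.Status, $sig.SignerCertificate.Subject
    }
}

# 2. Build a PID -> hosted-service-names lookup from the service control manager.
$svcByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# 3. One row per svchost.exe instance, busiest first.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Sort-Object -Property CPU -Descending |
    ForEach-Object {
        $p   = $_
        $key = [string]$p.Id
        $names = @()
        if ($svcByPid.ContainsKey($key)) { $names = $svcByPid[$key].Name }
        # CPU is $null when the counter is not readable (non-elevated prompt).
        $cpu = if ($p.CPU) { [math]::Round($p.CPU, 1) } else { 0 }
        [pscustomobject]@{
            PID          = $p.Id
            CPUSeconds   = $cpu
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            # A host path outside System32 or SysWOW64 deserves a closer look.
            Path         = $p.Path
            Services     = ($names -join ', ')
        }
    } | Format-Table -AutoSize
```

The useful output is the Services column of the top row: that is the service group to investigate (and, if needed, to stop with `Stop-Service` by name) rather than the host process itself, which is exactly why the slowdown comes back after the process is killed and the services are restarted.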



#2 polskamachina

polskamachina

  • Malware Response Team
  • 4,037 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:40 AM

Posted 22 January 2017 - 05:00 PM

Hi Kurkus54 :)
 
My name is polskamachina and I would like to welcome you to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

In order to provide you any assistance I will need for you to do the following:
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both the 32-bit and 64-bit versions and try to run them. Only one of them will run on your system. That will be the correct version.

  • Right-click FRST then click Run as administrator
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will create two logs named, FRST.txt and Addition.txt in the same directory from which the tool was run.
  • Please copy and paste the logs into your next reply to me.

In summary, I will need you to copy and paste into your next reply to me:

  • FRST.txt
  • Addition.txt

polskamachina


Edited by polskamachina, 22 January 2017 - 05:01 PM.


#3 polskamachina

polskamachina

  • Malware Response Team
  • 4,037 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:40 AM

Posted 28 January 2017 - 06:34 PM

Hi Kurkus54 :)

 

It's been a while since you've checked in. Did you need any more help with this? If not, this topic will be closed in 48 hours.
 
Please let me know if you have any questions.
 
polskamachina



#4 Kurkus54

Kurkus54
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 28 January 2017 - 09:10 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-01-2017 01
Ran by Kurk (administrator) on HAL (28-01-2017 18:05:43)
Running from C:\Users\Kurk\Desktop
Loaded Profiles: Kurk (Available Profiles: Kurk)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Cisco) C:\Users\Kurk\AppData\Local\Cisco\VideoGuardPlayer\VideoGuardMonitor\CiscoVideoGuardMonitor.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(VTech) C:\Program Files (x86)\VTech\DownloadManager\Applications\AppAccessory\12051\VTechUSBSocketService\VTechServiceInstaller.exe
(VTech) C:\Program Files (x86)\VTech\DownloadManager\Applications\AppAccessory\12051\VTechUSBSocketService\VTechUSBSocketService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM-x32\...\Run: [QHSafeTray] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe [1939880 2017-01-22] (QIHU 360 SOFTWARE CO. LIMITED)
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\Run: [VideoGuardMonitor] => C:\Users\Kurk\AppData\Local\Cisco\VideoGuardPlayer\VideoGuardMonitor\CiscoVideoGuardMonitor.exe [4155656 2016-06-29] (Cisco)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-10-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{F56D4B81-B940-468B-8016-8E619E68900D}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM-x32 -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> DefaultScope {0735A49D-9B14-4CC5-949F-F7C4C0459013} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> {0735A49D-9B14-4CC5-949F-F7C4C0459013} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll [2017-01-22] (Qihu 360 Software Co., Ltd.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-10-02] (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon.dll [2017-01-04] (Qihu 360 Software Co., Ltd.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-10-02] (Oracle Corporation)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
IE Session Restore: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> is enabled.
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674 [2017-01-28]
FF Session Restore: Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674 -> is enabled.
FF Extension: (AdBlocker Ultimate) - C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674\Extensions\adblockultimate@adblockultimate.net.xpi [2016-12-28]
FF Extension: (F.B Purity - Cleans up Facebook (WX)) - C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674\Extensions\fbpElectroWebExt@fbpurity.com.xpi [2016-10-21]
FF Extension: (Ad-Blocker ) - C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674\Extensions\{b89efd87-232e-4829-87d2-22148919d72f}.xpi [2016-11-26]
FF HKLM-x32\...\Firefox\Extensions: [WebProtection@360safe.com] - C:\Program Files (x86)\360\Total Security\safemon\webprotection_firefox
FF Extension: (360 Internet Protection) - C:\Program Files (x86)\360\Total Security\safemon\webprotection_firefox [2016-07-02]
FF HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\Firefox\Extensions: [{d5bc46d8-67c7-11dc-8c1d-0097498c2b7a}] - C:\Users\Kurk\Program Files (x86)\DNA
FF Extension: (DNA) - C:\Users\Kurk\Program Files (x86)\DNA [2016-07-22] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_194.dll [2017-01-18] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-04-26] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-18] ()
FF Plugin-x32: @bittorrent.com/BitTorrentDNA -> C:\Program Files (x86)\DNA\plugins\npbtdna.dll [2013-10-15] (BitTorrent, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-10-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-10-02] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-17] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-11-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2636084727-710489765-3987840401-1000: @bittorrent.com/BitTorrentDNA -> C:\Users\Kurk\Program Files (x86)\DNA\plugins\npbtdna.dll [2014-08-31] (BitTorrent, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npbittorrent.dll [2008-09-03] (BitTorrent, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
CHR StartupUrls: Default -> "hxxp://www.msn.com/?pc=U040&ocid=U040DHP"
CHR DefaultSearchKeyword: Default -> load a page +1 bagaiev's profile photolevel 2 9/16/09 bagaiev said: the big problem when i'm typing local sites: i can't reach them at all. +1 wár17 §'s profile phototop contributor alumni 9/16/09 wár17 § said: mixelle, how did you type the address?  did you type with http:// included? +1 bagaiev's profile photolevel 2 9/17/09 bagaiev said: i also typed it with http:\\\\ included. (for example http:\\\\www.youtube.com) +1 prashanth2010's profile photolevel 1 11/17/09 prashanth2010 said: i started having the same problems as bagajev and mixelle above today and find myself unable to use any intranet sites because the search cant possibly get past our firewall. it'll be great to have future version of chrome allow you to disable the search feature if it starts to malfunction like this +1 test monkey's profile photolevel 1 12/5/09 test monkey said: what i found (accidentally) was that if you disable google or your other search engine as the default, so that you have no default search engine, chrome will not use it for autosearching.  i'm not sure how i managed to get into that state, however. +1 dillon.larry's profile photolevel 4 12/20/09 dillon.larry said: i used to thing that google was the greatest company on earth.  but i'm finding more and more \
CHR Session Restore: Default -> is enabled.
CHR Plugin: (Widevine Content Decryption Module) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\WidevineCdm\_platform_specific\win_x64\widevinecdmadapter.dll (Google Inc.)
CHR Profile: C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default [2017-01-21]
CHR Extension: (Google Slides) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-13]
CHR Extension: (Google Docs) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-13]
CHR Extension: (Google Drive) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-13]
CHR Extension: (YouTube) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-13]
CHR Extension: (Adblock Plus) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-11-13]
CHR Extension: (Empty New Tab Page) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpjamkmjmigaoobjbekmfgabipmfilij [2017-01-18]
CHR Extension: (Google Sheets) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-13]
CHR Extension: (Stylish) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2016-11-13]
CHR Extension: (Google Docs Offline) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-11-13]
CHR Extension: (Pinterest Save Button) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2016-11-13]
CHR Extension: (Social Fixer for Facebook) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifmhoabcaeehkljcfclfiieohkohdgbb [2017-01-18]
CHR Extension: (F.B.(FluffBusting)Purity) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmkinhboiljjkhaknpaeaicmdjhagpep [2017-01-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Gmail) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-13]
CHR Extension: (Chrome Media Router) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-18]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 QHActiveDefense; C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [928168 2017-01-22] (QIHU 360 SOFTWARE CO. LIMITED)
S3 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 VTechUSBSocketService; C:\Program Files (x86)\VTech\DownloadManager\Applications\AppAccessory\12051\VTechUSBSocketService\VTechServiceInstaller.exe [82824 2013-03-28] (VTech)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [151784 2016-06-03] (360.cn)
R3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [86248 2017-01-22] (360.cn)
R3 360AvFlt; C:\Windows\SysWOW64\DRIVERS\360AvFlt.sys [86248 2017-01-22] (360.cn)
R1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [330472 2017-01-22] (360.cn)
R1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [40520 2014-12-12] (360.cn)
R1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [391392 2016-08-08] (360.cn)
S3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [38424 2011-07-07] (Google Inc)
S3 androidusb; C:\Windows\SysWOW64\Drivers\androidusb.sys [32408 2010-10-18] (Google Inc)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [188864 2016-09-14] (360.cn)
S3 CisUtMonitor; C:\Windows\System32\DRIVERS\CisUtMonitor.sys [33360 2011-10-30] (CrystalIdea Software)
S3 massfilter_hs; C:\Windows\System32\drivers\massfilter_hs.sys [18456 2011-07-07] (HandSet Incorporated)
S3 massfilter_hs; C:\Windows\SysWOW64\drivers\massfilter_hs.sys [9216 2010-10-20] (HandSet Incorporated)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-01-18] (Malwarebytes)
U5 UnlockerDriver5; C:\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys [4096 2009-10-25] () [File not signed]
S1 SABKUTIL; \??\C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [X]
S3 SABProcEnum; \??\C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-28 18:05 - 2017-01-28 18:12 - 00016859 _____ C:\Users\Kurk\Desktop\FRST.txt
2017-01-28 18:05 - 2017-01-28 18:05 - 00000000 ____D C:\FRST
2017-01-28 18:02 - 2017-01-28 18:02 - 02420736 _____ (Farbar) C:\Users\Kurk\Desktop\FRST64.exe
2017-01-20 22:41 - 2017-01-20 22:41 - 00013824 ___SH C:\Users\Kurk\Downloads\Thumbs.db
2017-01-18 20:30 - 2017-01-18 20:30 - 00058016 _____ C:\Users\Kurk\AppData\Local\GDIPFONTCACHEV1.DAT
2017-01-18 20:29 - 2017-01-18 20:30 - 00268392 _____ C:\Windows\system32\FNTCACHE.DAT

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-28 17:20 - 2015-04-14 14:46 - 00000000 ____D C:\Users\Kurk\AppData\LocalLow\360WD
2017-01-28 17:09 - 2015-04-14 14:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2017-01-27 23:55 - 2016-11-20 18:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-01-27 23:48 - 2009-07-13 23:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-27 23:48 - 2009-07-13 23:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-27 23:38 - 2016-11-25 23:01 - 00000000 ____D C:\Users\Kurk\AppData\LocalLow\Mozilla
2017-01-27 23:37 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-22 01:16 - 2016-07-02 11:36 - 00086248 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2017-01-22 01:16 - 2015-12-18 23:57 - 00086248 _____ (360.cn) C:\Windows\SysWOW64\Drivers\360AvFlt.sys
2017-01-22 01:16 - 2015-04-14 14:45 - 00330472 _____ (360.cn) C:\Windows\system32\Drivers\360Box64.sys
2017-01-21 14:49 - 2016-09-17 23:55 - 00000000 ____D C:\ThumbsPlus
2017-01-20 23:08 - 2010-08-27 06:11 - 00000000 ____D C:\ProgramData\Adobe
2017-01-18 23:24 - 2013-10-14 23:35 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-18 22:25 - 2014-11-24 22:19 - 00007593 _____ C:\Users\Kurk\AppData\Local\Resmon.ResmonCfg
2017-01-18 22:24 - 2009-07-14 00:08 - 00032626 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-01-18 20:56 - 2015-04-14 14:54 - 00000000 ____D C:\Windows\Tasks\360Disabled
2017-01-18 20:34 - 2013-10-14 23:35 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-01-18 20:34 - 2013-10-14 23:35 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-01-18 20:34 - 2013-10-14 23:35 - 00003770 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-01-18 20:34 - 2013-10-14 22:28 - 00000000 ____D C:\Users\Kurk\AppData\Local\Adobe
2017-01-18 20:34 - 2010-08-27 06:12 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-01-18 20:28 - 2015-04-14 14:46 - 00000000 ____D C:\ProgramData\360safe
2017-01-18 20:08 - 2014-04-26 17:00 - 00000000 ____D C:\AdwCleaner
2017-01-18 19:56 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2017-01-18 19:54 - 2016-11-13 15:55 - 00002262 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-18 19:37 - 2014-12-13 20:27 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-15 00:06 - 2013-10-15 00:06 - 00000000 ____D C:\Completed
2017-01-02 00:44 - 2016-03-12 13:54 - 00000000 ____D C:\Users\Kurk\AppData\Roaming\tixati

==================== Files in the root of some directories =======

2014-11-24 22:19 - 2017-01-18 22:25 - 0007593 _____ () C:\Users\Kurk\AppData\Local\Resmon.ResmonCfg
2015-05-11 13:36 - 2015-05-11 13:36 - 0000057 _____ () C:\ProgramData\Ament.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-07-09 15:40

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-01-2017 01
Ran by Kurk (28-01-2017 18:26:11)
Running from C:\Users\Kurk\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2013-10-15 03:26:54)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2636084727-710489765-3987840401-500 - Administrator - Disabled)
Guest (S-1-5-21-2636084727-710489765-3987840401-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-2636084727-710489765-3987840401-1017 - Limited - Enabled)
Kurk (S-1-5-21-2636084727-710489765-3987840401-1000 - Administrator - Enabled) => C:\Users\Kurk

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: 360 Total Security (Enabled - Up to date) {0371CA44-3F80-A1D3-BECE-910620B58D50}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: 360 Total Security (Enabled - Up to date) {B8102BA0-19BA-AE5D-847E-AA745B32C7ED}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\uTorrent) (Version: 3.4.2.33023 - BitTorrent Inc.)
360 Total Security (HKLM-x32\...\360TotalSecurity) (Version: 9.0.0.1115 - 360 Security Center)
Acer Backup Manager (HKLM-x32\...\InstallShield_{72B776E5-4530-4C4B-9453-751DF87D9D93}) (Version: 2.0.0.68 - NewTech Infosystems)
Acer Crystal Eye Webcam (HKLM-x32\...\{7760D94E-B1B5-40A0-9AA0-ABF942108755}) (Version: 5.2.19.3 - Suyin Optronics Corp)
Acer ePower Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 5.00.3005 - Acer Incorporated)
Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3013 - Acer Incorporated)
Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.03.3003 - Acer Incorporated)
Acer ScreenSaver (HKLM-x32\...\Acer Screensaver) (Version: 1.1.0707.2010 - Acer Incorporated)
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 23.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 23 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.194 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Backup Manager Basic (x32 Version: 2.0.0.68 - NewTech Infosystems) Hidden
Cisco VideoGuard Player (HKLM-x32\...\{28145961-299d-4f61-88d6-ff9ea46bd919}) (Version: 6.7 - Cisco Systems, Inc)
CyberLink PowerDVD 9 (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.0.3216.50 - CyberLink Corp.)
DNA (HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\BitTorrent DNA) (Version: 2.2.2 (13666) - BitTorrent Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 55.0.2883.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Photosmart 6510 series Basic Device Software (HKLM\...\{1952AED6-2908-418F-B9D8-AC359651F92D}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Photosmart 6510 series Help (HKLM-x32\...\{A2F95F8C-CDA9-4B08-BAD1-CA9656E4EC14}) (Version: 140.0.2.2 - Hewlett Packard)
HP Photosmart 6510 series Product Improvement Study (HKLM\...\{57CA7C8A-39E1-4CB5-B312-3E45B54AF51A}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (x32 Version: 1.00.0001 - Microsoft) Hidden
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3003 - Acer Incorporated)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1892 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.2.1001 - Intel Corporation)
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Junk Mail filter update (x32 Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Kodi (HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\Kodi) (Version:  - XBMC-Foundation)
Launch Manager (HKLM-x32\...\LManager) (Version: 4.0.14 - Acer Inc.)
magicJack (HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\magicJack) (Version: 4.1.7574.5297 - magicJack L.P.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 50.1.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-US)) (Version: 50.1.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 50.1.0.6186 - Mozilla)
NpackdCL (HKLM-x32\...\{C32CA36A-DA63-4D55-9B17-87C61033137D}) (Version: 1.18.7 - Npackd)
NTI Media Maker 9 (HKLM-x32\...\InstallShield_{D3D5C4E8-040F-4C6F-8105-41D43CF94F44}) (Version: 9.0.2.8928 - NTI Corporation)
NTI Media Maker 9 (x32 Version: 9.0.2.8928 - NTI Corporation) Hidden
Potplayer-64 bit (HKLM\...\PotPlayer64) (Version:  - Kakao Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6151 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30121 - Realtek Semiconductor Corp.)
ServiceInstaller (HKLM-x32\...\ServiceInstaller) (Version:  - )
Spotify (HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 14.0.19.0 - Synaptics Incorporated)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.36897 - TeamViewer)
ThumbsPlus version 7 SP2 (HKLM-x32\...\ThumbsPlus7) (Version: 7.0 SP2 - Cerious Software, Inc.)
Tixati (HKLM-x32\...\tixati) (Version:  - )
Uninstall Tool (HKLM\...\Uninstall Tool_is1) (Version: 3.3.2 - CrystalIDEA Software, Inc.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.3 - VideoLAN)
VTech Download Agent Library (x32 Version: 1.00.0000 - VTech) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
WinRAR 4.20 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
ZTE Handset USB Driver (HKLM\...\{01D42BF0-ED08-463f-8A28-99EB6FEE962B}) (Version:  - ZTE Corporation)
ZTE Handset USB Driver (HKLM\...\{D2D77DC2-8299-11D1-8949-444553540000}_is1) (Version: 5.2066.1.A11B08 - ZTE Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {05BDBB47-DFB2-4318-94BF-087AE0001080} - \NSManager -> No File <==== ATTENTION
Task: {15A484C7-A290-445E-B71C-84A53D6C4FEE} - System32\Tasks\{E0C996DE-7277-4E41-BC87-A7C714E2C035} => pcalua.exe -a "C:\Users\Kurk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0DOZMDS\JavaSetup8u45.exe" -d C:\Users\Kurk\Desktop
Task: {20EBA31A-85B0-4AB3-A408-509D87C9DEB4} - System32\Tasks\GoogleUpdateTaskMachineCore1d0d2989ce7252d => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-12-20] (Google Inc.)
Task: {3C12A443-6DEB-4F44-B4AC-31FE3B335D01} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe [2016-11-13] (Adobe Systems Incorporated)
Task: {98C69CB6-BE2B-4571-A40A-C2BDE0B60839} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-01-18] (Adobe Systems Incorporated)
Task: {C438C3A0-4F9A-44F8-A875-867004C869F9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-12-20] (Google Inc.)
Task: {CF6FA125-7769-49E5-A03B-925B680CE791} - System32\Tasks\HPCustParticipation HP Photosmart 6510 series => C:\Program Files\HP\HP Photosmart 6510 series\Bin\HPCustPartic.exe [2012-10-17] (Hewlett-Packard Co.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-04-14 14:45 - 2017-01-22 01:16 - 00785320 _____ () C:\Program Files (x86)\360\Total Security\MenuEx64.dll
2010-08-27 06:31 - 2009-05-20 01:02 - 00072200 _____ () C:\Program Files (x86)\Launch Manager\CdDirIo.dll
2010-06-28 17:20 - 2010-06-28 17:20 - 00465576 _____ () C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\sqlite3.dll
2010-06-28 17:12 - 2010-06-28 17:12 - 01081600 _____ () C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\ACE.dll
2010-08-27 05:47 - 2010-04-13 11:52 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2015-04-14 14:45 - 2017-01-22 01:16 - 00099240 _____ () C:\Program Files (x86)\360\Total Security\deepscan\qutmload.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-2636084727-710489765-3987840401-1000\Software\Classes\.exe: exefile =>  <===== ATTENTION
HKU\S-1-5-21-2636084727-710489765-3987840401-1000\Software\Classes\.scr:  =>  <===== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\magicjack.com -> my.magicjack.com
IE trusted site: HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\talkfree.com -> reg.talkfree.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2016-10-16 20:54 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2636084727-710489765-3987840401-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Kurk\AppData\Local\Temp\~WALLPAP.BMP
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{72F4EEDC-4ADD-4A69-A056-3E6C4FB1C3AB}] => C:\Program Files (x86)\CyberLink\PowerDVD9\PowerDVD9.EXE
FirewallRules: [{1FD1FA86-241C-4084-991D-9B4F55D03F88}] => C:\Program Files (x86)\Windows Live\Messenger\wlcsdk.exe
FirewallRules: [{EEF4917D-002A-4571-B7EE-E547F618FBC8}] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{85024A4F-37D3-4FFB-B71B-01D23612266B}] => svchost.exe
FirewallRules: [{DE286C61-6FB2-4E83-8490-3EEE31936A17}] => C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe
FirewallRules: [{CF54CF89-D738-46D3-A547-C717453AD28D}] => C:\Program Files (x86)\DNA\btdna.exe
FirewallRules: [{E0F27E5B-FD68-447C-9D9B-D963ACAD64D6}] => C:\Program Files (x86)\DNA\btdna.exe
FirewallRules: [TCP Query User{A3DFDF44-390F-46BC-A6BC-0FFBFE70DD61}C:\program files (x86)\bittorrent\bittorrent.exe] => C:\program files (x86)\bittorrent\bittorrent.exe
FirewallRules: [UDP Query User{620A3FA9-7755-44B1-AEF4-D5AAFE7E9EBE}C:\program files (x86)\bittorrent\bittorrent.exe] => C:\program files (x86)\bittorrent\bittorrent.exe
FirewallRules: [TCP Query User{F42B2A19-BF66-466F-BC9A-1E12ACB37C44}C:\users\kurk\program files (x86)\dna\btdna.exe] => C:\users\kurk\program files (x86)\dna\btdna.exe
FirewallRules: [UDP Query User{10C48EAC-8FB7-41DB-97B2-667FA29087BB}C:\users\kurk\program files (x86)\dna\btdna.exe] => C:\users\kurk\program files (x86)\dna\btdna.exe
FirewallRules: [TCP Query User{6320DD9B-5486-4EF8-9153-9E7203AB0465}C:\users\kurk\program files (x86)\dna\btdna.exe] => C:\users\kurk\program files (x86)\dna\btdna.exe
FirewallRules: [UDP Query User{B8DB69F1-E156-4EA3-A155-3E26B77F02C7}C:\users\kurk\program files (x86)\dna\btdna.exe] => C:\users\kurk\program files (x86)\dna\btdna.exe
FirewallRules: [TCP Query User{45AF0FAE-4D02-44CB-855B-3BA1160A0629}C:\users\kurk\appdata\roaming\spotify\spotify.exe] => C:\users\kurk\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{FF617DFF-3185-49C2-9C64-4B1E82553B16}C:\users\kurk\appdata\roaming\spotify\spotify.exe] => C:\users\kurk\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{94915F24-1073-41BB-A1CC-5F5FA9A7E732}C:\users\kurk\appdata\roaming\spotify\spotify.exe] => C:\users\kurk\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{0E26E7E2-118E-4F92-86E7-38356D20EF2F}C:\users\kurk\appdata\roaming\spotify\spotify.exe] => C:\users\kurk\appdata\roaming\spotify\spotify.exe
FirewallRules: [{B23CF7D4-7DEE-4BE6-A1EA-79F9F8298A5B}] => C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{7765307C-B23D-4619-9318-DB113D78E78A}] => C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{91C80948-CF34-4892-A8AF-86F8FD6EB38F}] => C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{8C044099-A346-42BB-80F8-55EFAB1731BF}] => C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{E6E79C3D-0BC7-4BCB-89C4-8ED925CE1974}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{38C0BA4D-6085-4B64-BF36-7046E25503DF}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{FE00E15A-293E-436B-A7B9-C4C16DF199F4}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{5A6FA9E0-3F45-449C-88E1-CC49A7704A43}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{78144B4E-A04E-4C3E-A61A-89888C957D21}] => C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe
FirewallRules: [{FD7B2512-55DF-4B6A-9BDF-EAF8B59E4135}] => C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe
FirewallRules: [TCP Query User{C60A6F35-F2F9-45F7-B47D-CD7B97DDB12C}C:\program files (x86)\kodi\kodi.exe] => C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{D2FB98FA-9EE1-4A9B-91CE-5DC0082C3B30}C:\program files (x86)\kodi\kodi.exe] => C:\program files (x86)\kodi\kodi.exe
FirewallRules: [TCP Query User{7163C8B7-9CF3-4ED9-A100-AA1DBF072664}C:\users\kurk\appdata\roaming\mjusbsp\magicjack.exe] => C:\users\kurk\appdata\roaming\mjusbsp\magicjack.exe
FirewallRules: [UDP Query User{14353580-193F-4611-AA13-52C8223C3993}C:\users\kurk\appdata\roaming\mjusbsp\magicjack.exe] => C:\users\kurk\appdata\roaming\mjusbsp\magicjack.exe
FirewallRules: [{1AC2D7DF-9682-4CE3-B8DA-97FF019BE106}] => C:\Program Files\HP\HP Photosmart 6510 series\Bin\DeviceSetup.exe
FirewallRules: [{9DDC688B-35EE-4D85-8A79-73977EEA96DF}] => C:\Program Files\HP\HP Photosmart 6510 series\Bin\HPNetworkCommunicator.exe
FirewallRules: [{2AD30C4D-DBAD-41FE-8B57-A8BCDD0C1D8B}] => C:\Program Files\HP\HP Photosmart 6510 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{CAE00934-AED6-4DD6-81AA-5EAF6CB275EC}] => C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe
FirewallRules: [{946006AF-54B5-4CDB-A5FF-E3AD6A433B16}] => C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe
FirewallRules: [{DEE1D26D-BBE9-4629-9E35-BB225F2E8959}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A8B037DA-DC02-4A90-94FF-A253AFA46E79}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{B171D2EB-470E-4E8B-9053-CF3B34285511}C:\program files\tixati\tixati.exe] => C:\program files\tixati\tixati.exe
FirewallRules: [UDP Query User{D74C8360-03D8-47D4-A872-2942BA6D4DBA}C:\program files\tixati\tixati.exe] => C:\program files\tixati\tixati.exe
FirewallRules: [TCP Query User{BD453E28-88E5-4D16-8327-DB66CF36236B}C:\program files (x86)\kodi\kodi.exe] => C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{8EF3A917-D662-4F03-81EE-43DA4EB464EA}C:\program files (x86)\kodi\kodi.exe] => C:\program files (x86)\kodi\kodi.exe
FirewallRules: [{DD258D28-537A-455A-86B9-1AA5A4B17981}] => C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe
FirewallRules: [{F4CAFCE3-F0B3-4A97-B69D-83071EE4DFF6}] => C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe
FirewallRules: [{750381D7-47A8-4FE6-A04C-997059FC3F7B}] => C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe
FirewallRules: [{F6B1873B-F9D6-4A83-B43B-EBADFF85095B}] => C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe
FirewallRules: [TCP Query User{9167DD13-ED5D-4EBB-9BC8-EC6032E2D4E7}C:\users\kurk\appdata\local\google\chrome\application\chrome.exe] => C:\users\kurk\appdata\local\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{DB909CB0-1C66-4749-8532-62A0E2C21617}C:\users\kurk\appdata\local\google\chrome\application\chrome.exe] => C:\users\kurk\appdata\local\google\chrome\application\chrome.exe
FirewallRules: [TCP Query User{1DA086AC-909C-4C0E-9351-091EEAFF574B}C:\program files\tixati\tixati.exe] => C:\program files\tixati\tixati.exe
FirewallRules: [UDP Query User{D8F36D59-E3CF-4BB5-8F92-0ACD03CE98A6}C:\program files\tixati\tixati.exe] => C:\program files\tixati\tixati.exe
FirewallRules: [{00B9FC3E-29D1-4DB0-939E-0F77509C7803}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{2D89B83E-6FE1-4C09-ACCE-74BAF58FB558}] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
FirewallRules: [{55316812-AB6B-4003-BACE-F2E1AC029457}] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
FirewallRules: [{26C9E361-7032-4AE7-BF3D-FB439A2F4514}] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
FirewallRules: [{83287FD8-0CFF-40E6-8912-F2F5B0333120}] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\BitTorrent\bittorrent.exe] => Enabled:BitTorrent

==================== Restore Points =========================

02-10-2016 23:17:24 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
02-10-2016 23:20:50 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106
02-10-2016 23:22:02 Installed DirectX
02-10-2016 23:23:31 Installed DirectX
02-10-2016 23:25:04 Installed DirectX
02-10-2016 23:43:58 Installed DirectX
02-10-2016 23:45:08 Installed Nero 7. Available with Windows Installer version 1.2 and later.
03-10-2016 03:08:10 Installed Nero 7. Available with Windows Installer version 1.2 and later.
03-10-2016 10:03:42 Removed Nero 7 Premium. Available with Windows Installer version 1.2 and later.
16-10-2016 19:58:51 Removed SpyHunter
16-10-2016 20:30:58 Removed SpyHunter
16-10-2016 20:47:22 Installed SpyHunter
09-12-2016 22:39:21 Windows Modules Installer

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/27/2017 11:47:34 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: HTTP status 403: The client does not have sufficient access rights to the requested server object.

Error: (01/21/2017 10:35:21 AM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: HTTP status 403: The client does not have sufficient access rights to the requested server object.

Error: (01/20/2017 11:03:22 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: HTTP status 403: The client does not have sufficient access rights to the requested server object.

Error: (01/20/2017 08:13:54 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: HTTP status 403: The client does not have sufficient access rights to the requested server object.

Error: (01/18/2017 08:08:45 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/18/2017 08:08:45 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/18/2017 08:08:45 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/18/2017 08:08:45 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    Element not found.  (HRESULT : 0x80070490) (0x80070490)

Error: (01/18/2017 08:08:42 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/18/2017 08:08:42 PM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)


System errors:
=============
Error: (01/28/2017 05:08:27 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The 360 Total Security service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/27/2017 11:37:41 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SABKUTIL

Error: (01/21/2017 10:25:16 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SABKUTIL

Error: (01/21/2017 10:24:45 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:23:34 AM on ‎1/‎21/‎2017 was unexpected.

Error: (01/21/2017 09:23:43 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.

Error: (01/20/2017 10:53:19 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SABKUTIL

Error: (01/20/2017 10:52:45 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:51:58 PM on ‎1/‎20/‎2017 was unexpected.

Error: (01/20/2017 10:51:41 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Multimedia Class Scheduler service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (01/20/2017 10:51:41 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MMCSS service.

Error: (01/20/2017 10:51:11 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Multimedia Class Scheduler service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


CodeIntegrity:
===================================
  Date: 2016-11-13 23:55:09.358
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 23:55:09.201
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 23:55:08.970
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 23:55:08.795
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 18:56:43.966
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 18:56:43.815
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 18:56:43.670
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 18:56:43.522
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-10-03 00:38:12.022
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-10-03 00:38:11.882
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Celeron® CPU 900 @ 2.20GHz
Percentage of memory in use: 69%
Total physical RAM: 3001.98 MB
Available physical RAM: 913.46 MB
Total Virtual: 6002.14 MB
Available Virtual: 4002.93 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:219.29 GB) (Free:127.74 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: D52DE95C)
Partition 1: (Not Active) - (Size=13.5 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=219.3 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#5 polskamachina
  • Malware Response Team
  • 4,037 posts

Posted 29 January 2017 - 11:45 AM

Hi Kurkus54,
 
Good job posting the logs.
 
Please give me some time to review your situation and I will get back to you with further instructions.
 
polskamachina



#6 Kurkus54
  • Topic Starter
  • Members
  • 28 posts

Posted 29 January 2017 - 11:41 PM

thanks



#7 polskamachina
  • Malware Response Team
  • 4,037 posts

Posted 31 January 2017 - 04:55 AM

Hi Kurkus54,
 
I'm still working on your fix.

 

Thanks for your patience,
 
polskamachina



#8 Kurkus54
  • Topic Starter
  • Members
  • 28 posts

Posted 31 January 2017 - 11:20 AM

Thanks for your efforts, they are appreciated.



#9 polskamachina
  • Malware Response Team
  • 4,037 posts

Posted 31 January 2017 - 01:12 PM

Hi Kurkus54,
 
Let's get to work. :)
 
Going over your logs I noticed that you have µTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via the Programs and Features option in the Control Panel.

If you wish to keep it, please do not use it until your computer is cleaned.
 
Next:

  • Please copy and paste the text below in its entirety into Notepad:
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-10-20] (Microsoft Corporation)
Task: {15A484C7-A290-445E-B71C-84A53D6C4FEE} - System32\Tasks\{E0C996DE-7277-4E41-BC87-A7C714E2C035} => pcalua.exe -a "C:\Users\Kurk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0DOZMDS\JavaSetup8u45.exe" -d C:\Users\Kurk\Desktop
CHR DefaultSearchKeyword: Default -> load a page +1 bagaiev's profile photolevel 2 9/16/09 bagaiev said: the big problem when i'm typing local sites: i can't reach them at all. +1 wár17 §'s profile phototop contributor alumni 9/16/09 wár17 § said: mixelle, how did you type the address?  did you type with http:// included? +1 bagaiev's profile photolevel 2 9/17/09 bagaiev said: i also typed it with http:\\\\ included. (for example http:\\\\www.youtube.com) +1 prashanth2010's profile photolevel 1 11/17/09 prashanth2010 said: i started having the same problems as bagajev and mixelle above today and find myself unable to use any intranet sites because the search cant possibly get past our firewall. it'll be great to have future version of chrome allow you to disable the search feature if it starts to malfunction like this +1 test monkey's profile photolevel 1 12/5/09 test monkey said: what i found (accidentally) was that if you disable google or your other search engine as the default, so that you have no default search engine, chrome will not use it for autosearching.  i'm not sure how i managed to get into that state, however. +1 dillon.larry's profile photolevel 4 12/20/09 dillon.larry said: i used to thing that google was the greatest company on earth.  but i'm finding more and more \
  • Save the file to your Desktop as fixlist.txt  Note: FRST64 and fixlist.txt must be in the same folder in order for the fix to work.
  • Run FRST64
  • Click on Fix
  • It should only take a few moments for the fix to complete
  • If you are asked to restart your computer, please do so
  • When the fix has completed, a new file will be created named Fixlog.txt, and it will be saved to your Desktop
  • Please copy and paste that log into your next reply to me

In summary I will need from you:

  • Fixlog.txt
  • Whether or not you removed µTorrent
  • How is your computer performing now?

Let me know if you have any questions.
 
polskamachina



#10 Kurkus54

Kurkus54
  • Topic Starter

  • Members
  • 28 posts

Posted 01 February 2017 - 12:15 PM

I uninstalled the torrent program

and am including the log

I will let you know how the computer responds

 

Should I also run the search files and registry options of the FRST program?

---------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-01-2017
Ran by Kurk (administrator) on HAL (01-02-2017 12:02:50)
Running from C:\Users\Kurk\Desktop
Loaded Profiles: Kurk (Available Profiles: Kurk)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
(Cisco) C:\Users\Kurk\AppData\Local\Cisco\VideoGuardPlayer\VideoGuardMonitor\CiscoVideoGuardMonitor.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(VTech) C:\Program Files (x86)\VTech\DownloadManager\Applications\AppAccessory\12051\VTechUSBSocketService\VTechServiceInstaller.exe
(VTech) C:\Program Files (x86)\VTech\DownloadManager\Applications\AppAccessory\12051\VTechUSBSocketService\VTechUSBSocketService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\PatchUp.exe
() C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe
(Microsoft Corporation) C:\Program Files (x86)\360\Total Security\hotfix\ndp45-kb3210139-x64_24ee9b5347f56040a5d3aa43d32660924663ae4f.exe
(Microsoft Corporation) C:\cdc78f681ae44d736602e8662b0b\Setup.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM-x32\...\Run: [QHSafeTray] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe [1939880 2017-01-22] (QIHU 360 SOFTWARE CO. LIMITED)
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\Run: [VideoGuardMonitor] => C:\Users\Kurk\AppData\Local\Cisco\VideoGuardPlayer\VideoGuardMonitor\CiscoVideoGuardMonitor.exe [4155656 2016-06-29] (Cisco)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-10-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 64.233.217.2 64.233.217.3
Tcpip\..\Interfaces\{F56D4B81-B940-468B-8016-8E619E68900D}: [DhcpNameServer] 64.233.217.2 64.233.217.3

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM-x32 -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> DefaultScope {0735A49D-9B14-4CC5-949F-F7C4C0459013} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> {0735A49D-9B14-4CC5-949F-F7C4C0459013} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll [2017-01-22] (Qihu 360 Software Co., Ltd.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-10-02] (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon.dll [2017-01-22] (Qihu 360 Software Co., Ltd.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-10-02] (Oracle Corporation)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
IE Session Restore: HKU\S-1-5-21-2636084727-710489765-3987840401-1000 -> is enabled.
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674 [2017-02-01]
FF Session Restore: Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674 -> is enabled.
FF Extension: (AdBlocker Ultimate) - C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674\Extensions\adblockultimate@adblockultimate.net.xpi [2016-12-28]
FF Extension: (F.B Purity - Cleans up Facebook (WX)) - C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674\Extensions\fbpElectroWebExt@fbpurity.com.xpi [2016-10-21]
FF Extension: (Ad-Blocker ) - C:\Users\Kurk\AppData\Roaming\Mozilla\Firefox\Profiles\eezlh6o3.default-1476656239674\Extensions\{b89efd87-232e-4829-87d2-22148919d72f}.xpi [2016-11-26]
FF HKLM-x32\...\Firefox\Extensions: [WebProtection@360safe.com] - C:\Program Files (x86)\360\Total Security\safemon\webprotection_firefox
FF Extension: (360 Internet Protection) - C:\Program Files (x86)\360\Total Security\safemon\webprotection_firefox [2016-07-02]
FF HKU\S-1-5-21-2636084727-710489765-3987840401-1000\...\Firefox\Extensions: [{d5bc46d8-67c7-11dc-8c1d-0097498c2b7a}] - C:\Users\Kurk\Program Files (x86)\DNA
FF Extension: (DNA) - C:\Users\Kurk\Program Files (x86)\DNA [2016-07-22] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_194.dll [2017-01-18] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-04-26] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-18] ()
FF Plugin-x32: @bittorrent.com/BitTorrentDNA -> C:\Program Files (x86)\DNA\plugins\npbtdna.dll [2013-10-15] (BitTorrent, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-10-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-10-02] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-17] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-11-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2636084727-710489765-3987840401-1000: @bittorrent.com/BitTorrentDNA -> C:\Users\Kurk\Program Files (x86)\DNA\plugins\npbtdna.dll [2014-08-31] (BitTorrent, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npbittorrent.dll [2008-09-03] (BitTorrent, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
CHR StartupUrls: Default -> "hxxp://www.msn.com/?pc=U040&ocid=U040DHP"
CHR DefaultSearchKeyword: Default -> load a page +1 bagaiev's profile photolevel 2 9/16/09 bagaiev said: the big problem when i'm typing local sites: i can't reach them at all. +1 wár17 §'s profile phototop contributor alumni 9/16/09 wár17 § said: mixelle, how did you type the address?  did you type with http:// included? +1 bagaiev's profile photolevel 2 9/17/09 bagaiev said: i also typed it with http:\\\\ included. (for example http:\\\\www.youtube.com) +1 prashanth2010's profile photolevel 1 11/17/09 prashanth2010 said: i started having the same problems as bagajev and mixelle above today and find myself unable to use any intranet sites because the search cant possibly get past our firewall. it'll be great to have future version of chrome allow you to disable the search feature if it starts to malfunction like this +1 test monkey's profile photolevel 1 12/5/09 test monkey said: what i found (accidentally) was that if you disable google or your other search engine as the default, so that you have no default search engine, chrome will not use it for autosearching.  i'm not sure how i managed to get into that state, however. +1 dillon.larry's profile photolevel 4 12/20/09 dillon.larry said: i used to thing that google was the greatest company on earth.  but i'm finding more and more \
CHR Session Restore: Default -> is enabled.
CHR Plugin: (Widevine Content Decryption Module) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\WidevineCdm\_platform_specific\win_x64\widevinecdmadapter.dll (Google Inc.)
CHR Profile: C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default [2017-01-29]
CHR Extension: (Google Slides) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-13]
CHR Extension: (Google Docs) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-13]
CHR Extension: (Google Drive) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-13]
CHR Extension: (YouTube) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-13]
CHR Extension: (Adblock Plus) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-11-13]
CHR Extension: (Empty New Tab Page) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpjamkmjmigaoobjbekmfgabipmfilij [2017-01-18]
CHR Extension: (Google Sheets) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-13]
CHR Extension: (Stylish - Custom themes for any website) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2017-01-28]
CHR Extension: (Google Docs Offline) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-11-13]
CHR Extension: (Pinterest Save Button) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2016-11-13]
CHR Extension: (Social Fixer for Facebook) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifmhoabcaeehkljcfclfiieohkohdgbb [2017-01-18]
CHR Extension: (F.B.(FluffBusting)Purity) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmkinhboiljjkhaknpaeaicmdjhagpep [2017-01-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Gmail) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-13]
CHR Extension: (Chrome Media Router) - C:\Users\Kurk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-18]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 QHActiveDefense; C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [928168 2017-01-22] (QIHU 360 SOFTWARE CO. LIMITED)
S3 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 VTechUSBSocketService; C:\Program Files (x86)\VTech\DownloadManager\Applications\AppAccessory\12051\VTechUSBSocketService\VTechServiceInstaller.exe [82824 2013-03-28] (VTech)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [151784 2016-06-03] (360.cn)
R3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [86248 2017-01-22] (360.cn)
R3 360AvFlt; C:\Windows\SysWOW64\DRIVERS\360AvFlt.sys [86248 2017-01-22] (360.cn)
R1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [330472 2017-01-22] (360.cn)
R1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [40520 2014-12-12] (360.cn)
R1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [391392 2016-08-08] (360.cn)
S3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [38424 2011-07-07] (Google Inc)
S3 androidusb; C:\Windows\SysWOW64\Drivers\androidusb.sys [32408 2010-10-18] (Google Inc)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [188864 2016-09-14] (360.cn)
S3 CisUtMonitor; C:\Windows\System32\DRIVERS\CisUtMonitor.sys [33360 2011-10-30] (CrystalIdea Software)
S3 massfilter_hs; C:\Windows\System32\drivers\massfilter_hs.sys [18456 2011-07-07] (HandSet Incorporated)
S3 massfilter_hs; C:\Windows\SysWOW64\drivers\massfilter_hs.sys [9216 2010-10-20] (HandSet Incorporated)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-01-18] (Malwarebytes)
U5 UnlockerDriver5; C:\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys [4096 2009-10-25] () [File not signed]
S1 SABKUTIL; \??\C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [X]
S3 SABProcEnum; \??\C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-01 12:02 - 2017-02-01 12:02 - 00000000 ____D C:\Users\Kurk\Desktop\FRST-OlderVersion
2017-02-01 12:01 - 2017-02-01 12:01 - 00001726 _____ C:\Users\Kurk\Desktop\fixlist.txt
2017-02-01 11:52 - 2017-02-01 12:02 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2017-02-01 11:52 - 2017-02-01 11:56 - 00000000 ____D C:\cdc78f681ae44d736602e8662b0b
2017-02-01 11:51 - 2017-02-01 12:02 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-29 09:30 - 2017-01-29 09:31 - 00000352 _____ C:\Users\Kurk\Downloads\reminder.ics
2017-01-28 23:35 - 2017-01-28 23:35 - 00000000 ____D C:\Users\Public\CyberLink
2017-01-28 23:35 - 2017-01-28 23:35 - 00000000 ____D C:\Users\Kurk\AppData\Local\Cyberlink
2017-01-28 23:34 - 2017-01-28 23:34 - 00000000 ____D C:\Users\Kurk\Documents\CyberLink
2017-01-28 23:34 - 2017-01-28 23:34 - 00000000 ____D C:\Users\Kurk\AppData\Roaming\CyberLink
2017-01-28 23:34 - 2017-01-28 23:34 - 00000000 ____D C:\ProgramData\CyberLink
2017-01-28 18:26 - 2017-01-28 18:30 - 00033577 _____ C:\Users\Kurk\Desktop\Addition.txt
2017-01-28 18:05 - 2017-02-01 12:07 - 00017628 _____ C:\Users\Kurk\Desktop\FRST.txt
2017-01-28 18:05 - 2017-02-01 12:02 - 00000000 ____D C:\FRST
2017-01-28 18:02 - 2017-02-01 12:02 - 02420736 _____ (Farbar) C:\Users\Kurk\Desktop\FRST64.exe
2017-01-20 22:41 - 2017-01-20 22:41 - 00013824 ___SH C:\Users\Kurk\Downloads\Thumbs.db
2017-01-18 20:30 - 2017-01-18 20:30 - 00058016 _____ C:\Users\Kurk\AppData\Local\GDIPFONTCACHEV1.DAT
2017-01-18 20:29 - 2017-01-18 20:30 - 00268392 _____ C:\Windows\system32\FNTCACHE.DAT

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-01 12:02 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-01 12:01 - 2014-11-24 22:19 - 00007593 _____ C:\Users\Kurk\AppData\Local\Resmon.ResmonCfg
2017-02-01 12:01 - 2009-07-14 00:08 - 00032626 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-02-01 11:56 - 2009-07-13 23:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-01 11:56 - 2009-07-13 23:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-01 11:52 - 2016-11-13 18:28 - 00003876 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2017-02-01 11:52 - 2013-10-14 23:35 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-02-01 11:52 - 2013-10-14 23:35 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-01 11:52 - 2013-10-14 23:35 - 00003770 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-02-01 11:51 - 2015-04-14 14:46 - 00000000 ____D C:\Users\Kurk\AppData\LocalLow\360WD
2017-02-01 11:51 - 2013-10-14 23:35 - 00000000 ____D C:\Windows\system32\Macromed
2017-02-01 11:51 - 2010-08-27 06:12 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-02-01 11:41 - 2016-11-25 23:01 - 00000000 ____D C:\Users\Kurk\AppData\LocalLow\Mozilla
2017-02-01 11:41 - 2014-11-16 15:22 - 00001873 _____ C:\Windows\wininit.ini
2017-02-01 11:40 - 2016-11-20 18:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-01 11:40 - 2013-10-14 23:14 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-01-28 22:21 - 2013-10-15 00:06 - 00000000 ____D C:\Completed
2017-01-28 17:09 - 2015-04-14 14:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2017-01-22 01:16 - 2016-07-02 11:36 - 00086248 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2017-01-22 01:16 - 2015-12-18 23:57 - 00086248 _____ (360.cn) C:\Windows\SysWOW64\Drivers\360AvFlt.sys
2017-01-22 01:16 - 2015-04-14 14:45 - 00330472 _____ (360.cn) C:\Windows\system32\Drivers\360Box64.sys
2017-01-21 14:49 - 2016-09-17 23:55 - 00000000 ____D C:\ThumbsPlus
2017-01-20 23:08 - 2010-08-27 06:11 - 00000000 ____D C:\ProgramData\Adobe
2017-01-18 20:56 - 2015-04-14 14:54 - 00000000 ____D C:\Windows\Tasks\360Disabled
2017-01-18 20:34 - 2013-10-14 22:28 - 00000000 ____D C:\Users\Kurk\AppData\Local\Adobe
2017-01-18 20:28 - 2015-04-14 14:46 - 00000000 ____D C:\ProgramData\360safe
2017-01-18 20:08 - 2014-04-26 17:00 - 00000000 ____D C:\AdwCleaner
2017-01-18 19:56 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2017-01-18 19:54 - 2016-11-13 15:55 - 00002262 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-18 19:37 - 2014-12-13 20:27 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

==================== Files in the root of some directories =======

2014-11-24 22:19 - 2017-02-01 12:01 - 0007593 _____ () C:\Users\Kurk\AppData\Local\Resmon.ResmonCfg
2015-05-11 13:36 - 2015-05-11 13:36 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
2017-01-28 23:35 - 2017-01-28 23:35 - 0465920 _____ (Realtek Semiconductor Corp.) C:\Users\Kurk\AppData\Local\Temp\COMAP.EXE

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-07-09 15:40

==================== End of FRST.txt ============================



#11 polskamachina

polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 02 February 2017 - 11:27 AM

Hi Kurkus54,

I uninstalled the torrent program

:thumbsup:
 
You asked:

should i also run the search files and registry options of the frst program?

The search options only come into play when we are investigating specific files or registry items. It is unrelated to the standard search for malware. Therefore, it is not necessary to perform any searches at this time.
 
Regarding the FRST log that you posted, I was asking you to perform a FRST Fix and post the subsequent Fixlog.
 
I have recopied the directions here for your convenience:

  • Open Notepad
  • Please copy and paste the text below in its entirety into Notepad:
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-10-20] (Microsoft Corporation)
Task: {15A484C7-A290-445E-B71C-84A53D6C4FEE} - System32\Tasks\{E0C996DE-7277-4E41-BC87-A7C714E2C035} => pcalua.exe -a "C:\Users\Kurk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0DOZMDS\JavaSetup8u45.exe" -d C:\Users\Kurk\Desktop
CHR DefaultSearchKeyword: Default -> load a page +1 bagaiev's profile photolevel 2 9/16/09 bagaiev said: the big problem when i'm typing local sites: i can't reach them at all. +1 wár17 §'s profile phototop contributor alumni 9/16/09 wár17 § said: mixelle, how did you type the address?  did you type with http:// included? +1 bagaiev's profile photolevel 2 9/17/09 bagaiev said: i also typed it with http:\\\\ included. (for example http:\\\\www.youtube.com) +1 prashanth2010's profile photolevel 1 11/17/09 prashanth2010 said: i started having the same problems as bagajev and mixelle above today and find myself unable to use any intranet sites because the search cant possibly get past our firewall. it'll be great to have future version of chrome allow you to disable the search feature if it starts to malfunction like this +1 test monkey's profile photolevel 1 12/5/09 test monkey said: what i found (accidentally) was that if you disable google or your other search engine as the default, so that you have no default search engine, chrome will not use it for autosearching.  i'm not sure how i managed to get into that state, however. +1 dillon.larry's profile photolevel 4 12/20/09 dillon.larry said: i used to thing that google was the greatest company on earth.  but i'm finding more and more \
  • Save the file to your Desktop as fixlist.txt. Note: FRST64 and fixlist.txt must be in the same folder in order for the fix to work.
  • Run FRST64
  • Click on Fix
  • It should only take a few moments for the fix to complete
  • If you are asked to restart your computer, please do so
  • When the fix has completed, a new file will be created named Fixlog.txt, and it will be saved to your Desktop
  • Please copy and paste that Fixlog into your next reply to me

In summary I will need from you:

  • Fixlog.txt
  • How is your computer performing after the fix?

polskamachina
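The fix procedure above works because FRST keys its fix on the exact text of a log line: the fixlist is the log entries copied verbatim, preceded by directives such as CreateRestorePoint: and CloseProcesses:. The following is an added example written for this page, not code from the thread and not part of Farbar's tool. It splits an FRST.txt-style log into its sections, returns the entries a first triage pass would review (using the markers FRST itself prints in the thread's log, such as "<======= ATTENTION", "[X]", "[File not signed]" and "No File", plus one assumed heuristic of mine: a browser search setting whose value is not a URL), and assembles those lines into a fixlist in the format shown above. The sample log is constructed for this example and modelled on the thread's log; it is not the real scan output.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example (not from the thread, not Farbar's code). It shows why fixlist
lines are copied verbatim from FRST.txt and which log markers a first pass
looks for. SAMPLE_LOG is constructed, modelled on the entry formats in the thread.
"""
import re
from typing import Dict, List, Tuple

# Markers FRST prints on lines that merit review (all appear in the thread's log).
MARKERS = {
    "<======= ATTENTION": "flagged by FRST",
    "[X]": "file missing on disk",
    "[File not signed]": "unsigned driver",
    "[not signed]": "unsigned extension",
    "No File": "orphaned registry entry",
}

# "==================== Registry (Whitelisted) ====================" -> title
SECTION_RE = re.compile(r"^=+\s*([^=\s][^=]*?)\s*=+$")
# Browser search settings, e.g. "CHR DefaultSearchKeyword: Default -> value".
# Heuristic assumed for this example: a search value should be a URL or empty.
SEARCH_RE = re.compile(r"^(CHR|FF|IE) \S*Search\S*: (.*?) -> (.*)$")

SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-01-2017
Ran by Kurk (administrator) on HAL (01-02-2017 12:02:50)

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

Chrome:
=======
CHR HomePage: Default -> hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
CHR DefaultSearchKeyword: Default -> load a page +1 bagaiev said: (constructed stand-in for pasted page text)
CHR Session Restore: Default -> is enabled.

===================== Drivers (Whitelisted) ======================

R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [151784 2016-06-03] (360.cn)
U5 UnlockerDriver5; C:\Completed\Unlocker portable 1.88\unlocker1.8.8-portable\UnlockerDriver5.sys [4096 2009-10-25] () [File not signed]
S1 SABKUTIL; \??\C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [X]
"""


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split an FRST log into {section title: [entry lines]}, dropping FRST's notes."""
    lines = [l.strip() for l in log.splitlines()]
    sections: Dict[str, List[str]] = {}
    current = "Header"
    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not line:
            i += 1
            continue
        m = SECTION_RE.match(line)
        if m:                                   # banner section: ==== Title ====
            current = m.group(1)
            sections.setdefault(current, [])
            i += 1
            continue
        if line.endswith(":") and re.fullmatch(r"=+", nxt):   # "Chrome:" + "====="
            current = line[:-1]
            sections.setdefault(current, [])
            i += 2
            continue
        if line.startswith("(If an"):           # FRST's per-section explanatory note
            i += 1
            continue
        sections.setdefault(current, []).append(line)
        i += 1
    return sections


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, verbatim line) for every entry a first pass should review."""
    hits: List[Tuple[str, str, str]] = []
    for section, entries in parse_sections(log).items():
        for line in entries:
            reason = next((why for marker, why in MARKERS.items() if marker in line), None)
            if reason is None:
                m = SEARCH_RE.match(line)
                if m and m.group(3).strip() and not m.group(3).lower().startswith(("http", "hxxp", "{")):
                    reason = "search setting is not a URL"
            if reason:
                hits.append((section, reason, line))
    return hits


def build_fixlist(lines: List[str]) -> str:
    """Assemble a fixlist in the thread's format: directives first, then log lines verbatim."""
    return "\n".join(["CreateRestorePoint:", "CloseProcesses:", *lines]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, reason, line in found:
        print(f"[{section}] {reason}: {line[:70]}")
    print(build_fixlist([h[2] for h in found]))
```

Marker-based triage is only the first pass. Two of the lines the helper put in the thread's fixlist (the SPReview RunOnce entry and the scheduled task that launches an installer out of Temporary Internet Files via pcalua.exe) carry no FRST marker at all; they were chosen by reading the log, which is the part no script replaces.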



#12 polskamachina

polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 05 February 2017 - 12:15 PM

Hi Kurkus54 :)

 

It's been a while since you've checked in. Did you need any more help with this? If not, this topic will be closed in 48 hours.
 
Please let me know if you have any questions.
 
polskamachina



#13 Kurkus54

Kurkus54
  • Topic Starter

  • Members
  • 28 posts

Posted 06 February 2017 - 01:30 AM

I will be doing that now. I thought I did do it as the instructions asked, but will try it again. Thanks.



#14 Kurkus54

Kurkus54
  • Topic Starter

  • Members
  • 28 posts

Posted 06 February 2017 - 02:15 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-02-2017
Ran by Kurk (06-02-2017 02:11:00) Run:1
Running from C:\Users\Kurk\Desktop
Loaded Profiles: Kurk (Available Profiles: Kurk)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-10-20] (Microsoft Corporation)
Task: {15A484C7-A290-445E-B71C-84A53D6C4FEE} - System32\Tasks\{E0C996DE-7277-4E41-BC87-A7C714E2C035} => pcalua.exe -a "C:\Users\Kurk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0DOZMDS\JavaSetup8u45.exe" -d C:\Users\Kurk\Desktop
CHR DefaultSearchKeyword: Default -> load a page +1 bagaiev's profile photolevel 2 9/16/09 bagaiev said: the big problem when i'm typing local sites: i can't reach them at all. +1 wár17 §'s profile phototop contributor alumni 9/16/09 wár17 § said: mixelle, how did you type the address?  did you type with http:// included? +1 bagaiev's profile photolevel 2 9/17/09 bagaiev said: i also typed it with http:\\\\ included. (for example http:\\\\www.youtube.com) +1 prashanth2010's profile photolevel 1 11/17/09 prashanth2010 said: i started having the same problems as bagajev and mixelle above today and find myself unable to use any intranet sites because the search cant possibly get past our firewall. it'll be great to have future version of chrome allow you to disable the search feature if it starts to malfunction like this +1 test monkey's profile photolevel 1 12/5/09 test monkey said: what i found (accidentally) was that if you disable google or your other search engine as the default, so that you have no default search engine, chrome will not use it for autosearching.  i'm not sure how i managed to get into that state, however. +1 dillon.larry's profile photolevel 4 12/20/09 dillon.larry said: i used to thing that google was the greatest company on earth.  but i'm finding more and more \
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SPReview => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{15A484C7-A290-445E-B71C-84A53D6C4FEE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15A484C7-A290-445E-B71C-84A53D6C4FEE} => key removed successfully
C:\Windows\System32\Tasks\{E0C996DE-7277-4E41-BC87-A7C714E2C035} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{E0C996DE-7277-4E41-BC87-A7C714E2C035} => key removed successfully
Chrome DefaultSearchKeyword => removed successfully


The system needed a reboot.

==== End of Fixlog 02:12:11 ====



#15 polskamachina

polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 06 February 2017 - 02:06 PM

Hi Kurkus54,
 
Good job running the FRST fix. :thumbup2:
 
Can you please tell me if you've noticed any change in the way your computer is performing?
 
polskamachina





