
Issues Eliminating Xmediaserve.com Infection / cmd.exe At Times Appears / Closes


  • This topic is locked
13 replies to this topic

#1 HalfDarkShadow

  • Members
  • 6 posts

Posted 27 January 2017 - 10:27 PM

Good evening,
 
So a few days ago (7/23) I was infected with malware, specifically searching-com redirection as well as a handful of unwanted programs being installed. Just about everything was taken care of but this one thing recognized as xmediaserve.com. Pretty much (depending on the site) the first click will open a separate tab (or occasionally a new window/popup) with whatever website I'm on being littered with porn(?) ads all over the place. Mostly those "meet naked Russians in your area", "embarrassing celebrity photos" kind of things.
I'm not sure how long I've had it (since I haven't been using the infected desktop as of late) but it didn't start appearing until today after running another scan via Malwarebytes (which also consistently detects 92 Hijack.Host entries that won't seem to go away, though after doing some research, this may be a false positive?). The only other thing I can make of it is that this doesn't happen on all sites, only a selected few. (It started when I was on crunchyroll.com/thesaurus.com, and a few websites when I started researching xmediaserve.)
 
Lastly, one thing I have noticed is that two cmd.exe windows will pop up (at the same time) every so often and immediately disappear before they even load up completely. Between the few times I had to restart the computer, it would happen the moment I typed in any of the certain websites I know of that had the adware issue (I would intentionally go back onto those sites to see if the virus was still infecting those sites).
 
Here's what I've done thus far -
 
Full scans with:
Malwarebytes
Avast

CCleaner
AdwCleaner
JRT
SuperAntiSpyware
(there might have been another one that I'm not remembering).
 
Removed my browser(s) and reinstalled them.
Well, this might still be an issue as Google Chrome tends not to like to remove everything via bookmarks, extensions, some other temp files, etc, so I'm not entirely sure if it was removed completely. Specifically every time I did a separate install, my settings would still be there, so I went into my program files and removed everything else manually. So far it seems that did the trick as nothing carried over again.

 

EDIT: The only extensions I have now that appear are the default ones Chrome comes with via Docs, Docs Offline, Sheets, Slides, and two Avast extensions that were added I'm assuming from the Avast program that's running as my active antivirus.

 

I was also going to do a system restore before all of this transpired but I found out that ever since I upgraded to Windows 10 (over a year ago?), they thought it was a good idea to disable System Restore by default, so this entire time I had no backups whatsoever. Fortunately I haven't had any major problems in such a long time, but because of that fact, I never had any particular reason to do a System Restore. Honestly, I would never assume it would've been disabled by default in the first place, but I digress. The point being, this unfortunately is not an option.
 
I also ran into this: https://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ and followed the steps, downloaded and ran Farbar Recovery Scan Tool (FRST), and I'll provide the logs here:

 

 

Attached File: Addition.txt (106.31KB)
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-01-2017 01
Ran by HalfDarkShadow (administrator) on SCARLET (27-01-2017 20:57:38)
Running from C:\Users\HalfDarkShadow\Downloads
Loaded Profiles: HalfDarkShadow (Available Profiles: HalfDarkShadow & DefaultAppPool)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(M-Audio) C:\Program Files (x86)\M-Audio\MobilePre\AudioDevMon.exe
(Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Razer, Inc.) C:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe
(SoftEther VPN Project at University of Tsukuba, Japan.) C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
() C:\Users\HalfDarkShadow\AppData\Local\Amazon Music\Amazon Music Helper.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(SoftEther VPN Project at University of Tsukuba, Japan.) C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(SoftEther VPN Project at University of Tsukuba, Japan.) C:\Program Files\SoftEther VPN Client\vpncmgr_x64.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Razer USA Ltd.) C:\Program Files (x86)\Razer\Lycosa\razerhid.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Japanese Input\GoogleIMEJaConverter.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Japanese Input\GoogleIMEJaRenderer.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Japanese Input\GoogleIMEJaCacheService.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Akamai Technologies, Inc.) C:\Users\HalfDarkShadow\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\HalfDarkShadow\AppData\Local\Akamai\netsession_win.exe
() C:\ProgramData\Razer\Synapse\RzStats\RzStats.Manager.exe
(Razer, Inc.) C:\Program Files (x86)\Razer\InGameEngine\32bit\RazerIngameEngine.exe
(Razer, Inc.) C:\Users\HalfDarkShadow\AppData\Local\Razer\InGameEngine\cache\RzStats.Manager\RzCefRenderProcess.exe
(Razer, Inc.) C:\Users\HalfDarkShadow\AppData\Local\Razer\InGameEngine\cache\RzSynapse\rzcefrenderprocess.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13885696 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2397120 2016-06-14] (NVIDIA Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [SoftEther VPN Client UI Helper] => C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe [5232072 2016-06-06] (SoftEther VPN Project at University of Tsukuba, Japan.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [592704 2015-09-29] (Razer Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [115048 2011-09-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [Lycosa] => C:\Program Files (x86)\Razer\Lycosa\razerhid.exe [238592 2010-04-13] (Razer USA Ltd.)
HKLM-x32\...\Run: [Google Japanese Input Prelauncher] => C:\Program Files (x86)\Google\Google Japanese Input\GoogleIMEJaBroker32.exe [1752016 2016-12-07] (Google Inc.)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Aeria Ignite] => C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe [1925656 2013-06-06] (Aeria Games & Entertainment)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [896632 2015-07-22] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595992 2016-05-20] (Oracle Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9080768 2017-01-26] (AVAST Software)
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\Run: [Akamai NetSession Interface] => C:\Users\HalfDarkShadow\AppData\Local\Akamai\netsession_win.exe [4440896 2012-08-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\Run: [Amazon Music] => C:\Users\HalfDarkShadow\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-08] ()
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\Run: [{79BF4901-1EC4-4726-B3C2-A7859706C6E7}] => "C:\Users\HalfDarkShadow\Downloads\LeagueofLegends_NA_Installer_9_15_2014.exe" /cmdloc "HKCU\Software\Riot Games AiTemp\{79BF4901-1EC4-4726-B3C2-A7859706C6E7}"
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9292504 2016-12-21] (Piriform Ltd)
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2017-01-05] (SUPERAntiSpyware)
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\RunOnce: [Uninstall C:\Users\HalfDarkShadow\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\HalfDarkShadow\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64"
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\RunOnce: [Uninstall C:\Users\HalfDarkShadow\AppData\Local\Microsoft\OneDrive\17.3.5951.0827] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\HalfDarkShadow\AppData\Local\Microsoft\OneDrive\17.3.5951.0827"
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\MountPoints2: {60ea7620-6ca7-11e5-9bd7-00224d7fbdfe} - "E:\VZW_Software_upgrade_assistant.exe" 
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-01-26] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SoftEther VPN Client Manager Startup.lnk [2017-01-17]
ShortcutTarget: SoftEther VPN Client Manager Startup.lnk -> C:\Program Files\SoftEther VPN Client\vpncmgr_x64.exe (SoftEther VPN Project at University of Tsukuba, Japan.)
GroupPolicy\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{e6064c13-2e22-4ce8-91d0-f54c86e86ff5}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{e6064c13-2e22-4ce8-91d0-f54c86e86ff5}: [DhcpNameServer] 75.75.75.75 75.75.76.76
ManualProxies: 
 
Internet Explorer:
==================
BHO-x32: No Name -> {3C6301ED-0F78-4AF2-8150-D9C052361A8E} -> No File
BHO-x32: LEC -> {4A241D35-F7EB-401b-8C5B-A904A50F280E} -> C:\Program Files (x86)\Power Translator 15\Applications\LEC IE Translation Extension.dll [2011-07-05] (Language Engineering Corporation, LLC)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-06-06] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-06-06] (Oracle Corporation)
Toolbar: HKLM-x32 - No Name - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} -  No File
Toolbar: HKLM-x32 - LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files (x86)\Power Translator 15\Applications\LEC IE Translation Extension.dll [2011-07-05] (Language Engineering Corporation, LLC)
DPF: HKLM-x32 {0D41B8C5-2599-4893-8183-00195EC8D5F9} hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-09-23] (Skype Technologies)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2017-01-26]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2017-01-26]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_194.dll [2017-01-11] ()
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2012-09-08] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2012-09-20] (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll [2013-12-02] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-11] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-06-06] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-06-06] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3503.0728 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-07-28] (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [2013-01-09] (Nexon)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-05-19] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-05-19] (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\HalfDarkShadow\AppData\Roaming\raidcall\plugins\nprcplugin.dll [2013-02-05] (Raidcall)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2012-09-20] (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [2013-12-02] (Adobe Systems)
FF Plugin HKU\S-1-5-21-22681376-1415523870-3786703371-1000: @eximion.com/KalydoPlayer -> C:\Users\HalfDarkShadow\AppData\Roaming\Kalydo\KalydoPlayer\bin2\npkalydo.dll [2012-08-30] (Eximion B.V.)
FF Plugin HKU\S-1-5-21-22681376-1415523870-3786703371-1000: SkypePlugin -> C:\Users\HalfDarkShadow\AppData\Local\SkypePlugin\7.18.0.51\npGatewayNpapi.dll [2016-04-25] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-22681376-1415523870-3786703371-1000: SkypePlugin64 -> C:\Users\HalfDarkShadow\AppData\Local\SkypePlugin\7.18.0.51\npGatewayNpapi-x64.dll [2016-04-25] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-22681376-1415523870-3786703371-1000: thehappycloud.com/HappyCloudPlugin -> C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll [2013-01-08] (The Happy Cloud)
 
Chrome: 
=======
CHR Profile: C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default [2017-01-27]
CHR Extension: (Google Slides) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-01-27]
CHR Extension: (Google Docs) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-01-27]
CHR Extension: (Google Drive) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-27]
CHR Extension: (YouTube) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-27]
CHR Extension: (Avast SafePrice) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-01-27]
CHR Extension: (Google Sheets) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-01-27]
CHR Extension: (Google Docs Offline) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-27]
CHR Extension: (Avast Online Security) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-01-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-27]
CHR Extension: (Gmail) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-27]
CHR Extension: (Chrome Media Router) - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-27]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome.BR2LP7GRFHXCHYUXNORFF3VYVM - C:\Users\HalfDarkShadow\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2017-01-26] (AVAST Software)
S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [433784 2015-06-16] (BlueStack Systems, Inc.)
S3 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [413304 2015-06-16] (BlueStack Systems, Inc.)
S3 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [831096 2015-07-21] (BlueStack Systems, Inc.)
S3 EvoSvc; C:\Program Files\Echobit\Evolve\EvoSvc.exe [1583488 2015-08-26] (Echobit LLC)
R2 GoogleIMEJaCacheService; C:\Program Files (x86)\Google\Google Japanese Input\GoogleIMEJaCacheService.exe [946640 2016-12-07] (Google Inc.)
S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-06-26] ()
S2 LEC TranslateDotNet Server; C:\Program Files (x86)\Power Translator 15\LogoMedia TranslateDotNet Server.exe [1955520 2011-07-05] (Language Engineering Corporation, LLC)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 MobilePreIIAudioDevMon; C:\Program Files (x86)\M-Audio\MobilePre\AudioDevMon.exe [1919496 2010-06-15] (M-Audio)
S3 npggsvc; C:\WINDOWS\SysWOW64\GameMon.des [5449136 2016-05-16] (INCA Internet Co., Ltd.)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-06-14] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3632576 2016-06-14] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2521024 2016-06-14] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2078216 2015-10-10] (Electronic Arts)
S3 OVPNService; C:\Users\HalfDarkShadow\AppData\Local\TotalVPN\OVPN.Service.exe [20080 2016-06-03] ()
R2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [51200 2015-11-19] (Razer Inc.) [File not signed]
S2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [187048 2015-06-23] ()
R2 RzOvlMon; C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe [32960 2014-04-18] (Razer, Inc.)
R2 SEVPNCLIENT; C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe [5232072 2016-06-06] (SoftEther VPN Project at University of Tsukuba, Japan.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [37656 2017-01-26] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [37144 2017-01-26] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [108816 2017-01-26] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr2.sys [103064 2017-01-26] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2017-01-26] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [969184 2017-01-26] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [513632 2017-01-26] (AVAST Software)
R2 aswStm; C:\WINDOWS\system32\drivers\aswStm.sys [163416 2017-01-26] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2017-01-26] (AVAST Software)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [145528 2015-06-16] (BlueStack Systems)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77416 2017-01-20] ()
S3 EvolveVirtualAdapter; C:\WINDOWS\System32\drivers\evolve.sys [21656 2013-03-14] (Echobit, LLC)
S1 HssDRV6; C:\WINDOWS\System32\DRIVERS\hssdrv6.sys [44744 2014-06-26] (AnchorFree Inc.)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [176584 2017-01-27] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [110536 2017-01-27] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [43968 2017-01-27] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251848 2017-01-27] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [91584 2017-01-27] (Malwarebytes)
S3 Neo_VPN; C:\WINDOWS\System32\drivers\Neo_0126.sys [28768 2014-07-18] (SoftEther VPN Project at University of Tsukuba, Japan.)
S3 Neo_VPN2; C:\WINDOWS\System32\drivers\Neo6_x64_VPN2.sys [38224 2016-06-06] (SoftEther Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-06-14] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [56384 2016-04-14] (NVIDIA Corporation)
S3 ptun0901; C:\WINDOWS\System32\drivers\ptun0901.sys [27136 2016-04-21] (The OpenVPN Project)
R3 RzDxgk; C:\Windows\system32\drivers\RzDxgk.sys [129472 2014-04-18] (Razer, Inc.)
R3 rzendpt; C:\WINDOWS\System32\drivers\rzendpt.sys [51224 2016-05-11] (Razer Inc)
R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [37184 2015-06-12] (Razer, Inc.)
R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [129472 2015-06-26] (Razer, Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 ScpVBus; C:\WINDOWS\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R1 SeLow; C:\WINDOWS\system32\DRIVERS\SeLow_x64.sys [51024 2016-06-06] (SoftEther Corporation)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 taphss6; C:\WINDOWS\System32\drivers\taphss6.sys [42184 2014-05-16] (Anchorfree Inc.)
S3 vmulti; C:\WINDOWS\System32\DRIVERS\vmulti.sys [10752 2014-09-17] (Windows ® Win 7 DDK provider) [File not signed]
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 xhunter1; C:\WINDOWS\xhunter1.sys [36808 2016-10-16] (Wellbia.com Co., Ltd.)
U3 idsvc; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-27 20:57 - 2017-01-27 20:57 - 00026845 _____ C:\Users\HalfDarkShadow\Downloads\FRST.txt
2017-01-27 20:57 - 2017-01-27 20:57 - 00000000 ____D C:\FRST
2017-01-27 20:56 - 2017-01-27 20:57 - 02420736 _____ (Farbar) C:\Users\HalfDarkShadow\Downloads\FRST64.exe
2017-01-27 20:53 - 2017-01-27 20:53 - 00002304 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-27 20:53 - 2017-01-27 20:53 - 00002292 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-01-27 20:51 - 2017-01-27 20:51 - 01065376 _____ (Google Inc.) C:\Users\HalfDarkShadow\Downloads\ChromeSetup (2).exe
2017-01-27 20:37 - 2017-01-27 20:41 - 01065376 _____ (Google Inc.) C:\Users\HalfDarkShadow\Downloads\ChromeSetup (1).exe
2017-01-27 20:28 - 2017-01-27 20:28 - 05532020 _____ C:\Users\HalfDarkShadow\Documents\bookmarks_1_27_17.html
2017-01-27 20:17 - 2017-01-27 20:17 - 01065376 _____ (Google Inc.) C:\Users\HalfDarkShadow\Downloads\ChromeSetup.exe
2017-01-27 19:42 - 2017-01-27 19:42 - 02953520 _____ (AVAST Software) C:\Users\HalfDarkShadow\Downloads\avast-browser-cleanup.exe
2017-01-27 18:59 - 2017-01-27 18:59 - 00005026 _____ C:\Users\HalfDarkShadow\Downloads\ayesha guidance(piano).mid
2017-01-27 17:32 - 2017-01-27 19:47 - 00000544 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task b4772891-78f7-4741-8fac-b64242f3dd5e.job
2017-01-27 17:32 - 2017-01-27 19:47 - 00000544 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 36c6263d-aca4-4de7-b445-ce2a10be802b.job
2017-01-27 17:32 - 2017-01-27 17:32 - 00003786 _____ C:\WINDOWS\System32\Tasks\SUPERAntiSpyware Scheduled Task b4772891-78f7-4741-8fac-b64242f3dd5e
2017-01-27 17:32 - 2017-01-27 17:32 - 00003704 _____ C:\WINDOWS\System32\Tasks\SUPERAntiSpyware Scheduled Task 36c6263d-aca4-4de7-b445-ce2a10be802b
2017-01-27 17:31 - 2017-01-27 17:31 - 00001809 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2017-01-27 17:31 - 2017-01-27 17:31 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\SUPERAntiSpyware.com
2017-01-27 17:31 - 2017-01-27 17:31 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2017-01-27 17:31 - 2017-01-27 17:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2017-01-27 17:31 - 2017-01-27 17:31 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2017-01-27 17:30 - 2017-01-27 17:30 - 29022968 _____ (SUPERAntiSpyware) C:\Users\HalfDarkShadow\Downloads\SUPERAntiSpyware.exe
2017-01-27 17:15 - 2017-01-27 17:15 - 00001969 _____ C:\Users\HalfDarkShadow\Desktop\JRT.txt
2017-01-27 17:07 - 2017-01-27 17:08 - 04015056 _____ C:\Users\HalfDarkShadow\Downloads\adwcleaner_6.043 (1).exe
2017-01-27 17:07 - 2017-01-27 17:07 - 01663040 _____ (Malwarebytes) C:\Users\HalfDarkShadow\Downloads\JRT.exe
2017-01-27 16:15 - 2017-01-27 16:15 - 00000000 ____D C:\WINDOWS\System32\Tasks\AVAST Software
2017-01-27 16:15 - 2017-01-27 16:15 - 00000000 ____D C:\Program Files\Common Files\AV
2017-01-27 15:52 - 2017-01-27 15:52 - 04015056 _____ C:\Users\HalfDarkShadow\Downloads\adwcleaner_6.043.exe
2017-01-27 15:31 - 2017-01-27 15:31 - 00084616 _____ C:\Users\HalfDarkShadow\Downloads\The Fantastic Legend of Tohno.pdf
2017-01-27 14:56 - 2017-01-27 15:04 - 01925470 _____ C:\Users\HalfDarkShadow\Downloads\ProcessExplorer.zip
2017-01-27 14:44 - 2017-01-27 20:00 - 00091584 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-01-27 14:44 - 2017-01-27 19:49 - 00110536 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-01-27 14:44 - 2017-01-27 19:49 - 00043968 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-01-27 14:44 - 2017-01-27 19:48 - 00251848 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-01-27 14:44 - 2017-01-27 14:44 - 00176584 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-01-27 14:44 - 2017-01-27 14:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-01-27 14:44 - 2017-01-27 14:44 - 00000000 ____D C:\Program Files\Malwarebytes
2017-01-27 14:44 - 2017-01-20 07:47 - 00077416 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-01-27 14:40 - 2017-01-27 14:40 - 00036131 _____ C:\Users\HalfDarkShadow\Downloads\This Game (1).mid
2017-01-27 14:39 - 2017-01-27 14:39 - 00202999 _____ C:\Users\HalfDarkShadow\Downloads\This Game (1).pdf
2017-01-27 14:31 - 2017-01-27 19:00 - 00000000 ____D C:\Users\HalfDarkShadow\Documents\- piano sheet music
2017-01-27 02:17 - 2017-01-27 02:17 - 00016278 _____ C:\MBAM logs.txt
2017-01-27 02:11 - 2017-01-27 02:11 - 00015544 _____ C:\Users\HalfDarkShadow\Documents\MBAM scan results.txt
2017-01-26 22:52 - 2017-01-26 22:52 - 00002872 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2017-01-26 22:52 - 2017-01-26 22:52 - 00000823 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-01-26 22:52 - 2017-01-26 22:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-01-26 22:52 - 2017-01-26 22:52 - 00000000 ____D C:\Program Files\CCleaner
2017-01-26 22:51 - 2017-01-26 22:52 - 08813488 _____ (Piriform Ltd) C:\Users\HalfDarkShadow\Downloads\ccsetup526 (1).exe
2017-01-26 22:51 - 2017-01-26 22:51 - 08813488 _____ (Piriform Ltd) C:\Users\HalfDarkShadow\Downloads\ccsetup526.exe
2017-01-26 12:29 - 2017-01-27 14:16 - 00004004 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1485451739
2017-01-26 12:29 - 2017-01-27 14:16 - 00001048 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-01-26 12:28 - 2017-01-26 12:28 - 00037144 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2017-01-26 12:26 - 2017-01-26 12:26 - 00969184 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsnx.sys
2017-01-26 12:26 - 2017-01-26 12:26 - 00513632 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsp.sys
2017-01-26 12:26 - 2017-01-26 12:26 - 00293352 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2017-01-26 12:26 - 2017-01-26 12:26 - 00004004 _____ C:\WINDOWS\System32\Tasks\avast! Emergency Update
2017-01-26 12:26 - 2017-01-26 12:26 - 00001939 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Free Antivirus.lnk
2017-01-26 12:26 - 2017-01-26 12:25 - 00163416 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2017-01-26 12:26 - 2017-01-26 12:25 - 00108816 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2017-01-26 12:26 - 2017-01-26 12:25 - 00103064 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2017-01-26 12:26 - 2017-01-26 12:25 - 00074544 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2017-01-26 12:26 - 2017-01-26 12:25 - 00037656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2017-01-26 12:25 - 2017-01-26 12:28 - 00000000 ____D C:\Program Files\AVAST Software
2017-01-26 12:25 - 2017-01-26 12:25 - 00391496 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2017-01-26 12:25 - 2017-01-26 12:25 - 00053208 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2017-01-26 12:23 - 2017-01-26 12:23 - 06334872 _____ (AVAST Software) C:\Users\HalfDarkShadow\Downloads\avast_free_antivirus_setup_online.exe
2017-01-24 20:34 - 2017-01-24 20:34 - 00462174 _____ C:\Users\HalfDarkShadow\Downloads\ASIO4ALL_2_13_English (1).exe
2017-01-24 20:33 - 2017-01-24 20:33 - 00462174 _____ C:\Users\HalfDarkShadow\Downloads\ASIO4ALL_2_13_English.exe
2017-01-17 18:10 - 2017-01-17 18:11 - 267747328 _____ C:\Users\HalfDarkShadow\Downloads\BIAS_FX_Windows64bit_v1_4_3_2063.msi
2017-01-17 17:30 - 2017-01-26 13:04 - 00000000 ____D C:\Users\HalfDarkShadow\Documents\BIAS_FX
2017-01-17 17:30 - 2017-01-26 13:04 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\BIAS FX
2017-01-17 17:30 - 2017-01-17 17:30 - 00000033 _____ C:\Users\HalfDarkShadow\AppData\Roaming\.pgbiasfx
2017-01-17 17:30 - 2017-01-17 17:30 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\BIAS_FX
2017-01-17 17:29 - 2017-01-17 17:30 - 00000000 ____D C:\Users\HalfDarkShadow\Desktop\old stuffs
2017-01-17 17:29 - 2017-01-17 17:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BIAS FX Application
2017-01-17 17:27 - 2017-01-17 17:27 - 00000000 ____D C:\Program Files (x86)\BIAS FX Application (32bit)
2017-01-17 17:18 - 2017-01-17 17:26 - 260513792 _____ C:\Users\HalfDarkShadow\Downloads\BIAS_FX_Windows32bit_v1_4_3_2063.msi
2017-01-17 13:43 - 2017-01-17 13:44 - 00000000 ___HD C:\$SysReset
2017-01-17 13:31 - 2017-01-17 13:48 - 00000000 ____D C:\WINDOWS\system32\SSL
2017-01-17 13:30 - 2017-01-17 13:30 - 00140288 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Installer.dat
2017-01-17 13:30 - 2017-01-17 13:30 - 00000000 ____D C:\WINDOWS\system32\sstmp
2017-01-17 13:02 - 2017-01-17 13:02 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Plugin Alliance
2017-01-17 12:43 - 2017-01-27 15:08 - 00000000 ____D C:\Program Files\Plugin Alliance
2017-01-17 12:43 - 2017-01-17 12:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Plugin Alliance
2017-01-17 09:29 - 2017-01-17 09:29 - 03009206 _____ C:\WINDOWS\aebfadb84e4bad417a9124f99a60a3c7.exe
2017-01-17 04:04 - 2017-01-17 04:04 - 00282624 ____H C:\WINDOWS\system32\BITFC5E.tmp
2017-01-17 04:04 - 2017-01-17 04:04 - 00282624 ____H C:\WINDOWS\system32\BITEAC9.tmp
2017-01-16 20:22 - 2017-01-16 20:22 - 00012528 _____ C:\Users\HalfDarkShadow\Downloads\[MHCL-1864] ジミーサムP - Unplugged Stray [MP3].rar (4).torrent
2017-01-16 20:10 - 2017-01-16 20:10 - 00011733 _____ C:\Users\HalfDarkShadow\Downloads\[SHFS] Super Lovers 2 - 01 (10bit, x264, AAC, 720p)[AA2EF1E0].mkv.torrent
2017-01-16 20:07 - 2017-01-16 20:07 - 00000000 ____D C:\hydra_tmp_1484615243155
2017-01-16 19:46 - 2017-01-16 19:46 - 00012580 _____ C:\Users\HalfDarkShadow\Downloads\[torrent.cd].[MHCL-1864]_ジミーサムP_-_Unplugged_Stray_[MP3].rar.torrent
2017-01-16 19:45 - 2017-01-16 19:45 - 02237120 _____ (BitTorrent Inc.) C:\Users\HalfDarkShadow\Downloads\uTorrent.exe
2017-01-16 19:44 - 2017-01-16 19:44 - 00012528 _____ C:\Users\HalfDarkShadow\Downloads\[MHCL-1864] ジミーサムP - Unplugged Stray [MP3].rar (3).torrent
2017-01-16 19:16 - 2017-01-16 19:16 - 00012528 _____ C:\Users\HalfDarkShadow\Downloads\[MHCL-1864] ジミーサムP - Unplugged Stray [MP3].rar (2).torrent
2017-01-16 19:15 - 2017-01-16 19:15 - 00012528 _____ C:\Users\HalfDarkShadow\Downloads\[MHCL-1864] ジミーサムP - Unplugged Stray [MP3].rar (1).torrent
2017-01-16 19:13 - 2017-01-16 19:13 - 00012528 _____ C:\Users\HalfDarkShadow\Downloads\[MHCL-1864] ジミーサムP - Unplugged Stray [MP3].rar.torrent
2017-01-13 00:58 - 2017-01-13 00:58 - 70310024 _____ C:\Users\HalfDarkShadow\Downloads\WITS-1.1-all.zip
2017-01-13 00:54 - 2017-01-13 00:57 - 286895170 _____ C:\Users\HalfDarkShadow\Downloads\QuantumSuicidePrologue-all.zip
2017-01-13 00:54 - 2017-01-13 00:56 - 160458055 _____ C:\Users\HalfDarkShadow\Downloads\QuantumSuicide-all.zip
2017-01-13 00:33 - 2017-01-17 17:18 - 00002266 _____ C:\Users\HalfDarkShadow\Desktop\itch.lnk
2017-01-13 00:33 - 2017-01-13 01:03 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\itch
2017-01-13 00:33 - 2017-01-13 00:33 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Itch Corp
2017-01-13 00:31 - 2017-01-13 00:32 - 62083176 _____ (Itch Corp) C:\Users\HalfDarkShadow\Downloads\itchSetup.exe
2017-01-12 21:43 - 2017-01-12 21:43 - 00000000 ____D C:\Users\HalfDarkShadow\Documents\Fruitbat Factory
2017-01-11 11:37 - 2016-12-21 04:01 - 01540224 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2017-01-11 11:37 - 2016-12-21 04:01 - 00692136 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppwinob.dll
2017-01-11 11:37 - 2016-12-21 03:25 - 01594416 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2017-01-11 11:37 - 2016-12-21 02:18 - 01372312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2017-01-11 11:37 - 2016-12-21 01:56 - 01502208 _____ (Microsoft Corporation) C:\WINDOWS\system32\RecoveryDrive.exe
2017-01-11 11:37 - 2016-12-21 00:41 - 04895744 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-01-11 11:37 - 2016-12-21 00:39 - 22373376 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2017-01-11 11:37 - 2016-12-21 00:15 - 07839232 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2017-01-11 11:37 - 2016-12-21 00:06 - 03663872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-01-11 11:37 - 2016-12-21 00:03 - 18671616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2017-01-11 11:37 - 2016-12-20 23:48 - 05658624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2017-01-11 11:37 - 2016-10-25 01:55 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-12-28 10:01 - 2016-12-28 10:17 - 00000000 ____D C:\Users\HalfDarkShadow\Documents\phone backup
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-27 21:01 - 2012-09-13 14:38 - 00000000 ____D C:\Temp
2017-01-27 20:52 - 2014-04-21 10:31 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-27 20:40 - 2015-07-30 07:52 - 00004166 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{226823A7-5B83-45D1-AF4C-C93FBFAD2FC5}
2017-01-27 20:32 - 2016-04-16 14:39 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2017-01-27 20:15 - 2013-03-06 23:57 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-01-27 20:09 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
2017-01-27 19:48 - 2014-07-18 15:24 - 00000000 ____D C:\Program Files\SoftEther VPN Client
2017-01-27 19:46 - 2015-12-13 15:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-01-27 19:46 - 2015-12-13 14:29 - 00000000 ____D C:\ProgramData\NVIDIA
2017-01-27 19:44 - 2015-10-30 01:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2017-01-27 18:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-01-27 17:15 - 2015-10-30 19:18 - 00000000 ____D C:\AdwCleaner
2017-01-27 16:05 - 2015-12-13 14:34 - 00000000 ____D C:\Users\HalfDarkShadow
2017-01-27 14:44 - 2013-02-08 22:44 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-01-27 02:13 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
2017-01-27 02:13 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-01-27 01:42 - 2015-12-13 17:21 - 00000000 ___DC C:\WINDOWS\Panther
2017-01-27 01:42 - 2015-06-26 09:00 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2017-01-27 01:42 - 2015-03-28 22:49 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\TS3Client
2017-01-27 01:42 - 2013-12-01 23:37 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Notepad++
2017-01-27 01:42 - 2012-09-04 18:47 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\uTorrent
2017-01-27 01:41 - 2016-10-01 11:26 - 00000000 ____D C:\WINDOWS\Minidump
2017-01-26 23:20 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\rescache
2017-01-26 23:06 - 2012-09-04 18:29 - 00000000 ____D C:\Program Files (x86)\Steam
2017-01-26 12:50 - 2012-09-04 18:59 - 00000000 ____D C:\ProgramData\Skype
2017-01-26 12:49 - 2015-12-12 19:04 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-01-26 12:28 - 2012-10-17 22:12 - 00000000 ____D C:\ProgramData\AVAST Software
2017-01-24 21:14 - 2016-08-30 20:36 - 00000016 _____ C:\Users\HalfDarkShadow\AppData\Roaming\msregsvv.dll
2017-01-24 21:14 - 2016-08-30 20:36 - 00000016 _____ C:\ProgramData\autobk.inc
2017-01-24 20:34 - 2013-03-08 17:08 - 00000000 ____D C:\Program Files (x86)\ASIO4ALL v2
2017-01-24 20:10 - 2016-11-21 06:31 - 00000000 ___HD C:\$WINDOWS.~BT
2017-01-23 11:24 - 2016-06-14 22:22 - 00000000 ____D C:\Users\HalfDarkShadow\Desktop\[例大祭13][Pizuya's Cell] スウィートジョーカーの偽切札 (v0+jpg)
2017-01-17 18:11 - 2012-09-17 19:40 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Audacity
2017-01-17 17:27 - 2012-12-23 15:48 - 00000000 ____D C:\Program Files (x86)\VstPlugins
2017-01-17 17:18 - 2016-10-25 22:40 - 00001236 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\LINE.lnk
2017-01-17 17:18 - 2016-10-25 22:40 - 00001234 _____ C:\Users\HalfDarkShadow\Desktop\LINE.lnk
2017-01-17 17:18 - 2016-08-30 20:36 - 00001282 _____ C:\Users\HalfDarkShadow\Desktop\Custom Shop.lnk
2017-01-17 17:18 - 2016-06-06 22:19 - 00002024 _____ C:\ProgramData\Microsoft\Windows\Start Menu\SoftEther VPN Client Manager.lnk
2017-01-17 17:18 - 2016-06-06 16:09 - 00001442 _____ C:\Users\HalfDarkShadow\Desktop\PSO2 Tweaker - Shortcut.lnk
2017-01-17 17:18 - 2016-02-24 15:00 - 00001089 _____ C:\Users\HalfDarkShadow\Desktop\Pimsleur Japanese complete - Shortcut.lnk
2017-01-17 17:18 - 2016-01-06 21:10 - 00002079 _____ C:\Users\Public\Desktop\InputMapper.lnk
2017-01-17 17:18 - 2015-12-13 14:46 - 00001507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-01-17 17:18 - 2015-10-30 02:19 - 00002425 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk
2017-01-17 17:18 - 2015-10-30 02:19 - 00002289 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PrintDialog.lnk
2017-01-17 17:18 - 2015-10-30 02:19 - 00002287 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Devices Flow.lnk
2017-01-17 17:18 - 2015-10-30 02:18 - 00000853 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Desktop.lnk
2017-01-17 17:18 - 2015-10-30 02:17 - 00002313 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MiracastView.lnk
2017-01-17 17:18 - 2015-08-26 22:19 - 00002080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Evolve.lnk
2017-01-17 17:18 - 2015-07-30 07:17 - 00002388 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-01-17 17:18 - 2015-07-30 07:06 - 00001023 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Optional Features.lnk
2017-01-17 17:18 - 2015-06-28 22:04 - 00000915 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\osu!.lnk
2017-01-17 17:18 - 2014-05-31 20:38 - 00001016 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PPSSPP.lnk
2017-01-17 17:18 - 2014-02-04 21:41 - 00001159 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MusicBrainz Picard.lnk
2017-01-17 17:18 - 2014-01-21 20:06 - 00001758 _____ C:\Users\HalfDarkShadow\Desktop\Freeware Games.lnk
2017-01-17 17:18 - 2014-01-21 20:06 - 00001123 _____ C:\Users\HalfDarkShadow\Desktop\Sonic and Knuckles 3.lnk
2017-01-17 17:18 - 2013-10-19 22:18 - 00002036 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pokemon Showdown.lnk
2017-01-17 17:18 - 2013-10-09 00:01 - 00001031 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\HeroesGo.lnk
2017-01-17 17:18 - 2013-07-15 17:05 - 00001267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Content Manager Assistant for PlayStation®.lnk
2017-01-17 17:18 - 2013-03-03 23:12 - 00001031 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\RaidCall.lnk
2017-01-17 17:18 - 2012-11-21 00:59 - 00002453 _____ C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlanetSide 2.lnk
2017-01-17 17:18 - 2012-10-29 02:23 - 00000951 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anki.lnk
2017-01-17 17:18 - 2012-10-28 21:58 - 00000913 _____ C:\Users\HalfDarkShadow\Desktop\cmvs32 - Shortcut.lnk
2017-01-17 17:18 - 2012-10-20 11:58 - 00001738 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rainmeter.lnk
2017-01-17 17:18 - 2012-10-17 20:35 - 00000981 _____ C:\ProgramData\Microsoft\Windows\Start Menu\WinRAR.lnk
2017-01-17 17:18 - 2012-10-11 14:57 - 00001518 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
2017-01-17 17:18 - 2012-10-09 16:01 - 00001226 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe After Effects CS6.lnk
2017-01-17 17:18 - 2012-10-09 16:00 - 00001507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS6.lnk
2017-01-17 17:18 - 2012-10-09 16:00 - 00001069 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6 (64bit).lnk
2017-01-17 17:18 - 2012-10-09 15:59 - 00001122 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Media Encoder CS6.lnk
2017-01-17 17:18 - 2012-10-09 15:34 - 00001031 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Download Assistant.lnk
2017-01-17 17:18 - 2012-09-22 11:43 - 00001233 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Audition CS6.lnk
2017-01-17 17:18 - 2012-09-22 11:42 - 00000985 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Help.lnk
2017-01-17 17:18 - 2012-09-17 19:40 - 00001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2017-01-17 17:18 - 2012-09-04 22:22 - 00002474 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk
2017-01-17 17:18 - 2012-09-04 22:22 - 00001362 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2017-01-17 17:18 - 2012-09-04 22:22 - 00001293 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2017-01-17 17:18 - 2012-09-04 18:02 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2017-01-17 17:06 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\addins
2017-01-17 13:30 - 2014-08-16 20:52 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Supraball
2017-01-17 13:30 - 2014-08-16 20:50 - 00000000 ____D C:\Program Files (x86)\Supraball
2017-01-17 13:30 - 2012-09-04 18:49 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2017-01-17 13:29 - 2016-12-13 01:57 - 00002381 ____R C:\Users\HalfDarkShadow\Desktop\gbf-rаidfindеr.lnk
2017-01-17 13:29 - 2014-07-09 19:46 - 00003193 ____R C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
2017-01-17 13:19 - 2012-09-19 22:23 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Adobe
2017-01-16 18:57 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\oobe
2017-01-13 01:03 - 2014-09-01 16:00 - 00000000 ____D C:\Users\HalfDarkShadow\Documents\a freeware games
2017-01-12 16:31 - 2015-10-23 22:48 - 00000513 _____ C:\Users\HalfDarkShadow\Documents\Backup-codes-kevin.eatatkevs.txt
2017-01-12 01:00 - 2013-07-23 23:23 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-01-12 00:49 - 2012-09-04 17:09 - 135657872 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-01-12 00:48 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-01-11 23:28 - 2015-12-13 14:29 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2017-01-11 23:28 - 2015-12-13 14:29 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2017-01-11 23:28 - 2015-12-13 14:29 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2017-01-11 23:28 - 2012-09-04 18:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2017-01-11 11:32 - 2015-09-15 00:17 - 00000000 ____D C:\Users\HalfDarkShadow\AppData\Roaming\Mp3tag
2017-01-11 11:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-01-11 11:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\Macromed
 
==================== Files in the root of some directories =======
 
2012-10-29 01:29 - 2010-01-15 09:36 - 0075040 _____ () C:\Program Files (x86)\Common Files\SpeechUninstall.exe
2017-01-17 17:30 - 2017-01-17 17:30 - 0000033 _____ () C:\Users\HalfDarkShadow\AppData\Roaming\.pgbiasfx
2017-01-17 13:30 - 2017-01-17 13:30 - 0140288 _____ () C:\Users\HalfDarkShadow\AppData\Roaming\Installer.dat
2016-08-30 20:36 - 2017-01-24 21:14 - 0000016 _____ () C:\Users\HalfDarkShadow\AppData\Roaming\msregsvv.dll
2015-03-18 17:57 - 2015-03-18 17:57 - 0001456 _____ () C:\Users\HalfDarkShadow\AppData\Local\Adobe Save for Web 13.0 Prefs
2013-11-25 23:48 - 2013-11-26 11:53 - 0005632 _____ () C:\Users\HalfDarkShadow\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-06-06 15:58 - 2016-06-06 16:06 - 0000600 _____ () C:\Users\HalfDarkShadow\AppData\Local\PUTTY.RND
2015-10-09 23:39 - 2015-10-09 23:39 - 0007605 _____ () C:\Users\HalfDarkShadow\AppData\Local\Resmon.ResmonCfg
2008-02-05 13:28 - 2008-02-05 13:28 - 0000051 _____ () C:\Users\HalfDarkShadow\AppData\Local\setup.txt
2016-08-30 20:36 - 2017-01-24 21:14 - 0000016 _____ () C:\ProgramData\autobk.inc
2015-12-13 14:30 - 2015-12-13 14:30 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-01-02 21:38 - 2014-11-03 21:38 - 0000032 ____R () C:\ProgramData\hash.dat
 
Files to move or delete:
====================
C:\ProgramData\hash.dat
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-27 16:27
 
==================== End of FRST.txt ============================

Thank you so much for any help I can get, and feel free to let me know if there is any additional information you would need.

Edited by HalfDarkShadow, 27 January 2017 - 10:57 PM.
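
The two Start Menu and Desktop shortcut entries dated 2017-01-17 13:29 in the log above are the part of this FRST output a responder would look at first: "Gооglе Сhrоmе.lnk" and "gbf-rаidfindеr.lnk" are spelled with Cyrillic letters that render like Latin ones, so a tampered shortcut sits next to the genuine "Google Chrome.lnk" without standing out. The following Python script is an added example, not part of the original post and not a FRST or BleepingComputer tool: it parses FRST file entries and flags names that mix Latin letters with Cyrillic or Greek look-alikes. It also carries a small helper that reverses the cp1252-over-Shift-JIS mojibake of the kind seen in the Installed Programs name Phil asks about in post #5. The sample lines are copied from the log; the exact Cyrillic code points in the shortcut names are an assumption written as escapes, and the mojibake string is reconstructed from the bytes the page's rendering implies.

```python
import re
import unicodedata

# Constructed sample: four entries copied from the log above. The two shortcut
# names are written with explicit escapes for the Cyrillic letters they contain
# (assumed code points; the page renders them as Latin look-alikes).
SAMPLE_FRST_LINES = [
    "2017-01-17 13:29 - 2016-12-13 01:57 - 00002381 ____R "
    "C:\\Users\\HalfDarkShadow\\Desktop\\gbf-r\u0430idfind\u0435r.lnk",
    "2017-01-17 13:29 - 2014-07-09 19:46 - 00003193 ____R "
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\"
    "G\u043e\u043egl\u0435 \u0421hr\u043em\u0435.lnk",
    "2017-01-17 13:30 - 2012-09-04 18:49 - 00000000 ____D "
    "C:\\Users\\HalfDarkShadow\\AppData\\Roaming\\Microsoft\\Windows\\"
    "Start Menu\\Programs\\Google Chrome",
    "2017-01-27 20:53 - 2017-01-27 20:53 - 00002304 _____ "
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk",
]

# One FRST file entry: modified - created - size attrs [(company)] path
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

# Scripts whose letters have near-identical Latin glyphs; Japanese names that
# mix katakana with Latin (common in this log) are deliberately not flagged.
CONFUSABLE = {"CYRILLIC", "GREEK"}


def parse_frst_line(line):
    """Split one FRST file entry into its fields; None if the line is not one."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    entry["name"] = entry["path"].rsplit("\\", 1)[-1]
    return entry


def scripts_of(text):
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in text if ch.isalpha()}


def homoglyph_suspect(name):
    """True when a name mixes Latin letters with Cyrillic or Greek look-alikes."""
    scripts = scripts_of(name)
    return "LATIN" in scripts and bool(scripts & CONFUSABLE)


def triage(lines):
    """Return the parsed entries whose file name looks like a homoglyph spoof."""
    flagged = []
    for line in lines:
        entry = parse_frst_line(line)
        if entry is None:
            continue
        if homoglyph_suspect(entry["name"]):
            entry["reason"] = "mixed-script name: " + ", ".join(sorted(scripts_of(entry["name"])))
            flagged.append(entry)
    return flagged


def demojibake(text, wrong="cp1252", right="shift_jis"):
    """Recover a name that was shown through the wrong single-byte code page.
    Characters that do not exist in cp1252 are sent back as their UTF-8 bytes,
    which is what a second (UTF-8) round of mis-decoding leaves behind."""
    raw = bytearray()
    for ch in text:
        try:
            raw += ch.encode(wrong)
        except UnicodeEncodeError:
            raw += ch.encode("utf-8")
    return bytes(raw).decode(right, errors="replace")


# Reconstructed from the garbled program name quoted in post #5 (assumption:
# a Shift-JIS name displayed as cp1252, with one UTF-8 artefact in the middle).
MOJIBAKE_NAME = "\u201a\u00b5\u201a\u00a0\u201a\ud0b9\u2030\u00c6\u2018\u00b0\u2022\u201d"

if __name__ == "__main__":
    for e in triage(SAMPLE_FRST_LINES):
        print(f"{e['modified']}  {e['attrs']}  {e['path']}  <- {e['reason']}")
    print("decoded program name:", demojibake(MOJIBAKE_NAME))
```

Run it against the full FRST.txt by reading the file line by line and passing the lines to triage(); anything it flags should be cross-checked against the shortcut's Target field, since a spoofed Chrome shortcut usually launches the real chrome.exe with extra arguments. The mojibake helper is only a reading aid for the uninstall step; it does not change anything on disk.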


#2 HalfDarkShadow (Topic Starter)

Posted 28 January 2017 - 07:48 PM

Just for a quick update: today I haven't been able to replicate the adware issue. What I mean is that on the certain sites where it was happening, it is just not appearing. All I've done since yesterday is put my desktop into sleep mode.

The only thing now is that I noticed the pages take longer to load and/or respond. Specifically, what holds everything up are the legitimate ads on the site. For example, let's say I go onto youtube.com and play a video; if I click anywhere else to go (i.e. click to watch another video, go back to the home page), it would load the page, but the sound from whatever video was playing prior would still be playing, and I can't really click anything else until the ads load up properly. With the Avast browser extension and Adblock Plus enabled, every website loads up normally. When I look at what's being blocked (in Adblock, and when inspecting via CTRL+SHIFT+J) and at what Avast's tracking picks up, I'm not seeing anything out of the ordinary, or the usual culprits from the other night.

So I have no idea what's going on there.

Lastly, those two cmd.exe still come up, though a lot less frequently, but it's still an issue that, as I mentioned in the original post, only started happening when my desktop became infected with malware.

That's all I wanted to mention regarding those bits, though I'm not sure if it really helps anyway (I'm just following the preparation guide link to be as specific as possible / to explain what exactly happens with my computer).

Thanks again!

Edited by HalfDarkShadow, 28 January 2017 - 07:49 PM.

#3 garioch7 (RCMP Veteran), Malware Response Instructor, Port Hood, Nova Scotia, Canada

Posted 01 February 2017 - 01:05 PM

HalfDarkShadow:

 

:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I would like to address you by your first name, if that is alright with you, since we will be working together.
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I will need some time to review your FRST logs.  That will take a day or two.  This Forum is quite busy and I apologize for the delay in your topic being picked up.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#4 HalfDarkShadow (Topic Starter)

Posted 01 February 2017 - 04:31 PM

Thank you very much for the time! My name is Kevin by the by, so feel free to address me as such!

Unfortunately, since I originally made this post there has been one scan (Malwarebytes is automatically set by default to do a scheduled scan in the middle of the night, and that ran a few nights ago).

Would I need to create another FRST logs file again?

Feel free to let me know if there's anything else you need, and I deeply apologize for the inconvenience again.

Edited by HalfDarkShadow, 01 February 2017 - 04:33 PM.


#5 garioch7 (RCMP Veteran), Malware Response Instructor, Port Hood, Nova Scotia, Canada

Posted 02 February 2017 - 06:43 AM

HalfDarkShadow:

Thank you for your post. I am still analyzing your FRST logs, but based on my analysis so far, I do have some questions for you.

First though, don't be concerned about the scheduled MBAM scan, UNLESS it detected something and removed it. If so, please copy and paste the MBAM scan log into your next reply.

I do prefer that all logs be copied and pasted into replies. It makes it easier, and faster, for me.

.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

:step1: If you haven't configured and turned on the Windows 10 System Restore Points, please do so now. Instructions can be found at this link.

.

:step2: Do you recognize this program, in your list of Installed Programs in the Addition.txt file?
 

‚µ‚ ‚킹‰Æ‘°•” (HKLM\...\‚µ‚ ‚킹‰Æ‘°•”) (Version: - )


If not, please go to the Control Panel, Add/Remove Programs, and uninstall it.

.

:step3: You have Akamai Netsession installed on your computer. You should review the information at this link and decide whether you want to keep it. If not, please uninstall it.

.

:step4: You should consider disabling and removing the Avast Firefox extensions: "Safe Price" and "Web Reputation". See this link for more information.

.

:step5: Is there a reason that you are still running an older version of Windows 10? You are running Build 1511. The newest build is 1607, and it has been around for almost six months.
Please do not update to that build until we finish disinfecting your computer, but I am curious as to why you are running an older version of Windows 10 Pro x64?

.

:step6: In going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

 

:step7: So in your reply, please ...

 

  1. Provide the MBAM scan log, if any malware was detected and removed.
  2. Tell me whether you have turned on System Restore Points?
  3. Tell me whether you recognize the program I asked about, and did you try to uninstall it?  Was the uninstall successful?
  4. Tell me whether you uninstalled Akamai Netsession or want to keep it?
  5. Tell me whether you decided to keep, or uninstall, the Firefox browser extensions that I identified?
  6. Explain to me why you are running an older version of Windows 10?
  7. Do you intend to keep using P2P software; or, did you uninstall uTorrent?

 

.

 

I hope to finish analyzing your FRST logs in the next day or two.  Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#6 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:10:34 AM

Posted 02 February 2017 - 02:14 PM

HalfDarkShadow:

 

Just an unhappy update.  I had hoped to complete analyzing your FRST logs this afternoon, but we just got power back.  It went out about 10:00 and came back just a few minutes ago.  I live in rural Cape Breton, Nova Scotia, Canada, and the reliability of the power can be an issue.  Today, the outage was allegedly caused by "planned maintenance".

 

I hope to get your logs analyzed by tomorrow, at the latest.  Unfortunately, I also have other things on the go, so I am really busy right now, but I will do my best.  "Real life" gets in the way of my malware-eradication career! :smash:

 

Thank you for your patience.

 

Have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:10:34 AM

Posted 03 February 2017 - 02:16 PM

HalfDarkShadow:

Thank you for your patience while I analyzed your FRST logs. My analysis is complete, but I would like to get answers to the questions below, in addition to the answers that I previously requested in this post.

.

:step1: I have some more questions:

  • Did you install the RaidCall plug-in in Firefox? If not, and you don't remember installing it, please uninstall it. It is a Potentially Unwanted Program (PUP) often bundled with other software downloads.
  • Do you know anything about this Desktop folder: C:\Users\HalfDarkShadow\Desktop\[???13][Pizuya's Cell] ?????????????? (v0+jpg)
  • Do you recognize this program listed as last in the Addition.txt as an installed program on your computer: ??????? (HKLM\...\???????) (Version: - )

.

Once I get answers to my questions, I will be able to finalize my FRST fixlist.txt file for your computer and begin to move forward to disinfect your computer.

 

Awaiting your responses.  Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#8 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:10:34 AM

Posted 04 February 2017 - 11:56 AM

Kevin:

 

Thank you for permission to address you by your first name.  Do you still require assistance?  It has been three days since you last posted.

 

According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#9 HalfDarkShadow

HalfDarkShadow
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:34 AM

Posted 04 February 2017 - 08:58 PM

HalfDarkShadow:

Thank you for your post. I am still analyzing your FRST logs, but based on my analysis, so far, I do have some questions for you.

First though, don't be concerned about the scheduled MBAM scan, UNLESS it detected something and removed it. If so, please copy and paste the MBAM scan log into your next reply.

I do prefer that all logs be copied and pasted into replies. It makes it easier, and faster, for me.

 
Thank you so much for all the help again I truly appreciate the time!
The scan at the time, and it did remove tons of Hijack.HostFile it was detecting (even when I was letting Malwarebytes do full scans when everything started happening, it did consistently pick up 92 to 140 Hijack.HostFile files. I couldn't find much about it online other than it may be dangerous or a false positive?).

 

I'll paste that scan here:

 
-Log Details-
Scan Date: 1/31/17
Scan Time: 7:19 PM
Logfile: MBAM Report Scan 1-31-17.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1145
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 480492
Time Elapsed: 30 min, 30 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Disabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 148
Hijack.HostFile, C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS, Replaced, [212], [363651],1.0.1145
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
I'll continue your responses in the next reply to make it a bit easier!
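The scan log above reports 148 separate Hijack.HostFile hits on the one file C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS, which is what a scanner produces when it counts each suspicious line in the hosts file as its own detection. As an added example (not from this thread and not Malwarebytes' own logic), the Python script below audits a hosts file the same way: it separates benign sinkhole lines (0.0.0.0 / 127.0.0.1 entries, typical of ad-blocking hosts lists and a common source of large false-positive counts) from entries that sinkhole a security vendor's domain or redirect a name to a routable address, which are the genuinely hostile cases. The sample hosts content, the vendor-name hints and the .example domains are constructed for the example.

```python
"""Audit a Windows hosts file for hijack-style entries (added example)."""
import ipaddress
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Path of the file the scan log reports on Windows; any saved copy can be passed instead.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Names a stock hosts file legitimately maps to the loopback address.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Substrings of security-vendor / update domains (constructed list for this example).
# Sinkholing one of these is how some malware blocks antivirus updates.
SECURITY_VENDOR_HINTS = ("avast", "eset", "malwarebytes", "windowsupdate", "microsoft")


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    category: str  # sinkhole | vendor_sinkholed | redirect | unparseable


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for every active entry.

    Comments ('#' to end of line) and blank lines are skipped just as the resolver
    skips them, so an entry hidden after hundreds of blank lines is still examined.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield n, fields[0], fields[1:]


def classify(address: str, hostname: str) -> str:
    """Return the finding category for one address/hostname pair, '' if it is a default entry."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable"  # a resolver ignores it, but it does not belong there
    name = hostname.lower()
    if ip.is_loopback or ip.is_unspecified:
        if name in DEFAULT_LOOPBACK_NAMES:
            return ""
        if any(hint in name for hint in SECURITY_VENDOR_HINTS):
            return "vendor_sinkholed"
        # Ad-blocking hosts lists add thousands of these; usually benign, but each
        # one is a line a scanner may count as a separate hit.
        return "sinkhole"
    # A hostname pointed at a routable address: the classic hosts-file hijack.
    return "redirect"


def audit_hosts(text: str) -> List[Finding]:
    """Classify every non-default entry in the given hosts-file text."""
    findings: List[Finding] = []
    for n, address, names in parse_hosts(text):
        for name in names:
            category = classify(address, name)
            if category:
                findings.append(Finding(n, address, name, category))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category; the totals are what a scan report would show."""
    return dict(Counter(f.category for f in findings))


# Constructed sample hosts file for this example (not the poster's real file).
SAMPLE_HOSTS = """\
# Constructed sample for the audit example.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example          # ad-block style sinkhole
0.0.0.0         banner.tracker.example
127.0.0.1       files.avast.example          # vendor update server sinkholed
203.0.113.45    www.search.example           # routable address: redirect
not-an-ip       odd.example
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    findings = audit_hosts(text)
    for f in findings:
        print(f"line {f.line_no:>4}  {f.category:<17} {f.address:<16} {f.hostname}")
    print(summarize(findings))
```

Run it with the path to a copy of the hosts file as the only argument to audit a real system; with no argument it audits the constructed sample.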


#10 HalfDarkShadow

HalfDarkShadow
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:34 AM

Posted 04 February 2017 - 09:28 PM

OK, let's get started ...

.

:step1: If you haven't configured and turned on the Windows 10 System Restore Points, please do so now. Instructions can be found at this link.
        I just finished enabling/creating it.
.

:step2: Do you recognize this program, in your list of Installed Programs in the Addition.txt file?
 

‚µ‚ ‚킹‰Æ‘°•” (HKLM\...\‚µ‚ ‚킹‰Æ‘°•”) (Version: - )


If not, please go to the Control Panel, Add/Remove Programs, and uninstall it.

 

   No worries I figured out what it was. For some reason the .txt file didn't put in the correct characters (しあわせ家族部) but it's safe.

.

:step3: You have Akamai Netsession installed on your computer. You should review the information at this link and decide whether you want to keep it. If not, please uninstall it.
    Finished removing.
.

:step4: You should consider disabling and removing the Avast Firefox extensions: "Safe Price" and "Web Reputation". See this link for more information.
    Removed.
.

:step5: Is there a reason that you are still running an older version of Windows 10? You are running Build 1511. The newest build is 1607, and it has been around for almost six months.
Please do not update to that build until we finish disinfecting your computer, but I am curious as to why you are running an older version of Windows 10 Pro x64?
    Hmm, this is very strange as I wasn't even aware of this. I regularly Update when it's available, so I decided to check via Settings > Update & Security and it was saying I was all caught up. After a few more tries oddly it finally said "Windows Update Available. Featured Update to Windows 10 version 1607." I scheduled it as late as possible and will update when appropriate, after disinfecting.
.

:step6: In going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

 

Removed.
.

 

:step7: So in your reply, please ...

 

  1. Provide the MBAM scan log, if any malware was detected and removed.
  2. Tell me whether you have turned on System Restore Points?
  3. Tell me whether you recognize the program I asked about, and did you try to uninstall it?  Was the uninstall successful?
  4. Tell me whether you uninstalled Akamai Netsession or want to keep it?
  5. Tell me whether you decided to keep, or uninstall, the Firefox browser extensions that I identified?
  6. Explain to me why you are running an older version of Windows 10?
  7. Do you intend to keep using P2P software; or, did you uninstall uTorrent?

 

.

 

I hope to finish analyzing your FRST logs in the next day or two.  Thank you and have a great day.

 

Regards,

-Phil

 

My responses are within the quote bolded.



#11 HalfDarkShadow

HalfDarkShadow
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:34 AM

Posted 04 February 2017 - 09:46 PM

HalfDarkShadow:

Thank you for your patience while I analyzed your FRST logs. My analysis is complete, but I would like to get answers to the questions below, in addition to the answers that I previously requested in this post.

.

:step1: I have some more questions:

  • Did you install the RaidCall plug-in in Firefox? If not, and you don't remember installing it, please uninstall it. It is a Potentially Unwanted Program (PUP) often bundled with other software downloads.

I don't believe I ever did install this or knew about it. Actually, I just realized I don't have Firefox installed. I did maybe over a year ago but nothing at all recently. I'm not even sure where to begin to find these files (I briefly went through my programs folder and Programs and Features (Change or Uninstall) and I couldn't find anything or what I should be looking for specifically).

 

This also applies to the 'Avast Firefox extensions: "Safe Price" and "Web Reputation"' you mentioned from the previous reply. I assumed it was Chrome's extension (which I did remove) but anything related to Firefox I have no idea.

  • Do you know anything about this Desktop folder: C:\Users\HalfDarkShadow\Desktop\[???13][Pizuya's Cell] ?????????????? (v0+jpg)

   This is also safe. It's just music files from a CD I own ([例大祭13][Pizuya's Cell] スウィートジョーカーの偽切札 (v0+jpg)). Just like the reply before, the .txt file seemed to not put in the characters in correctly.

  • Do you recognize this program listed as last in the Addition.txt as an installed program on your computer: ??????? (HKLM\...\???????) (Version: - )

    This is safe as well previously mentioned in the earlier reply.

Once I get answers to my questions, I will be able to finalize my FRST fixlist.txt file for your computer and begin to move forward to disinfect your computer.

 

Awaiting your responses.  Thank you and have a great day.

 

Regards,

-Phil

 

My responses are within the quote above.

 

 

Kevin:

 

Thank you for permission to address you by your first name.  Do you still require assistance?  It has been three days since you last posted.

 

According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil

 

 

I apologize for the late reply again. I meant to respond much earlier, but unfortunately other obligations get in the way :P

You can probably guess from the recent replies I'd still require some assistance if it isn't too much trouble.

 

Edit: Before I forget, nothing else has changed regarding the state of my computer. I still get these 2 cmd.exe files every few minutes or so, but they only stay up for maybe a second before they disappear. They're stacked on top of each other so only the first one is visible, but it doesn't seem to load any text in time before it closes. Beyond that, there have been no other scans or anything like that.

 

Thanks again!

 - Kevin


Edited by HalfDarkShadow, 04 February 2017 - 09:55 PM.


#12 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:10:34 AM

Posted 05 February 2017 - 07:12 AM

Kevin:

Thank you for your responses to my questions. That is important information for me to have. Interesting about Firefox not being installed currently. I am also going to go after any remnants of Akamai Netsession that might have survived the uninstall.

Thank you for holding off the Windows update - that would just add more confusion at this time. We will do the update to Build 1607, once we have sorted out your computer.

.

:step1: Please run a FRST "Fix" for me.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the folder: C:\Users\HalfDarkShadow\Downloads.

NOTE: It is important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

CreateRestorePoint:
CloseProcesses:

(Akamai Technologies, Inc.) C:\Users\HalfDarkShadow\AppData\Local\Akamai\netsession_win.exe
C:\Users\HalfDarkShadow\AppData\Local\Akamai
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...\Run: [Akamai NetSession Interface] => C:\Users\HalfDarkShadow\AppData\Local\Akamai\netsession_win.exe [4440896 2012-08-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-22681376-1415523870-3786703371-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO-x32: No Name -> {3C6301ED-0F78-4AF2-8150-D9C052361A8E} -> No File
Toolbar: HKLM-x32 - No Name - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} -  No File
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2017-01-26]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2017-01-26]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
File: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
File: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\HalfDarkShadow\AppData\Roaming\raidcall\plugins\nprcplugin.dll [2013-02-05] (Raidcall)
U3 idsvc; no ImagePath
File: C:\Users\HalfDarkShadow\Downloads\BIAS_FX_Windows64bit_v1_4_3_2063.msi
File: C:\WINDOWS\aebfadb84e4bad417a9124f99a60a3c7.exe
File: C:\Users\HalfDarkShadow\Downloads\WITS-1.1-all.zip
Folder: C:\Users\HalfDarkShadow\Desktop\[???13][Pizuya's Cell] ?????????????? (v0+jpg)
File: C:\Users\HalfDarkShadow\AppData\Roaming\.pgbiasfx
CMD: type C:\Users\HalfDarkShadow\AppData\Roaming\.pgbiasfx
C:\ProgramData\hash.dat
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\HalfDarkShadow\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{087B3AE3-E237-4467-B8DB-5A38AB959AC9}\InprocServer32 -> C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\HalfDarkShadow\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{3B092F0C-7696-40E3-A80F-68D74DA84210}\InprocServer32 -> C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{63542C48-9552-494A-84F7-73AA6A7C99C1}\InprocServer32 -> C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{7BC0E710-5703-45BE-A29D-5D46D8B39262}\InprocServer32 -> C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\ooofilt_x64.dll => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{AE424E85-F6DF-4910-A6A9-438797986431}\InprocServer32 -> C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\propertyhdl_x64.dll => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\InprocServer32 -> C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll => No File
CustomCLSID: HKU\S-1-5-21-22681376-1415523870-3786703371-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\HalfDarkShadow\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
File: C:\Users\HalfDarkShadow\AppData\Local\SkypePlugin\7.18.0.51\EdgeCalling.exe
Task: {33750546-85A7-4B0D-9CF0-309A1279716A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {33EDF096-050A-4F5B-B686-1EE109E83FBB} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {3A896D6F-9CFE-4545-B1B7-D6A5B18BD841} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {518061D6-38C4-414F-90C3-2A4FF274FF7C} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {548E848A-140E-43B7-9E1E-AA5C2A1D67EB} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {8065E5C5-CBDB-46E4-9B06-DE4E6ED81800} - \{780A0E47-0D7A-0978-7D11-0F0B087F1108} -> No File <==== ATTENTION
Task: {A44C2F2A-5EFC-44CF-9CA0-D96CB97AE613} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A49E5EC6-B924-40B2-BAE6-E0F27E1A1F38} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {A6CDD10D-6B46-45FF-853B-3A092FB8F441} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {DE649AF0-3176-4782-AC5C-482C8B60F51C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E95E89A8-98DF-4F68-9A65-08A93802F498} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {F57551FD-4925-4979-AD1D-CE667DCB177A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Shortcut: C:\Users\HalfDarkShadow\Desktop\gbf-rаidfindеr.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Grаnbluе Fаntаsy.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Аnthuriа - Grаnbluе Fаntаsy Wiki.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\グランブルーファンタジー[СhrоmеАpps版].lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Ехplоrеr.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Intеrnеt Ехplоrеr Вrоwsеr.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\グランブルーファンタジー[СhrоmеАpps版] (1).lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Grаnbluе Fаntаsy.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\HalfDarkShadow\Desktop\[???13][Pizuya's Cell] ?????????????? (v0+jpg)\Gr?nblu? F?nt?sy.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Hosts:
  • Right click FRST64.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log to the Downloads folder (Fixlog.txt). Please copy and paste the contents into your reply.

.

 

Thank you and have a great day.

Regards,
-Phil


Edited by garioch7, 05 February 2017 - 07:16 AM.

Member of the Unified Network of Instructors and Trusted Eliminators
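The Shortcut: entries in the fix above show the pattern behind the hijack: browser shortcuts whose names mix Latin and Cyrillic look-alike letters and whose target is a chrome.bat / iexplore.bat rather than the real browser executable. The following PowerShell is an added triage script, not part of the thread or of FRST; it walks the same shortcut folders the fix lists and reports any .lnk whose name mixes scripts, whose target is a batch or script file, or whose target no longer exists. The folder list and the extension list are assumptions for illustration.

```powershell
# Added example: flag browser shortcuts that look like the hijacked ones in the FRST fix.
# Folders assumed for illustration; they mirror the paths listed in the Shortcut: entries.
$ShortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
)

# WScript.Shell resolves a .lnk to its TargetPath and Arguments.
$shell = New-Object -ComObject WScript.Shell

function Test-MixedScriptName {
    param([string]$Name)
    # A name with both Latin and Cyrillic letters is the homoglyph pattern seen above
    # ("Gооglе Сhrоmе", "Intеrnеt Ехplоrеr"): it renders normally but is a different file.
    $hasLatin    = $Name -cmatch '[A-Za-z]'
    $hasCyrillic = $Name -match '\p{IsCyrillic}'
    return ($hasLatin -and $hasCyrillic)
}

function Get-SuspiciousShortcut {
    param([string[]]$Dirs)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk     = $shell.CreateShortcut($_.FullName)
                $target  = $lnk.TargetPath
                $reasons = @()
                if (Test-MixedScriptName $_.BaseName) { $reasons += 'mixed Latin/Cyrillic name' }
                # A browser shortcut should point at an .exe; .bat/.cmd/.vbs/.js targets are a red flag
                if ($target -match '\.(bat|cmd|vbs|js)$') { $reasons += 'target is a script, not an .exe' }
                if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target does not exist' }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $target
                        Arguments = $lnk.Arguments
                        Reasons   = ($reasons -join '; ')
                    }
                }
            }
    }
}

Get-SuspiciousShortcut -Dirs $ShortcutDirs | Format-Table -AutoSize -Wrap
```

The Arguments column is worth reading for each hit, since a replaced shortcut typically carries the launch arguments that make the real browser open the unwanted page; the script only reports, it deletes nothing.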


#13 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:10:34 AM

Posted 08 February 2017 - 07:02 AM

Kevin:

 

Are you still there?  Do you still require assistance?  It has been three days since I last posted to you.
 
According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#14 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:10:34 AM

Posted 10 February 2017 - 05:49 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Member of the Unified Network of Instructors and Trusted Eliminators




