
sso.anbtr redirect in chrome and IE, please help, CAN'T BROWSE


  • This topic is locked
11 replies to this topic

#1 Jason B

Jason B

  • Members
  • 66 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 17 February 2017 - 07:34 PM

https://www.google.com/search?q=sso.anbtr.com+might+attempt+to+install&biw=1540&bih=990&source=lnms&tbm=isch&sa=X&ved=0ahUKEwic95qHrZjSAhVMxoMKHQ6DDsQQ_AUICigF#tbm=isch&q=sso.anbtr.com&imgrc=bpyevlW1eHTc4M:

sso.anbtr


I'm getting this redirect in Chrome and IE and it's driving me nuts! http://sso.anbtr.com/domain/
Please tell me the best tool to fix this.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,548 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:32 PM

Posted 19 February 2017 - 11:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

===

If you can somehow download this tool with another computer, copy the file to the Desktop of the compromised computer and run it as suggested.

#3 Jason B

Jason B
  • Topic Starter
  • Members
  • 66 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 19 February 2017 - 12:01 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-02-2017 01
Ran by Jason (administrator) on JASON-PC (19-02-2017 11:57:34)
Running from C:\Users\Jason\Desktop
Loaded Profiles: Jason (Available Profiles: Jason)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe
(arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(X10) C:\Program Files (x86)\Common Files\X10\Common\X10nets.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Apple Inc.) D:\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Spotify Ltd) C:\Users\Jason\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
(Melloware Inc) C:\Program Files (x86)\Melloware\X10Commander\X10Commander.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Python Software Foundation) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex DLNA Server.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Jason\Desktop\FRST64 (1).exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [iTunesHelper] => D:\iTunes\iTunesHelper.exe [176952 2016-03-19] (Apple Inc.)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-06-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [5915776 2016-03-21] (Safer-Networking Ltd.)
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Run: [Spotify Web Helper] => C:\Users\Jason\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2018360 2015-09-08] (Spotify Ltd)
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Run: [uTorrent] => C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe [2143936 2017-02-14] (BitTorrent Inc.)
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [13082608 2016-12-15] (Plex, Inc.)
HKU\S-1-5-18\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [13082608 2016-12-15] (Plex, Inc.)
HKU\S-1-5-18\...\Run: [KSS] => "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe" autorun
AppInit_DLLs: C:\Windows\Jaksta\AC\x64\jaudcap.dll => C:\Windows\Jaksta\AC\x64\jaudcap.dll [312096 2015-04-24] (Jaksta Technologies Pty Ltd)
AppInit_DLLs-x32: C:\Windows\Jaksta\AC\x86\jaudcap.dll => C:\Windows\Jaksta\AC\x86\jaudcap.dll [264992 2015-04-24] (Jaksta Technologies Pty Ltd)
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\Windows\system32\CbFsMntNtf3.dll [2012-04-09] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\Windows\SysWOW64\CbFsMntNtf3.dll [2012-04-09] (EldoS Corporation)
Startup: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X10 Commander.lnk [2017-02-17]
ShortcutTarget: X10 Commander.lnk -> C:\Program Files (x86)\Melloware\X10Commander\X10Commander.exe (Melloware Inc)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
AutoConfigURL: [S-1-5-21-1011703464-4262661669-2174859873-1000] => hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5AE6F918-F36D-410E-B489-44C90396880E}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
Tcpip\..\Interfaces\{631FAA63-4341-42B2-80C8-CEA12EE16198}: [DhcpNameServer] 192.168.1.1
ManualProxies: 0hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000 -> DefaultScope {C281CEC5-FA42-4B36-9D4B-042B5BB32B6E} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000 -> {C281CEC5-FA42-4B36-9D4B-042B5BB32B6E} URL = hxxps://www.google.com/search?q={searchTerms}
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-10-21] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-10-21] (Oracle Corporation)
DPF: HKLM-x32 {EAA105FE-7BBD-4196-8B96-D46743894195} hxxp://burtman.dyndns.org/plugin/mjpegcontrol.cab
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @samsungsmartcam.com/npwViewer -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib.dll [2016-04-29] (Samsung Techwin)
FF Plugin-x32: @samsungsmartcam.com/npwViewer_turn -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib_turn.dll [2016-04-29] (Samsung Techwin)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)
FF Plugin-x32: samsungtechwin.com/SmartCamFinder -> C:\Program Files (x86)\Samsung\SmartCam\npSmartCamFinder.dll [2016-04-29] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-1011703464-4262661669-2174859873-1000: @samsungsmartcam.com/npwViewer -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib.dll [2016-04-29] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-1011703464-4262661669-2174859873-1000: @samsungsmartcam.com/npwViewer_turn -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib_turn.dll [2016-04-29] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-1011703464-4262661669-2174859873-1000: samsungtechwin.com/SmartCamFinder -> C:\Program Files (x86)\Samsung\SmartCam\npSmartCamFinder.dll [2016-04-29] (Samsung Techwin)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default [2017-02-19]
CHR Extension: (Bitmoji) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfgdeiadkckfbkeigkoncpdieiiefpig [2016-11-24]
CHR Extension: (Adblock Plus) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-28]
CHR Extension: (Adblock for Youtube™) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2017-01-06]
CHR Extension: (Adblock for Youtube) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnhapkppdbakhkophacdmchjgdnjeeki [2015-04-08]
CHR Extension: (Kindle Cloud Reader) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2017-01-14]
CHR Extension: (Adblock ) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmmcjggioimiogfnjfaibdkahkbbmmod [2015-04-20]
CHR Extension: (Adblock Pro) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgadmgamdmljakgklekanjgomphobjlp [2015-04-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-23]
CHR Extension: (Unseen) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\oclokcfejikeggpnhgakanfbdnlafaon [2016-08-03]
CHR Extension: (Chrome Media Router) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-13]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 FileZilla Server; C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe [774656 2015-01-09] (FileZilla Project) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
R2 PlexUpdateService; C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe [1919472 2016-12-15] (Plex, Inc.)
R2 PSI_SVC_2; C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2014-04-30] (arvato digital services llc)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2014-04-30] (arvato digital services llc)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4088608 2016-09-21] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 x10nets; C:\Program Files (x86)\Common Files\X10\Common\X10nets.exe [20480 2010-11-01] (X10) [File not signed]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [352144 2012-04-09] (EldoS Corporation)
R3 jakstaVA; C:\Windows\System32\DRIVERS\jaksta_va.sys [103816 2014-12-08] (e2eSoft)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R3 tpg64win7; C:\Windows\System32\DRIVERS\tpg64win7.sys [648808 2012-02-22] (TP-LINK TECHNOLOGIES CO., LTD)
R3 XUIF; C:\Windows\System32\Drivers\x10ufx2.sys [32792 2009-05-13] (X10 Wireless Technology, Inc.)
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-19 11:57 - 2017-02-19 11:57 - 00016376 _____ C:\Users\Jason\Desktop\FRST.txt
2017-02-19 11:56 - 2017-02-19 11:56 - 02422784 _____ (Farbar) C:\Users\Jason\Desktop\FRST64 (1).exe
2017-02-19 06:14 - 2017-02-19 06:14 - 00002121 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2017-02-19 06:14 - 2017-02-19 06:14 - 00000000 ____D C:\Program Files\Microsoft Security Client
2017-02-19 06:14 - 2017-02-19 06:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2017-02-18 22:33 - 2017-02-18 22:33 - 00000000 ____D C:\ProgramData\Sophos
2017-02-18 22:32 - 2017-02-18 22:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2017-02-18 22:32 - 2017-02-18 22:32 - 00000000 ____D C:\Program Files (x86)\Sophos
2017-02-18 22:30 - 2017-02-18 22:30 - 00004073 _____ C:\Users\Jason\Desktop\JRT.txt
2017-02-18 15:22 - 2017-02-18 22:09 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2017-02-18 15:22 - 2017-02-18 22:09 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2017-02-17 23:00 - 2017-02-17 23:01 - 00002040 _____ C:\Users\Jason\Desktop\Rkill.txt
2017-02-17 22:02 - 2017-02-17 22:23 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-02-17 22:00 - 2017-02-17 22:23 - 00000000 ____D C:\Users\Jason\Desktop\mbar
2017-02-17 21:39 - 2017-02-18 22:31 - 00000000 ____D C:\Users\Jason\Desktop\virus stuff txt
2017-02-17 19:31 - 2017-02-18 21:58 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2017-02-17 18:28 - 2017-02-17 21:59 - 00001737 _____ C:\Users\Public\Desktop\Download Hitman Pro 3.7...lnk
2017-02-17 16:23 - 2017-02-17 18:01 - 00033545 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-02-17 16:23 - 2017-02-17 18:01 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-02-17 16:23 - 2017-02-17 16:26 - 00004731 _____ C:\Windows\ZAM.krnl.trace
2017-02-17 16:23 - 2017-02-17 16:23 - 00000000 ____D C:\Users\Jason\AppData\Local\Zemana
2017-01-30 02:00 - 2017-01-30 02:00 - 00003164 _____ C:\Users\Jason\Desktop\rose.tif
2017-01-20 12:28 - 2017-01-20 12:28 - 00000000 ____D C:\ProgramData\Protexis
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-19 11:57 - 2015-05-05 12:43 - 00000000 ____D C:\FRST
2017-02-19 11:50 - 2014-05-13 11:11 - 00000000 ____D C:\Users\Jason\AppData\Roaming\vlc
2017-02-19 06:43 - 2014-10-02 18:15 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-19 06:42 - 2009-07-13 23:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-19 06:42 - 2009-07-13 23:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-19 06:40 - 2009-07-14 00:13 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-19 06:40 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2017-02-19 06:35 - 2014-05-09 16:27 - 00000000 ____D C:\Users\Jason\AppData\Roaming\uTorrent
2017-02-19 06:33 - 2016-01-22 20:04 - 00000000 ____D C:\Program Files\Common Files\AV
2017-02-19 06:33 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-19 06:30 - 2014-05-09 14:02 - 00007602 _____ C:\Users\Jason\AppData\Local\Resmon.ResmonCfg
2017-02-19 06:14 - 2014-05-09 12:55 - 00001945 _____ C:\Windows\epplauncher.mif
2017-02-19 02:47 - 2014-05-07 23:06 - 00000000 ____D C:\Users\Jason\AppData\Local\ElevatedDiagnostics
2017-02-18 22:28 - 2016-06-15 02:35 - 00000000 ____D C:\Users\Jason\AppData\Local\PlutoTV
2017-02-18 22:23 - 2015-02-11 13:19 - 00000000 ____D C:\AdwCleaner
2017-02-17 22:01 - 2014-10-02 18:15 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-02-17 21:59 - 2016-12-30 12:11 - 00001126 _____ C:\Users\Jason\Desktop\psp.exe - Shortcut (2).lnk
2017-02-17 21:59 - 2016-12-29 20:19 - 00001134 _____ C:\Users\Jason\Desktop\psp.exe - Shortcut.lnk
2017-02-17 21:59 - 2016-10-28 00:39 - 00000997 _____ C:\Users\Jason\Desktop\Downloads - Shortcut (2).lnk
2017-02-17 21:59 - 2016-10-27 19:40 - 00001087 _____ C:\Users\Public\Desktop\Cute Video Cutter Free Version.lnk
2017-02-17 21:59 - 2016-06-14 01:51 - 00002561 _____ C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2017-02-17 21:59 - 2016-01-21 13:15 - 00001212 _____ C:\Users\Public\Desktop\Free Video Cutter Joiner.lnk
2017-02-17 21:59 - 2015-11-23 12:14 - 00000359 _____ C:\Users\Jason\Desktop\Recycle Bin - Shortcut.lnk
2017-02-17 21:59 - 2015-09-21 20:08 - 00001078 _____ C:\Users\Jason\Desktop\Tenorshare Reiboot.lnk
2017-02-17 21:59 - 2015-09-08 14:01 - 00001115 _____ C:\Users\Public\Desktop\iMazing.lnk
2017-02-17 21:59 - 2015-04-25 03:59 - 00001247 _____ C:\Users\Public\Desktop\Any Video to DVD Converter and Burner.lnk
2017-02-17 21:59 - 2015-04-25 01:09 - 00001303 _____ C:\Users\Public\Desktop\Replay Media Catcher 6.lnk
2017-02-17 21:59 - 2015-04-18 20:37 - 00001777 _____ C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2017-02-17 21:59 - 2015-04-18 20:37 - 00001771 _____ C:\Users\Jason\Desktop\Spotify.lnk
2017-02-17 21:59 - 2015-04-08 22:13 - 00001404 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Advanced PDF Editor.lnk
2017-02-17 21:59 - 2015-04-08 22:13 - 00001386 _____ C:\Users\Public\Desktop\Foxit Advanced PDF Editor.lnk
2017-02-17 21:59 - 2015-03-30 10:41 - 00001243 _____ C:\Users\Jason\Desktop\EUdora.EXE - Shortcut.lnk
2017-02-17 21:59 - 2015-02-22 19:55 - 00001235 _____ C:\Users\Public\Desktop\Ron's Editor.lnk
2017-02-17 21:59 - 2015-02-13 12:03 - 00001068 _____ C:\Users\Public\Desktop\VLC media player.lnk
2017-02-17 21:59 - 2015-02-03 12:38 - 00001399 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2017-02-17 21:59 - 2015-02-03 12:38 - 00001381 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2017-02-17 21:59 - 2015-02-03 12:22 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2017-02-17 21:59 - 2015-01-11 00:35 - 00002085 _____ C:\Users\Public\Desktop\FileZilla Server Interface.lnk
2017-02-17 21:59 - 2014-12-10 14:49 - 00002359 _____ C:\Users\Public\Desktop\Logitech Harmony Remote Software 7.lnk
2017-02-17 21:59 - 2014-10-02 18:15 - 00001104 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2017-02-17 21:59 - 2014-09-16 11:28 - 00001182 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2017-02-17 21:59 - 2014-09-16 11:28 - 00001164 _____ C:\Users\Public\Desktop\TeamViewer 9.lnk
2017-02-17 21:59 - 2014-09-03 15:37 - 00000999 _____ C:\Users\Jason\Desktop\Core FTP LE.lnk
2017-02-17 21:59 - 2014-07-29 11:56 - 00000900 _____ C:\Users\Jason\Desktop\Desktop - Shortcut.lnk
2017-02-17 21:59 - 2014-07-16 18:25 - 00001196 _____ C:\Users\Public\Desktop\TVMOBiLi.lnk
2017-02-17 21:59 - 2014-06-06 11:23 - 00002537 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Excel Viewer.lnk
2017-02-17 21:59 - 2014-05-09 20:53 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2017-02-17 21:59 - 2014-05-09 14:38 - 00000956 _____ C:\Users\Jason\Desktop\Downloads - Shortcut.lnk
2017-02-17 21:59 - 2014-05-09 14:38 - 00000893 _____ C:\Users\Jason\Desktop\Videos - Shortcut.lnk
2017-02-17 21:59 - 2014-05-08 00:25 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2017-02-17 21:59 - 2014-05-08 00:25 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2017-02-17 21:59 - 2014-05-07 22:09 - 00000355 _____ C:\Users\Jason\Desktop\Computer - Shortcut.lnk
2017-02-17 21:59 - 2009-07-14 00:01 - 00001282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
2017-02-17 21:59 - 2009-07-13 23:57 - 00001352 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
2017-02-17 21:59 - 2009-07-13 23:57 - 00001330 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2017-02-17 21:59 - 2009-07-13 23:57 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2017-02-17 21:59 - 2009-07-13 23:54 - 00001210 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2017-02-17 21:59 - 2009-07-13 23:49 - 00001266 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2017-02-17 18:29 - 2016-10-28 02:06 - 00002210 ____R C:\Users\Jason\Desktop\Gооglе Сhrоmе.lnk
2017-02-17 18:29 - 2015-05-12 09:45 - 00002222 ____R C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
2017-02-17 18:29 - 2015-05-12 09:45 - 00002210 ____R C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk
2017-02-17 18:29 - 2014-08-09 10:43 - 00001917 ____R C:\Users\Public\Desktop\iЕхplоrеr.lnk
2017-02-17 18:29 - 2014-08-09 10:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iExplorer
2017-02-17 18:29 - 2014-08-09 10:43 - 00000000 ____D C:\Program Files (x86)\iExplorer
2017-02-17 18:29 - 2014-05-09 13:56 - 00001984 ____R C:\Users\Jason\Desktop\Intеrnеt Ехplоrеr.lnk
2017-02-17 18:29 - 2014-05-07 21:31 - 00002126 ____R C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехplоrеr.lnk
2017-02-17 16:18 - 2009-07-13 23:45 - 00000000 ____D C:\Windows\Setup
2017-02-17 16:17 - 2015-02-03 12:38 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-02-13 11:12 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2017-02-08 12:00 - 2015-01-13 10:20 - 00000000 ____D C:\Users\Jason\AppData\Local\CrashDumps
2017-01-28 20:55 - 2014-05-07 22:49 - 00000000 ____D C:\ProgramData\X10 Settings
2017-01-25 12:39 - 2017-01-12 17:28 - 00000314 _____ C:\Users\Jason\Desktop\2006 Tundra Double Cab SS.txt
2017-01-20 22:03 - 2014-09-03 15:37 - 00000000 ____D C:\Users\Jason\AppData\Roaming\CoreFTP
2017-01-20 03:20 - 2015-03-04 12:06 - 00018187 _____ C:\Users\Jason\Desktop\notes.txt
 
==================== Files in the root of some directories =======
 
2015-02-03 12:49 - 2016-09-23 12:58 - 0151397 _____ () C:\Users\Jason\AppData\Local\ars.cache
2015-02-03 12:49 - 2016-09-23 12:59 - 0806033 _____ () C:\Users\Jason\AppData\Local\census.cache
2014-07-17 00:22 - 2014-07-17 00:22 - 0005632 _____ () C:\Users\Jason\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-02-03 12:25 - 2015-02-03 12:25 - 0000036 _____ () C:\Users\Jason\AppData\Local\housecall.guid.cache
2014-05-09 14:02 - 2017-02-19 06:30 - 0007602 _____ () C:\Users\Jason\AppData\Local\Resmon.ResmonCfg
2015-02-03 12:37 - 2016-09-23 12:44 - 0000010 _____ () C:\Users\Jason\AppData\Local\sponge.last.runtime.cache
 
Some files in TEMP:
====================
2017-02-19 06:47 - 2017-02-17 18:18 - 11581544 _____ (SurfRight B.V.) C:\Users\Jason\AppData\Local\Temp\HitmanPro.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-02-13 01:59
 
==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-02-2017 01
Ran by Jason (19-02-2017 11:58:04)
Running from C:\Users\Jason\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2014-05-08 02:30:00)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1011703464-4262661669-2174859873-500 - Administrator - Disabled)
Guest (S-1-5-21-1011703464-4262661669-2174859873-501 - Limited - Disabled)
Jason (S-1-5-21-1011703464-4262661669-2174859873-1000 - Administrator - Enabled) => C:\Users\Jason
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Spybot - Search and Destroy (Enabled - Up to date) {A16C3F68-9280-E053-1818-342707FECF4D}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\uTorrent) (Version: 3.4.9.43295 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ActiveHome Scripting (HKLM-x32\...\AHSDK) (Version:  - )
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.194 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Any Video to DVD Converter and Burner 5.2.0.3 (HKLM-x32\...\{66712EEE-ECBC-4CA6-A475-any-video-to-dvd}_is1) (Version:  - TopVideoSoft,Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{FE5C2FAA-118D-4509-B51D-3F71CC9E1B3E}) (Version: 4.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{2937FD88-C9D6-4B82-B539-37CD0A572F42}) (Version: 4.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}) (Version: 9.3.0.15 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
ATI Catalyst Install Manager (HKLM\...\{BCC01139-903A-6FC7-3358-85B0AE332601}) (Version: 3.0.829.0 - ATI Technologies, Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Core FTP LE (HKLM-x32\...\CoreFTP) (Version:  - )
Corel PaintShop Pro X9 (HKLM-x32\...\_{998717E5-1031-4D28-A143-48ADAF062E5F}) (Version: 19.1.0.29 - Corel Corporation)
Corel Update Manager (Version: 2.3.129 - Corel corporation) Hidden
Cute Video Cutter 1.6.0.1 (HKLM-x32\...\Cute Video Cutter_is1) (Version:  - )
FileZilla Server (HKLM-x32\...\FileZilla Server) (Version: beta 0.9.49 - FileZilla Project)
Foxit Advanced PDF Editor 3 (HKLM-x32\...\B521582C-6BE3-491D-BCC8-FFB8301298E9_is1) (Version: 3.1.0.0 - Foxit Corporation)
Free Video Cutter Joiner 10.6 (HKLM-x32\...\{8C5A4758-C782-4200-B337-DB3466D33ADD}}_is1) (Version: 10.6 - DVDVideoMedia, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Earth Plug-in (HKLM-x32\...\{57BB4801-61C8-4E74-9672-2160728A461E}) (Version: 7.1.5.1557 - Google)
Google Earth Pro (HKLM-x32\...\{6D5E5B27-D872-4A5F-A1D9-CE681DB7B96A}) (Version: 7.1.7.2606 - Google)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
ICA (x32 Version: 19.1.0.29 - Corel Corporation) Hidden
iExplorer 3.8.3.0 (HKLM-x32\...\{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1) (Version:  - Macroplant LLC)
iMazing 1.2.4.0 (HKLM\...\iMazing_is1) (Version: 1.2.4.0 - DigiDNA)
IPM_PSP_COM64 (Version: 19.1.0.29 - Corel Corporation) Hidden
iTunes (HKLM\...\{A31C5565-90D9-4615-AE13-94D86C3836C7}) (Version: 12.3.3.17 - Apple Inc.)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Logitech Harmony Remote Software 7 (HKLM-x32\...\{5C6F884D-680C-448B-B4C9-22296EE1B206}) (Version: 7.7.0.0 - Logitech)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Excel Viewer (HKLM-x32\...\{95120000-003F-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
Plex Media Server (HKLM-x32\...\{d685b3b4-91da-4364-9e7d-f365a614d42b}) (Version: 1.3.3.3148 - Plex, Inc.)
Plex Media Server (x32 Version: 1.3.3148 - Plex, Inc.) Hidden
Pluto TV version 0.2.0 (HKLM-x32\...\Pluto TV_is1) (Version: 0.2.0 - Pluto TV)
Pluto TV version 0.3.0 (HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Pluto TV_is1) (Version: 0.3.0 - Pluto TV)
PSPPContent (x32 Version: 19.1.0.29 - Corel Corporation) Hidden
PSPPHelp (x32 Version: 19.1.0.29 - Corel Corporation) Hidden
PSPPro64 (Version: 19.1.0.29 - Corel Corporation) Hidden
QuickTime (HKLM-x32\...\{0E64B098-8018-4256-BA23-C316A43AD9B0}) (Version: 7.72.80.56 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6251 - Realtek Semiconductor Corp.)
Remote Control USB Driver (HKLM-x32\...\{8471021C-F529-43DE-84DF-3612E10F58C4}) (Version: 2.3.2.317 - )
Remoteless Helper 2.3.0 (HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Remoteless Helper 2.3.0) (Version:  - )
Replay Media Catcher 6 (6.0.0.70) (HKLM-x32\...\Replay Media Catcher 6) (Version: 6.0.0.70 - Applian Technologies)
Ron's Editor (Remove Only) (HKLM-x32\...\Ron's Editor_is1) (Version:  - )
Setup (x32 Version: 19.1.0.29 - Corel Corporation) Hidden
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.6 - Sophos Limited)
Spotify (HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\Spotify) (Version: 1.0.13.108.gcd94e7db - Spotify AB)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Stopping Plex (x32 Version: 1.3.3148 - Plex, Inc.) Hidden
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
Tenorshare Reiboot (HKLM-x32\...\Tenorshare Reiboot) (Version: 3.1.0.6 - Tenorshare)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WebViewer Plugin (HKLM-x32\...\InstallShield_{2DEF112F-847B-4DC4-9FC9-97EB52E2D7FC}) (Version: 2.2.1.0 - Samsung Techwin Co., Ltd.)
WebViewer Plugin (x32 Version: 2.2.1.0 - Samsung Techwin Co., Ltd.) Hidden
X10 Commander 1.9.8 (HKLM-x32\...\{220CD0D3-0EF0-4F1F-9046-08373C799A98}_is1) (Version:  - Melloware Inc)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {3C22C4F9-46D4-41D8-81FD-B685433139BE} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1011703464-4262661669-2174859873-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\RealUpgrade.exe 
Task: {4B82DF41-BACA-472E-868B-89E3138FEC68} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {54C7916D-3D82-4EBA-9510-ACBD65AF5021} - System32\Tasks\CorelUpdateHelperTask => C:\Program Files (x86)\Corel\CUH\v2\CUH.exe [2017-01-12] (Corel Corporation)
Task: {60E7F422-AFDD-4CC2-B7F2-4173F8B2A561} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1011703464-4262661669-2174859873-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe 
Task: {7B7C5D14-7D81-45B9-92EE-62507451389B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {858AD2DE-9C5B-4946-9888-AFB4EEEA10D5} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1011703464-4262661669-2174859873-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\RealUpgrade.exe 
Task: {A7F402AA-7ADC-41BD-9FCF-3F4156914652} - System32\Tasks\CorelUpdateHelperTaskCore => c:\Program Files (x86)\Corel\CUH\v2\CUH.exe [2017-01-12] (Corel Corporation)
Task: {BC84533F-0118-4721-BC59-B574E1100866} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => C:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)
Task: {CED60399-71F0-421A-A6B4-6DE29BD41EB9} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {FBC099D0-B236-4C0C-9FEE-A1F84821A0FE} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
Shortcut: C:\Users\Jason\Desktop\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Jason\Desktop\Intеrnеt Ехplоrеr.lnk -> C:\Program Files\Internet Explorer\iexplore.bat ()
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnеt Ехplоrеr (Nо Аdd-оns).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Intеrnеt Ехplоrеr Вrоwsеr.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
 
ShortcutWithArgument: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехplоrеr.lnk -> C:\Program Files\Internet Explorer\iexplore.bat () -> hxxp://usa-aa.s3-website-us-east-1.amazonaws.com/?grp=3
ShortcutWithArgument: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\2a6616a3987355e8\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-03-18 21:56 - 2016-03-18 21:56 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-03-18 21:56 - 2016-03-18 21:56 - 01329936 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2011-06-29 23:14 - 2011-06-29 23:14 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2011-03-14 13:20 - 2011-03-14 13:20 - 00098304 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00083440 _____ () C:\Program Files (x86)\Plex\Plex Media Server\zlib.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00203248 _____ () C:\Program Files (x86)\Plex\Plex Media Server\libidn.dll
2015-02-03 12:38 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-02-03 12:38 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2015-02-03 12:38 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2015-02-03 12:38 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2015-02-03 12:38 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 01083376 _____ () C:\Program Files (x86)\Plex\Plex Media Server\libxml2.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00115696 _____ () C:\Program Files (x86)\Plex\Plex Media Server\soci_core-vc80-3_0.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00059888 _____ () C:\Program Files (x86)\Plex\Plex Media Server\soci_sqlite3-vc80-3_0.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00772080 _____ () C:\Program Files (x86)\Plex\Plex Media Server\tag.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 01741296 _____ () C:\Program Files (x86)\Plex\Plex Media Server\opencv_imgproc2411.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 01962992 _____ () C:\Program Files (x86)\Plex\Plex Media Server\opencv_core2411.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00025584 _____ () C:\Program Files (x86)\Plex\Plex Media Server\lyric_lite.dll
2015-04-25 02:15 - 2014-09-11 18:09 - 01498112 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
2015-04-25 02:15 - 2014-05-19 17:19 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00050160 _____ () C:\Program Files (x86)\Plex\Plex Media Server\DLLs\_socket.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00071664 _____ () C:\Program Files (x86)\Plex\Plex Media Server\DLLs\_ssl.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00024560 _____ () C:\Program Files (x86)\Plex\Plex Media Server\DLLs\_hashlib.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00041456 _____ () C:\Program Files (x86)\Plex\Plex Media Server\Exts\simplejson\_speedups.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00930288 _____ () C:\Program Files (x86)\Plex\Plex Media Server\Exts\lxml\etree.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00074736 _____ () C:\Program Files (x86)\Plex\Plex Media Server\libexslt.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00190960 _____ () C:\Program Files (x86)\Plex\Plex Media Server\libxslt.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00218096 _____ () C:\Program Files (x86)\Plex\Plex Media Server\Exts\lxml\objectify.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00018928 _____ () C:\Program Files (x86)\Plex\Plex Media Server\DLLs\select.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00095728 _____ () C:\Program Files (x86)\Plex\Plex Media Server\DLLs\_ctypes.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00143344 _____ () C:\Program Files (x86)\Plex\Plex Media Server\DLLs\pyexpat.pyd
2016-12-15 13:53 - 2016-12-15 13:53 - 00694256 _____ () C:\Program Files (x86)\Plex\Plex Media Server\DLLs\unicodedata.pyd
2017-02-02 15:19 - 2017-02-01 04:01 - 01870168 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libglesv2.dll
2017-02-02 15:19 - 2017-02-01 04:01 - 00085848 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com
 
There are 7866 more sites.
 
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\...\123simsen.com -> www.123simsen.com
 
There are 7866 more sites.
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-12-22 01:45 - 2016-12-22 01:45 - 00000820 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: FileZilla Server Interface => "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: Spotify => "C:\Users\Jason\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\Jason\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
MSCONFIG\startupreg: uTorrent => "C:\Program Files (x86)\uTorrent\uTorrent.exe"  /MINIMIZED
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{CDB5180F-9363-410F-8DB3-AAD0430DAD2C}D:\program files (x86)\melloware\x10commander\x10commander.exe] => (Allow) D:\program files (x86)\melloware\x10commander\x10commander.exe
FirewallRules: [UDP Query User{4870A02F-EC66-4544-BB5B-63F11671B968}D:\program files (x86)\melloware\x10commander\x10commander.exe] => (Allow) D:\program files (x86)\melloware\x10commander\x10commander.exe
FirewallRules: [{B9074C65-E5F5-42E0-9056-E2051B111061}] => (Allow) LPort=6003
FirewallRules: [{7ED18185-EB01-4F36-AEE1-99EFB21069A4}] => (Allow) C:\Program Files (x86)\Melloware\X10Commander\X10Commander.exe
FirewallRules: [{2AA281E1-6EB9-423C-97AC-4822A7FC70E9}] => (Allow) C:\Program Files (x86)\Melloware\X10Commander\X10Commander.exe
FirewallRules: [{DBD1CBE1-E3FA-4142-B51B-77C1F49EB00F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{18A14BBF-B42C-488A-B45F-5EDE899BC65B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{4F2A1430-5E5A-48FD-90D7-7E531F985407}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{36F8689B-1649-48D6-B85B-B6CF762533CC}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C4C29809-BEFF-4350-870F-D7D7D6512964}] => (Allow) C:\Users\Jason\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{045A4FFD-F493-4774-ADE1-2CF3AE032B9C}] => (Allow) C:\Users\Jason\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [TCP Query User{6CCA9483-6051-4A6D-899A-94D9B58E7C7E}C:\program files (x86)\remotelesshelper\remotelesshelper.exe] => (Allow) C:\program files (x86)\remotelesshelper\remotelesshelper.exe
FirewallRules: [UDP Query User{87467227-BD28-4AA8-A7C7-8D407B278256}C:\program files (x86)\remotelesshelper\remotelesshelper.exe] => (Allow) C:\program files (x86)\remotelesshelper\remotelesshelper.exe
FirewallRules: [{26436A04-6476-4D0D-B38F-6A1B8F026C61}] => (Allow) C:\Program Files (x86)\TVMOBiLi\bin\tvMobiliService.exe
FirewallRules: [TCP Query User{180E3148-A4BC-4A94-ACC1-34042353D2A4}C:\program files (x86)\melloware\x10commander\x10commander.exe] => (Allow) C:\program files (x86)\melloware\x10commander\x10commander.exe
FirewallRules: [UDP Query User{A4AA61A6-768C-4D8F-AEC4-51FE4DD53CC9}C:\program files (x86)\melloware\x10commander\x10commander.exe] => (Allow) C:\program files (x86)\melloware\x10commander\x10commander.exe
FirewallRules: [{DC566C8A-9F02-4FD4-BDAE-1746F1B0B503}] => (Allow) C:\Users\Jason\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{E52C4AFF-1F7C-4557-B029-208BDA99CBEC}] => (Allow) C:\Users\Jason\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{0A8FBE99-718A-4C04-8ED8-6AD9C077E1D8}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{55FF686A-65C0-49B3-85FF-9E37651AB3AD}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{7DD9F2DB-76DF-4352-B114-3A4D1D63CF10}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{2FD11DE1-FD76-466A-9D31-3084DAB86281}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{123DB4FE-5F6F-4372-9998-F11C59EF70A2}] => (Allow) LPort=30888
FirewallRules: [{33418E2B-1845-4E0E-B1D4-55848C8F2A44}] => (Allow) C:\Program Files (x86)\CoreFTP\coreftp.exe
FirewallRules: [{257269BC-E3EC-41B7-B3DB-0CCB202A41E5}] => (Allow) C:\Program Files (x86)\CoreFTP\coreftp.exe
FirewallRules: [{3924E6AD-FD62-41D7-ABC2-7B8E87922F71}] => (Allow) C:\Program Files (x86)\CoreFTP\coreftp.exe
FirewallRules: [{50EF1B91-EA10-4357-903D-F8FB0D3263D0}] => (Allow) C:\Program Files (x86)\CoreFTP\coreftp.exe
FirewallRules: [{6E6114FC-1464-4F20-9109-B71CB2B820A6}] => (Allow) C:\Program Files (x86)\YouTube Download Pool\G3\netclean.exe
FirewallRules: [{81679C20-5220-4B25-AFE4-6445167DAED6}] => (Allow) C:\Program Files (x86)\YouTube Download Pool\G3\youtubeserv.exe
FirewallRules: [{2AD86E2F-71D0-401F-B905-35053D81BCB3}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jrmcp.exe
FirewallRules: [{FB9582F3-51E2-4A77-A5A3-01BEE46DEB7E}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jrmcp.exe
FirewallRules: [{6C078EAE-EB47-4F63-B705-4734C4306B56}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jbp.exe
FirewallRules: [{0B0DE64B-A1B1-44B1-980E-187826C804CA}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jbp.exe
FirewallRules: [{59CD9F9C-8AAA-4BB5-9B94-6DFD7F0E8051}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\ffmpeg.exe
FirewallRules: [{7600BD56-2205-41B9-BCF5-C08427532363}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\ffmpeg.exe
FirewallRules: [{DD85F47E-F93B-4497-8481-DA6169CD14F4}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\dl.exe
FirewallRules: [{40724ACF-6259-4334-A599-471B1256314D}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\dl.exe
FirewallRules: [{1D9E01C9-F98B-48D4-AC1A-FD4F49324101}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\aria2c.exe
FirewallRules: [{7C5139BB-1526-4D87-BF5F-E6130B70A966}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\aria2c.exe
FirewallRules: [{F1085099-87B5-4879-953B-16969CD85DB4}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\qtCopy.exe
FirewallRules: [{A06C2295-BB2C-40E1-8DDA-5DD0F1CBDEF4}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\qtCopy.exe
FirewallRules: [{1003EB8C-37A6-40B0-A9A7-C578E93480BA}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{5BEAF48B-5B23-4F42-9B7D-43411823E3C4}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{FA4CF513-208D-410A-81E1-89EE5C8CB990}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{EE16B0D1-CFF0-46F3-A522-E8FB154FD680}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{55A4DDFF-CFBA-41A4-9917-38A90FCC906A}] => (Allow) D:\iTunes\iTunes.exe
FirewallRules: [{0DA6B468-6167-4767-B93A-A0D21A8E469F}] => (Allow) C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{715A40FF-9BFD-4152-A971-A53545506B64}] => (Allow) C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{8675B94C-7034-44B9-84A3-05FC47E2F4F0}] => (Allow) C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{497A0E59-608A-492F-838C-C810AD6261F0}] => (Allow) C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{9220163F-41EB-413E-A5EB-65153A162E33}] => (Allow) C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{65F715F4-62DB-4338-881F-915AC43FCB94}] => (Allow) C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{3323ED87-1AB4-48F6-B34C-531196735A69}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{80FD7F00-E930-4408-A4F6-5399827802E5}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [{F3F98193-358E-4629-B633-93F2BB3C275B}] => (Allow) C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
FirewallRules: [{71A38C82-3E3F-466B-8720-8CF6DE73AEC2}] => (Allow) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
FirewallRules: [{2553058D-BA11-49EC-B29A-345D3B275CB1}] => (Allow) C:\Program Files (x86)\Plex\Plex Media Server\Plex DLNA Server.exe
FirewallRules: [{C69337AE-B917-442F-BB79-2BF2CBBF988D}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{83CD6323-5DC8-4414-B1EC-1858BDC912C2}C:\program files (x86)\google\chrome\application\сhrоmе.bаt.exe] => (Block) C:\program files (x86)\google\chrome\application\сhrоmе.bаt.exe
FirewallRules: [UDP Query User{4A795F07-28B6-4F74-999E-E361331AEF9D}C:\program files (x86)\google\chrome\application\сhrоmе.bаt.exe] => (Block) C:\program files (x86)\google\chrome\application\сhrоmе.bаt.exe
DomainProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
 
==================== Restore Points =========================
 
17-02-2017 18:25:05 Checkpoint by HitmanPro
17-02-2017 18:25:26 Checkpoint by HitmanPro
17-02-2017 18:32:46 Windows Update
18-02-2017 22:27:48 JRT Pre-Junkware Removal
18-02-2017 22:31:58 Installed Sophos Virus Removal Tool.
 
==================== Faulty Device Manager Devices =============
 
Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ZAM
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ZAM_Guard
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/19/2017 06:34:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/18/2017 10:25:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/18/2017 10:07:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/18/2017 09:57:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/18/2017 09:52:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/18/2017 09:33:04 PM) (Source: MsiInstaller) (EventID: 11723) (User: Jason-pc)
Description: Application: Kaspersky Internet Security -- Error 1723. There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact Technical Support or the package vendor. Action SetInstallEnvVarsAgain, entry: SetEnvironmenVariables, library: C:\Users\Jason\AppData\Local\Temp\{3F8193D9-25F8-45AB-952B-388FC4F997AB}\msi_misc.dll
 
Error: (02/18/2017 09:31:32 PM) (Source: MsiInstaller) (EventID: 11500) (User: Jason-pc)
Description: Application: Kaspersky Secure Connection -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one.
 
Error: (02/18/2017 09:31:31 PM) (Source: MsiInstaller) (EventID: 11500) (User: Jason-pc)
Description: Application: Kaspersky Secure Connection -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one.
 
Error: (02/18/2017 09:31:31 PM) (Source: MsiInstaller) (EventID: 11500) (User: Jason-pc)
Description: Application: Kaspersky Secure Connection -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one.
 
Error: (02/17/2017 10:44:37 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
 
System errors:
=============
Error: (02/19/2017 06:53:03 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.
 
Error: (02/19/2017 06:34:08 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (02/19/2017 06:34:08 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.
 
Error: (02/19/2017 06:33:25 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:31:36 AM on ‎2/‎19/‎2017 was unexpected.
 
Error: (02/19/2017 06:21:12 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: Microsoft Update Server
 
Update Stage: Download
 
 
Signature Type: AntiVirus
 
Update Type: Full
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: 
 
Previous Engine Version: 0.0.0.0
 
Error code: 0x800704c7
 
Error description: The operation was canceled by the user.
 
Error: (02/18/2017 10:23:58 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: 
An instance of the service is already running.
 
Error: (02/18/2017 10:23:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
 
Error: (02/18/2017 10:23:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (02/18/2017 10:23:28 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The iPod Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (02/18/2017 10:23:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
 
CodeIntegrity:
===================================
  Date: 2015-04-08 01:50:14.037
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-04-08 01:50:14.012
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-04-08 01:50:12.332
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-04-08 01:50:12.307
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-03-30 12:02:56.263
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-03-30 12:02:56.238
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: AMD Athlon™ II X4 645 Processor
Percentage of memory in use: 24%
Total physical RAM: 14079.28 MB
Available physical RAM: 10654.38 MB
Total Virtual: 28156.74 MB
Available Virtual: 24167.23 MB
 
==================== Drives ================================
 
Drive c: (win7) (Fixed) (Total:97.66 GB) (Free:34.61 GB) NTFS
Drive d: (data) (Fixed) (Total:833.85 GB) (Free:43.9 GB) NTFS
Drive e: (OS) (Fixed) (Total:1385.93 GB) (Free:123.66 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.08 GB) NTFS
Drive g: (HP_RECOVERY) (Fixed) (Total:11.23 GB) (Free:11.11 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 4D4238FF)
Partition 1: (Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=833.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: F97DFB8E)
Partition 1: (Not Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=1385.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11.2 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

 

 

Edited by Jason B, 19 February 2017 - 12:02 PM.


#4 nasdaq

  • Malware Response Team
  • 38,548 posts
  • Location:Montreal, QC. Canada

Posted 19 February 2017 - 02:06 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

AutoConfigURL: [S-1-5-21-1011703464-4262661669-2174859873-1000] => hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390
ManualProxies: 0hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-23]
CHR Extension: (Chrome Media Router) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-13]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
Shortcut: C:\Users\Jason\Desktop\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Jason\Desktop\Int?rn?t ??pl?r?r.lnk -> C:\Program Files\Internet Explorer\iexplore.bat ()
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ??pl?r?r (N? ?dd-?ns).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
ShortcutWithArgument: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ??pl?r?r.lnk -> C:\Program Files\Internet Explorer\iexplore.bat () -> hxxp://usa-aa.s3-website-us-east-1.amazonaws.com/?grp=3
FirewallRules: [{6E6114FC-1464-4F20-9109-B71CB2B820A6}] => (Allow) C:\Program Files (x86)\YouTube Download Pool\G3\netclean.exe
FirewallRules: [{81679C20-5220-4B25-AFE4-6445167DAED6}] => (Allow) C:\Program Files (x86)\YouTube Download Pool\G3\youtubeserv.exe
FirewallRules: [TCP Query User{83CD6323-5DC8-4414-B1EC-1858BDC912C2}C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe] => (Block) C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe
FirewallRules: [UDP Query User{4A795F07-28B6-4F74-999E-E361331AEF9D}C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe] => (Block) C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe
C:\Program Files\Internet Explorer\iexplore.bat
C:\Program Files (x86)\YouTube Download Pool\G3\netclean.exe


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
---

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
===

Please post the Fixlog.txt and let me know what problem persists.

#5 Jason B

  • Topic Starter
  • Members
  • 66 posts

Posted 19 February 2017 - 03:39 PM

Thank you. Did everything you said:
 

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-02-2017 01
Ran by Jason (19-02-2017 15:23:40) Run:2
Running from C:\Users\Jason\Desktop
Loaded Profiles: Jason (Available Profiles: Jason)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:
 
AutoConfigURL: [S-1-5-21-1011703464-4262661669-2174859873-1000] => hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390
ManualProxies: 0hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-23]
CHR Extension: (Chrome Media Router) - C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-13]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
Shortcut: C:\Users\Jason\Desktop\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Jason\Desktop\Int?rn?t ??pl?r?r.lnk -> C:\Program Files\Internet Explorer\iexplore.bat ()
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ??pl?r?r (N? ?dd-?ns).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
ShortcutWithArgument: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ??pl?r?r.lnk -> C:\Program Files\Internet Explorer\iexplore.bat () -> hxxp://usa-aa.s3-website-us-east-1.amazonaws.com/?grp=3
FirewallRules: [{6E6114FC-1464-4F20-9109-B71CB2B820A6}] => (Allow) C:\Program Files (x86)\YouTube Download Pool\G3\netclean.exe
FirewallRules: [{81679C20-5220-4B25-AFE4-6445167DAED6}] => (Allow) C:\Program Files (x86)\YouTube Download Pool\G3\youtubeserv.exe
FirewallRules: [TCP Query User{83CD6323-5DC8-4414-B1EC-1858BDC912C2}C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe] => (Block) C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe
FirewallRules: [UDP Query User{4A795F07-28B6-4F74-999E-E361331AEF9D}C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe] => (Block) C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe
C:\Program Files\Internet Explorer\iexplore.bat
C:\Program Files (x86)\YouTube Download Pool\G3\netclean.exe
 
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
========= RemoveProxy: =========
 
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
HKU\S-1-5-21-1011703464-4262661669-2174859873-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value not found.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} => value removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\ZAMSvc => key removed successfully
ZAMSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\ZAM => key removed successfully
ZAM => service removed successfully
HKLM\System\CurrentControlSet\Services\ZAM_Guard => key removed successfully
ZAM_Guard => service removed successfully
"C:\Users\Jason\Desktop\G??gl? ?hr?m?.lnk" => Could not move.
"C:\Users\Jason\Desktop\Int?rn?t ??pl?r?r.lnk" => Could not move.
"C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ??pl?r?r (N? ?dd-?ns).lnk" => Could not move.
"C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gl? ?hr?m?.lnk" => Could not move.
"C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk" => Could not move.
"C:\Users\Jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\G??gl? ?hr?m?.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk" => Could not move.
C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ??pl?r?r.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6E6114FC-1464-4F20-9109-B71CB2B820A6} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{81679C20-5220-4B25-AFE4-6445167DAED6} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{83CD6323-5DC8-4414-B1EC-1858BDC912C2}C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{4A795F07-28B6-4F74-999E-E361331AEF9D}C:\program files (x86)\google\chrome\application\?hr?m?.b?t.exe => value not found.
C:\Program Files\Internet Explorer\iexplore.bat => moved successfully
"C:\Program Files (x86)\YouTube Download Pool\G3\netclean.exe" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 123016805 B
Java, Flash, Steam htmlcache => 1041 B
Windows/system/drivers => 17518 B
Edge => 0 B
Chrome => 178749034 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 128 B
NetworkService => 23969212 B
Jason => 1158817491 B
 
RecycleBin => 0 B
EmptyTemp: => 1.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:24:21 ====

Now, on my desktop, the shortcuts to Chrome and IE point to .bat files. If I go to the actual folders I can see the .exe files and both browsers will open. I guess I should delete the .bat files for Iexplore.bat and chrome.bat? Yes?

Edited by Jason B, 19 February 2017 - 03:41 PM.
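The Fixlog above reports the '?' shortcut entries as "Could not move" and the two '?' firewall rules as "value not found", which fits the Addition.txt log naming that file сhrоmе.bаt.exe with Cyrillic letters exactly where the pasted fixlist shows a '?'. The Python triage helper below is an added example, not part of FRST or of either poster's material; run over constructed sample lines modelled on this thread's entries, it flags look-alike (mixed-script) file names, entries whose non-ASCII letters were lost in copying, browser shortcuts retargeted to .bat launchers, a forced start-page argument, remote proxy auto-config URLs and Block rules under a browser directory.

```python
import re
import unicodedata

# Constructed sample lines, modelled on the FRST entries quoted in this thread.
# The look-alike name is written with escapes so the Cyrillic letters are visible
# in the source: "\u0441hr\u043em\u0435.b\u0430t" displays as "chrome.bat".
LOOKALIKE = "\u0441hr\u043em\u0435.b\u0430t.exe"
CHROME_DIR = "C:\\program files (x86)\\google\\chrome\\application\\"
SAMPLE_LINES = [
    "Shortcut: C:\\Users\\Jason\\Desktop\\G??gl? ?hr?m?.lnk -> "
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.bat (No File)",
    "ShortcutWithArgument: C:\\Users\\Jason\\AppData\\Roaming\\Microsoft\\Windows\\"
    "Start Menu\\Programs\\Int?rn?t ??pl?r?r.lnk -> C:\\Program Files\\"
    "Internet Explorer\\iexplore.bat () -> "
    "hxxp://usa-aa.s3-website-us-east-1.amazonaws.com/?grp=3",
    "FirewallRules: [TCP Query User{83CD6323-5DC8-4414-B1EC-1858BDC912C2}"
    + CHROME_DIR + LOOKALIKE + "] => (Block) " + CHROME_DIR + LOOKALIKE,
    "FirewallRules: [{C69337AE-B917-442F-BB79-2BF2CBBF988D}] => (Allow) "
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "AutoConfigURL: [S-1-5-21-1011703464-4262661669-2174859873-1000] => "
    "hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390",
    "ManualProxies: 0hxxp://blockerstop.com/wpad.dat?20f4eca85f40b12a81d586656ee9f44a25592390",
    "Shortcut: C:\\Users\\Jason\\Desktop\\Notepad.lnk -> C:\\Windows\\notepad.exe ()",
]

SHORTCUT_RE = re.compile(
    r"^(?:Shortcut|ShortcutWithArgument): (?P<lnk>.+?\.lnk) -> (?P<target>.+?) "
    r"\((?P<status>[^)]*)\)(?: -> (?P<arg>.+))?$")
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<name>.+?)\] => \((?P<action>Allow|Block)\) (?P<path>.+)$")
PROXY_RE = re.compile(
    r"^(?P<key>AutoConfigURL|ManualProxies): (?:\[(?P<sid>[^\]]+)\] => |0)"
    r"(?P<url>h(?:xx|tt)ps?://\S+)$")
URL_RE = re.compile(r"^h(?:xx|tt)ps?://")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")
BROWSER_DIRS = ("\\google\\chrome\\", "\\internet explorer\\", "\\mozilla firefox\\")


def scripts_in(text):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters in text."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            try:
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:  # unnamed code point
                scripts.add("UNKNOWN")
    return scripts


def path_findings(path, what):
    """Findings about a Windows path: lost characters and look-alike components."""
    findings = []
    if "?" in path:  # '?' is not legal in an NTFS name, so it marks a lost character
        findings.append(("lossy-copy", f"{what} contains '?' where non-ASCII letters "
                         f"were dropped; a Fix line built from it cannot match: {path}"))
    for part in path.split("\\"):
        scripts = scripts_in(part)
        if len(scripts) > 1:
            findings.append(("homoglyph", f"{what} component {part!r} mixes "
                             f"{sorted(scripts)}"))
    return findings


def triage_line(line):
    """Return a list of (kind, detail) findings for one FRST log line."""
    findings = []
    m = SHORTCUT_RE.match(line)
    if m:
        lnk, target, arg = m.group("lnk"), m.group("target"), m.group("arg")
        if target.lower().endswith(SCRIPT_EXTS):
            findings.append(("script-launcher", f"{lnk} starts {target}, not an .exe"))
        if arg and URL_RE.match(arg):
            findings.append(("forced-start-page", f"{lnk} passes {arg} to the browser"))
        return findings + path_findings(lnk, "shortcut") + path_findings(target, "target")
    m = FIREWALL_RE.match(line)
    if m:
        path = m.group("path")
        if m.group("action") == "Block" and any(d in path.lower() for d in BROWSER_DIRS):
            findings.append(("browser-blocked", f"Block rule under a browser directory: {path}"))
        return findings + path_findings(path, "firewall path")
    m = PROXY_RE.match(line)
    if m:
        findings.append(("remote-pac", f"{m.group('key')} fetches proxy settings from {m.group('url')}"))
    return findings


def triage(lines):
    """Map line index -> findings for every line that has at least one."""
    report = {}
    for i, line in enumerate(lines):
        found = triage_line(line)
        if found:
            report[i] = found
    return report


if __name__ == "__main__":
    for i, found in triage(SAMPLE_LINES).items():
        for kind, detail in found:
            print(f"line {i}: [{kind}] {detail}")
```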


#6 Jason B

  • Topic Starter
  • Members
  • 66 posts

Posted 19 February 2017 - 03:50 PM

Ok, after checking gmail in chrome, I clicked a legit ebay link from an ebay notification and the red screen is back again. This is so weird! See attached and url...

 

Attached Files

  • ebay.jpg (34.81 KB)


#7 nasdaq

  • Malware Response Team
  • 38,548 posts
  • Location:Montreal, QC. Canada

Posted 20 February 2017 - 08:40 AM

Now, on my desktop, the shortcuts to Chrome and IE point to .bat files. If I go to the actual folders I can see the .exe files and both browsers will open. I guess I should delete the .bat files for Iexplore.bat and chrome.bat? Yes?


Please remove these shortcuts.

===

Reset only the browsers that are compromised.

Reset Chrome...
Open Google Chrome, click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Restart the computer normally to reset the registry.


If the problem persists let me know in which browser(s).

#8 Jason B

  • Topic Starter
  • Members
  • 66 posts

Posted 20 February 2017 - 12:05 PM

I've done all you said and still am having same issues in both browsers. Now when I get an email for this thread and click the bleeping computer link to this thread in my email, it won't even load the site, and it says not secure.

I'm writing from my iPhone. In both IE and Chrome it puts http://xsso before any main website URLs I type in. It's driving me nuts.

I found a little info here. But don't know if this helps. I have one pc and a netgear router. Maybe you could connect to my pc?

https://productforums.google.com/forum/#!topic/chrome/5xQNbRx6Oeg

Edited by Jason B, 20 February 2017 - 01:06 PM.


#9 Jason B

  • Topic Starter
  • Members
  • 66 posts

Posted 20 February 2017 - 01:17 PM

Ok, I seem to have found that unchecking these options in CHROME fixes SOME of the issues in Chrome.... Not sure what to do for IE...
 
https://www.quora.com/Why-am-I-getting-this-malware-message-while-browsing-through-Google-Chrome

https://productforums.google.com/forum/#!topic/chrome/5xQNbRx6Oeg

Don't know what to think.. This fixed the issues on many sites in Chrome, but not IE, and some sites still do it in Chrome and change the URL to xsso before the domains.

Edited by Jason B, 20 February 2017 - 03:18 PM.


#10 Jason B

  • Topic Starter
  • Members
  • 66 posts

Posted 21 February 2017 - 02:56 AM

Ok, I noticed something... My android tablet started to give the same errors in the chrome browser! Now, that's on wifi, so I went into the internet settings on my netgear router and under DNS it was no longer on automatic from ISP, it had this specified under DNS: 66.79.189.7

I changed it back to automatic and all the issues went away on all browsers! I don't know how this changed, but I did not change it! Any idea how that happened? It seems fixed I think.


Edited by Jason B, 21 February 2017 - 02:58 AM.


#11 nasdaq

  • Malware Response Team
  • 38,548 posts
  • Location:Montreal, QC. Canada

Posted 21 February 2017 - 08:31 AM


Your router was hacked.

Check this out.

How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

---


If you need to, you can reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====

#12 nasdaq

  • Malware Response Team
  • 38,548 posts
  • Location:Montreal, QC. Canada

Posted 27 February 2017 - 07:56 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



