Trojan.Agent.Gen(svchost.exe) returns after remove.


55 replies to this topic

#1 ergsdrgdfuno

Posted 22 February 2017 - 01:06 PM

Hello!

My son accidentally installed some programs (MalwareBytes3 and Advanced Uninstaller Pro) from an unofficial web page. I was suspicious of this and uninstalled the programs, then I downloaded some antivirus programs (Malwarebytes and HitmanPro) from the official pages and installed them on my computer. At first Malwarebytes would not run, so I let HitmanPro handle the deal; the program ran and found a lot of threats. HitmanPro removed the threats and then I could run Malwarebytes. The program detected Trojan.Agent.Gen, C:\USERS\ROBERTO\APPDATA\LOCAL\TEMP\SVCHOST.EXE; the file was put in quarantine and removed.

After the virus was removed I restarted the computer and ran the antivirus. Everything seemed normal, no threats found, but eventually (hours later) Malwarebytes detected the same file another time.

I'm attaching the FRST scan result.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-02-2017
Ran by roberto (administrator) on ROTO-PC (22-02-2017 11:43:38)
Running from C:\Users\roberto\Desktop
Loaded Profiles: roberto (Available Profiles: roberto)
Platform: Microsoft Windows 7 Ultimate  (X86) Language: Español (España, internacional)
Internet Explorer Version 8 (Default browser: "C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe" -osint -url "%1")
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Mozilla Corporation) C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKLM\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Control Panel\Desktop\\SCRNSAVE.EXE ->
BootExecute: autocheck autochk * Partizan
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.2.9.18 10.3.9.18 10.3.1.100
Tcpip\..\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15}: [DhcpNameServer] 10.2.9.18 10.3.9.18 10.3.1.100
Tcpip\..\Interfaces\{A53290CC-D57F-47D1-8BAF-C1B504C48810}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKLM -> DefaultScope {E921F400-D383-4B1B-9DE6-FCFCACFC1173} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2012-09-03] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2012-09-03] (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
Prefixes: [home]=>  <==== ATTENTION
Prefixes: [www]=>  <==== ATTENTION
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF DefaultProfile: kbp5rj4x.default
FF ProfilePath: C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default [2017-02-22]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\kbp5rj4x.default -> DuckDuckGo
FF Extension: (Clear Console) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\clearConsole@penzil.com.xpi [2016-11-10]
FF Extension: (MEGA) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\firefox@mega.co.nz.xpi [2017-02-18]
FF Extension: (Facebook™ Disconnect) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid0-dBgF7UkIiOsWqvBng4hYu@jetpack.xpi [2016-11-10]
FF Extension: (AdF.ly Skipper ★WORKING★) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid0-hyjN250ZzTOOX3evFwwAQBxE4ik@jetpack.xpi [2016-04-29]
FF Extension: (Google search link fix) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid0-XWJxt5VvCXkKzQK99PhZqAn7Xbg@jetpack.xpi [2017-01-31]
FF Extension: (Lightbeam) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2016-11-09]
FF Extension: (uBlock Origin) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\uBlock0@raymondhill.net.xpi [2017-02-20]
FF Extension: (uMatrix) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\uMatrix@raymondhill.net.xpi [2016-11-09]
FF Extension: (Clean Links) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{158d7cb3-7039-4a75-8e0b-3bd0a464edd2}.xpi [2016-11-09]
FF Extension: (FirefoxAdKiller) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{b1df372d-8b32-4c7d-b6b4-9c5b78cf6fb1}.xpi [2016-05-12]
FF Extension: (Video DownloadHelper) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-12-30]
FF Extension: (Adblock Plus) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF Extension: (Greasemonkey) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2016-08-21]
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2012-09-03] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2012-09-03] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-07-27] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3303888 2017-01-20] (Malwarebytes)
S2 USBSafelyRemoveService; C:\Program Files\USB Safely Remove\USBSRService.exe [742744 2012-01-31] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
S2 ZAMSvc; C:\Program Files\Zemana AntiMalware\ZAM.exe [14416624 2017-02-02] (Copyright 2017.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 bomebus; C:\Windows\System32\DRIVERS\bomebus.sys [27720 2010-10-13] (Bome Software)
S3 bomemidi; C:\Windows\System32\drivers\bomemidi.sys [24136 2010-10-13] (Bome Software)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [219584 2017-02-22] (Malwarebytes)
U3 Partizan; C:\Windows\System32\drivers\Partizan.sys [35816 2017-02-09] (Greatis Software)
S3 RegGuard; C:\Windows\system32\Drivers\regguard.sys [24416 2017-02-15] (Greatis Software)
R3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347136 2009-07-13] (Realtek Semiconductor Corporation                           )
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [477240 2012-07-18] (Duplex Secure Ltd.)
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [25216 2010-02-25] (The OpenVPN Project)
S3 WISOVD; C:\Program Files\WinISO Computing\WinISO\bin\driver\WISOVD_win7_x86.sys [6144 2012-02-09] () [File not signed]
S1 ZAM; C:\Windows\System32\drivers\zam32.sys [181496 2017-02-15] (Zemana Ltd.)
S1 ZAM_Guard; C:\Windows\System32\drivers\zamguard32.sys [181496 2017-02-15] (Zemana Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-22 11:43 - 2017-02-22 11:44 - 00009638 _____ C:\Users\roberto\Desktop\FRST.txt
2017-02-22 11:41 - 2017-02-22 11:35 - 01764864 _____ (Farbar) C:\Users\roberto\Desktop\FRST.exe
2017-02-22 11:35 - 2017-02-22 11:35 - 01764864 _____ (Farbar) C:\Users\roberto\Downloads\FRST.exe
2017-02-21 20:53 - 2017-02-21 21:34 - 109274968 _____ (Kaspersky Lab ZAO) C:\Users\roberto\Downloads\KVRT.exe
2017-02-21 15:16 - 2017-02-21 15:16 - 00001460 _____ C:\Users\roberto\Desktop\mb2.txt
2017-02-21 15:03 - 2017-02-22 09:10 - 00219584 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-21 15:03 - 2017-02-22 09:10 - 00094656 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-02-21 15:03 - 2017-02-22 09:10 - 00039360 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-02-21 15:03 - 2017-02-21 16:31 - 00152512 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-02-21 15:03 - 2017-02-21 16:07 - 00063264 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-02-21 15:03 - 2017-02-21 15:03 - 00002069 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-21 15:03 - 2017-02-21 15:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-21 15:03 - 2017-01-20 07:47 - 00059976 _____ C:\Windows\system32\Drivers\mbae.sys
2017-02-21 15:02 - 2017-02-21 15:02 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-21 14:48 - 2017-02-21 14:57 - 00007709 _____ C:\Users\roberto\Desktop\MB-CheckResult.txt
2017-02-21 14:35 - 2017-02-21 14:36 - 02070992 _____ (Malwarebytes Corporation) C:\Users\roberto\Downloads\mb-check-3.0.3.1005.exe
2017-02-21 07:39 - 2017-02-22 11:43 - 00000000 ____D C:\FRST
2017-02-21 07:39 - 2017-02-21 07:57 - 00040318 _____ C:\Users\roberto\Downloads\Addition.txt
2017-02-21 07:39 - 2017-02-21 07:57 - 00024350 _____ C:\Users\roberto\Downloads\FRST.txt
2017-02-21 07:35 - 2017-02-21 07:35 - 00566128 _____ (Malwarebytes) C:\Users\roberto\Downloads\mbam-clean-2.3.0.1001.exe
2017-02-21 07:30 - 2017-02-21 07:30 - 01663040 _____ (Malwarebytes) C:\Users\roberto\Downloads\JRT.exe
2017-02-20 16:03 - 2017-02-20 16:05 - 55566792 _____ (Malwarebytes ) C:\Users\roberto\Downloads\mb3-setup-consumer-3.0.6.1469.exe
2017-02-20 13:38 - 2017-02-20 13:38 - 00000000 ____D C:\Users\roberto\AppData\Local\VS Revo Group
2017-02-20 13:37 - 2017-02-20 13:37 - 00001279 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2017-02-20 13:37 - 2017-02-20 13:37 - 00000000 ____D C:\ProgramData\VS Revo Group
2017-02-20 13:37 - 2017-02-20 13:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2017-02-20 13:37 - 2017-02-20 13:37 - 00000000 ____D C:\Program Files\VS Revo Group
2017-02-20 13:37 - 2016-12-21 14:52 - 00035632 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2017-02-20 13:18 - 2017-02-20 13:19 - 11523496 _____ (VS Revo Group ) C:\Users\roberto\Downloads\RevoUninProSetup.exe
2017-02-17 08:49 - 2017-02-17 08:49 - 00000000 ____D C:\Users\roberto\Downloads\mbam-chameleon-3.1.33.0
2017-02-16 14:43 - 2017-02-21 15:37 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2017-02-15 15:37 - 2017-02-15 15:37 - 00001114 _____ C:\Users\roberto\Desktop\iExplore.exe - Acceso directo.lnk
2017-02-15 15:18 - 2017-02-15 15:18 - 00001017 _____ C:\Users\Public\Desktop\FileASSASSIN.lnk
2017-02-15 15:18 - 2017-02-15 15:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2017-02-15 15:18 - 2017-02-15 15:18 - 00000000 ____D C:\Program Files\FileASSASSIN
2017-02-15 15:15 - 2017-02-15 15:16 - 16563352 _____ (Malwarebytes Corp.) C:\Users\roberto\Downloads\mbar-1.09.3.1001.exe
2017-02-15 15:15 - 2017-02-15 15:15 - 00167034 _____ C:\Users\roberto\Downloads\fileassassin-setup-1.06.exe
2017-02-15 15:15 - 2017-02-15 15:15 - 00065232 _____ (Malwarebytes) C:\Users\roberto\Downloads\regassassin-setup-1.03.exe
2017-02-15 15:13 - 2017-02-15 15:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2017-02-15 15:13 - 2017-02-15 15:13 - 00000000 ____D C:\Program Files\7-Zip
2017-02-15 15:05 - 2017-02-15 16:22 - 00000000 ____D C:\Program Files\HitmanPro
2017-02-15 15:05 - 2017-02-15 15:05 - 00001897 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-02-15 15:05 - 2017-02-15 15:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2017-02-15 13:17 - 2017-02-15 13:17 - 00430280 _____ (ESET) C:\Users\roberto\Downloads\esetsirefefcleaner.exe
2017-02-15 13:17 - 2017-02-15 13:17 - 00001114 _____ C:\Users\roberto\Downloads\esetsirefefcleaner.exe_20170215.131748.1512.zip
2017-02-15 13:09 - 2017-02-15 13:10 - 00000020 _____ C:\Users\roberto\defogger_reenable
2017-02-15 12:23 - 2017-02-15 12:23 - 01110564 _____ (Igor Pavlov) C:\Users\roberto\Downloads\7z1604.exe
2017-02-15 12:21 - 2017-02-15 12:21 - 06705178 _____ C:\Users\roberto\Downloads\mbam-chameleon-3.1.33.0.zip
2017-02-15 10:15 - 2017-02-15 10:15 - 00181496 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard32.sys
2017-02-15 10:15 - 2017-02-15 10:15 - 00181496 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam32.sys
2017-02-15 10:15 - 2017-02-15 10:15 - 00001937 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2017-02-15 10:15 - 2017-02-15 10:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-02-15 10:02 - 2017-02-15 10:03 - 05677776 _____ (Zemana Ltd. ) C:\Users\roberto\Downloads\Zemana.AntiMalware.Setup.exe
2017-02-15 09:27 - 2017-02-15 16:02 - 00000392 _____ C:\Windows\system32\.crusader
2017-02-15 09:23 - 2017-02-21 22:49 - 00000153 _____ C:\Users\roberto\Desktop\mailcomp1.txt
2017-02-15 08:17 - 2017-02-15 08:17 - 00000022 _____ C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170215.081726.3828.zip
2017-02-14 21:29 - 2017-02-16 16:09 - 00409344 _____ C:\Users\roberto\Desktop\regrunlog.txt
2017-02-14 20:03 - 2017-02-20 16:42 - 01523880 _____ C:\Windows\ntbtlog.txt
2017-02-14 19:37 - 2017-02-21 16:30 - 00037491 _____ C:\Windows\ZAM.krnl.trace
2017-02-14 19:37 - 2017-02-21 16:30 - 00010060 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-02-14 19:37 - 2017-02-15 10:15 - 00000000 ____D C:\Program Files\Zemana AntiMalware
2017-02-14 19:37 - 2017-02-14 14:22 - 00000000 ____D C:\Users\roberto\AppData\Local\Zemana
2017-02-14 19:34 - 2017-02-14 20:06 - 00000588 __RSH C:\ProgramData\ntuser.pol
2017-02-10 10:04 - 2017-02-14 16:26 - 00000000 ____D C:\ProgramData\Innovative Solutions
2017-02-10 10:04 - 2017-02-14 14:24 - 00000000 ____D C:\Program Files\Common Files\Innovative Solutions
2017-02-10 10:04 - 2017-02-14 14:22 - 00000000 ____D C:\Users\roberto\AppData\Local\Innovative Solutions
2017-02-10 09:59 - 2017-02-14 14:22 - 00000000 ____D C:\Users\roberto\Downloads\UnHackMe.8.60.Build.560.KaranPC
2017-02-10 09:41 - 2017-02-10 09:41 - 00000000 ____D C:\Users\roberto\AppData\Roaming\Obsidium
2017-02-10 01:53 - 2017-02-15 12:14 - 00000000 ____D C:\AdwCleaner
2017-02-10 01:41 - 2017-02-10 01:43 - 143174936 _____ (Microsoft Corporation) C:\Users\roberto\Downloads\msert.exe
2017-02-10 01:33 - 2017-02-10 01:33 - 04015056 _____ C:\Users\roberto\Downloads\adwcleaner_6.043.exe
2017-02-10 01:13 - 2017-02-15 09:26 - 00000000 ____D C:\ProgramData\HitmanPro
2017-02-09 21:00 - 2017-02-09 21:00 - 00039192 _____ (Greatis Software) C:\Windows\system32\Partizan.exe
2017-02-09 21:00 - 2017-02-09 21:00 - 00035816 _____ (Greatis Software) C:\Windows\system32\Drivers\Partizan.sys
2017-02-09 20:30 - 2017-02-22 11:36 - 00002574 _____ C:\Users\roberto\Desktop\Rkill.txt
2017-02-09 20:28 - 2017-02-09 20:28 - 00000022 _____ C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170209.202809.4088.zip
2017-02-09 20:23 - 2017-02-09 20:23 - 00050477 _____ C:\Users\roberto\Downloads\Defogger.exe
2017-02-09 20:05 - 2017-02-09 20:05 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\roberto\Downloads\iExplore.exe
2017-02-09 18:49 - 2017-02-09 18:49 - 00518272 _____ (ESET) C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe
2017-02-09 18:44 - 2017-02-09 18:44 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\roberto\Downloads\rkill.com
2017-02-09 18:02 - 2017-02-09 18:02 - 11581544 _____ (SurfRight B.V.) C:\Users\roberto\Downloads\HitmanPro_x64.exe
2017-02-09 18:01 - 2017-02-09 18:02 - 11005320 _____ (SurfRight B.V.) C:\Users\roberto\Downloads\hitmanpro.exe
2017-02-08 08:17 - 2017-02-14 14:24 - 00000000 ____D C:\Users\roberto\Downloads\ProcessExplorer
2017-02-03 20:03 - 2017-02-03 20:03 - 01932769 _____ C:\Users\roberto\Downloads\ProcessExplorer.zip
2017-02-03 17:59 - 2017-02-03 18:57 - 00001299 _____ C:\0
2017-02-03 13:59 - 2017-02-03 13:59 - 00000012 _____ C:\Users\roberto\Desktop\sfcd.txt
2017-02-03 13:55 - 2017-02-22 09:33 - 00000000 ____D C:\Users\roberto\AppData\LocalLow\Mozilla
2017-02-03 13:03 - 2017-02-03 13:05 - 18608239 _____ C:\Users\roberto\Downloads\UnHackMe.8.60.Build.560.KaranPC.rar
2017-02-01 16:39 - 2017-02-14 14:24 - 00000000 ____D C:\Windows\pss
2017-02-01 13:42 - 2017-02-15 12:55 - 00024416 _____ (Greatis Software) C:\Windows\system32\Drivers\regguard.sys
2017-02-01 13:38 - 2017-02-20 15:01 - 00000000 ____D C:\Users\Public\Documents\regruninfo
2017-02-01 13:38 - 2017-02-14 14:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
2017-02-01 13:38 - 2011-11-03 12:58 - 00012800 _____ (Greatis Software, LLC.) C:\Windows\system32\Drivers\UnHackMeDrv.sys
2017-02-01 12:18 - 2017-02-01 12:18 - 00058155 _____ C:\Users\roberto\Desktop\Filecheckreport.txt
2017-02-01 08:49 - 2017-02-14 14:22 - 00000000 ____D C:\Windows\RestoreSafeDeleted
2017-02-01 07:29 - 2017-02-14 14:24 - 00000000 ____D C:\Users\roberto\AppData\Roaming\dvdcss

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-22 09:10 - 2012-06-11 09:05 - 00000264 _____ C:\Windows\system32\PARTIZAN.TXT
2017-02-21 16:30 - 2009-07-13 22:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-21 16:30 - 2009-07-13 22:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-21 16:27 - 2009-07-13 22:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-21 16:24 - 2009-07-13 20:37 - 00000000 ____D C:\Windows\inf
2017-02-21 15:41 - 2011-01-09 19:00 - 00000000 ____D C:\Users\roberto
2017-02-21 15:02 - 2012-04-19 01:29 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-20 13:55 - 2015-12-21 02:20 - 00000000 ____D C:\Users\roberto\Downloads\wint2015
2017-02-16 16:09 - 2015-11-21 10:02 - 00000000 ____D C:\Users\roberto\Documents\RegRun2
2017-02-15 15:11 - 2016-12-10 17:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDFab 8 Qt
2017-02-15 15:11 - 2016-12-10 17:10 - 00000000 ____D C:\Program Files\DVDFab 8 Qt
2017-02-15 09:27 - 2015-11-02 03:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy Eraser Pro
2017-02-15 09:27 - 2011-01-09 20:55 - 00000000 ____D C:\Program Files\WinRAR
2017-02-15 08:14 - 2016-01-24 00:02 - 00000000 ____D C:\Users\roberto\AppData\Roaming\USBSafelyRemove
2017-02-15 08:14 - 2009-07-13 22:53 - 00032630 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-02-14 14:24 - 2015-11-17 05:28 - 00000000 ____D C:\Program Files\Mozilla Firefox 4.0 Beta 10
2017-02-14 14:24 - 2012-06-11 09:01 - 00000000 ____D C:\Program Files\UnHackMe
2017-02-14 14:24 - 2012-03-24 22:38 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-02-14 14:24 - 2011-04-30 14:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ableton
2017-02-14 14:24 - 2009-07-13 20:37 - 00000000 ____D C:\Windows\registration
2017-02-14 14:24 - 2009-07-13 20:37 - 00000000 ____D C:\Windows\AppCompat
2017-02-10 03:49 - 2012-09-10 11:46 - 00000000 ____D C:\Users\roberto\AppData\Roaming\vlc
2017-02-10 03:18 - 2011-01-09 19:03 - 00006528 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-10 03:18 - 2009-07-14 02:48 - 19898132 _____ C:\Windows\system32\perfh00A.dat
2017-02-10 03:18 - 2009-07-14 02:48 - 07470144 _____ C:\Windows\system32\perfc00A.dat
2017-02-01 17:21 - 2013-11-09 10:44 - 00001668 _____ C:\Windows\system32\ASOROSet.bin
2017-02-01 17:14 - 2013-11-09 10:43 - 00000000 ____D C:\Windows\system32\config\RCCBakup
2017-02-01 16:39 - 2015-11-02 03:07 - 00000000 ____D C:\Users\roberto\AppData\Local\ElevatedDiagnostics
2017-02-01 13:38 - 2012-06-11 09:01 - 00000002 RSHOT C:\Windows\winstart.bat
2017-02-01 13:38 - 2009-07-13 20:04 - 00002577 _____ C:\Windows\system32\config.nt
2017-02-01 13:38 - 2009-07-13 20:04 - 00001688 _____ C:\Windows\system32\autoexec.nt
2017-02-01 13:03 - 2012-11-27 13:35 - 00000374 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2017-02-01 10:43 - 2009-07-13 22:52 - 00000000 ____D C:\Windows\Downloaded Program Files
2017-01-31 16:21 - 2017-01-18 07:41 - 00000000 ____D C:\Users\roberto\Downloads\11
2017-01-31 12:29 - 2017-01-16 04:08 - 00000000 ____D C:\Users\roberto\Downloads\musto
2017-01-31 12:28 - 2017-01-16 04:12 - 00000000 ____D C:\Users\roberto\Downloads\wint2016
2017-01-31 09:45 - 2016-11-25 01:13 - 00000000 ____D C:\Users\roberto\Downloads\Aut2016

==================== Files in the root of some directories =======

2016-05-23 09:51 - 2016-05-23 09:51 - 0000034 _____ () C:\Users\roberto\AppData\Roaming\AdobeWLCMCache.dat
2015-10-29 11:23 - 2015-11-01 09:50 - 0033280 __RSH () C:\Users\roberto\AppData\Roaming\Thumbs.db
2015-11-19 02:32 - 2016-01-12 19:57 - 0007607 ____R () C:\Users\roberto\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-14 16:06

==================== End of FRST.txt ============================   
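The symptom in post #1, a quarantined svchost.exe in the user's Temp folder that reappears hours later, is what a defender would check for a persistence mechanism before cleaning again. The PowerShell below is an added example, not code from the poster or the BleepingComputer helper; it assumes an elevated prompt on the affected Windows 7 machine, sticks to cmdlets available in the PowerShell 2.0 that Windows 7 ships with, and the function names are my own.

```powershell
# Added example: defender-side checks for a svchost.exe that keeps coming back.
# (1) list svchost.exe processes whose image is outside the Windows system directories,
# (2) report on the Temp copy named in post #1 if it is present again, and
# (3) search the usual autostart locations for a reference to it, since recurrence
#     after quarantine usually means something re-creates or re-launches the file.

$suspectPath = Join-Path $env:LOCALAPPDATA 'Temp\svchost.exe'   # path from post #1
$systemDirs  = @("$env:windir\System32\", "$env:windir\SysWOW64\")

function Get-RogueSvchost {
    # A genuine svchost.exe only ever runs from System32 (or SysWOW64 on x64 Windows).
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object {
            $p = $_.Path   # $null when we lack rights to read the image path (protected system processes)
            $p -and -not ($systemDirs | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
        } |
        Select-Object Id, Path, StartTime
}

function Get-Sha256 {
    # Get-FileHash needs PowerShell 4.0, so hash with .NET directly.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Test-SuspectFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # absent: quarantine has held so far
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Created   = $item.CreationTime     # compare with the time of the repeat Malwarebytes detection
        Signature = $sig.Status            # Microsoft's own svchost.exe is 'Valid'; a dropped copy normally is not
        SHA256    = Get-Sha256 $Path       # keep this for the helper or a reputation lookup
    }
}

function Find-AutostartReference {
    param([string]$Needle)
    # Run/RunOnce plus the Winlogon keys (FRST flagged the user's Winlogon Shell value above).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            # skip PowerShell's own PSPath/PSParentPath note properties
            if (($v.Name -notlike 'PS*') -and ($v.Value -is [string]) -and ($v.Value -like "*$Needle*")) {
                New-Object PSObject -Property @{ Location = $key; Name = $v.Name; Command = $v.Value }
            }
        }
    }
    # Scheduled task definitions are XML files under System32\Tasks. Grep them rather than
    # parsing schtasks output, whose column names are localised (this PC runs Spanish Windows).
    Get-ChildItem "$env:windir\System32\Tasks" -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-String -SimpleMatch $Needle -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{ Location = 'Scheduled task'; Name = $_.Path; Command = $_.Line.Trim() }
        }
}

"== svchost.exe processes running outside the system directories =="
Get-RogueSvchost | Format-Table -AutoSize
"== state of $suspectPath =="
$f = Test-SuspectFile $suspectPath
if ($f) { $f | Format-List } else { "not present" }
"== autostart entries that mention a svchost.exe in Temp =="
Find-AutostartReference 'Temp\svchost.exe' | Select-Object Location, Name, Command | Format-Table -AutoSize
```

An empty third section with the file still returning points at a launcher FRST does not whitelist (a service, a driver, or a task in a subfolder), which is exactly why the helper asks for the full Addition.txt as well.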




#2 olgun52 (Malware Response Team)

Posted 22 February 2017 - 02:37 PM

Hello ergsdrgdfuno and Welcome to the BleepingComputer. :welcome:  
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.

Thanks
    
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
 ==============================
 
Addition.txt is created by default from the first run of FRST. Can you check inside this folder: C:\FRST\Logs? I need to see that log before we progress. If there is no Addition log inside the Logs folder, run the FRST scan one more time, ensuring "Addition" is checked in the optional scan box.

 

Sincerely
:hello:


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 ergsdrgdfuno (Topic Starter)

Posted 23 February 2017 - 09:24 AM

Hello Yılmaz! Thank you for your fast reply and sorry for the delay.

I have two questions.

1. I have an external drive, but it was not connected at the time of the attack. I have not connected it for fear of it being infected. Is it necessary to connect the drive for the scans?

2. I'm not sure if I have cracked software because sometimes I share the computer with my son and other family relatives. Is there a way of knowing if this happens?

This is the FRST scan.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-02-2017
Ran by roberto (administrator) on ROTO-PC (23-02-2017 07:50:32)
Running from C:\Users\roberto\Desktop
Loaded Profiles: roberto (Available Profiles: roberto)
Platform: Microsoft Windows 7 Ultimate  (X86) Language: Español (España, internacional)
Internet Explorer Version 8 (Default browser: "C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe" -osint -url "%1")
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKLM\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Control Panel\Desktop\\SCRNSAVE.EXE ->
ShellExecuteHooks: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 1 (GFS Unread Stub)] -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 2 (GFS Stub)] -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)] -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 3 (GFS Folder)] -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 4 (GFS Unread Mark)] -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.2.9.18 10.3.9.18 10.3.1.100
Tcpip\..\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15}: [DhcpNameServer] 10.2.9.18 10.3.9.18 10.3.1.100
Tcpip\..\Interfaces\{A53290CC-D57F-47D1-8BAF-C1B504C48810}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKLM -> DefaultScope {E921F400-D383-4B1B-9DE6-FCFCACFC1173} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL => No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2012-09-03] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2012-09-03] (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL No File
Prefixes: [home]=>  <==== ATTENTION
Prefixes: [www]=>  <==== ATTENTION
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF DefaultProfile: kbp5rj4x.default
FF ProfilePath: C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default [2017-02-23]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\kbp5rj4x.default -> DuckDuckGo
FF Extension: (Clear Console) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\clearConsole@penzil.com.xpi [2016-11-10]
FF Extension: (MEGA) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\firefox@mega.co.nz.xpi [2017-02-18]
FF Extension: (Facebook™ Disconnect) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid0-dBgF7UkIiOsWqvBng4hYu@jetpack.xpi [2016-11-10]
FF Extension: (AdF.ly Skipper ★WORKING★) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid0-hyjN250ZzTOOX3evFwwAQBxE4ik@jetpack.xpi [2016-04-29]
FF Extension: (Google search link fix) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid0-XWJxt5VvCXkKzQK99PhZqAn7Xbg@jetpack.xpi [2017-01-31]
FF Extension: (Lightbeam) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2016-11-09]
FF Extension: (uBlock Origin) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\uBlock0@raymondhill.net.xpi [2017-02-20]
FF Extension: (uMatrix) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\uMatrix@raymondhill.net.xpi [2016-11-09]
FF Extension: (Clean Links) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{158d7cb3-7039-4a75-8e0b-3bd0a464edd2}.xpi [2016-11-09]
FF Extension: (FirefoxAdKiller) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{b1df372d-8b32-4c7d-b6b4-9c5b78cf6fb1}.xpi [2016-05-12]
FF Extension: (Video DownloadHelper) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-12-30]
FF Extension: (Adblock Plus) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF Extension: (Greasemonkey) - C:\Users\roberto\AppData\Roaming\Mozilla\Firefox\Profiles\kbp5rj4x.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2017-02-23]
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2012-09-03] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2012-09-03] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-07-27] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3303888 2017-01-20] (Malwarebytes)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
S2 ZAMSvc; C:\Program Files\Zemana AntiMalware\ZAM.exe [14416624 2017-02-02] (Copyright 2017.)
S3 Microsoft Office Groove Audit Service; "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 bomebus; C:\Windows\System32\DRIVERS\bomebus.sys [27720 2010-10-13] (Bome Software)
S3 bomemidi; C:\Windows\System32\drivers\bomemidi.sys [24136 2010-10-13] (Bome Software)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [219584 2017-02-23] (Malwarebytes)
R3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347136 2009-07-13] (Realtek Semiconductor Corporation                           )
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [477240 2012-07-18] (Duplex Secure Ltd.)
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [25216 2010-02-25] (The OpenVPN Project)
S1 ZAM; C:\Windows\System32\drivers\zam32.sys [181496 2017-02-15] (Zemana Ltd.)
S1 ZAM_Guard; C:\Windows\System32\drivers\zamguard32.sys [181496 2017-02-15] (Zemana Ltd.)
U0 Partizan; system32\drivers\Partizan.sys [X]
S3 WISOVD; \??\C:\Program Files\WinISO Computing\WinISO\bin\driver\WISOVD_win7_x86.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-23 07:50 - 2017-02-23 07:50 - 00000000 ____D C:\Users\roberto\Desktop\FRST-OlderVersion
2017-02-22 11:44 - 2017-02-22 11:44 - 00039366 _____ C:\Users\roberto\Desktop\Addition.txt
2017-02-22 11:43 - 2017-02-23 07:50 - 00010287 _____ C:\Users\roberto\Desktop\FRST.txt
2017-02-22 11:41 - 2017-02-23 07:50 - 01765376 _____ (Farbar) C:\Users\roberto\Desktop\FRST.exe
2017-02-22 11:35 - 2017-02-22 11:35 - 01764864 _____ (Farbar) C:\Users\roberto\Downloads\FRST.exe
2017-02-21 20:53 - 2017-02-21 21:34 - 109274968 _____ (Kaspersky Lab ZAO) C:\Users\roberto\Downloads\KVRT.exe
2017-02-21 15:16 - 2017-02-21 15:16 - 00001460 _____ C:\Users\roberto\Desktop\mb2.txt
2017-02-21 15:03 - 2017-02-23 07:49 - 00219584 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-21 15:03 - 2017-02-22 09:10 - 00094656 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-02-21 15:03 - 2017-02-22 09:10 - 00039360 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-02-21 15:03 - 2017-02-21 16:31 - 00152512 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-02-21 15:03 - 2017-02-21 16:07 - 00063264 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-02-21 15:03 - 2017-02-21 15:03 - 00002069 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-21 15:03 - 2017-02-21 15:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-21 15:03 - 2017-01-20 07:47 - 00059976 _____ C:\Windows\system32\Drivers\mbae.sys
2017-02-21 15:02 - 2017-02-21 15:02 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-21 14:48 - 2017-02-21 14:57 - 00007709 _____ C:\Users\roberto\Desktop\MB-CheckResult.txt
2017-02-21 14:35 - 2017-02-21 14:36 - 02070992 _____ (Malwarebytes Corporation) C:\Users\roberto\Downloads\mb-check-3.0.3.1005.exe
2017-02-21 07:39 - 2017-02-23 07:50 - 00000000 ____D C:\FRST
2017-02-21 07:35 - 2017-02-21 07:35 - 00566128 _____ (Malwarebytes) C:\Users\roberto\Downloads\mbam-clean-2.3.0.1001.exe
2017-02-21 07:30 - 2017-02-21 07:30 - 01663040 _____ (Malwarebytes) C:\Users\roberto\Downloads\JRT.exe
2017-02-20 16:03 - 2017-02-20 16:05 - 55566792 _____ (Malwarebytes ) C:\Users\roberto\Downloads\mb3-setup-consumer-3.0.6.1469.exe
2017-02-20 13:38 - 2017-02-20 13:38 - 00000000 ____D C:\Users\roberto\AppData\Local\VS Revo Group
2017-02-20 13:37 - 2017-02-20 13:37 - 00001279 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2017-02-20 13:37 - 2017-02-20 13:37 - 00000000 ____D C:\ProgramData\VS Revo Group
2017-02-20 13:37 - 2017-02-20 13:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2017-02-20 13:37 - 2017-02-20 13:37 - 00000000 ____D C:\Program Files\VS Revo Group
2017-02-20 13:37 - 2016-12-21 14:52 - 00035632 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2017-02-20 13:18 - 2017-02-20 13:19 - 11523496 _____ (VS Revo Group ) C:\Users\roberto\Downloads\RevoUninProSetup.exe
2017-02-17 08:49 - 2017-02-17 08:49 - 00000000 ____D C:\Users\roberto\Downloads\mbam-chameleon-3.1.33.0
2017-02-16 14:43 - 2017-02-21 15:37 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2017-02-15 15:37 - 2017-02-15 15:37 - 00001114 _____ C:\Users\roberto\Desktop\iExplore.exe - Acceso directo.lnk
2017-02-15 15:18 - 2017-02-15 15:18 - 00001017 _____ C:\Users\Public\Desktop\FileASSASSIN.lnk
2017-02-15 15:18 - 2017-02-15 15:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2017-02-15 15:18 - 2017-02-15 15:18 - 00000000 ____D C:\Program Files\FileASSASSIN
2017-02-15 15:15 - 2017-02-15 15:16 - 16563352 _____ (Malwarebytes Corp.) C:\Users\roberto\Downloads\mbar-1.09.3.1001.exe
2017-02-15 15:15 - 2017-02-15 15:15 - 00167034 _____ C:\Users\roberto\Downloads\fileassassin-setup-1.06.exe
2017-02-15 15:15 - 2017-02-15 15:15 - 00065232 _____ (Malwarebytes) C:\Users\roberto\Downloads\regassassin-setup-1.03.exe
2017-02-15 15:13 - 2017-02-15 15:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2017-02-15 15:13 - 2017-02-15 15:13 - 00000000 ____D C:\Program Files\7-Zip
2017-02-15 15:05 - 2017-02-15 16:22 - 00000000 ____D C:\Program Files\HitmanPro
2017-02-15 15:05 - 2017-02-15 15:05 - 00001897 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-02-15 15:05 - 2017-02-15 15:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2017-02-15 13:17 - 2017-02-15 13:17 - 00430280 _____ (ESET) C:\Users\roberto\Downloads\esetsirefefcleaner.exe
2017-02-15 13:17 - 2017-02-15 13:17 - 00001114 _____ C:\Users\roberto\Downloads\esetsirefefcleaner.exe_20170215.131748.1512.zip
2017-02-15 13:09 - 2017-02-15 13:10 - 00000020 _____ C:\Users\roberto\defogger_reenable
2017-02-15 12:23 - 2017-02-15 12:23 - 01110564 _____ (Igor Pavlov) C:\Users\roberto\Downloads\7z1604.exe
2017-02-15 12:21 - 2017-02-15 12:21 - 06705178 _____ C:\Users\roberto\Downloads\mbam-chameleon-3.1.33.0.zip
2017-02-15 10:15 - 2017-02-15 10:15 - 00181496 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard32.sys
2017-02-15 10:15 - 2017-02-15 10:15 - 00181496 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam32.sys
2017-02-15 10:15 - 2017-02-15 10:15 - 00001937 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2017-02-15 10:15 - 2017-02-15 10:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-02-15 10:02 - 2017-02-15 10:03 - 05677776 _____ (Zemana Ltd. ) C:\Users\roberto\Downloads\Zemana.AntiMalware.Setup.exe
2017-02-15 09:27 - 2017-02-15 16:02 - 00000392 _____ C:\Windows\system32\.crusader
2017-02-15 09:23 - 2017-02-21 22:49 - 00000153 _____ C:\Users\roberto\Desktop\mailcomp1.txt
2017-02-15 08:17 - 2017-02-15 08:17 - 00000022 _____ C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170215.081726.3828.zip
2017-02-14 21:29 - 2017-02-16 16:09 - 00409344 _____ C:\Users\roberto\Desktop\regrunlog.txt
2017-02-14 20:03 - 2017-02-20 16:42 - 01523880 _____ C:\Windows\ntbtlog.txt
2017-02-14 19:37 - 2017-02-21 16:30 - 00037491 _____ C:\Windows\ZAM.krnl.trace
2017-02-14 19:37 - 2017-02-21 16:30 - 00010060 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-02-14 19:37 - 2017-02-15 10:15 - 00000000 ____D C:\Program Files\Zemana AntiMalware
2017-02-14 19:37 - 2017-02-14 14:22 - 00000000 ____D C:\Users\roberto\AppData\Local\Zemana
2017-02-14 19:34 - 2017-02-14 20:06 - 00000588 __RSH C:\ProgramData\ntuser.pol
2017-02-10 10:04 - 2017-02-14 16:26 - 00000000 ____D C:\ProgramData\Innovative Solutions
2017-02-10 10:04 - 2017-02-14 14:24 - 00000000 ____D C:\Program Files\Common Files\Innovative Solutions
2017-02-10 10:04 - 2017-02-14 14:22 - 00000000 ____D C:\Users\roberto\AppData\Local\Innovative Solutions
2017-02-10 09:41 - 2017-02-10 09:41 - 00000000 ____D C:\Users\roberto\AppData\Roaming\Obsidium
2017-02-10 01:53 - 2017-02-15 12:14 - 00000000 ____D C:\AdwCleaner
2017-02-10 01:41 - 2017-02-10 01:43 - 143174936 _____ (Microsoft Corporation) C:\Users\roberto\Downloads\msert.exe
2017-02-10 01:33 - 2017-02-10 01:33 - 04015056 _____ C:\Users\roberto\Downloads\adwcleaner_6.043.exe
2017-02-10 01:13 - 2017-02-15 09:26 - 00000000 ____D C:\ProgramData\HitmanPro
2017-02-09 20:30 - 2017-02-23 07:47 - 00002778 _____ C:\Users\roberto\Desktop\Rkill.txt
2017-02-09 20:28 - 2017-02-09 20:28 - 00000022 _____ C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170209.202809.4088.zip
2017-02-09 20:23 - 2017-02-09 20:23 - 00050477 _____ C:\Users\roberto\Downloads\Defogger.exe
2017-02-09 20:05 - 2017-02-09 20:05 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\roberto\Downloads\iExplore.exe
2017-02-09 18:49 - 2017-02-09 18:49 - 00518272 _____ (ESET) C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe
2017-02-09 18:44 - 2017-02-09 18:44 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\roberto\Downloads\rkill.com
2017-02-09 18:02 - 2017-02-09 18:02 - 11581544 _____ (SurfRight B.V.) C:\Users\roberto\Downloads\HitmanPro_x64.exe
2017-02-09 18:01 - 2017-02-09 18:02 - 11005320 _____ (SurfRight B.V.) C:\Users\roberto\Downloads\hitmanpro.exe
2017-02-08 08:17 - 2017-02-14 14:24 - 00000000 ____D C:\Users\roberto\Downloads\ProcessExplorer
2017-02-03 20:03 - 2017-02-03 20:03 - 01932769 _____ C:\Users\roberto\Downloads\ProcessExplorer.zip
2017-02-03 17:59 - 2017-02-03 18:57 - 00001299 _____ C:\0
2017-02-03 13:59 - 2017-02-03 13:59 - 00000012 _____ C:\Users\roberto\Desktop\sfcd.txt
2017-02-03 13:55 - 2017-02-23 07:45 - 00000000 ____D C:\Users\roberto\AppData\LocalLow\Mozilla
2017-02-01 16:39 - 2017-02-14 14:24 - 00000000 ____D C:\Windows\pss
2017-02-01 12:18 - 2017-02-01 12:18 - 00058155 _____ C:\Users\roberto\Desktop\Filecheckreport.txt
2017-02-01 08:49 - 2017-02-14 14:22 - 00000000 ____D C:\Windows\RestoreSafeDeleted
2017-02-01 07:29 - 2017-02-14 14:24 - 00000000 ____D C:\Users\roberto\AppData\Roaming\dvdcss

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-23 07:40 - 2012-06-11 09:01 - 00000000 ____D C:\Program Files\UnHackMe
2017-02-23 07:40 - 2012-06-11 08:57 - 00000000 ____D C:\Program Files\WinISO Computing
2017-02-23 07:39 - 2016-01-23 23:59 - 00000000 ____D C:\Program Files\USB Safely Remove
2017-02-23 07:38 - 2016-01-24 00:02 - 00000000 ____D C:\Users\roberto\AppData\Roaming\USBSafelyRemove
2017-02-23 07:38 - 2012-06-11 09:21 - 00000000 ____D C:\Users\roberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\USB Safely Remove
2017-02-23 07:36 - 2012-06-11 09:05 - 00000372 _____ C:\Windows\system32\PARTIZAN.TXT
2017-02-23 07:27 - 2011-01-09 21:13 - 00000000 ____D C:\Program Files\Microsoft Office
2017-02-21 16:30 - 2009-07-13 22:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-21 16:30 - 2009-07-13 22:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-21 16:27 - 2009-07-13 22:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-21 16:24 - 2009-07-13 20:37 - 00000000 ____D C:\Windows\inf
2017-02-21 15:41 - 2011-01-09 19:00 - 00000000 ____D C:\Users\roberto
2017-02-21 15:02 - 2012-04-19 01:29 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-20 13:55 - 2015-12-21 02:20 - 00000000 ____D C:\Users\roberto\Downloads\wint2015
2017-02-16 16:09 - 2015-11-21 10:02 - 00000000 ____D C:\Users\roberto\Documents\RegRun2
2017-02-15 09:27 - 2011-01-09 20:55 - 00000000 ____D C:\Program Files\WinRAR
2017-02-15 08:14 - 2009-07-13 22:53 - 00032630 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-02-14 14:24 - 2015-11-17 05:28 - 00000000 ____D C:\Program Files\Mozilla Firefox 4.0 Beta 10
2017-02-14 14:24 - 2012-03-24 22:38 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-02-14 14:24 - 2011-04-30 14:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ableton
2017-02-14 14:24 - 2009-07-13 20:37 - 00000000 ____D C:\Windows\registration
2017-02-14 14:24 - 2009-07-13 20:37 - 00000000 ____D C:\Windows\AppCompat
2017-02-10 03:49 - 2012-09-10 11:46 - 00000000 ____D C:\Users\roberto\AppData\Roaming\vlc
2017-02-10 03:18 - 2011-01-09 19:03 - 00006528 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-10 03:18 - 2009-07-14 02:48 - 19898132 _____ C:\Windows\system32\perfh00A.dat
2017-02-10 03:18 - 2009-07-14 02:48 - 07470144 _____ C:\Windows\system32\perfc00A.dat
2017-02-01 17:21 - 2013-11-09 10:44 - 00001668 _____ C:\Windows\system32\ASOROSet.bin
2017-02-01 17:14 - 2013-11-09 10:43 - 00000000 ____D C:\Windows\system32\config\RCCBakup
2017-02-01 16:39 - 2015-11-02 03:07 - 00000000 ____D C:\Users\roberto\AppData\Local\ElevatedDiagnostics
2017-02-01 13:38 - 2012-06-11 09:01 - 00000002 RSHOT C:\Windows\winstart.bat
2017-02-01 13:38 - 2009-07-13 20:04 - 00002577 _____ C:\Windows\system32\config.nt
2017-02-01 13:38 - 2009-07-13 20:04 - 00001688 _____ C:\Windows\system32\autoexec.nt
2017-02-01 13:03 - 2012-11-27 13:35 - 00000374 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2017-02-01 10:43 - 2009-07-13 22:52 - 00000000 ____D C:\Windows\Downloaded Program Files
2017-01-31 16:21 - 2017-01-18 07:41 - 00000000 ____D C:\Users\roberto\Downloads\11
2017-01-31 12:29 - 2017-01-16 04:08 - 00000000 ____D C:\Users\roberto\Downloads\musto
2017-01-31 12:28 - 2017-01-16 04:12 - 00000000 ____D C:\Users\roberto\Downloads\wint2016
2017-01-31 09:45 - 2016-11-25 01:13 - 00000000 ____D C:\Users\roberto\Downloads\Aut2016

==================== Files in the root of some directories =======

2016-05-23 09:51 - 2016-05-23 09:51 - 0000034 _____ () C:\Users\roberto\AppData\Roaming\AdobeWLCMCache.dat
2015-10-29 11:23 - 2015-11-01 09:50 - 0033280 __RSH () C:\Users\roberto\AppData\Roaming\Thumbs.db
2015-11-19 02:32 - 2016-01-12 19:57 - 0007607 ____R () C:\Users\roberto\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-14 16:06

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 23-02-2017
Ran by roberto (23-02-2017 07:51:17)
Running from C:\Users\roberto\Desktop
Microsoft Windows 7 Ultimate  (X86) (2011-01-10 01:00:13)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrador (S-1-5-21-2915382099-2896471491-3075281560-500 - Administrator - Disabled)
HomeGroupUser$ (S-1-5-21-2915382099-2896471491-3075281560-1002 - Limited - Enabled)
Invitado (S-1-5-21-2915382099-2896471491-3075281560-501 - Limited - Disabled)
roberto (S-1-5-21-2915382099-2896471491-3075281560-1000 - Administrator - Enabled) => C:\Users\roberto

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.04 (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Reader X (10.1.4) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.4 - Adobe Systems Incorporated)
DivX Setup (HKLM\...\DivX Setup) (Version: 2.6.0.34 - DivX, LLC)
FileASSASSIN (HKLM\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
FontManagementSystem (HKLM\...\{3F2E8044-BA23-4604-AB00-BB164410964C}) (Version: 4.3.0 - Summitsoft)
FUJIFILM MyFinePix Studio 2.0 (HKLM\...\FinePix Genie_is1) (Version:  - )
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.15.281 - SurfRight B.V.)
Java 7 Update 7 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217007FF}) (Version: 7.0.70 - Oracle)
Java™ 6 Update 29 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216023FF}) (Version: 6.0.290 - Oracle)
JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Malwarebytes versión 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.10411.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 - ENU (HKLM\...\{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 Runtime (HKLM\...\{299C0434-4F4E-341F-A916-4E07AEB35E79}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 51.0.1.6234 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
Revo Uninstaller Pro 3.1.8 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.8 - VS Revo Group, Ltd.)
Update Manager (Version: 4.60 - Corel Corporation) Hidden
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Zemana AntiMalware (HKLM\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.72.101 - Zemana Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {13EEB900-6E48-44D1-A63D-FD8B47071B95} - System32\Tasks\{7E1102E6-FCC3-4595-8754-33BEBA44F1CF} => pcalua.exe -a "C:\Program Files\vghd\uninstall.exe" -d "C:\Program Files\vghd"
Task: {15DD26BF-5565-46AF-9B7B-212C5E7C4638} - System32\Tasks\{265236C0-9EA6-47E9-BA74-45190914D3A6} => pcalua.exe -a C:\Windows\system32\DivXControlPanelApplet.cpl -c DivX Control Panel
Task: {174E1BC4-52BE-4917-A3FA-0B96838E968D} - System32\Tasks\{9F25AE14-58C6-4EDA-B4C8-247A92E54702} => pcalua.exe -a C:\Users\roberto\Downloads\abrViewer.Net_1.0.2_Install.exe -d "C:\Users\roberto\Downloads\Nueva carpeta (2)\Thousands\Thousands\Thousands of Fonts\Fonts & Brushes\Brushes"
Task: {17D1F221-7D11-4A41-9DB6-4C4AA798A148} - System32\Tasks\{95313EE9-31AB-45EF-962B-C59819246003} => pcalua.exe -a "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VirtuaGirls\angsha_full.EXE" -d "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VirtuaGirls (the data entry has 1 more characters).
Task: {24C41DC3-B18C-45E1-972D-37D33A983F53} - System32\Tasks\{B2108543-5FC3-4C27-B327-325A49BF773C} => pcalua.exe -a "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG2 Extra Girls\christineyoung.exe" -d "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG2  (the data entry has 12 more characters).
Task: {2598A32E-B6DC-4DE1-846A-28F7A4E226FB} - System32\Tasks\{AFF5B8B4-8FF9-44D5-BDF6-F867E3B0E71D} => pcalua.exe -a "D:\Japanese Mega Learning Pack\08.Miscellaneous\Game\Knuckles\KnucklesSetup\Setup.Exe" -d "D:\Japanese Mega Learning Pack\08.Miscellaneous\Game\Knuckles\KnucklesSetup"
Task: {25E01A44-87E5-461F-981E-C43C25510A0A} - System32\Tasks\{733219A0-9596-4868-8DC9-994C71117FEA} => C:\Program Files\abalonekiss\姫酪農\Himerakuno.exe
Task: {31254CB1-0F0A-425C-B874-257B4A99E230} - \Your File Updater -> No File <==== ATTENTION
Task: {3362EC5C-5B32-4174-B44D-EFAE90B76BFB} - System32\Tasks\{FB0FC81A-A988-4644-82D0-0ACDC8E2B91E} => C:\Program Files\abalonekiss\姫酪農\Himerakuno.exe
Task: {3B025CB8-26FF-4CBF-AC24-34F8ECB09BB2} - System32\Tasks\{FDA260C1-9B52-424F-893D-1A4AC4890F66} => pcalua.exe -a C:\Windows\system32\pcwrun.exe -c "C:\Program Files\FUJIFILM\MyFinePix Studio\Loader.exe"
Task: {3D6CF0A6-A0EE-4849-A353-C3511BC36198} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2915382099-2896471491-3075281560-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
Task: {406FFAD1-E1A4-46CA-8879-24618C4E9B38} - \ParetoLogic Registration3 -> No File <==== ATTENTION
Task: {43237398-F9B9-4D6D-A78A-C893ECEC8EC5} - System32\Tasks\{D5BE2247-0101-48D6-960A-D04A72FBE9F5} => pcalua.exe -a C:\PROGRA~1\DAP\DAPREMOVE.EXE
Task: {47A7B0B7-7E34-44CF-B7AB-52A727AC32CE} - System32\Tasks\{A585D31F-2DFD-4CD8-A441-514501206D26} => pcalua.exe -a "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG2 Extra Girls\sunnyleone.exe" -d "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG2 Extr (the data entry has 8 more characters).
Task: {4B868E24-D150-4610-A4C3-ADAFA6E6BC6C} - System32\Tasks\{C80534E4-2170-4AC0-9FDF-94BB8351AC9B} => pcalua.exe -a "C:\Users\roberto\Desktop\Nueva carpeta\DirectX9c\DXSETUP.exe" -d "C:\Users\roberto\Desktop\Nueva carpeta\DirectX9c"
Task: {4C6D5FCE-463F-4F1E-AD8F-C918ADDFD029} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-2915382099-2896471491-3075281560-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
Task: {4CE280E2-3E49-4DE9-AAB5-02D68BE837ED} - System32\Tasks\{7D819F7F-F168-41C0-B82E-09133A047145} => C:\Program Files\abalonekiss\姫酪農\Himerakuno.exe
Task: {57CB8033-4D88-463A-9D3B-CFCDDDC2DB2A} - \ParetoLogic Update Version3 Startup Task -> No File <==== ATTENTION
Task: {5968C8D1-D443-48EC-8187-9CA28B473EEB} - System32\Tasks\{40EE0B60-A3F5-46A0-B941-478D55D28E87} => pcalua.exe -a "C:\Users\roberto\Downloads\[160814] [SPLUSH WAVE] Crystal Mahjongg [Comiket 90]\(C90) (同人ゲーム) [160814] [SPLUSH WAVE] Crystal Mahjongg\setup.exe" -d "C:\Users\roberto\Downloads\[160814] [SPLUSH WAVE] Crystal Mahjongg [Comiket 90]\(C90) (同人ゲーム) [160814] [SPLUSH WAVE] Crystal Mahjongg"
Task: {5DD9E2CC-9843-46C6-B992-E3C0C9016383} - System32\Tasks\{8D92E647-024A-47F9-9CA6-244BBF295C54} => pcalua.exe -a "C:\Users\roberto\Downloads\Renueva IP v.1.3 - CSoft Solutions.exe" -d C:\Users\roberto\Downloads
Task: {652D6800-0CB0-442B-A2EE-28302EBC72B5} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2915382099-2896471491-3075281560-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
Task: {6754843A-B410-4E9C-A0E8-A60D802CC7A7} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-2915382099-2896471491-3075281560-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
Task: {6F2A3633-91DD-4FF1-8FBC-82B78389D21D} - System32\Tasks\{813E2B83-F2F7-430A-8908-B82BED05DB71} => C:\Program Files\abalonekiss\姫酪農\Himerakuno.exe
Task: {71ED3092-5EE4-4F9B-B7D7-59467131764A} - System32\Tasks\{D724E14A-4AB3-4996-AE2D-77906A9C0BAA} => pcalua.exe -a C:\Windows\system32\pcwrun.exe -c "C:\Program Files\Renueva IP\Renueva IP.exe"
Task: {73ADA4E2-7FB1-4947-A609-B52043DEE039} - System32\Tasks\{24CDDA86-E786-4A2F-A960-F2D18C1D06E1} => pcalua.exe -a C:\Users\roberto\Downloads\re3_install_win.exe -d C:\Users\roberto\Downloads
Task: {76336977-1C3A-4508-9047-B87C0E25480F} - System32\Tasks\{CCD9796B-AA4C-4D3F-9D29-95EB46F5697A} => C:\Program Files\abalonekiss\姫酪農\Himerakuno.exe
Task: {78A79DDA-7B74-4778-A2AA-005F93B1DF2B} - System32\Tasks\{377411D4-8E21-44AC-A67A-8FDFFC4C6B23} => pcalua.exe -a C:\Users\roberto\AppData\Local\Temp\DAPREMOVE.EXE -d C:\Users\roberto\AppData\Local\Temp <==== ATTENTION
Task: {7E6E8A08-AD5C-403E-911C-B017E819F156} - System32\Tasks\{70B032FA-F9B5-4DC7-8963-DA5B8C1E5838} => pcalua.exe -a C:\PROGRA~1\Ableton\LIVE82~1.1\Install\UNWISE.EXE -c C:\PROGRA~1\Ableton\LIVE82~1.1\Install\INSTALL.LOG
Task: {7EF3E046-DCF0-4421-88DB-3ADDB5A630F6} - System32\Tasks\{6E67A74B-5BC9-41A9-8066-628FAC3AFA9E} => pcalua.exe -a "C:\Program Files\UnHackMe\unins000.exe"
Task: {8A0D9152-FAA8-4E44-AE8A-09F14147D7A8} - System32\Tasks\{D93416D0-2470-49BA-BE55-76D18DD5BFB0} => pcalua.exe -a C:\Users\roberto\Desktop\imei\MTKUSB_Driver_6235\InstallDriver.exe -d C:\Users\roberto\Desktop\imei\MTKUSB_Driver_6235
Task: {929EAD1C-2617-4257-8C42-ECE8772E472D} - System32\Tasks\{5F3C09B7-46E5-485F-9482-5010197676D7} => C:\Program Files\iTunes\iTunes.exe
Task: {9B21A49E-77E7-4A7D-93C1-888261568F29} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2915382099-2896471491-3075281560-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe
Task: {9D483624-7F4A-4037-9BEE-1F50BE70A1A9} - System32\Tasks\{22997B04-7F07-4A59-924A-6B9F399ECFD5} => C:\Program Files\iTunes\iTunes.exe
Task: {A16B3927-CF8C-4AD5-80CC-11661FDEB356} - System32\Tasks\{2C5E9B82-8963-4705-B486-A56ADBDC6984} => C:\Program Files\FUJIFILM\MyFinePix Studio\Loader.exe [2013-07-10] ()
Task: {B2130389-9078-42C7-A2E8-39D592863569} - System32\Tasks\{855DC89F-3287-4205-BE98-B8E262B39CCC} => pcalua.exe -a "C:\Program Files\Ableton\Live 8.2.1\Program\InstallHelper.exe" -d "C:\Program Files\Ableton\Live 8.2.1\Program"
Task: {C1165B49-3151-4EA7-8F59-B828DF44CB57} - System32\Tasks\{7ADEEF8A-1B28-4CA4-8DAA-C5CFBCF6289F} => pcalua.exe -a "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG2 Extra Girls\ariagiovanni.exe" -d "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG2 Ex (the data entry has 10 more characters).
Task: {C35D6D39-D9FB-4992-8548-07AFEFBFF5F5} - System32\Tasks\{A6779566-FDC2-46FD-A436-6A8DDA7604DF} => C:\Program Files\abalonekiss\姫酪農\Himerakuno.exe
Task: {D2C6690B-62DA-44B3-A469-2E816F31A853} - \WS.Booster-S-667284051 -> No File <==== ATTENTION
Task: {D3E9E5AB-B722-4516-8F70-1B0042C34798} - System32\Tasks\{71C40D8F-89C5-4036-BC94-E53B727F6D01} => C:\Program Files\VideoLAN\VLC\vlc.exe [2016-06-01] (VideoLAN)
Task: {D7397DBE-E747-4554-AB3C-EA5C791CCC7A} - System32\Tasks\{099A7703-43C7-4A77-8C4E-6182F0AC6C3C} => pcalua.exe -a "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG2 Extra Girls\annamariegoddard.exe" -d "D:\musicapopular mexicana\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2.320.models\Virtua.Girl.2+320.models\VG (the data entry has 14 more characters).
Task: {DEC917F7-8CD1-4F5D-919E-67CEE97E5134} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-2915382099-2896471491-3075281560-1000 => C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
Task: {EFCF014E-036C-483A-94CD-DC60656E816D} - System32\Tasks\{40A9A99C-A683-45DA-A9F4-1A0418D2D097} => pcalua.exe -a "C:\Program Files\Vg\VirtuaGirl2.exe" -d C:\PROGRA~1\Vg
Task: {F0508E8F-56D2-4E09-95CC-7D531C0E9632} - System32\Tasks\{28A6B938-EC47-4A07-935C-02393423F435} => pcalua.exe -a "C:\Users\roberto\Desktop\Nueva carpeta\Install.exe" -d "C:\Users\roberto\Desktop\Nueva carpeta"
Task: {FB0B33C6-A79F-4D07-90E3-E9CAD2ED6C69} - System32\Tasks\UnHackMe Task Scheduler => C:\Program Files\UnHackMe\hackmon.exe
Task: {FD498123-681B-4B0A-AC1B-672D21121172} - System32\Tasks\{F7EA282B-A460-4F44-886C-526D29D17E6B} => pcalua.exe -a E:\setup.exe -d E:\
Task: {FDF8C924-0121-428B-949F-9BD8996C6123} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2915382099-2896471491-3075281560-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe
Task: {FFCEC211-CFF5-4034-8DA0-A72212694373} - System32\Tasks\{95CEC085-E066-444D-87DC-6C84115BD3EC} => C:\Program Files\FUJIFILM\MyFinePix Studio\Loader.exe [2013-07-10] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2017-02-21 15:03 - 2017-01-20 07:47 - 01732896 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2011-01-09 20:55 - 2010-03-15 11:28 - 00141824 _____ () C:\Program Files\WinRAR\rarext.dll
2017-02-15 10:15 - 2017-02-15 10:15 - 00130928 _____ () C:\Program Files\Zemana AntiMalware\ZAMShellExt32.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:04 - 2017-02-14 17:54 - 00000826 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 10.2.9.18 - 10.3.9.18
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: ST2012_Svc => 2
MSCONFIG\startupreg: ZAM => "C:\Program Files\Zemana AntiMalware\ZAM.exe" /minimized

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{8977D608-3961-4CF4-AFF6-17258C7783E0}C:\program files\videolan\vlc\vlc.exe] => (Allow) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{81FC59A1-8653-4E1F-AFDD-9DC0C2379E8F}C:\program files\videolan\vlc\vlc.exe] => (Allow) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [{6997565D-C5F4-42E4-B53D-919DC84F6A8B}] => (Allow) C:\Program Files\YourFileDownloader\Downloader.exe
FirewallRules: [{D270FDD8-7E60-4253-8C0D-3ACC0BD4EBA3}] => (Allow) C:\Program Files\YourFileDownloader\Downloader.exe
FirewallRules: [{7A5F7FE0-2AC5-4744-BA4A-0C6423AE93A3}] => (Allow) C:\Program Files\YourFileDownloader\YourFile.exe
FirewallRules: [{2AE7283E-4CCC-44D3-AB8D-010BBF322680}] => (Allow) C:\Program Files\YourFileDownloader\YourFile.exe
FirewallRules: [TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe] => (Allow) C:\program files\1clickdownload\1clickdownloader.exe
FirewallRules: [UDP Query User{A3F30E8D-09F4-4257-91DF-F54927829808}C:\program files\1clickdownload\1clickdownloader.exe] => (Allow) C:\program files\1clickdownload\1clickdownloader.exe
FirewallRules: [TCP Query User{E7D05885-C964-4AC2-A32A-CB02463E7847}C:\program files\autodesk\showcase 2013\bin\showcase.exe] => (Block) C:\program files\autodesk\showcase 2013\bin\showcase.exe
FirewallRules: [UDP Query User{CAC47205-9617-4DEB-9C17-52CF417D0DC3}C:\program files\autodesk\showcase 2013\bin\showcase.exe] => (Block) C:\program files\autodesk\showcase 2013\bin\showcase.exe
FirewallRules: [{E3B660F3-EB29-4A10-A0F5-AEEE37D70FF5}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{797C642B-AD29-4DD7-BD9B-AF92CE4CCD40}] => (Allow) C:\Users\roberto\AppData\Local\Facebook\Video\Skype\FacebookVideoCalling.exe
FirewallRules: [{52DEA2A1-4A61-4A98-9317-642DD5571D17}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{B33CE76A-3A09-4601-887F-76A95E57D7A4}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{886F1525-99BF-41AA-B0A5-D92953BCD40C}C:\program files\touchosc bridge\touchosc bridge.exe] => (Allow) C:\program files\touchosc bridge\touchosc bridge.exe
FirewallRules: [UDP Query User{A0A58D8C-5C19-495F-A190-3DE7F8D3FD0E}C:\program files\touchosc bridge\touchosc bridge.exe] => (Allow) C:\program files\touchosc bridge\touchosc bridge.exe
FirewallRules: [TCP Query User{1E3D495F-618E-4315-A6E8-05E445E2989A}C:\users\roberto\desktop\beaubryte_droid_fighter\for apple ios\step 3 - install touchosc editor on computer\touchosceditor for pc.exe] => (Allow) C:\users\roberto\desktop\beaubryte_droid_fighter\for apple ios\step 3 - install touchosc editor on computer\touchosceditor for pc.exe
FirewallRules: [UDP Query User{EE4B3267-034C-4127-BCE9-80540A2F11D1}C:\users\roberto\desktop\beaubryte_droid_fighter\for apple ios\step 3 - install touchosc editor on computer\touchosceditor for pc.exe] => (Allow) C:\users\roberto\desktop\beaubryte_droid_fighter\for apple ios\step 3 - install touchosc editor on computer\touchosceditor for pc.exe
FirewallRules: [TCP Query User{FC13448F-97A1-4AFC-9DBB-5A3D6969EEA9}C:\users\roberto\documents\touchosceditor for pc.exe] => (Allow) C:\users\roberto\documents\touchosceditor for pc.exe
FirewallRules: [UDP Query User{223F0D37-9C45-4C9E-AEC7-D67574CFEA36}C:\users\roberto\documents\touchosceditor for pc.exe] => (Allow) C:\users\roberto\documents\touchosceditor for pc.exe
FirewallRules: [{89DF06AB-A550-4C60-B3D6-D269E8F6EA91}] => (Allow) C:\Windows\System32\msiexec.exe
FirewallRules: [{7FA99EDE-3032-42B6-B536-93ED3DA67744}] => (Allow) C:\Windows\System32\msiexec.exe
FirewallRules: [{DC5DBE90-F941-4FC3-98F5-26B6255FC55E}] => (Allow) C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe
FirewallRules: [{E6311066-44C0-46C8-AF37-59CA4F3F2A97}] => (Allow) C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe
FirewallRules: [{350C626F-13C6-443B-B02C-1CC9BC5E4581}] => (Allow) C:\Program Files\GoforFiles\goforfilesdl.exe
FirewallRules: [{0D8931F8-AE61-455E-9AAD-27D166087177}] => (Allow) C:\Program Files\GoforFiles\goforfilesdl.exe
FirewallRules: [{3B2B194F-DAE2-43B3-8A06-F1D7E13DBD24}] => (Allow) C:\Program Files\GoforFiles\GoforFiles.exe
FirewallRules: [{5CD38CA0-7106-4263-BBC5-5C14C6DBE469}] => (Allow) C:\Program Files\GoforFiles\GoforFiles.exe
FirewallRules: [{E4B5DDF0-7E83-451B-AA43-92BFF616EEA4}] => (Block) %ProgramFiles%\Common Files\Protexis\License Service\PsiService_2.exe
FirewallRules: [{03F6F195-B273-4B22-B1D0-A0D601FED6CA}] => (Block) %ProgramFiles%\Common Files\Protexis\License Service\PsiService_2.exe
FirewallRules: [{1256A931-B25B-4096-84AB-A24D5A0949EC}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\CorelDRW.exe
FirewallRules: [{4A84CD5E-CDDB-4C77-98F0-A444CEED19F2}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\CorelDRW.exe
FirewallRules: [{6A897B28-CC34-4BDC-A646-D516023E5FB7}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\CorelPP.exe
FirewallRules: [{2ED27542-C1AC-4B0A-9A57-60B233C6621F}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\CorelPP.exe
FirewallRules: [{37C2F3F6-692F-4C89-AD78-2D072DF47B32}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\CdrConv.exe
FirewallRules: [{61D7A579-CDC7-45DF-BC8B-6D9CA4DDBBE4}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\CdrConv.exe
FirewallRules: [{9FD78522-B6AF-44DE-B9A2-AD76870EC4B6}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\PrintWiz.exe
FirewallRules: [{7DB89461-FD14-4F27-A119-B5D4AB3D70C9}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\PrintWiz.exe
FirewallRules: [{6E097D0A-BA56-4DF4-A36C-F2A4AEE259AF}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\BarCode.exe
FirewallRules: [{E98D5BEB-6849-4DF1-B1C3-CA0575F8B5B9}] => (Block) %ProgramFiles%\Corel\CorelDRAW Graphics Suite X6\Programs\BarCode.exe
FirewallRules: [TCP Query User{7DD0A6F0-7E44-4B29-A543-FD84D669EAD4}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [UDP Query User{C30FAEE7-C869-4070-AD90-C49A4354E676}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [TCP Query User{99BFD05B-297F-4D85-A766-23B7AE71E87C}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [UDP Query User{F40F444C-437C-4866-AC43-D3B0E2BFE4D3}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [TCP Query User{0660B703-361A-432E-8EBE-A755450BD73E}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Block) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [UDP Query User{87A9E10E-EFE0-45F7-A138-425CE552F125}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Block) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [TCP Query User{E8114E2B-4361-40D1-8611-193B80A7720D}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Allow) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [UDP Query User{6DD364D8-1477-4073-A3D0-9F941C66240B}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Allow) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [{006F5F04-E83B-4CF9-89AF-87677C794F3A}] => (Allow) C:\Users\roberto\AppData\Local\Temp\nsl3299.tmp\Installer-camstudio.exe
FirewallRules: [{B1CC817F-3ED2-4864-BE98-8FDA781D3E15}] => (Allow) C:\Users\roberto\AppData\Local\Temp\nsl3299.tmp\Installer-camstudio.exe
FirewallRules: [TCP Query User{F2055899-8D64-4126-ABC5-9829FDE4896F}C:\program files\spyware terminator\spywareterminatorupdate.exe] => (Block) C:\program files\spyware terminator\spywareterminatorupdate.exe
FirewallRules: [UDP Query User{CF1C2DBA-C1DD-4C44-8043-52DE299BC04F}C:\program files\spyware terminator\spywareterminatorupdate.exe] => (Block) C:\program files\spyware terminator\spywareterminatorupdate.exe
FirewallRules: [TCP Query User{DA38D3CA-A58C-4BB3-AF5F-DDB7B87F3FAD}C:\program files\videolan\vlc\vlc.exe] => (Block) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{AA2C447E-A298-4E0E-A430-4A4D6DB1EB45}C:\program files\videolan\vlc\vlc.exe] => (Block) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [TCP Query User{C0DC9FDD-F0F0-4DAD-94E1-C3AE5337DECC}C:\users\roberto\appdata\roaming\utorrent\utorrent.exe] => (Block) C:\users\roberto\appdata\roaming\utorrent\utorrent.exe
FirewallRules: [UDP Query User{C4D86139-11A2-4746-BD60-4572E7C28AF0}C:\users\roberto\appdata\roaming\utorrent\utorrent.exe] => (Block) C:\users\roberto\appdata\roaming\utorrent\utorrent.exe
FirewallRules: [{6E0BD108-9E5E-4733-A9D0-215B0619D9F6}] => (Allow) C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
FirewallRules: [{B2E43FD5-5C94-44DE-850F-74194F856DB6}] => (Allow) C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
FirewallRules: [TCP Query User{3D61DED5-FE38-4CFB-939B-AA1C80C5065F}C:\users\roberto\appdata\roaming\utorrent\utorrent.exe] => (Block) C:\users\roberto\appdata\roaming\utorrent\utorrent.exe
FirewallRules: [UDP Query User{3D8678FA-8ACD-42BB-873C-2C4C2942B33A}C:\users\roberto\appdata\roaming\utorrent\utorrent.exe] => (Block) C:\users\roberto\appdata\roaming\utorrent\utorrent.exe

==================== Restore Points =========================

15-02-2017 10:10:39 RegRun Virus Scan
15-02-2017 10:30:14 RegRun Virus Scan
15-02-2017 12:31:01 Checkpoint by HitmanPro
15-02-2017 12:41:09 RegRun Virus Scan
20-02-2017 13:39:08 Revo Uninstaller Pro's restore point - Adobe Flash Player 24 ActiveX
20-02-2017 13:42:01 Revo Uninstaller Pro's restore point - Adobe Flash Player 24 NPAPI
20-02-2017 15:52:28 Revo Uninstaller Pro's restore point - Malwarebytes version 3.0.6.1469
21-02-2017 08:04:02 Removed Corel Graphics - Windows Shell Extension.
21-02-2017 14:59:27 Revo Uninstaller Pro's restore point - Malwarebytes versión 3.0.6.1469
21-02-2017 15:37:17 Checkpoint by HitmanPro

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/23/2017 07:43:58 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - Compresor WinRAR; error = 0x8007043c).

Error: (02/23/2017 07:42:40 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - Complemento Guardar como PDF de Microsoft para programas de Microsoft Office 2007; error = 0x8007043c).

Error: (02/23/2017 07:40:58 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - Paquete de compatibilidad para 2007 Office system; error = 0x8007043c).

Error: (02/23/2017 07:40:34 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - WinISO; error = 0x8007043c).

Error: (02/23/2017 07:40:16 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - Privacy Eraser Pro; error = 0x8007043c).

Error: (02/23/2017 07:39:23 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - UnHackMe 5.99 release; error = 0x8007043c).

Error: (02/23/2017 07:38:34 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - USB Safely Remove 5.0; error = 0x8007043c).

Error: (02/23/2017 07:37:23 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Error al generar el contexto de activación para "C:\Users\roberto\Downloads\HitmanPro_x64.exe".
No se encontró el ensamblado dependiente Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Use sxstrace.exe para obtener un diagnóstico detallado.

Error: (02/23/2017 07:33:54 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPRO /dll OSETUP.DLL; descripción = Removed Microsoft Office Visio Professional 2007; error = 0x8007043c).

Error: (02/23/2017 07:33:51 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: No se pudo crear el punto de restauración (proceso = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" ; descripción = Revo Uninstaller Pro's restore point - Microsoft Office Visio Professional 2007; error = 0x8007043c).


System errors:
=============
Error: (02/23/2017 07:50:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:50:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:50:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:49:59 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:49:59 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:49:59 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:49:56 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Proveedor de Grupo Hogar depende del servicio Host de proveedor de detección de función, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:49:56 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: Error de DCOM "1084" al intentar iniciar el servicio WSearch con argumentos "" para ejecutar el servidor:
{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (02/23/2017 07:49:55 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.

Error: (02/23/2017 07:49:55 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: El servicio Examinador de equipos depende del servicio Servidor, el cual no pudo iniciarse debido al siguiente error:
No se puede iniciar el servicio o grupo de dependencia.


==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+
Percentage of memory in use: 25%
Total physical RAM: 1790.49 MB
Available physical RAM: 1338.2 MB
Total Virtual: 3580.98 MB
Available Virtual: 3172.38 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:345.48 GB) (Free:51.4 GB) NTFS
Drive d: () (Fixed) (Total:585.94 GB) (Free:44.53 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 89BB7C42)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=345.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=585.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
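The Addition.txt above is what a malware-response helper reads when deciding which entries go into a fixlist. As an added example (not FRST's own code and not part of this thread), the Python below parses the Task and FirewallRules lines, unwraps pcalua.exe launchers so the real program is visible, and flags entries that FRST marks ATTENTION, that point at No File, or that live in a user Temp folder; the sample lines are copied from the log above.

```python
"""Triage helper for FRST Addition.txt 'Task:' and 'FirewallRules:' lines.

Added example, not FRST's own code. Flags the entries a helper looks at first:
  * lines FRST itself marks '<==== ATTENTION' (e.g. a task pointing at 'No File')
  * tasks or Allow rules whose program lives in a user Temp folder
    (the thread's Trojan.Agent.Gen svchost.exe was dropped in exactly that place)
  * tasks that start a program through pcalua.exe, which hides the real
    target behind '-a <path>'
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Task: {GUID} - <name> => <target>"  or  "Task: {GUID} - <name> -> No File <==== ATTENTION"
TASK_RE = re.compile(r'^Task: \{(?P<guid>[0-9A-F-]+)\} - (?P<name>.+?) (?:=>|->) (?P<target>.+)$')
# "FirewallRules: [<rule>] => (Allow|Block) <path>"
FW_RE = re.compile(r'^FirewallRules: \[(?P<rule>[^\]]+)\] => \((?P<action>Allow|Block)\) (?P<path>.+)$')
# Per-user temp folder, a classic drop location for droppers and their installers
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
# pcalua.exe -a "<quoted path>" ...   or   pcalua.exe -a <bare path> ...
PCALUA_RE = re.compile(r'^pcalua\.exe -a (?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')

ATTENTION = '<==== ATTENTION'


@dataclass
class Finding:
    kind: str                  # 'task' or 'firewall'
    name: str                  # task name or firewall rule id
    target: str                # program the entry really points at
    reasons: List[str] = field(default_factory=list)


def unwrap_pcalua(target: str) -> str:
    """Return the program a pcalua.exe wrapper launches; other targets pass through."""
    m = PCALUA_RE.match(target)
    if m:
        return m.group('quoted') or m.group('bare')
    return target


def triage_line(line: str) -> Optional[Finding]:
    """Classify one Addition.txt line; return a Finding only when something needs a look."""
    line = line.rstrip()
    m = TASK_RE.match(line)
    if m:
        target = m.group('target')
        reasons = []
        if target.endswith(ATTENTION):
            reasons.append('flagged by FRST')
            target = target[: -len(ATTENTION)].strip()
        if target == 'No File':
            reasons.append('task points at a missing file')
        launched = unwrap_pcalua(target)
        if launched != target:
            reasons.append('launched through pcalua.exe')
        if TEMP_RE.search(launched):
            reasons.append('program lives in a user Temp folder')
        return Finding('task', m.group('name'), launched, reasons) if reasons else None
    m = FW_RE.match(line)
    if m and m.group('action') == 'Allow' and TEMP_RE.search(m.group('path')):
        return Finding('firewall', m.group('rule'), m.group('path'),
                       ['Allow rule for an executable in a user Temp folder'])
    return None


def triage(lines) -> List[Finding]:
    """Run triage_line over every line and keep only the findings."""
    return [f for f in (triage_line(l) for l in lines) if f]


# Sample lines copied from the Addition.txt posted in this thread.
SAMPLE = r'''
Task: {57CB8033-4D88-463A-9D3B-CFCDDDC2DB2A} - \ParetoLogic Update Version3 Startup Task -> No File <==== ATTENTION
Task: {78A79DDA-7B74-4778-A2AA-005F93B1DF2B} - System32\Tasks\{377411D4-8E21-44AC-A67A-8FDFFC4C6B23} => pcalua.exe -a C:\Users\roberto\AppData\Local\Temp\DAPREMOVE.EXE -d C:\Users\roberto\AppData\Local\Temp <==== ATTENTION
Task: {D3E9E5AB-B722-4516-8F70-1B0042C34798} - System32\Tasks\{71C40D8F-89C5-4036-BC94-E53B727F6D01} => C:\Program Files\VideoLAN\VLC\vlc.exe [2016-06-01] (VideoLAN)
Task: {7EF3E046-DCF0-4421-88DB-3ADDB5A630F6} - System32\Tasks\{6E67A74B-5BC9-41A9-8066-628FAC3AFA9E} => pcalua.exe -a "C:\Program Files\UnHackMe\unins000.exe"
FirewallRules: [{006F5F04-E83B-4CF9-89AF-87677C794F3A}] => (Allow) C:\Users\roberto\AppData\Local\Temp\nsl3299.tmp\Installer-camstudio.exe
FirewallRules: [{52DEA2A1-4A61-4A98-9317-642DD5571D17}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
'''.strip().splitlines()


if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f'{f.kind:8} {f.name}')
        print(f'         -> {f.target}')
        print(f'         {"; ".join(f.reasons)}')
```

Running it on the full Addition.txt (one line per element of `lines`) prints the same four kinds of entries the helper singled out below: the ParetoLogic and WS.Booster tasks with no file, the DAPREMOVE task in Temp, and the Temp-folder installer with its firewall exception.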



#4 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:58 PM

Posted 23 February 2017 - 05:22 PM

Hi ergsdrgdfuno,
 
Sorry for the delay.

Is the external drive clean? I do not see any sign of cracked software.
================================================================================
For the Mozilla Firefox 4.0 Beta and Mozilla Firefox 51 versions:
How to clear the Firefox cache
https://support.mozilla.org/t5/Cookies-and-cache/How-to-clear-the-Firefox-cache/ta-p/2472
Next >>>
Uninstall Firefox from your computer

https://support.mozilla.org/t5/Install-and-Update/Uninstall-Firefox-from-your-computer/ta-p/1364
PC restart now.

Then we will do a clean installation.
========================================================================================
Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.
You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove
Partizan antirootkit or Partizan
HitmanPro
UnHackMe
Mozilla Firefox 4.0 Beta
Mozilla Firefox 51
Java 7 Update 7
Java™ 6 Update 29
JavaFX 2.1.1

Adobe Reader 10.
ParetoLogic Registration
DAPREMOVE
WS-Booster

  • Please download and install Revo Uninstaller Free.
  • Double click Revo Uninstaller to run it.
  • From the list of programs, double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.
  • Restart the PC now.

=================================================================================

Step 1:
FRST Script:
Please download the attached Fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

next >>

Boot to Safemode with Networking
To Enter Safemode

  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode
 
next....

  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.

1. rkill.exe

2. rkill.com

3. rkill.scr

4. WiNlOgOn.exe

5. uSeRiNiT.exe

 
next....
 
Scan with Malwarebytes Antimalware free

  • Please update the database by clicking on the "Update Now" button.
  • Following the update, click "Settings" and go to "Detection and Protection".
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard, then click on Scan Now to start the scan.
  • If Malware or Potentially Unwanted Programs (PUPs) are found, you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on "View Detailed Log".
  • After viewing the results, please click on the "Copy to Clipboard" button and then OK.
  • Return to our forum. Paste your log into your next reply.

==========================================================================================

In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog
  • MBAM log
  • Rkill log

Any issues?

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

#5 ergsdrgdfuno

ergsdrgdfuno
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 25 February 2017 - 12:25 PM

Hi Yilmaz!

Thanks for your help, and sorry for the reply time.

I'm not sure if the external drive is infected. Will it be necessary to repeat the process with the device connected to be sure whether it is infected, or is a simple scan with Malwarebytes enough?

I'm posting the logs.

1. Fixlog

Fix result of Farbar Recovery Scan Tool (x86) Version: 25-02-2017
Ran by roberto (25-02-2017 10:34:51) Run:1
Running from C:\Users\roberto\Desktop
Loaded Profiles: roberto (Available Profiles: roberto)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKLM\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKLM -> DefaultScope {E921F400-D383-4B1B-9DE6-FCFCACFC1173} URL =
BHO: Java・Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2012-09-03] (Oracle Corporation)
BHO: Java・Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2012-09-03] (Oracle Corporation)
Prefixes: [home]=>  <==== ATTENTION
Prefixes: [www]=>  <==== ATTENTION
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2012-09-03] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2012-09-03] (Oracle Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-07-27] (Adobe Systems Inc.)
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
2017-02-21 20:53 - 2017-02-21 21:34 - 109274968 _____ (Kaspersky Lab ZAO) C:\Users\roberto\Downloads\KVRT.exe
(SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2017-02-15 15:18 - 2017-02-15 15:18 - 00001017 _____ C:\Users\Public\Desktop\FileASSASSIN.lnk
2017-02-15 15:18 - 2017-02-15 15:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2017-02-15 15:18 - 2017-02-15 15:18 - 00000000 ____D C:\Program Files\FileASSASSIN
C:\Users\roberto\Downloads\mbar-1.09.3.1001.exe
C:\Users\roberto\Downloads\fileassassin-setup-1.06.exe
C:\Users\roberto\Downloads\regassassin-setup-1.03.exe
C:\Users\roberto\defogger_reenable
C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170215.081726.3828.zip
2017-02-09 20:28 - 2017-02-09 20:28 - 00000022 _____ C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170209.202809.4088.zip
2017-02-03 13:55 - 2017-02-22 09:33 - 00000000 ____D C:\Users\roberto\AppData\LocalLow\Mozilla
C:\Program Files\Mozilla Firefox 4.0 Beta 10
2016-05-23 09:51 - 2016-05-23 09:51 - 0000034 _____ () C:\Users\roberto\AppData\Roaming\AdobeWLCMCache.dat
2015-10-29 11:23 - 2015-11-01 09:50 - 0033280 __RSH () C:\Users\roberto\AppData\Roaming\Thumbs.db
2015-11-19 02:32 - 2016-01-12 19:57 - 0007607 ____R () C:\Users\roberto\AppData\Local\Resmon.ResmonCfg
ShellExecuteHooks: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 1 (GFS Unread Stub)] -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 2 (GFS Stub)] -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)] -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 3 (GFS Folder)] -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 4 (GFS Unread Mark)] -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL -> No File
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKLM -> DefaultScope {E921F400-D383-4B1B-9DE6-FCFCACFC1173} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL => No File
Task: {13EEB900-6E48-44D1-A63D-FD8B47071B95} - System32\Tasks\{7E1102E6-FCC3-4595-8754-33BEBA44F1CF} => pcalua.exe -a "C:\Program Files\vghd\uninstall.exe" -d "C:\Program Files\vghd"
Task: {25E01A44-87E5-461F-981E-C43C25510A0A} - System32\Tasks\{733219A0-9596-4868-8DC9-994C71117FEA} => C:\Program Files\abalonekiss\???\Himerakuno.exe
Task: {31254CB1-0F0A-425C-B874-257B4A99E230} - \Your File Updater -> No File <==== ATTENTION
Task: {3362EC5C-5B32-4174-B44D-EFAE90B76BFB} - System32\Tasks\{FB0FC81A-A988-4644-82D0-0ACDC8E2B91E} => C:\Program Files\abalonekiss\???\Himerakuno.exe
C:\Program Files\abalonekiss
Task: {406FFAD1-E1A4-46CA-8879-24618C4E9B38} - \ParetoLogic Registration3 -> No File <==== ATTENTION
Task: {4CE280E2-3E49-4DE9-AAB5-02D68BE837ED} - System32\Tasks\{7D819F7F-F168-41C0-B82E-09133A047145} => C:\Program Files\abalonekiss\???\Himerakuno.exe
Task: {57CB8033-4D88-463A-9D3B-CFCDDDC2DB2A} - \ParetoLogic Update Version3 Startup Task -> No File <==== ATTENTION
Task: {6F2A3633-91DD-4FF1-8FBC-82B78389D21D} - System32\Tasks\{813E2B83-F2F7-430A-8908-B82BED05DB71} => C:\Program Files\abalonekiss\???\Himerakuno.exe
Task: {76336977-1C3A-4508-9047-B87C0E25480F} - System32\Tasks\{CCD9796B-AA4C-4D3F-9D29-95EB46F5697A} => C:\Program Files\abalonekiss\???\Himerakuno.exe
Task: {78A79DDA-7B74-4778-A2AA-005F93B1DF2B} - System32\Tasks\{377411D4-8E21-44AC-A67A-8FDFFC4C6B23} => pcalua.exe -a C:\Users\roberto\AppData\Local\Temp\DAPREMOVE.EXE -d C:\Users\roberto\AppData\Local\Temp <==== ATTENTION
Task: {43237398-F9B9-4D6D-A78A-C893ECEC8EC5} - System32\Tasks\{D5BE2247-0101-48D6-960A-D04A72FBE9F5} => pcalua.exe -a C:\PROGRA~1\DAP\DAPREMOVE.EXE
Task: {7E6E8A08-AD5C-403E-911C-B017E819F156} - System32\Tasks\{70B032FA-F9B5-4DC7-8963-DA5B8C1E5838} => pcalua.exe -a C:\PROGRA~1\Ableton\LIVE82~1.1\Install\UNWISE.EXE -c C:\PROGRA~1\Ableton\LIVE82~1.1\Install\INSTALL.LOG
Task: {7EF3E046-DCF0-4421-88DB-3ADDB5A630F6} - System32\Tasks\{6E67A74B-5BC9-41A9-8066-628FAC3AFA9E} => pcalua.exe -a "C:\Program Files\UnHackMe\unins000.exe"
Task: {B2130389-9078-42C7-A2E8-39D592863569} - System32\Tasks\{855DC89F-3287-4205-BE98-B8E262B39CCC} => pcalua.exe -a "C:\Program Files\Ableton\Live 8.2.1\Program\InstallHelper.exe" -d "C:\Program Files\Ableton\Live 8.2.1\Program"
Task: {C35D6D39-D9FB-4992-8548-07AFEFBFF5F5} - System32\Tasks\{A6779566-FDC2-46FD-A436-6A8DDA7604DF} => C:\Program Files\abalonekiss\???\Himerakuno.exe
Task: {D2C6690B-62DA-44B3-A469-2E816F31A853} - \WS.Booster-S-667284051 -> No File <==== ATTENTION
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
C:\program files\mozilla firefox 4.0 beta 10
FirewallRules: [TCP Query User{7DD0A6F0-7E44-4B29-A543-FD84D669EAD4}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [UDP Query User{C30FAEE7-C869-4070-AD90-C49A4354E676}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [TCP Query User{99BFD05B-297F-4D85-A766-23B7AE71E87C}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [UDP Query User{F40F444C-437C-4866-AC43-D3B0E2BFE4D3}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe] => (Block) C:\program files\mozilla firefox 4.0 beta 10\firefox.exe
FirewallRules: [TCP Query User{0660B703-361A-432E-8EBE-A755450BD73E}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Block) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [UDP Query User{87A9E10E-EFE0-45F7-A138-425CE552F125}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Block) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [TCP Query User{E8114E2B-4361-40D1-8611-193B80A7720D}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Allow) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [UDP Query User{6DD364D8-1477-4073-A3D0-9F941C66240B}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe] => (Allow) D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe
FirewallRules: [{006F5F04-E83B-4CF9-89AF-87677C794F3A}] => (Allow) C:\Users\roberto\AppData\Local\Temp\nsl3299.tmp\Installer-camstudio.exe
FirewallRules: [{B1CC817F-3ED2-4864-BE98-8FDA781D3E15}] => (Allow) C:\Users\roberto\AppData\Local\Temp\nsl3299.tmp\Installer-camstudio.exe
FirewallRules: [TCP Query User{F2055899-8D64-4126-ABC5-9829FDE4896F}C:\program files\spyware terminator\spywareterminatorupdate.exe] => (Block) C:\program files\spyware terminator\spywareterminatorupdate.exe
FirewallRules: [UDP Query User{CF1C2DBA-C1DD-4C44-8043-52DE299BC04F}C:\program files\spyware terminator\spywareterminatorupdate.exe] => (Block) C:\program files\spyware terminator\spywareterminatorupdate.exe
FirewallRules: [{6E0BD108-9E5E-4733-A9D0-215B0619D9F6}] => (Allow) C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
FirewallRules: [{B2E43FD5-5C94-44DE-850F-74194F856DB6}] => (Allow) C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
Task: {FB0B33C6-A79F-4D07-90E3-E9CAD2ED6C69} - System32\Tasks\UnHackMe Task Scheduler => C:\Program Files\UnHackMe\hackmon.exe
File: C:\0
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
EmptyTemp:
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDriveAutoRun- => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDriveTypeAutoRun- => value removed successfully.
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDriveAutoRun- => value removed successfully.
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDriveTypeAutoRun- => value removed successfully.
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\home => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\www => value restored successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2 => key removed successfully.
C:\Windows\system32\npDeployJava1.dll => moved successfully
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2 => key not found.
"C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll" => not found.
HKLM\Software\MozillaPlugins\Adobe Reader => key not found.
"C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll" => not found.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\Default => value restored successfully
C:\Users\roberto\Downloads\KVRT.exe => moved successfully
C:\Windows\system32\bootdelete.exe
C:\Windows\system32\bootdelete.exe => No running process found
C:\Users\Public\Desktop\FileASSASSIN.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN => moved successfully
C:\Program Files\FileASSASSIN => moved successfully
C:\Users\roberto\Downloads\mbar-1.09.3.1001.exe => moved successfully
C:\Users\roberto\Downloads\fileassassin-setup-1.06.exe => moved successfully
C:\Users\roberto\Downloads\regassassin-setup-1.03.exe => moved successfully
C:\Users\roberto\defogger_reenable => moved successfully
C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170215.081726.3828.zip => moved successfully
C:\Users\roberto\Downloads\ESETPoweliksCleaner.exe_20170209.202809.4088.zip => moved successfully
"C:\Users\roberto\AppData\LocalLow\Mozilla" => not found.
"C:\Program Files\Mozilla Firefox 4.0 Beta 10" => not found.
C:\Users\roberto\AppData\Roaming\AdobeWLCMCache.dat => moved successfully
C:\Users\roberto\AppData\Roaming\Thumbs.db => moved successfully
C:\Users\roberto\AppData\Local\Resmon.ResmonCfg => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{B5A7F190-DDA6-4420-B3BA-52453494E6CD} => value removed successfully.
HKCR\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 1 (GFS Unread Stub) => key removed successfully.
HKCR\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2 (GFS Stub) => key removed successfully.
HKCR\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) => key removed successfully.
HKCR\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 3 (GFS Folder) => key removed successfully.
HKCR\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 4 (GFS Unread Mark) => key removed successfully.
HKCR\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => key not found.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} => key removed successfully.
HKCR\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{13EEB900-6E48-44D1-A63D-FD8B47071B95} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{13EEB900-6E48-44D1-A63D-FD8B47071B95} => key removed successfully.
C:\Windows\System32\Tasks\{7E1102E6-FCC3-4595-8754-33BEBA44F1CF} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7E1102E6-FCC3-4595-8754-33BEBA44F1CF} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{25E01A44-87E5-461F-981E-C43C25510A0A} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{25E01A44-87E5-461F-981E-C43C25510A0A} => key removed successfully.
C:\Windows\System32\Tasks\{733219A0-9596-4868-8DC9-994C71117FEA} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{733219A0-9596-4868-8DC9-994C71117FEA} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{31254CB1-0F0A-425C-B874-257B4A99E230} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31254CB1-0F0A-425C-B874-257B4A99E230} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Your File Updater => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3362EC5C-5B32-4174-B44D-EFAE90B76BFB} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3362EC5C-5B32-4174-B44D-EFAE90B76BFB} => key removed successfully.
C:\Windows\System32\Tasks\{FB0FC81A-A988-4644-82D0-0ACDC8E2B91E} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{FB0FC81A-A988-4644-82D0-0ACDC8E2B91E} => key removed successfully.
"C:\Program Files\abalonekiss" => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{406FFAD1-E1A4-46CA-8879-24618C4E9B38} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{406FFAD1-E1A4-46CA-8879-24618C4E9B38} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Registration3 => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4CE280E2-3E49-4DE9-AAB5-02D68BE837ED} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4CE280E2-3E49-4DE9-AAB5-02D68BE837ED} => key removed successfully.
C:\Windows\System32\Tasks\{7D819F7F-F168-41C0-B82E-09133A047145} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7D819F7F-F168-41C0-B82E-09133A047145} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{57CB8033-4D88-463A-9D3B-CFCDDDC2DB2A} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{57CB8033-4D88-463A-9D3B-CFCDDDC2DB2A} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Update Version3 Startup Task => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F2A3633-91DD-4FF1-8FBC-82B78389D21D} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F2A3633-91DD-4FF1-8FBC-82B78389D21D} => key removed successfully.
C:\Windows\System32\Tasks\{813E2B83-F2F7-430A-8908-B82BED05DB71} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{813E2B83-F2F7-430A-8908-B82BED05DB71} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{76336977-1C3A-4508-9047-B87C0E25480F} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{76336977-1C3A-4508-9047-B87C0E25480F} => key removed successfully.
C:\Windows\System32\Tasks\{CCD9796B-AA4C-4D3F-9D29-95EB46F5697A} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{CCD9796B-AA4C-4D3F-9D29-95EB46F5697A} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{78A79DDA-7B74-4778-A2AA-005F93B1DF2B} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78A79DDA-7B74-4778-A2AA-005F93B1DF2B} => key removed successfully.
C:\Windows\System32\Tasks\{377411D4-8E21-44AC-A67A-8FDFFC4C6B23} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{377411D4-8E21-44AC-A67A-8FDFFC4C6B23} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{43237398-F9B9-4D6D-A78A-C893ECEC8EC5} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{43237398-F9B9-4D6D-A78A-C893ECEC8EC5} => key removed successfully.
C:\Windows\System32\Tasks\{D5BE2247-0101-48D6-960A-D04A72FBE9F5} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D5BE2247-0101-48D6-960A-D04A72FBE9F5} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7E6E8A08-AD5C-403E-911C-B017E819F156} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7E6E8A08-AD5C-403E-911C-B017E819F156} => key removed successfully.
C:\Windows\System32\Tasks\{70B032FA-F9B5-4DC7-8963-DA5B8C1E5838} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{70B032FA-F9B5-4DC7-8963-DA5B8C1E5838} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7EF3E046-DCF0-4421-88DB-3ADDB5A630F6} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7EF3E046-DCF0-4421-88DB-3ADDB5A630F6} => key removed successfully.
C:\Windows\System32\Tasks\{6E67A74B-5BC9-41A9-8066-628FAC3AFA9E} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{6E67A74B-5BC9-41A9-8066-628FAC3AFA9E} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B2130389-9078-42C7-A2E8-39D592863569} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B2130389-9078-42C7-A2E8-39D592863569} => key removed successfully.
C:\Windows\System32\Tasks\{855DC89F-3287-4205-BE98-B8E262B39CCC} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{855DC89F-3287-4205-BE98-B8E262B39CCC} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C35D6D39-D9FB-4992-8548-07AFEFBFF5F5} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C35D6D39-D9FB-4992-8548-07AFEFBFF5F5} => key removed successfully.
C:\Windows\System32\Tasks\{A6779566-FDC2-46FD-A436-6A8DDA7604DF} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A6779566-FDC2-46FD-A436-6A8DDA7604DF} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D2C6690B-62DA-44B3-A469-2E816F31A853} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D2C6690B-62DA-44B3-A469-2E816F31A853} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WS.Booster-S-667284051 => key not found.

========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========

"Reg" no se reconoce como un comando interno o externo,
programa o archivo por lotes ejecutable.

========= End of Reg: =========

========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========

"Reg" no se reconoce como un comando interno o externo,
programa o archivo por lotes ejecutable.

========= End of Reg: =========

"C:\program files\mozilla firefox 4.0 beta 10" => not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{7DD0A6F0-7E44-4B29-A543-FD84D669EAD4}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{C30FAEE7-C869-4070-AD90-C49A4354E676}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{99BFD05B-297F-4D85-A766-23B7AE71E87C}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F40F444C-437C-4866-AC43-D3B0E2BFE4D3}C:\program files\mozilla firefox 4.0 beta 10\firefox.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{0660B703-361A-432E-8EBE-A755450BD73E}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{87A9E10E-EFE0-45F7-A138-425CE552F125}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{E8114E2B-4361-40D1-8611-193B80A7720D}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{6DD364D8-1477-4073-A3D0-9F941C66240B}D:\programas\processing-2.2.1-windows32\processing-2.2.1\java\bin\java.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{006F5F04-E83B-4CF9-89AF-87677C794F3A} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B1CC817F-3ED2-4864-BE98-8FDA781D3E15} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{F2055899-8D64-4126-ABC5-9829FDE4896F}C:\program files\spyware terminator\spywareterminatorupdate.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{CF1C2DBA-C1DD-4C44-8043-52DE299BC04F}C:\program files\spyware terminator\spywareterminatorupdate.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6E0BD108-9E5E-4733-A9D0-215B0619D9F6} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B2E43FD5-5C94-44DE-850F-74194F856DB6} => value removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FB0B33C6-A79F-4D07-90E3-E9CAD2ED6C69} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB0B33C6-A79F-4D07-90E3-E9CAD2ED6C69} => key removed successfully.
C:\Windows\System32\Tasks\UnHackMe Task Scheduler => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UnHackMe Task Scheduler => key removed successfully.

========================= File: C:\0 ========================

File not signed
MD5: F55CD717F905EC7ADDE803E842D49338
Creation and modification date: 2017-02-03 17:59 - 2017-02-03 18:57
Size: 0001299
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======

========= bitsadmin /reset /allusers =========

"bitsadmin" no se reconoce como un comando interno o externo,
programa o archivo por lotes ejecutable.

========= End of CMD: =========

========= ipconfig /flushdns =========

"ipconfig" no se reconoce como un comando interno o externo,
programa o archivo por lotes ejecutable.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 25207131 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 29184 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 260184 B
LocalService => 66708 B
NetworkService => 71048 B
roberto => 130317989 B

RecycleBin => 125076878 B
EmptyTemp: => 268 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 10:35:14 ====

2. Rkill log

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/25/2017 11:02:09 AM in x86 mode. (Safe Mode)
Windows Version: Windows 7 Ultimate

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Sistema de eventos COM+ (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Centro de seguridad (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 02/25/2017 11:02:33 AM
Execution time: 0 hours(s), 0 minute(s), and 23 seconds(s)

3. MBAM log

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/25/17
Scan Time: 11:03 AM
Logfile: malwarebytes1.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1355
License: Free

-System Information-
OS: Windows 7
CPU: x86
File System: NTFS
User: ROTO-PC\roberto

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 270955
Time Elapsed: 6 min, 47 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)
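The detection this thread is about is a file named svchost.exe in %TEMP%, not in %SystemRoot%\System32, and it comes back after Malwarebytes quarantines it, which means the dropper or its persistence mechanism is still present somewhere else. The script below is an added example, not code from the thread or from Malwarebytes: it checks a process list against the properties a genuine Windows 7 svchost.exe always has. The process records are constructed inline (one real service host, the %TEMP% copy from this thread, a copy of the real binary launched by hand, and an unrelated program); on a live machine you would collect the same fields from tasklist /v, Process Explorer or psutil. The image-path check is the decisive one; parent process, account and the -k argument are supporting signals, because a malicious service registered with the SCM is also started by services.exe. The names assess() and triage() are this example's own.

```python
"""Flag processes named svchost.exe that do not look like Windows' own.

Added example (not from the thread or Malwarebytes). The records below are
constructed to mirror this thread: one genuine service host and the
%TEMP%\svchost.exe that Malwarebytes reported as Trojan.Agent.Gen.
"""
import ntpath

SYSTEM_ROOT = r"C:\Windows"

# A genuine svchost.exe image lives only here (SysWOW64 exists on x64 only;
# the machine in this thread is x86, so that entry simply never matches).
LEGIT_DIRS = {
    ntpath.join(SYSTEM_ROOT, "System32").lower(),
    ntpath.join(SYSTEM_ROOT, "SysWOW64").lower(),
}
LEGIT_PARENT = "services.exe"   # the Service Control Manager starts service hosts
LEGIT_USERS = {                  # and they run only under these built-in accounts
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}


def assess(proc):
    """Return the reasons this process is suspicious (empty list = looks genuine).

    Only processes whose image name is svchost.exe are judged; anything else
    returns [] so a whole process list can be fed through.
    """
    if ntpath.basename(proc["path"]).lower() != "svchost.exe":
        return []
    reasons = []
    if ntpath.dirname(proc["path"]).lower() not in LEGIT_DIRS:
        # Decisive signal: the real binary never runs from a user-writable folder.
        reasons.append("image outside System32/SysWOW64: " + proc["path"])
    if proc["parent"].lower() != LEGIT_PARENT:
        reasons.append("parent is %s, expected %s" % (proc["parent"], LEGIT_PARENT))
    if proc["user"].lower() not in LEGIT_USERS:
        reasons.append("runs as %s, expected a built-in service account" % proc["user"])
    if "-k" not in proc["cmdline"].split():
        # Every genuine instance is launched as "svchost.exe -k <servicegroup>".
        reasons.append("no -k <servicegroup> argument on the command line")
    return reasons


def triage(procs):
    """Map pid -> reasons for every suspicious svchost.exe in a process list."""
    result = {}
    for proc in procs:
        reasons = assess(proc)
        if reasons:
            result[proc["pid"]] = reasons
    return result


# Constructed process records (fields as tasklist /v or Process Explorer show them).
SAMPLE_PROCESSES = [
    {"pid": 612, "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "parent": "services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 3180, "path": r"C:\Users\roberto\AppData\Local\Temp\svchost.exe",
     "cmdline": r'"C:\Users\roberto\AppData\Local\Temp\svchost.exe"',
     "parent": "explorer.exe", "user": r"ROTO-PC\roberto"},
    {"pid": 2044, "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe",
     "parent": "explorer.exe", "user": r"ROTO-PC\roberto"},
    {"pid": 1504, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "parent": "explorer.exe", "user": r"ROTO-PC\roberto"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_PROCESSES).items()):
        print("PID %d:" % pid)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed list it reports PID 3180 (four reasons) and PID 2044 (three reasons: genuine image, but started from Explorer under a user account without a service group), and stays silent for the real service host and for Firefox. A copy that passes every check can still be a malicious service, so the path check is what to act on first; the other three only rank what to look at next.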

 

 



#6 olgun52 (Malware Response Team, 3,784 posts)

Posted 25 February 2017 - 02:33 PM

Thanks

 

Please be sure to run our tools with administrator rights.
 
ComboFix run:
 
* IMPORTANT : 1   Place ComboFix.exe on your Desktop
* IMPORTANT : 2   Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix Save to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.
 


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#7 ergsdrgdfuno (Topic Starter, 47 posts)

Posted 25 February 2017 - 03:44 PM

Thanks.

I'm sure I connected my external drive (F), but I can't see it in the log file ComboFix.txt. Maybe I don't know how to read it.

This is the ComboFix.txt:

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\wininit.ini
D:\install.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Sed
.
.
(((((((((((((((((((((((((   Files Created from 2017-01-25 to 2017-02-25  )))))))))))))))))))))))))))))))
.
.
2017-02-25 20:14 . 2017-02-25 20:16 -------- d-----w- c:\users\roberto\AppData\Local\temp
2017-02-25 16:46 . 2017-02-25 20:16 219584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-02-25 16:46 . 2017-01-20 13:47 59976 ----a-w- c:\windows\system32\drivers\mbae.sys
2017-02-25 16:46 . 2017-02-25 16:46 -------- d-----w- c:\program files\Malwarebytes
2017-02-25 16:05 . 2017-02-25 16:05 47056 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2017-02-25 15:33 . 2017-02-25 15:33 -------- d-----w- c:\program files\VS Revo Group
2017-02-21 13:39 . 2017-02-25 16:37 -------- d-----w- C:\FRST
2017-02-20 19:37 . 2017-02-20 19:37 -------- d-----w- c:\programdata\VS Revo Group
2017-02-16 20:43 . 2017-02-21 21:37 12872 ----a-w- c:\windows\system32\bootdelete.exe
2017-02-15 21:13 . 2017-02-15 21:13 -------- d-----w- c:\program files\7-Zip
2017-02-15 16:15 . 2017-02-15 16:15 181496 ----a-w- c:\windows\system32\drivers\zamguard32.sys
2017-02-15 16:15 . 2017-02-15 16:15 181496 ----a-w- c:\windows\system32\drivers\zam32.sys
2017-02-15 16:07 . 2017-01-09 19:45 9561744 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0A3F1ED9-800E-408A-9110-DC69B0E98C26}\mpengine.dll
2017-02-15 01:37 . 2017-02-15 16:15 -------- d-----w- c:\program files\Zemana AntiMalware
2017-02-15 01:37 . 2017-02-14 20:22 -------- d-----w- c:\users\roberto\AppData\Local\Zemana
2017-02-10 16:13 . 2017-02-14 23:01 -------- d-----w- c:\users\roberto\Microsoft
2017-02-10 16:12 . 2017-02-15 03:40 -------- d-----w- c:\program files\Microsoft
2017-02-10 16:04 . 2017-02-14 20:24 -------- d-----w- c:\program files\Common Files\Innovative Solutions
2017-02-10 15:41 . 2017-02-10 15:41 -------- d-----w- c:\users\roberto\AppData\Roaming\Obsidium
2017-02-10 07:53 . 2017-02-15 18:14 -------- d-----w- C:\AdwCleaner
2017-02-01 14:49 . 2017-02-14 20:22 -------- d-----w- c:\windows\RestoreSafeDeleted
2017-02-01 13:29 . 2017-02-14 20:24 -------- d-----w- c:\users\roberto\AppData\Roaming\dvdcss
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-02-01 19:38 . 2012-06-11 15:01 2 --shatr- c:\windows\winstart.bat
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes TrayApp"="c:\program files\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe" [2017-01-20 2780112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZAM]
2017-02-03 04:25 14416624 ----a-w- c:\program files\Zemana AntiMalware\ZAM.exe
.
R1 ZAM;ZAM Helper Driver;c:\windows\System32\drivers\zam32.sys [2017-02-15 181496]
R1 ZAM_Guard;ZAM Guard Driver;c:\windows\System32\drivers\zamguard32.sys [2017-02-15 181496]
R2 ZAMSvc;ZAM Controller Service;c:\program files\Zemana AntiMalware\ZAM.exe [2017-02-03 14416624]
R3 bomemidi;Bome's Virtual MIDI Port;c:\windows\system32\drivers\bomemidi.sys [2010-10-13 24136]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2017-02-25 47056]
R3 WISOVD;WISOVD;c:\program files\WinISO Computing\WinISO\bin\driver\WISOVD_win7_x86.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S2 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [2017-01-20 3303888]
S3 bomebus;Bome's Virtual MIDI Port Bus Service;c:\windows\system32\DRIVERS\bomebus.sys [2010-10-13 27720]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2017-02-25 219584]
S3 RTL8187B;Realtek RTL8187B 802.11b/g 54Mbps USB 2.0 Wireless Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - WS2IFSL
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.2.9.18 10.3.9.18 10.3.1.100
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MBAMSwissArmy
AddRemove-FileASSASSIN - c:\program files\FileASSASSIN\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2017-02-25  14:18:24 - machine was rebooted
ComboFix-quarantined-files.txt  2017-02-25 20:18
.
Pre-Run: 58,073,899,008 bytes free
Post-Run: 57,409,245,184 bytes free
.
- - End Of File - - D8DF83AD902C6D83A780D4D484158B1B
A36C5E4F47E84449FF07ED3517B43A31
 



#8 olgun52 (Malware Response Team, 3,784 posts)

Posted 25 February 2017 - 04:17 PM

Good work.

 

Java update:
Updating Java and Clearing Cache:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to update.

  • Download the latest version of Java Runtime Environment (JRE) 8
  • Recommended Version is 8 Update 121
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows Offline (86-bit)  and save the file.
  • Close any programs you may have running - especially your web browser.

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
      Downloaded Applications
      Installed Applications and Applets
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

=================================================================================

 

Please download Adobe Acrobat Reader DC to your PC's desktop.

  • Install the new downloaded updated software.

Note that the McAfee Security Scan and True Key by Intel Security are prechecked. You may wish to uncheck them before downloading.

==========================================================================

If you want, you can install Mozilla Firefox

https://www.mozilla.org/tr/firefox/new/

========================================================

 

Please download and run RogueKiller  32/64 bit to your desktop

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)

 


Best regards

 


 


#9 ergsdrgdfuno (Topic Starter, 47 posts)

Posted 26 February 2017 - 07:35 PM

Thanks! Sorry for the delay!

RogueKiller V12.9.8.0 [Feb 21 2017] (Free) by Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 32 bits version
Started in : Normal Mode
User : roberto [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 02/26/2017 18:02:22 (Duration : 00:16:55)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 22 ¤¤¤
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6997565D-C5F4-42E4-B53D-919DC84F6A8B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D270FDD8-7E60-4253-8C0D-3ACC0BD4EBA3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A5F7FE0-2AC5-4744-BA4A-0C6423AE93A3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2AE7283E-4CCC-44D3-AB8D-010BBF322680} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A3F30E8D-09F4-4257-91DF-F54927829808}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DC5DBE90-F941-4FC3-98F5-26B6255FC55E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6311066-44C0-46C8-AF37-59CA4F3F2A97} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6997565D-C5F4-42E4-B53D-919DC84F6A8B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D270FDD8-7E60-4253-8C0D-3ACC0BD4EBA3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A5F7FE0-2AC5-4744-BA4A-0C6423AE93A3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2AE7283E-4CCC-44D3-AB8D-010BBF322680} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A3F30E8D-09F4-4257-91DF-F54927829808}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DC5DBE90-F941-4FC3-98F5-26B6255FC55E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6311066-44C0-46C8-AF37-59CA4F3F2A97} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web Browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HDT721010SLA SCSI Disk Device +++++
--- User ---
[MBR] f848f4f28502b85cde4427308d80cf19
[BSP] d451dc789af0d69ca79cd24ad90d2530 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 353768 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 724723712 | Size: 599999 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Hitachi HTS541080G9AT00 USB Device +++++
--- User ---
[MBR] 525aabc764f437d0602d6745a6a2464d
[BSP] fad705457a8347fe0d1cdf9280c8307a : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0xb) [VISIBLE] Offset (sectors): 2 | Size: 76319 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Request not supported. )
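Most of what RogueKiller found in the report above is not malware but debris: Windows Firewall "allow inbound" rules that bundleware (YourFileDownloader, 1ClickDownloader, SweetIM) created for itself and that outlived the programs. Each rule is stored as one registry value under HKLM\SYSTEM\...\SharedAccess\Parameters\FirewallPolicy\FirewallRules, in the pipe-separated "v2.10|Action=...|App=...|Name=...|" format visible in the log. The script below is an added example, not code from the thread or from RogueKiller: it parses that format and flags rules whose program is no longer on disk or sits in a known bundleware folder, and prints the netsh command that removes the rule by its display name. The rule values are the ones from this thread plus one constructed Firefox rule; the disk is simulated by EXISTING_PATHS so the script runs offline (on a live machine you would read the values with winreg and test os.path.exists). The names parse_rule(), audit_rules() and PUP_DIRS are this example's own. The four PUM.Dns lines are a different matter: they record the DNS servers the machine received by DHCP (private 10.x addresses here), not a hijack, and the example leaves them alone.

```python
"""Audit Windows Firewall rules (registry form) for orphaned or bundleware rules.

Added example, not from the thread or RogueKiller. Rule values are those
RogueKiller reported in this thread plus one constructed Firefox rule; the
on-disk state is simulated by EXISTING_PATHS so the script runs offline.
"""

PROTOCOLS = {"6": "TCP", "17": "UDP", "1": "ICMPv4", "58": "ICMPv6"}

# Folder names of the bundleware RogueKiller reported in this thread.
PUP_DIRS = ("yourfiledownloader", "1clickdownload", "sweetim")


def parse_rule(value):
    """Split a FirewallRules value ("v2.10|Key=Val|...|") into a dict."""
    tokens = [t for t in value.split("|") if t]      # trailing '|' yields an empty token
    fields = {"Version": tokens[0]}                  # first token is the schema version
    for token in tokens[1:]:
        key, sep, val = token.partition("=")
        if sep:
            fields[key] = val
    return fields


def audit_rules(rules, existing_paths, pup_dirs=PUP_DIRS):
    """Return findings for rules whose App is missing from disk or is bundleware."""
    existing = {p.lower() for p in existing_paths}
    findings = []
    for rule_name, value in rules.items():
        fields = parse_rule(value)
        app = fields.get("App")
        if app is None:
            continue                                 # port- or service-only rule, no program
        app_l = app.lower()
        reasons = []
        if app_l not in existing:
            reasons.append("program no longer on disk (orphaned rule)")
        if any(d in app_l.split("\\") for d in pup_dirs):
            reasons.append("program folder matches known bundleware")
        if not reasons:
            continue
        proto = fields.get("Protocol", "?")
        reasons.append("Action=%s Active=%s Dir=%s %s" % (
            fields.get("Action", "?"), fields.get("Active", "?"),
            fields.get("Dir", "?"), PROTOCOLS.get(proto, proto)))
        findings.append({
            "rule": rule_name,
            "name": fields.get("Name"),
            "app": app,
            "reasons": reasons,
            # netsh removes every rule with that display name, so the TCP and UDP
            # twins RogueKiller lists for each program go together.
            "fix": 'netsh advfirewall firewall delete rule name="%s"' % fields.get("Name"),
        })
    return findings


# Registry value name -> value, as RogueKiller printed them (plus one constructed rule).
SAMPLE_RULES = {
    "{6997565D-C5F4-42E4-B53D-919DC84F6A8B}":
        r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader|",
    r"TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe":
        r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App|",
    "{E6311066-44C0-46C8-AF37-59CA4F3F2A97}":
        r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager|",
    "{CONSTRUCTED-FIREFOX-RULE}":
        r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\Mozilla Firefox\firefox.exe|Name=Firefox|",
}

# Simulated disk: only Firefox is actually installed.
EXISTING_PATHS = {r"C:\Program Files\Mozilla Firefox\firefox.exe"}

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, EXISTING_PATHS):
        print(finding["rule"])
        print("   App:", finding["app"])
        for reason in finding["reasons"]:
            print("   -", reason)
        print("   Fix:", finding["fix"])
```

The three bundleware rules come back with both reasons; the Firefox rule is silent because its program exists and its folder is not on the list. Rules whose App uses an environment variable such as %SystemRoot% would need expanding before the existence test; the example does not do that, since none of the flagged values here use one.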

 



#10 olgun52 (Malware Response Team, 3,784 posts)

Posted 27 February 2017 - 03:51 AM

Thanks.

 

Please do this;

 

Please uninstall: YourFileDownloader

===================================

 

Please open RogueKiller again.

  • Close all the running processes
  • Double click the RogueKiller icon to run the program again.
    Vista/Win7 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Make sure only the following lines are checked:-
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6997565D-C5F4-42E4-B53D-919DC84F6A8B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D270FDD8-7E60-4253-8C0D-3ACC0BD4EBA3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A5F7FE0-2AC5-4744-BA4A-0C6423AE93A3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2AE7283E-4CCC-44D3-AB8D-010BBF322680} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A3F30E8D-09F4-4257-91DF-F54927829808}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DC5DBE90-F941-4FC3-98F5-26B6255FC55E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6311066-44C0-46C8-AF37-59CA4F3F2A97} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6997565D-C5F4-42E4-B53D-919DC84F6A8B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D270FDD8-7E60-4253-8C0D-3ACC0BD4EBA3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A5F7FE0-2AC5-4744-BA4A-0C6423AE93A3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2AE7283E-4CCC-44D3-AB8D-010BBF322680} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A3F30E8D-09F4-4257-91DF-F54927829808}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DC5DBE90-F941-4FC3-98F5-26B6255FC55E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6311066-44C0-46C8-AF37-59CA4F3F2A97} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Found
  • Now click the Delete button.
  • Please copy and paste the report in your next reply. A copy of the RKreport.txt can be found on your desktop.

========================================

 ESET Online Scanner:

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked 
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Delete found harmful.
  • Place a checkmark at Delete application's data on close, click Finish and close the program.

Don't forget to re-enable previously switched-off protection software!

--------------------------------------------------------------------------------------------------------

 

How is your machine now and Any issue ?


Edited by olgun52, 27 February 2017 - 03:54 AM.

Best regards

 


 


#11 ergsdrgdfuno (Topic Starter, 47 posts)

Posted 27 February 2017 - 12:45 PM

Hello!

I can't uninstall YourFileDownloader because it is not listed in my list of programs in Control Panel. Revo Uninstaller doesn't show it either. I tried to find it with the Windows file browser but I can't find it.

Should I continue anyway?



#12 olgun52 (Malware Response Team, 3,784 posts)

Posted 27 February 2017 - 01:24 PM

Should I continue anyway?

Yes, please. Run RogueKiller and ESET.


Best regards

 


 


#13 ergsdrgdfuno (Topic Starter, 47 posts)

Posted 01 March 2017 - 12:25 AM

Hello! Thank you for your help!

I ran both programs. With RogueKiller I had no problem: I checked the indicated lines and clicked the Delete button.

I realized that RogueKiller put them in quarantine. Will it be necessary to delete them from there?

I will post the report below.

With ESET, I ran the program; when the scan finished it showed more than 23 000 "Threats found", mostly saying Win32/Ramnit.A virus.

I don't know if I should delete all of them or what. Some seem to be important parts of Windows or something like that.

I searched the web for the name of the threat and it looks bad.

Should I post or attach the ESET log.txt? It's too long.

The machine runs as normal; I only use the internet browser. I use Mozilla and it runs normally, but when I open Internet Explorer it shows this message:

Internet Explorer default search provider.

A program has corrupted the configuration of the search provider.

Internet Explorer has reset this setting to the original search provider, Bing (www.bing.com).

I close this and then it shows another message:

Security alert

You are about to view pages over a secure connection.

The latter shows the option "don't show again" but I'm not sure if I should check it.

This is the RogueKiller report:

RogueKiller V12.9.9.0 [Feb 27 2017] (Free) by Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 32 bits version
Started in : Safe Mode with Networking
User : roberto [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 02/28/2017 12:37:20 (Duration : 00:16:32)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 22 ¤¤¤
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} -> Deleted
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Not selected
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6997565D-C5F4-42E4-B53D-919DC84F6A8B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D270FDD8-7E60-4253-8C0D-3ACC0BD4EBA3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A5F7FE0-2AC5-4744-BA4A-0C6423AE93A3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2AE7283E-4CCC-44D3-AB8D-010BBF322680} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A3F30E8D-09F4-4257-91DF-F54927829808}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DC5DBE90-F941-4FC3-98F5-26B6255FC55E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6311066-44C0-46C8-AF37-59CA4F3F2A97} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6997565D-C5F4-42E4-B53D-919DC84F6A8B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D270FDD8-7E60-4253-8C0D-3ACC0BD4EBA3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\Downloader.exe|Name=YourFile Downloader| [x] -> Deleted
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A5F7FE0-2AC5-4744-BA4A-0C6423AE93A3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Borrado
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2AE7283E-4CCC-44D3-AB8D-010BBF322680} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\YourFileDownloader\YourFile.exe|Name=YourFile Downloader| [x] -> Borrado
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Borrado
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A3F30E8D-09F4-4257-91DF-F54927829808}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Borrado
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DC5DBE90-F941-4FC3-98F5-26B6255FC55E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Borrado
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6311066-44C0-46C8-AF37-59CA4F3F2A97} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe|Name=SweetPacksUpdateManager| [x] -> Borrado
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> No seleccionado

¤¤¤ Tareas : 0 ¤¤¤

¤¤¤ Archivos : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Archivo de hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: No cargado [0xc000035f]) ¤¤¤

¤¤¤ Navegadores Web : 0 ¤¤¤

¤¤¤ Chequeo MBR : ¤¤¤
+++++ PhysicalDrive0: Hitachi HDT721010SLA SCSI Disk Device +++++
--- User ---
[MBR] f848f4f28502b85cde4427308d80cf19
[BSP] d451dc789af0d69ca79cd24ad90d2530 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 353768 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 724723712 | Size: 599999 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Función incorrecta. )

+++++ PhysicalDrive1: Hitachi HTS541080G9AT00 USB Device +++++
--- User ---
[MBR] 525aabc764f437d0602d6745a6a2464d
[BSP] fad705457a8347fe0d1cdf9280c8307a : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0xb) [VISIBLE] Offset (sectors): 2 | Size: 76319 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Solicitud no compatible. )

 



#14 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:58 PM

Posted 01 March 2017 - 05:36 AM

RogueKiller software: try running it again in Safe Mode.
Boot into Safe Mode

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Log in to your usual account.

Click Scan to scan the system.
When the scan completes > Close out the program > Fix anything!
==================
You can send the ESET log file piecemeal.
========================================

With ESET I ran the program; when the scan finished there were more than 23 000 "Threats found", mostly saying Win32/Ramnit.A virus.

I searched the web for the name of the threat and it looks bad.

This is not good news. You can remove all.

Internet Explorer default search provider.

A program has corrupted the configuration of the search provider.

Internet Explorer has reset this setting to the original search provider, Bing (www.bing.com).

This is not a problem. You can make one browser the default. You can delete Bing.

I closed this and then it shows another message:
Security alert

"Don't show again": you can give approval, OK?


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#15 ergsdrgdfuno

ergsdrgdfuno
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 01 March 2017 - 11:11 AM

Hello!

I ran RogueKiller again in Safe Mode.

Click Scan to scan the system.
When the scan completes > Close out the program > Fix anything!

Do I have to delete all items on the list?

I will post the roguekiller.txt after next.

==================

I began to delete all threats in ESET; many are .exe files and are programs that I have given up for lost.

You can send the ESET log file piecemeal.

One question: should I start by sending my first ESETlog.txt, or, better, do it after deleting all threats?

========================================

This is the RogueKiller report in Safe Mode.

 

RogueKiller V12.9.9.0 [Feb 27 2017] (Free) by Adlice Software
correo : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Sitio web : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Sistema Operativo : Windows 7 (6.1.7600) 32 bits version
Iniciado en : Modo seguro con soporte de red
Usuario : roberto [Administrador]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Modo : Escanear -- Fecha : 03/01/2017 09:12:02 (Duration : 00:16:35)

¤¤¤ Procesos : 0 ¤¤¤

¤¤¤ Registro : 4 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5D9C33E7-287C-405F-9BEC-59B43185EE15} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Encontrado
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Encontrado

¤¤¤ Tareas : 0 ¤¤¤

¤¤¤ Archivos : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Archivo de hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: No cargado [0xc000035f]) ¤¤¤

¤¤¤ Navegadores Web : 0 ¤¤¤

¤¤¤ Chequeo MBR : ¤¤¤
+++++ PhysicalDrive0: Hitachi HDT721010SLA SCSI Disk Device +++++
--- User ---
[MBR] f848f4f28502b85cde4427308d80cf19
[BSP] d451dc789af0d69ca79cd24ad90d2530 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 353768 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 724723712 | Size: 599999 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Función incorrecta. )

+++++ PhysicalDrive1: Hitachi HTS541080G9AT00 USB Device +++++
--- User ---
[MBR] 525aabc764f437d0602d6745a6a2464d
[BSP] fad705457a8347fe0d1cdf9280c8307a : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0xb) [VISIBLE] Offset (sectors): 2 | Size: 76319 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Solicitud no compatible. )
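Both RogueKiller reports in this thread leave the DhcpNameServer entries (PUM.Dns) unselected while deleting the inbound firewall rules that YourFile Downloader, 1ClickDownloader and SweetIM had added, and the question above is whether everything on the list has to go. As an added example (not part of this thread and not RogueKiller's own code), the following Python parses the report format shown above and marks what each kind of entry means. The entry layout `[Category] key | name : value -> status`, the Spanish status words and the private-address test for the DNS entries are assumptions taken from the lines posted in this thread; the sample input is constructed from those same lines.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input (example data, not a new scan): three registry lines
# in the shape RogueKiller writes them, copied from the reports in this thread,
# plus the section header the parser must skip. The status words are the
# Spanish UI strings this install uses (assumption: other locales differ).
SAMPLE_LOG = r"""
¤¤¤ Registro : 4 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 ([][][])  -> Encontrado
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{8024E54F-B608-4ABA-B22C-D75963405660}C:\program files\1clickdownload\1clickdownloader.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files\1clickdownload\1clickdownloader.exe|Name=1ClickDownloader|Desc=1ClickDownloader|Edge=TRUE|Defer=App| [x] -> Borrado
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2915382099-2896471491-3075281560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> No seleccionado
"""

# Status strings as they appear in this thread's (Spanish) RogueKiller output.
STATUS_EN = {"Encontrado": "found", "Borrado": "deleted", "No seleccionado": "not selected"}

# One report line: "[Category] registry key | value name : data -> status"
ENTRY_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] (?P<key>.+?) \| (?P<name>.+?) : (?P<value>.*?)\s*-> (?P<status>.+?)\s*$"
)


@dataclass
class Entry:
    category: str
    key: str
    name: str
    value: str
    status: str


def parse_entries(text):
    """Return the registry entries in a RogueKiller report; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def dns_servers(entry):
    """IP addresses in a DhcpNameServer value; the trailing '([][][])' annotation is ignored."""
    servers = []
    for token in entry.value.split():
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return servers


def firewall_app(entry):
    """The App= path of a FirewallRules entry, or None when the value has no such field."""
    for part in entry.value.split("|"):
        if part.startswith("App="):
            return part[len("App="):]
    return None


def triage(entries):
    """Attach a verdict to each entry so a reader can see which items need a decision."""
    findings = []
    for e in entries:
        if e.category == "PUM.Dns" and e.name == "DhcpNameServer":
            ips = dns_servers(e)
            # Resolvers handed out by DHCP inside RFC 1918 space (10.x here) are what a LAN
            # or ISP router normally assigns, so the tool leaves them unselected; public or
            # unparsable resolvers are the case worth comparing against the router's settings.
            verdict = "dhcp-private" if ips and all(ip.is_private for ip in ips) else "review-dns"
        elif e.category.startswith("PUP.") and "FirewallRules" in e.key:
            verdict = "pup-firewall-rule"  # inbound allow rule for a bundled downloader
        elif e.category.startswith("PUM."):
            verdict = "pum-preference"  # a changed Windows preference, not malware by itself
        else:
            verdict = "review"
        findings.append({
            "category": e.category,
            "name": e.name,
            "status": STATUS_EN.get(e.status, e.status),
            "app": firewall_app(e),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f"{f['category']:<16} {f['status']:<13} {f['verdict']:<18} {f['app'] or f['name']}")
```

To run it over a saved report, replace SAMPLE_LOG with the file's contents. The verdict column only summarises what RogueKiller's own categories already say (PUM is a changed preference, PUP is a rule or key left by bundled software); it does not replace the helper's review of the list.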

 





