Infected with vmxclient.exe


  • This topic is locked
20 replies to this topic
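Before the log itself: a triage helper added by the editor, not code from the poster, from FRST, or from BleepingComputer. It reads lines in the shape FRST prints in the Processes, Registry, Services, Drivers and "One Month Created" sections and scores the things a helper otherwise flags by eye: FRST's own ATTENTION marker, "[File not signed]" or an empty "()" publisher, binaries living in Temp or in a numeric ProgramData folder, Run values whose target FRST could not stat (no "[size date]" suffix), and a vendor string that is just the file's own name plus "Corp." or "Inc.". The function names, the weights and the reporting threshold are the editor's assumptions; the sample lines are copied from the log posted in this thread.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) log lines.
Added example for this thread, not part of the posted log and not FRST or
BleepingComputer code. Scores Processes/Registry/Services/Drivers lines with
the checks a helper applies by eye and clusters "One Month Created" entries
by minute. Heuristics, weights and threshold are the editor's assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional
_PATH = re.compile(r'"?((?:[A-Za-z]:|%SystemRoot%)\\[^"\[<]+?\.(?:exe|dll|sys))"?', re.I)
_PUBLISHER = re.compile(r"\(([^()]*)\)")
_FILE_META = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\]")  # FRST prints this only if it could stat the file
_RUN_VALUE = re.compile(r"\\Run(?:Once)?: \[")
_NUMERIC_PROGRAMDATA = re.compile(r"\\programdata\\\d+\\")
_CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \S+ \S+ - \d+ \S+ (?:\([^)]*\) )?(.+)$")
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\")
WEIGHTS = {
    "frst-attention": 3,             # FRST's own "<==== ATTENTION" marker
    "suspect-directory": 3,          # Temp, Public, or a numeric ProgramData folder
    "unsigned-kernel-driver": 4,     # "[File not signed]" on a .sys
    "unsigned-or-no-publisher": 2,   # "[File not signed]", or "()" outside C:\Windows
    "missing-file-metadata": 2,      # Run value whose target FRST could not stat
    "publisher-mimics-filename": 1,  # "(ct Corp.)" claimed for ct.exe
}
REPORT_THRESHOLD = 2

@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)

def triage_line(line: str) -> Optional[Finding]:
    """Score one FRST line that names a binary; None for lines without one."""
    m = _PATH.search(line)
    if not m:
        return None
    path, low = m.group(1), m.group(1).lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    f = Finding(line.strip(), path)
    if "ATTENTION" in line:
        f.reasons.append("frst-attention")
    if any(d in low for d in SUSPECT_DIRS) or _NUMERIC_PROGRAMDATA.search(low):
        f.reasons.append("suspect-directory")
    publishers = [p.strip() for p in _PUBLISHER.findall(line)]
    unsigned = "[File not signed]" in line
    # "()" = no company name. OEM helpers under C:\Windows often lack one, so it only counts outside that tree or for .sys
    no_publisher = "" in publishers and (not low.startswith("c:\\windows\\") or low.endswith(".sys"))
    if unsigned and low.endswith(".sys"):
        f.reasons.append("unsigned-kernel-driver")
    elif unsigned or no_publisher:
        f.reasons.append("unsigned-or-no-publisher")
    if _RUN_VALUE.search(line) and not _FILE_META.search(line):
        f.reasons.append("missing-file-metadata")
    for p in publishers:  # vendor string that is just the binary's name plus Corp./Inc.
        words = p.replace(",", "").split()
        if words and len(words) <= 2 and words[0].lower() == stem:
            f.reasons.append("publisher-mimics-filename")
            break
    return f

def triage(log_text: str, threshold: int = REPORT_THRESHOLD) -> List[Finding]:
    """Findings at or above the threshold, highest score first (ties keep log order)."""
    found = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: f.score, reverse=True)

def created_clusters(lines: List[str], min_size: int = 3) -> Dict[str, List[str]]:
    """Group 'One Month Created' entries by minute; a burst is one installer's drop."""
    by_minute: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = _CREATED.match(line.strip())
        if m:
            by_minute[m.group(1)].append(m.group(2).strip())
    return {k: v for k, v in by_minute.items() if len(v) >= min_size}

# Sample input: lines copied from the FRST log posted in this thread.
SAMPLE_LOG = r"""
() C:\Program Files (x86)\svcvmx\svcvmx.exe
(ct Corp.) C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 windowsmanagementservice; C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
2017-02-24 14:39 - 2017-02-24 14:39 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-24 14:38 - 2017-02-24 14:38 - 00000000 ____D C:\ProgramData\1487965132
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:2d}  {', '.join(f.reasons):<60} {f.path}")
    for minute, paths in created_clusters(SAMPLE_LOG.splitlines()).items():
        print(f"{len(paths)} items created at {minute}: " + "; ".join(paths))
```

Run on the sample it lists, in order, the Temp-resident ct.exe service, the cpx Run value, the ct.exe process, the unsigned drmkpro64.sys kernel driver, qdcomsvc, svcvmx and the unsigned Intel HeciServer.exe; that last one is the expected false positive a helper clears by hand, which is why a threshold and a reasons list matter more than a yes/no verdict. Process lines carry no signature field, so splsrv.exe scores only one point on its own; the created-files cluster at 14:39 (splsrv.exe, winscr, qdcomsvc in the same minute) is what ties it to the rest of the drop. The publisher heuristic also awards a point to genuine vendors whose name matches their binary (Dropbox, Inc. for Dropbox.exe), which is why it carries the lowest weight.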

#1 Waster555

Posted 25 February 2017 - 06:11 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by kb6565 (administrator) on ORANGE (25-02-2017 05:38:05)
Running from C:\Users\kb6565\Desktop\bleepingcomputer
Loaded Profiles: kb6565 (Available Profiles: kb6565)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\DragonAssistant3\DragonAssistantMaintenance.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\dataup\dataup.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyCriticalService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvUIService.exe
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(KeepSolid Inc.) C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\PG_Service_Launcher.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Lenovo) C:\ProgramData\LenovoTransition\Server\x64\ymc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmServiceHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(SoftPerfect) C:\Program Files\NetWorx\networx.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
() C:\Program Files (x86)\nellies\irrigated.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvTrayLoad.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvController.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(ct Corp.) C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
(winscr) C:\Program Files (x86)\winscr\winscr.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Nenad Hrg SoftwareOK) C:\Users\kb6565\Desktop\DesktopOK_x64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Windows\SysWOW64\IntelCpHeciSvc.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
Failed to access process -> vmxclient.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\WINDOWS\system32\DptfPolicyLpmServiceHelper.exe [111976 2013-08-02] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13656792 2013-10-04] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1353432 2013-09-26] (Realtek Semiconductor)
HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [59923440 2014-05-21] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [80880 2014-05-21] (Lenovo(beijing) Limited)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3944136 2015-06-03] (Synaptics Incorporated)
HKLM\...\Run: [NetWorx] => C:\Program Files\NetWorx\networx.exe [7698248 2016-06-29] (SoftPerfect)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [2075480 2013-06-24] (Flexera Software LLC.)
HKLM-x32\...\Run: [Virtual Account Numbers] => C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe [435712 2015-07-14] (Orbiscom Ltd. All rights reserved.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [26220296 2017-02-06] (Dropbox, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [Speech Recognition] => C:\windows\Speech\Common\sapisvr.exe [45056 2015-10-30] (Microsoft Corporation)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [HP Officejet 4630 series (NET)] => C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe [3487240 2014-07-21] (Hewlett-Packard Development Company, LP)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27427808 2017-02-08] (Skype Technologies S.A.)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [Amazon Music] => C:\Users\kb6565\AppData\Local\Amazon Music\Amazon Music Helper.exe [3494376 2016-12-14] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [VPN Unlimited] => C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-launcher.exe [76120 2016-09-03] (KeepSolid Inc.)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [irrigated] => C:\Program Files (x86)\nellies\irrigated.exe [50803 2016-11-23] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [AirDroid 3] => C:\Program Files (x86)\AirDroid\AirDroid.exe [8651896 2017-01-18] (Sand Studio)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [individuated] => "C:\Program Files (x86)\Bridging\sunburns.exe"
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\RunOnce: [Uninstall C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\MountPoints2: {e65c5052-5820-11e4-827f-e82aea722b6b} - "G:\WD SmartWare.exe" autoplay=true
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64\FileSyncShell64.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64\FileSyncShell64.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64\FileSyncShell64.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\FileSyncShell.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\FileSyncShell.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\FileSyncShell.dll [2016-02-10] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Printkey2000.lnk [2016-11-23]
ShortcutTarget: Printkey2000.lnk -> C:\Program Files (x86)\PrintKey2000\Printkey2000.exe (Fred's Software)
Startup: C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2016-11-23]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3ca704b5-ea2e-48fd-a02c-730fcc98d22e}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{bb7e9a15-3d0e-449b-bd25-ef6e54a40027}: [DhcpNameServer] 10.200.0.1
Tcpip\..\Interfaces\{E83C2C13-8E3B-4C13-AE1D-34ADEA60154B}: [DhcpNameServer] 209.222.18.222 209.222.18.218

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> {0E25F6E8-6429-40EF-9C22-813373DA0C14} URL =
BHO: Youtube AdBlock -> {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} -> C:\Program Files (x86)\Youtube AdBlock\IEEF\W31HwnT.dll => No File
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Virtual Account Numbers Helper -> {17424104-1444-4810-85D7-B4DA413C5A9A} -> C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll [2015-07-14] (Orbiscom Ltd. All rights reserved.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-07-28] (Oracle Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-08-26] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-07-28] (Oracle Corporation)
Toolbar: HKLM-x32 - Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll [2015-07-14] (Orbiscom Ltd. All rights reserved.)
Toolbar: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 [2017-02-25]
FF Homepage: Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 -> hxxps://my.yahoo.com/
FF Extension: (Safelinking) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\contact@safelinking.net.xpi [2016-11-23]
FF Extension: (Simple Form Fill) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\simpleformfill@sblask.xpi [2017-01-02]
FF Extension: (uBlock Origin) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\uBlock0@raymondhill.net.xpi [2017-02-20]
FF Extension: (Zoom Page) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\zoompage@DW-dev.xpi [2016-11-23]
FF Extension: (Linkification) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}.xpi [2016-11-23]
FF Extension: (Map With Google) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{74591c01-3a7f-469e-ad4e-5d8d708dc4c5}.xpi [2016-12-16]
FF Extension: (Video DownloadHelper) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-12-30]
FF Extension: (DownThemAll!) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2016-11-23]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\features\{cc6c9302-c7e5-454f-b1ed-ea755452da1b}\disableSHA1rollout@mozilla.org.xpi [2017-02-19]
FF HKLM-x32\...\Firefox\Extensions: [citius@orbiscom] - C:\Program Files (x86)\Virtual Account Numbers
FF Extension: (Virtual Account Numbers for Firefox) - C:\Program Files (x86)\Virtual Account Numbers [2016-03-22] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-12-09] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-02-15] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-15] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 BitMeterCaptureService; C:\Program Files (x86)\Codebox\BitMeterOS\BitMeterCaptureService.exe [180970 2014-08-03] () [File not signed]
S2 BitMeterWebService; C:\Program Files (x86)\Codebox\BitMeterOS\BitMeterWebService.exe [245962 2014-08-03] () [File not signed]
R2 DAMSvc; C:\Program Files (x86)\Nuance\DragonAssistant3\DragonAssistantMaintenance.exe [4279056 2014-01-27] (Nuance Communications, Inc.)
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-11] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-11] (Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
R2 DptfParticipantProcessorService; C:\WINDOWS\system32\DptfParticipantProcessorService.exe [115632 2013-08-02] (Intel Corporation)
R2 DptfPolicyConfigTDPService; C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe [116656 2013-08-02] (Intel Corporation)
R2 DptfPolicyCriticalService; C:\WINDOWS\system32\DptfPolicyCriticalService.exe [148688 2013-08-02] (Intel Corporation)
R2 DptfPolicyLpmService; C:\WINDOWS\system32\DptfPolicyLpmService.exe [124880 2013-08-02] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373744 2016-11-01] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
S3 Intel® TA SAM; C:\Program Files (x86)\Intel Corporation\Intel® Technology Access\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [18152 2016-08-12] (Intel Corporation)
S2 Intel® TechnologyAccessLegacyCSLoader; C:\Program Files\Intel Corporation\Intel® Technology Access\LegacyCsLoaderService.exe [153296 2016-04-26] (Intel® Corporation)
S2 Intel® TechnologyAccessService; C:\Program Files\Intel Corporation\Intel® Technology Access\IntelTechnologyAccessService.exe [478416 2016-04-26] (Intel® Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [198192 2014-05-21] (Lenovo(beijing) Limited)
R2 LsvUIService; C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvUIService.exe [70416 2014-05-21] (Lenovo)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 PGService; C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe [167176 2014-02-24] (PointGrab LTD)
R2 PG_Service_Launcher; C:\Program Files (x86)\Lenovo\Motion Control\PG_Service_Launcher.exe [512776 2014-02-24] (PointGrab LTD)
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [288472 2013-09-13] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [249032 2015-06-03] (Synaptics Incorporated)
R2 VPNUnlimitedService; C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe [61784 2016-09-03] (KeepSolid Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
R2 windowsmanagementservice; C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
R2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [34576 2014-05-21] (Lenovo)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 DptfDevPch; C:\WINDOWS\system32\DRIVERS\DptfDevPch.sys [114680 2013-08-02] (Intel Corporation)
R3 DptfDevProc; C:\WINDOWS\system32\DRIVERS\DptfDevProc.sys [287160 2013-08-02] (Intel Corporation)
R3 DptfManager; C:\WINDOWS\system32\DRIVERS\DptfManager.sys [494272 2013-08-02] (Intel Corporation)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [230656 2016-12-12] (Intel Corporation)
S3 INETMON; C:\windows\System32\Drivers\INETMON.sys [29088 2013-08-01] ()
R2 inpoutx64; C:\WINDOWS\System32\Drivers\inpoutx64.sys [15008 2014-08-25] (Highresolution Enterprises [www.highrez.co.uk])
R3 ISCT; C:\WINDOWS\System32\drivers\ISCTD64.sys [47008 2013-07-30] ()
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
R1 ndisrd; C:\WINDOWS\system32\DRIVERS\ndisrfl.sys [50448 2015-07-28] (Intel Corporation)
S3 NetTap630; C:\WINDOWS\system32\DRIVERS\nettap630.sys [76560 2015-07-29] (Intel Corporation)
R3 NETwNb64; C:\WINDOWS\System32\drivers\Netwbw02.sys [3485696 2015-10-30] (Intel Corporation)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [42696 2015-06-03] (Synaptics Incorporated)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 wsvd; C:\WINDOWS\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2016-10-28] (Zemana Ltd.)
S3 AndnetBus; \SystemRoot\System32\drivers\lgandnetbus64.sys [X]
S3 AndNetDiag; \SystemRoot\system32\DRIVERS\lgandnetdiag64.sys [X]
S3 ANDNetModem; \SystemRoot\system32\DRIVERS\lgandnetmodem64.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 05:37 - 2017-02-25 05:38 - 00000000 ____D C:\FRST
2017-02-25 05:32 - 2017-02-25 05:38 - 00000000 ____D C:\Users\kb6565\Desktop\bleepingcomputer
2017-02-24 15:54 - 2017-02-24 15:54 - 00000000 ____D C:\Program Files (x86)\regtool
2017-02-24 15:48 - 2017-02-24 15:48 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-02-24 15:47 - 2017-02-24 15:50 - 00000000 ____D C:\WINDOWS\pss
2017-02-24 15:09 - 2017-02-24 15:09 - 00001035 _____ C:\Users\kb6565\Desktop\adwcleaner_6.043.exe - Shortcut.lnk
2017-02-24 15:06 - 2017-02-24 15:06 - 00001954 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-24 15:06 - 2017-02-24 15:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-24 15:05 - 2017-02-24 15:05 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-24 14:46 - 2017-02-24 15:12 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-02-24 14:46 - 2017-02-24 14:57 - 00000000 ____D C:\Users\kb6565\AppData\Local\llssoft
2017-02-24 14:44 - 2017-02-24 14:44 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2017-02-24 14:39 - 2017-02-24 14:39 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\dataup
2017-02-24 14:38 - 2017-02-24 14:38 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\c
2017-02-24 14:38 - 2017-02-24 14:38 - 00000000 ____D C:\ProgramData\1487965132
2017-02-24 14:15 - 2017-02-24 14:26 - 00000000 ____D C:\Users\kb6565\AppData\LocalLow\uTorrent
2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-11 12:40 - 2017-02-11 12:40 - 00001275 _____ C:\Users\Public\Desktop\Boilsoft Video Splitter.lnk
2017-02-11 12:39 - 2017-02-11 12:39 - 00003284 _____ C:\WINDOWS\System32\Tasks\{74BD1B3A-16F3-43AB-BC2B-43AF812C2A6C}
2017-02-08 02:19 - 2017-02-08 02:19 - 00000522 _____ C:\Users\kb6565\Documents\Vizio TVs Spy on You How to Stop It.txt
2017-02-07 19:24 - 2017-02-07 19:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-02-06 23:38 - 2017-02-06 23:38 - 00046400 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2017-02-06 23:38 - 2017-02-06 23:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
2017-02-06 23:38 - 2017-02-06 23:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
2017-02-06 23:38 - 2017-02-06 23:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
2017-01-30 15:21 - 2017-01-30 15:21 - 00368912 _____ C:\WINDOWS\system32\FNTCACHE.DAT

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 05:40 - 2016-12-07 08:31 - 03248964 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-02-25 05:23 - 2015-11-27 17:55 - 00000922 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2017-02-25 05:16 - 2016-02-11 12:02 - 00000000 ___RD C:\Users\kb6565\Dropbox
2017-02-25 05:01 - 2015-11-25 23:29 - 00881036 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-02-25 05:01 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
2017-02-25 04:58 - 2015-07-01 06:11 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-02-25 03:52 - 2014-07-17 14:55 - 00004152 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{E80161FA-1393-4669-920B-07515554C930}
2017-02-24 19:46 - 2016-06-30 21:50 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\vlc
2017-02-24 19:18 - 2016-11-21 03:33 - 00000000 ____D C:\Users\kb6565\AppData\LocalLow\Mozilla
2017-02-24 19:18 - 2016-03-26 14:37 - 00001345 _____ C:\Users\kb6565\Desktop\Dropbox.lnk
2017-02-24 19:17 - 2016-09-13 11:24 - 00005152 _____ C:\Users\kb6565\Desktop\DesktopOK.ini
2017-02-24 15:59 - 2015-11-27 17:55 - 00000918 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2017-02-24 15:59 - 2015-11-25 23:33 - 00000000 __SHD C:\Users\kb6565\IntelGraphicsProfiles
2017-02-24 15:59 - 2015-11-25 23:21 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-02-24 15:58 - 2015-11-25 23:27 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-24 15:58 - 2015-10-30 01:28 - 01048576 ___SH C:\WINDOWS\system32\config\BBI
2017-02-24 15:44 - 2016-10-28 06:35 - 00000000 ____D C:\AdwCleaner
2017-02-24 15:05 - 2014-12-12 19:03 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-24 15:00 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-24 14:55 - 2015-11-25 23:22 - 00000000 ____D C:\Users\kb6565
2017-02-24 14:52 - 2014-08-11 13:31 - 00000000 ____D C:\Users\kb6565\AppData\Local\ElevatedDiagnostics
2017-02-24 14:50 - 2016-12-14 02:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-24 14:44 - 2015-11-26 01:36 - 00000000 ____D C:\WINDOWS\Minidump
2017-02-24 14:44 - 2014-05-21 14:03 - 00143724 ____N C:\WINDOWS\Minidump\022417-20625-01.dmp
2017-02-24 14:26 - 2014-07-19 11:10 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\uTorrent
2017-02-24 12:52 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
2017-02-23 10:49 - 2014-07-23 01:34 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-23 10:47 - 2014-07-23 01:34 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-22 01:32 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-22 00:14 - 2015-10-31 10:55 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-02-21 20:08 - 2014-07-24 22:21 - 00000979 _____ C:\Users\kb6565\Desktop\ReNamer.lnk
2017-02-20 04:22 - 2014-07-18 10:35 - 00000714 _____ C:\Users\kb6565\Desktop\Se4dr5ft6.txt
2017-02-19 07:02 - 2014-07-18 10:19 - 00000000 ____D C:\Users\kb6565\Desktop\Books For Kindle
2017-02-15 02:57 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-02-15 02:57 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-02-15 01:45 - 2014-08-01 10:18 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\Skype
2017-02-15 01:16 - 2016-08-19 12:02 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-02-15 01:16 - 2014-08-01 10:18 - 00000000 ____D C:\ProgramData\Skype
2017-02-11 12:40 - 2014-07-19 07:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boilsoft
2017-02-11 12:40 - 2014-07-19 07:16 - 00000000 ____D C:\Program Files (x86)\Boilsoft
2017-02-08 15:16 - 2014-07-18 10:35 - 00001094 _____ C:\Users\kb6565\Desktop\CC.txt
2017-02-07 19:24 - 2015-11-27 17:55 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-02-07 13:07 - 2014-07-18 10:35 - 00001014 _____ C:\Users\kb6565\Desktop\New Releases .txt
2017-02-06 14:45 - 2015-10-30 02:26 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 14:45 - 2015-10-30 02:26 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-05 13:19 - 2014-07-18 10:21 - 00000000 ____D C:\Users\kb6565\Desktop\Misc. PDFs & TXTs
2017-02-05 12:59 - 2015-12-06 13:53 - 00000000 ____D C:\Users\kb6565\Desktop\TurboTax 2015
2017-02-05 12:58 - 2017-01-02 19:13 - 00001170 _____ C:\Users\kb6565\Desktop\cloudLibrary-2.0.lnk
2017-02-05 12:58 - 2016-12-29 10:00 - 00001582 _____ C:\Users\kb6565\Desktop\iexplore.exe.lnk
2017-02-05 12:58 - 2016-11-23 19:35 - 00001615 _____ C:\Users\kb6565\Desktop\firefox.exe.lnk
2017-02-05 12:58 - 2016-10-01 20:59 - 00001010 _____ C:\Users\kb6565\Desktop\Newsbin for NewsDemon 64.lnk
2017-02-05 12:58 - 2016-09-23 13:02 - 00001257 _____ C:\Users\kb6565\Desktop\Amazon Drive.lnk
2017-02-05 12:58 - 2016-09-23 12:34 - 00001290 _____ C:\Users\kb6565\Desktop\Amazon Music.lnk
2017-02-05 12:58 - 2016-09-02 06:10 - 00001519 _____ C:\Users\kb6565\Desktop\Auslogics Duplicate File Finder.lnk
2017-02-05 12:58 - 2016-08-28 13:25 - 00000969 _____ C:\Users\kb6565\Desktop\CDisplay.lnk
2017-02-05 12:58 - 2016-06-30 22:36 - 00001046 _____ C:\Users\kb6565\Desktop\abcAVI Tag Editor.lnk
2017-02-05 12:58 - 2016-03-11 19:56 - 00001822 _____ C:\Users\kb6565\Desktop\uTorrent.exe - Shortcut.lnk
2017-02-05 12:58 - 2014-09-12 03:59 - 00001265 _____ C:\Users\kb6565\Desktop\SWF & FLV Player.lnk
2017-02-05 12:58 - 2014-08-15 22:18 - 00001949 _____ C:\Users\kb6565\Desktop\AsfTools 3.1.lnk
2017-02-05 12:58 - 2014-07-27 23:45 - 00001540 _____ C:\Users\kb6565\Desktop\Printkey2000.exe - Shortcut.lnk
2017-01-30 15:22 - 2017-01-11 14:24 - 00000000 ____D C:\AirDroid
2017-01-30 15:22 - 2017-01-07 15:36 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\AirDroid
2017-01-30 13:54 - 2017-01-02 01:23 - 00000297 _____ C:\Users\kb6565\Desktop\Katewood Prop. Taxes 2013 thru 2017.txt
2017-01-30 13:20 - 2016-12-14 02:09 - 00061848 _____ C:\Users\kb6565\Desktop\Comcast 1-28.eml
2017-01-28 10:50 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\ModemLogs
2017-01-28 10:50 - 2014-05-21 14:32 - 00000000 ____D C:\WINDOWS\System32\Tasks\Lenovo
2017-01-28 10:49 - 2015-10-30 02:24 - 00000000 ___SD C:\WINDOWS\Downloaded Program Files
2017-01-28 10:47 - 2016-06-30 22:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\abcAVI Tag Editor
2017-01-28 10:47 - 2014-07-19 07:31 - 00000000 ____D C:\Users\kb6565\AppData\Local\CrashDumps
2017-01-28 00:46 - 2016-03-10 10:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2016-01-13 22:49 - 2016-01-13 22:49 - 0000043 _____ () C:\Users\kb6565\AppData\Roaming\WB.CFG
2016-11-23 19:04 - 2016-11-23 19:04 - 0034216 _____ () C:\Users\kb6565\AppData\Local\22705.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0127729 _____ () C:\Users\kb6565\AppData\Local\37703.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0054804 _____ () C:\Users\kb6565\AppData\Local\52984.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0049460 _____ () C:\Users\kb6565\AppData\Local\85953.exe
2016-11-22 19:11 - 2016-11-22 19:11 - 0004608 _____ () C:\Users\kb6565\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-15 17:18 - 2015-03-15 17:18 - 0007597 _____ () C:\Users\kb6565\AppData\Local\Resmon.ResmonCfg
2016-11-23 19:23 - 2016-11-23 19:24 - 0000003 _____ () C:\Users\kb6565\AppData\Local\run1.txt
2016-06-01 22:44 - 2016-06-01 22:44 - 0000000 _____ () C:\Users\kb6565\AppData\Local\{6E0994E5-79C4-4793-A33C-D5975EE1A0E5}
2015-07-03 18:45 - 2015-07-03 18:45 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-11-25 23:21 - 2015-11-25 23:21 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-02-24 14:18 - 2016-03-12 07:06 - 0000774 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Some files in TEMP:
====================
2016-10-20 12:26 - 2016-10-20 12:26 - 2458672 _____ (The OpenSSL Project, http://www.openssl.org/) C:\Users\kb6565\AppData\Local\Temp\libeay32.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0970912 _____ (Microsoft Corporation) C:\Users\kb6565\AppData\Local\Temp\msvcr120.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0772672 _____ () C:\Users\kb6565\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-17 10:35

==================== End of FRST.txt ============================

#2 olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 25 February 2017 - 06:23 AM

Hello Waster555 and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.

Thanks
    
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

Sincerely


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 25 February 2017 - 08:03 AM

Hi Waster555,

 

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

 

uTorrent

C:\Program Files (x86)\svcvmx
C:\Program Files (x86)\nellies
C:\Program Files (x86)\winscr
C:\Program Files (x86)\regtool
C:\Program Files (x86)\qdcomsvc
C:\Program Files (x86)\dataup

C:\Program Files (x86)\cpx

 

And restart the PC now.

============================================================

Step 1:
FRST Script:
Please download the attached file Fixlist.txt (6.77 KB) and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
 
Step 2:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 



#4 Waster555

  • Topic Starter
  • Members
  • 21 posts

Posted 25 February 2017 - 08:58 AM

Fixlist.txt Log
CreateRestorePoint:
CloseProcesses:
Task: {08788575-603C-4664-878F-4624CF5F643D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {10E48639-CDCD-42E5-B8C8-01B01A34CA2F} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2B61C473-A7A8-4874-8D4E-7FEB06CC15FC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {2F090F64-CC61-4771-9693-38FD2EC33A19} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {33F09F4F-1373-4BA3-9357-0BCB3DBA2BF7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6202DB17-0516-499E-BD99-577BB4D2452F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {690B4F19-6615-4749-B0B0-4357DAD54AC9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8D83D0B5-EF31-4040-8383-A5C95C54DF35} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9122172D-1EDD-490F-B6BF-CBD086837578} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {A7BC33F8-1E0D-4FE5-9802-108159E7DCC0} - System32\Tasks\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => pcalua.exe -a "C:\Users\kb6565\AppData\Roaming\Browser Extensions\uninstall.exe"
Task: {AD842A19-5CDE-4674-9B18-139791C6C8ED} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B1F3FEA4-CF7E-4A2F-B385-698A1A2AD389} - \{68CBA00B-12E5-41E7-83F0-8386F729CA72} -> No File <==== ATTENTION
Task: {DD4DBF84-024E-4053-A666-78FC109E4D13} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\dataup
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\dataup\help_dll.dll
C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll
AlternateDataStreams: C:\ProgramData\TEMP:B3503B59 [512]
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\nellies\irrigated.exe
C:\Program Files (x86)\svcvmx\svcvmx.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe
C:\Users\kb6565\AppData\Local\Temp
C:\Program Files (x86)\winscr\winscr.exe
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [irrigated] => C:\Program Files (x86)\nellies\irrigated.exe [50803 2016-11-23] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\MountPoints2: {e65c5052-5820-11e4-827f-e82aea722b6b} - "G:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> {0E25F6E8-6429-40EF-9C22-813373DA0C14} URL =
BHO: Youtube AdBlock -> {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} -> C:\Program Files (x86)\Youtube AdBlock\IEEF\W31HwnT.dll => No File
Toolbar: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF ProfilePath: C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 [2017-02-25]
FF Homepage: Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 -> hxxps://my.yahoo.com/
CHR dev: Chrome dev build detected! <======= ATTENTION
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 windowsmanagementservice; C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S3 dbx; system32\DRIVERS\dbx.sys [X]
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\dataup
D C:\ProgramData\1487965132
C:\Program Files (x86)\regtool
2016-11-23 19:04 - 2016-11-23 19:04 - 0034216 _____ () C:\Users\kb6565\AppData\Local\22705.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0127729 _____ () C:\Users\kb6565\AppData\Local\37703.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0054804 _____ () C:\Users\kb6565\AppData\Local\52984.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0049460 _____ () C:\Users\kb6565\AppData\Local\85953.exe
2015-03-15 17:18 - 2015-03-15 17:18 - 0007597 _____ () C:\Users\kb6565\AppData\Local\Resmon.ResmonCfg
2016-11-23 19:23 - 2016-11-23 19:24 - 0000003 _____ () C:\Users\kb6565\AppData\Local\run1.txt
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-20 12:26 - 2016-10-20 12:26 - 0970912 _____ (Microsoft Corporation) C:\Users\kb6565\AppData\Local\Temp\msvcr120.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0772672 _____ () C:\Users\kb6565\AppData\Local\Temp\sqlite3.dll
C:\Users\kb6565\AppData\Local\Temp
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
EmptyTemp:
Hosts:

# AdwCleaner v6.043 - Logfile created 25/02/2017 at 08:28:11
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-24.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : kb6565 - ORANGE
# Running from : C:\Users\kb6565\Desktop\bleepingcomputer\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: Dataup
[-] Service deleted: windowsmanagementservice


***** [ Folders ] *****

[#] Folder deleted on reboot: C:\Program Files (x86)\dataup
[-] Folder deleted: C:\Program Files (x86)\regtool


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Dataup
[-] Key deleted: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\windowsmanagementservice
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [cpx]


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [4897 Bytes] - [28/10/2016 06:37:32]
C:\AdwCleaner\AdwCleaner[C2].txt - [6612 Bytes] - [23/11/2016 19:27:14]
C:\AdwCleaner\AdwCleaner[C3].txt - [1807 Bytes] - [24/11/2016 05:33:15]
C:\AdwCleaner\AdwCleaner[C4].txt - [1936 Bytes] - [24/02/2017 14:55:10]
C:\AdwCleaner\AdwCleaner[C5].txt - [2205 Bytes] - [24/02/2017 15:12:50]
C:\AdwCleaner\AdwCleaner[C6].txt - [2541 Bytes] - [24/02/2017 15:44:41]
C:\AdwCleaner\AdwCleaner[C7].txt - [1818 Bytes] - [25/02/2017 08:28:11]
C:\AdwCleaner\AdwCleaner[S0].txt - [4555 Bytes] - [28/10/2016 06:36:22]
C:\AdwCleaner\AdwCleaner[S1].txt - [1288 Bytes] - [28/10/2016 06:43:02]
C:\AdwCleaner\AdwCleaner[S2].txt - [6203 Bytes] - [23/11/2016 19:26:40]
C:\AdwCleaner\AdwCleaner[S3].txt - [1937 Bytes] - [24/11/2016 05:33:05]
C:\AdwCleaner\AdwCleaner[S4].txt - [1653 Bytes] - [24/11/2016 08:06:58]
C:\AdwCleaner\AdwCleaner[S5].txt - [2888 Bytes] - [24/02/2017 14:50:07]
C:\AdwCleaner\AdwCleaner[S6].txt - [1941 Bytes] - [24/02/2017 14:54:10]
C:\AdwCleaner\AdwCleaner[S7].txt - [2230 Bytes] - [24/02/2017 15:11:59]
C:\AdwCleaner\AdwCleaner[S8].txt - [2556 Bytes] - [24/02/2017 15:44:31]
C:\AdwCleaner\AdwCleaner[S9].txt - [2727 Bytes] - [25/02/2017 08:25:31]

########## EOF - C:\AdwCleaner\AdwCleaner[C7].txt - [2621 Bytes] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 10 Home x64
Ran by kb6565 (Administrator) on Sat 02/25/2017 at  8:35:38.78
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 6

Failed to delete: C:\Program Files (x86)\dataup (Folder)
Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\ProgramData\Start Menu\Programs\search.lnk (Shortcut)
Successfully deleted: C:\Users\kb6565\AppData\Local\crashrpt (Folder)
Successfully deleted: C:\WINDOWS\wininit.ini (File)
Successfully deleted: C:\Program Files (x86)\regtool (Folder)

Deleted the following from C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\prefs.js
user_pref(browser.urlbar.suggest.searches, true);

Registry: 5

Failed to delete: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\cpx (Registry Value)
Failed to delete: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx (Registry Value)
Failed to delete: HKLM\SYSTEM\CurrentControlSet\services\Dataup (Registry Key)
Failed to delete: HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0E25F6E8-6429-40EF-9C22-813373DA0C14} (Registry Key)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/25/2017 at  8:47:15.24
End of JRT log
~~~~~~~~~~~



#5 olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 25 February 2017 - 09:07 AM

The Fixlist operation was not successful. Please try to run the Step 1 fixlist.
Read the instructions well.

 

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.



#6 Waster555

  • Topic Starter
  • Members
  • 21 posts

Posted 25 February 2017 - 12:39 PM

I have run FRST64.exe in the folder with Fixlist.txt 3 times. No Fixlog.txt pops up, only FRST.txt and Addition.txt. Results of FRST.txt copied and pasted below.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by kb6565 (administrator) on ORANGE (25-02-2017 11:49:20)
Running from C:\Users\kb6565\Desktop\bleepingcomputer\FRST
Loaded Profiles: kb6565 (Available Profiles: kb6565)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\DragonAssistant3\DragonAssistantMaintenance.exe
() C:\Program Files (x86)\dataup\dataup.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyCriticalService.exe
(Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvUIService.exe
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\PG_Service_Launcher.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(KeepSolid Inc.) C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
(Lenovo) C:\ProgramData\LenovoTransition\Server\x64\ymc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(ct Corp.) C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
Failed to access process -> svchost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(winscr) C:\Program Files (x86)\winscr\winscr.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\WINDOWS\system32\DptfPolicyLpmServiceHelper.exe [111976 2013-08-02] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13656792 2013-10-04] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1353432 2013-09-26] (Realtek Semiconductor)
HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [59923440 2014-05-21] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [80880 2014-05-21] (Lenovo(beijing) Limited)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3944136 2015-06-03] (Synaptics Incorporated)
HKLM\...\Run: [NetWorx] => C:\Program Files\NetWorx\networx.exe [7698248 2016-06-29] (SoftPerfect)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [2075480 2013-06-24] (Flexera Software LLC.)
HKLM-x32\...\Run: [Virtual Account Numbers] => C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe [435712 2015-07-14] (Orbiscom Ltd. All rights reserved.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [26220296 2017-02-06] (Dropbox, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [Speech Recognition] => C:\windows\Speech\Common\sapisvr.exe [45056 2015-10-30] (Microsoft Corporation)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [HP Officejet 4630 series (NET)] => C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe [3487240 2014-07-21] (Hewlett-Packard Development Company, LP)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27427808 2017-02-08] (Skype Technologies S.A.)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [Amazon Music] => C:\Users\kb6565\AppData\Local\Amazon Music\Amazon Music Helper.exe [3494376 2016-12-14] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [VPN Unlimited] => C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-launcher.exe [76120 2016-09-03] (KeepSolid Inc.)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [irrigated] => C:\Program Files (x86)\nellies\irrigated.exe [50803 2016-11-23] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [AirDroid 3] => C:\Program Files (x86)\AirDroid\AirDroid.exe [8651896 2017-01-18] (Sand Studio)
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [individuated] => "C:\Program Files (x86)\Bridging\sunburns.exe"
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\RunOnce: [Uninstall C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\MountPoints2: {e65c5052-5820-11e4-827f-e82aea722b6b} - "G:\WD SmartWare.exe" autoplay=true
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64\FileSyncShell64.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64\FileSyncShell64.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64\FileSyncShell64.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\FileSyncShell.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\FileSyncShell.dll [2016-02-10] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\kb6565\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\FileSyncShell.dll [2016-02-10] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Printkey2000.lnk [2016-11-23]
ShortcutTarget: Printkey2000.lnk -> C:\Program Files (x86)\PrintKey2000\Printkey2000.exe (Fred's Software)
Startup: C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2016-11-23]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3ca704b5-ea2e-48fd-a02c-730fcc98d22e}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{bb7e9a15-3d0e-449b-bd25-ef6e54a40027}: [DhcpNameServer] 10.200.0.1
Tcpip\..\Interfaces\{E83C2C13-8E3B-4C13-AE1D-34ADEA60154B}: [DhcpNameServer] 209.222.18.222 209.222.18.218

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Youtube AdBlock -> {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} -> C:\Program Files (x86)\Youtube AdBlock\IEEF\W31HwnT.dll => No File
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Virtual Account Numbers Helper -> {17424104-1444-4810-85D7-B4DA413C5A9A} -> C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll [2015-07-14] (Orbiscom Ltd. All rights reserved.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-07-28] (Oracle Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-08-26] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-07-28] (Oracle Corporation)
Toolbar: HKLM-x32 - Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll [2015-07-14] (Orbiscom Ltd. All rights reserved.)
Toolbar: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 [2017-02-25]
FF Homepage: Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 -> hxxps://my.yahoo.com/
FF Extension: (Safelinking) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\contact@safelinking.net.xpi [2016-11-23]
FF Extension: (Simple Form Fill) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\simpleformfill@sblask.xpi [2017-01-02]
FF Extension: (uBlock Origin) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\uBlock0@raymondhill.net.xpi [2017-02-20]
FF Extension: (Zoom Page) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\zoompage@DW-dev.xpi [2016-11-23]
FF Extension: (Linkification) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}.xpi [2016-11-23]
FF Extension: (Map With Google) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{74591c01-3a7f-469e-ad4e-5d8d708dc4c5}.xpi [2016-12-16]
FF Extension: (Video DownloadHelper) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-12-30]
FF Extension: (DownThemAll!) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2016-11-23]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972\features\{cc6c9302-c7e5-454f-b1ed-ea755452da1b}\disableSHA1rollout@mozilla.org.xpi [2017-02-19]
FF HKLM-x32\...\Firefox\Extensions: [citius@orbiscom] - C:\Program Files (x86)\Virtual Account Numbers
FF Extension: (Virtual Account Numbers for Firefox) - C:\Program Files (x86)\Virtual Account Numbers [2016-03-22] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-12-09] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-02-15] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-15] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 BitMeterCaptureService; C:\Program Files (x86)\Codebox\BitMeterOS\BitMeterCaptureService.exe [180970 2014-08-03] () [File not signed]
S2 BitMeterWebService; C:\Program Files (x86)\Codebox\BitMeterOS\BitMeterWebService.exe [245962 2014-08-03] () [File not signed]
R2 DAMSvc; C:\Program Files (x86)\Nuance\DragonAssistant3\DragonAssistantMaintenance.exe [4279056 2014-01-27] (Nuance Communications, Inc.)
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-11] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-11] (Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
R2 DptfParticipantProcessorService; C:\WINDOWS\system32\DptfParticipantProcessorService.exe [115632 2013-08-02] (Intel Corporation)
R2 DptfPolicyConfigTDPService; C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe [116656 2013-08-02] (Intel Corporation)
R2 DptfPolicyCriticalService; C:\WINDOWS\system32\DptfPolicyCriticalService.exe [148688 2013-08-02] (Intel Corporation)
R2 DptfPolicyLpmService; C:\WINDOWS\system32\DptfPolicyLpmService.exe [124880 2013-08-02] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373744 2016-11-01] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
S3 Intel® TA SAM; C:\Program Files (x86)\Intel Corporation\Intel® Technology Access\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [18152 2016-08-12] (Intel Corporation)
S2 Intel® TechnologyAccessLegacyCSLoader; C:\Program Files\Intel Corporation\Intel® Technology Access\LegacyCsLoaderService.exe [153296 2016-04-26] (Intel® Corporation)
S2 Intel® TechnologyAccessService; C:\Program Files\Intel Corporation\Intel® Technology Access\IntelTechnologyAccessService.exe [478416 2016-04-26] (Intel® Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [198192 2014-05-21] (Lenovo(beijing) Limited)
R2 LsvUIService; C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvUIService.exe [70416 2014-05-21] (Lenovo)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 PGService; C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe [167176 2014-02-24] (PointGrab LTD)
R2 PG_Service_Launcher; C:\Program Files (x86)\Lenovo\Motion Control\PG_Service_Launcher.exe [512776 2014-02-24] (PointGrab LTD)
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [288472 2013-09-13] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [249032 2015-06-03] (Synaptics Incorporated)
R2 VPNUnlimitedService; C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe [61784 2016-09-03] (KeepSolid Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
R2 windowsmanagementservice; C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
R2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [34576 2014-05-21] (Lenovo)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 DptfDevPch; C:\WINDOWS\system32\DRIVERS\DptfDevPch.sys [114680 2013-08-02] (Intel Corporation)
R3 DptfDevProc; C:\WINDOWS\system32\DRIVERS\DptfDevProc.sys [287160 2013-08-02] (Intel Corporation)
R3 DptfManager; C:\WINDOWS\system32\DRIVERS\DptfManager.sys [494272 2013-08-02] (Intel Corporation)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
S3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [230656 2016-12-12] (Intel Corporation)
S3 INETMON; C:\windows\System32\Drivers\INETMON.sys [29088 2013-08-01] ()
R2 inpoutx64; C:\WINDOWS\System32\Drivers\inpoutx64.sys [15008 2014-08-25] (Highresolution Enterprises [www.highrez.co.uk])
R3 ISCT; C:\WINDOWS\System32\drivers\ISCTD64.sys [47008 2013-07-30] ()
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
R1 ndisrd; C:\WINDOWS\system32\DRIVERS\ndisrfl.sys [50448 2015-07-28] (Intel Corporation)
S3 NetTap630; C:\WINDOWS\system32\DRIVERS\nettap630.sys [76560 2015-07-29] (Intel Corporation)
R3 NETwNb64; C:\WINDOWS\System32\drivers\Netwbw02.sys [3485696 2015-10-30] (Intel Corporation)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [42696 2015-06-03] (Synaptics Incorporated)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 wsvd; C:\WINDOWS\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2016-10-28] (Zemana Ltd.)
S3 AndnetBus; \SystemRoot\System32\drivers\lgandnetbus64.sys [X]
S3 AndNetDiag; \SystemRoot\system32\DRIVERS\lgandnetdiag64.sys [X]
S3 ANDNetModem; \SystemRoot\system32\DRIVERS\lgandnetmodem64.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 09:31 - 2017-02-25 09:31 - 00000000 ____D C:\Program Files (x86)\regtool
2017-02-25 08:47 - 2017-02-25 08:47 - 00001634 _____ C:\Users\kb6565\Desktop\JRT.txt
2017-02-25 06:20 - 2017-02-25 07:50 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-02-25 06:20 - 2017-02-25 06:20 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-02-25 06:19 - 2017-02-25 07:31 - 00000000 ____D C:\Users\kb6565\Desktop\mbar
2017-02-25 06:19 - 2017-02-25 06:19 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2017-02-25 05:37 - 2017-02-25 11:49 - 00000000 ____D C:\FRST
2017-02-25 05:32 - 2017-02-25 11:48 - 00000000 ____D C:\Users\kb6565\Desktop\bleepingcomputer
2017-02-24 15:48 - 2017-02-24 15:48 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-02-24 15:47 - 2017-02-24 15:50 - 00000000 ____D C:\WINDOWS\pss
2017-02-24 15:09 - 2017-02-24 15:09 - 00001035 _____ C:\Users\kb6565\Desktop\adwcleaner_6.043.exe - Shortcut.lnk
2017-02-24 15:06 - 2017-02-24 15:06 - 00001954 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-24 15:06 - 2017-02-24 15:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-24 15:05 - 2017-02-24 15:05 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-24 14:46 - 2017-02-24 15:12 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-02-24 14:46 - 2017-02-24 14:57 - 00000000 ____D C:\Users\kb6565\AppData\Local\llssoft
2017-02-24 14:44 - 2017-02-24 14:44 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2017-02-24 14:39 - 2017-02-24 14:39 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\dataup
2017-02-24 14:38 - 2017-02-24 14:38 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\c
2017-02-24 14:15 - 2017-02-24 14:26 - 00000000 ____D C:\Users\kb6565\AppData\LocalLow\uTorrent
2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-11 12:40 - 2017-02-11 12:40 - 00001275 _____ C:\Users\Public\Desktop\Boilsoft Video Splitter.lnk
2017-02-11 12:39 - 2017-02-11 12:39 - 00003284 _____ C:\WINDOWS\System32\Tasks\{74BD1B3A-16F3-43AB-BC2B-43AF812C2A6C}
2017-02-08 02:19 - 2017-02-08 02:19 - 00000522 _____ C:\Users\kb6565\Documents\Vizio TVs Spy on You How to Stop It.txt
2017-02-07 19:24 - 2017-02-07 19:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-02-06 23:38 - 2017-02-06 23:38 - 00046400 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2017-02-06 23:38 - 2017-02-06 23:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
2017-02-06 23:38 - 2017-02-06 23:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
2017-02-06 23:38 - 2017-02-06 23:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
2017-01-30 15:21 - 2017-01-30 15:21 - 00368912 _____ C:\WINDOWS\system32\FNTCACHE.DAT

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 11:57 - 2015-07-01 06:11 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-02-25 11:52 - 2016-12-07 08:31 - 00332442 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-02-25 11:51 - 2016-11-21 03:33 - 00000000 ____D C:\Users\kb6565\AppData\LocalLow\Mozilla
2017-02-25 11:23 - 2015-11-27 17:55 - 00000922 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2017-02-25 10:10 - 2014-07-17 14:55 - 00004152 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{E80161FA-1393-4669-920B-07515554C930}
2017-02-25 09:41 - 2015-11-25 23:29 - 00881036 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-02-25 09:41 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
2017-02-25 08:29 - 2015-11-25 23:33 - 00000000 __SHD C:\Users\kb6565\IntelGraphicsProfiles
2017-02-25 08:29 - 2015-11-25 23:21 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-02-25 08:28 - 2016-10-28 06:35 - 00000000 ____D C:\AdwCleaner
2017-02-25 08:28 - 2015-11-27 17:55 - 00000918 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2017-02-25 08:28 - 2015-11-25 23:27 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-25 08:28 - 2015-10-30 01:28 - 01048576 ___SH C:\WINDOWS\system32\config\BBI
2017-02-25 08:19 - 2014-07-19 11:10 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\uTorrent
2017-02-25 08:17 - 2016-06-30 21:50 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\vlc
2017-02-25 07:31 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\Resources
2017-02-25 07:30 - 2014-07-18 10:19 - 00000000 ____D C:\Users\kb6565\Desktop\Books For Kindle
2017-02-25 06:21 - 2014-12-12 19:03 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-25 05:48 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
2017-02-25 05:48 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-25 05:48 - 2014-07-17 14:54 - 00000000 ____D C:\Users\kb6565\AppData\Local\Packages
2017-02-25 05:16 - 2016-02-11 12:02 - 00000000 ___RD C:\Users\kb6565\Dropbox
2017-02-24 19:18 - 2016-03-26 14:37 - 00001345 _____ C:\Users\kb6565\Desktop\Dropbox.lnk
2017-02-24 19:17 - 2016-09-13 11:24 - 00005152 _____ C:\Users\kb6565\Desktop\DesktopOK.ini
2017-02-24 14:55 - 2015-11-25 23:22 - 00000000 ____D C:\Users\kb6565
2017-02-24 14:52 - 2014-08-11 13:31 - 00000000 ____D C:\Users\kb6565\AppData\Local\ElevatedDiagnostics
2017-02-24 14:50 - 2016-12-14 02:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-24 14:44 - 2015-11-26 01:36 - 00000000 ____D C:\WINDOWS\Minidump
2017-02-24 14:44 - 2014-05-21 14:03 - 00143724 ____N C:\WINDOWS\Minidump\022417-20625-01.dmp
2017-02-23 10:49 - 2014-07-23 01:34 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-23 10:47 - 2014-07-23 01:34 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-22 01:32 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-22 00:14 - 2015-10-31 10:55 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-02-21 20:08 - 2014-07-24 22:21 - 00000979 _____ C:\Users\kb6565\Desktop\ReNamer.lnk
2017-02-20 04:22 - 2014-07-18 10:35 - 00000714 _____ C:\Users\kb6565\Desktop\Se4dr5ft6.txt
2017-02-15 02:57 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-02-15 02:57 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-02-15 01:45 - 2014-08-01 10:18 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\Skype
2017-02-15 01:16 - 2016-08-19 12:02 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-02-15 01:16 - 2014-08-01 10:18 - 00000000 ____D C:\ProgramData\Skype
2017-02-11 12:40 - 2014-07-19 07:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boilsoft
2017-02-11 12:40 - 2014-07-19 07:16 - 00000000 ____D C:\Program Files (x86)\Boilsoft
2017-02-08 15:16 - 2014-07-18 10:35 - 00001094 _____ C:\Users\kb6565\Desktop\CC.txt
2017-02-07 19:24 - 2015-11-27 17:55 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-02-07 13:07 - 2014-07-18 10:35 - 00001014 _____ C:\Users\kb6565\Desktop\New Releases .txt
2017-02-06 14:45 - 2015-10-30 02:26 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 14:45 - 2015-10-30 02:26 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-05 13:19 - 2014-07-18 10:21 - 00000000 ____D C:\Users\kb6565\Desktop\Misc. PDFs & TXTs
2017-02-05 12:59 - 2015-12-06 13:53 - 00000000 ____D C:\Users\kb6565\Desktop\TurboTax 2015
2017-02-05 12:58 - 2017-01-02 19:13 - 00001170 _____ C:\Users\kb6565\Desktop\cloudLibrary-2.0.lnk
2017-02-05 12:58 - 2016-12-29 10:00 - 00001582 _____ C:\Users\kb6565\Desktop\iexplore.exe.lnk
2017-02-05 12:58 - 2016-11-23 19:35 - 00001615 _____ C:\Users\kb6565\Desktop\firefox.exe.lnk
2017-02-05 12:58 - 2016-10-01 20:59 - 00001010 _____ C:\Users\kb6565\Desktop\Newsbin for NewsDemon 64.lnk
2017-02-05 12:58 - 2016-09-23 13:02 - 00001257 _____ C:\Users\kb6565\Desktop\Amazon Drive.lnk
2017-02-05 12:58 - 2016-09-23 12:34 - 00001290 _____ C:\Users\kb6565\Desktop\Amazon Music.lnk
2017-02-05 12:58 - 2016-09-02 06:10 - 00001519 _____ C:\Users\kb6565\Desktop\Auslogics Duplicate File Finder.lnk
2017-02-05 12:58 - 2016-08-28 13:25 - 00000969 _____ C:\Users\kb6565\Desktop\CDisplay.lnk
2017-02-05 12:58 - 2016-06-30 22:36 - 00001046 _____ C:\Users\kb6565\Desktop\abcAVI Tag Editor.lnk
2017-02-05 12:58 - 2016-03-11 19:56 - 00001822 _____ C:\Users\kb6565\Desktop\uTorrent.exe - Shortcut.lnk
2017-02-05 12:58 - 2014-09-12 03:59 - 00001265 _____ C:\Users\kb6565\Desktop\SWF & FLV Player.lnk
2017-02-05 12:58 - 2014-08-15 22:18 - 00001949 _____ C:\Users\kb6565\Desktop\AsfTools 3.1.lnk
2017-02-05 12:58 - 2014-07-27 23:45 - 00001540 _____ C:\Users\kb6565\Desktop\Printkey2000.exe - Shortcut.lnk
2017-01-30 15:22 - 2017-01-11 14:24 - 00000000 ____D C:\AirDroid
2017-01-30 15:22 - 2017-01-07 15:36 - 00000000 ____D C:\Users\kb6565\AppData\Roaming\AirDroid
2017-01-30 13:54 - 2017-01-02 01:23 - 00000297 _____ C:\Users\kb6565\Desktop\Katewood Prop. Taxes 2013 thru 2017.txt
2017-01-30 13:20 - 2016-12-14 02:09 - 00061848 _____ C:\Users\kb6565\Desktop\Comcast 1-28.eml
2017-01-28 10:50 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\ModemLogs
2017-01-28 10:50 - 2014-05-21 14:32 - 00000000 ____D C:\WINDOWS\System32\Tasks\Lenovo
2017-01-28 10:49 - 2015-10-30 02:24 - 00000000 ___SD C:\WINDOWS\Downloaded Program Files
2017-01-28 10:47 - 2016-06-30 22:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\abcAVI Tag Editor
2017-01-28 10:47 - 2014-07-19 07:31 - 00000000 ____D C:\Users\kb6565\AppData\Local\CrashDumps
2017-01-28 00:46 - 2016-03-10 10:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2016-01-13 22:49 - 2016-01-13 22:49 - 0000043 _____ () C:\Users\kb6565\AppData\Roaming\WB.CFG
2016-11-23 19:04 - 2016-11-23 19:04 - 0034216 _____ () C:\Users\kb6565\AppData\Local\22705.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0127729 _____ () C:\Users\kb6565\AppData\Local\37703.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0054804 _____ () C:\Users\kb6565\AppData\Local\52984.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0049460 _____ () C:\Users\kb6565\AppData\Local\85953.exe
2016-11-22 19:11 - 2016-11-22 19:11 - 0004608 _____ () C:\Users\kb6565\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-15 17:18 - 2015-03-15 17:18 - 0007597 _____ () C:\Users\kb6565\AppData\Local\Resmon.ResmonCfg
2016-11-23 19:23 - 2016-11-23 19:24 - 0000003 _____ () C:\Users\kb6565\AppData\Local\run1.txt
2016-06-01 22:44 - 2016-06-01 22:44 - 0000000 _____ () C:\Users\kb6565\AppData\Local\{6E0994E5-79C4-4793-A33C-D5975EE1A0E5}
2015-07-03 18:45 - 2015-07-03 18:45 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-11-25 23:21 - 2015-11-25 23:21 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-02-24 14:18 - 2016-03-12 07:06 - 0000774 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Some files in TEMP:
====================
2016-10-20 12:26 - 2016-10-20 12:26 - 2458672 _____ (The OpenSSL Project, http://www.openssl.org/) C:\Users\kb6565\AppData\Local\Temp\libeay32.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0970912 _____ (Microsoft Corporation) C:\Users\kb6565\AppData\Local\Temp\msvcr120.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0772672 _____ () C:\Users\kb6565\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-17 10:35

==================== End of FRST.txt ============================



#7 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male
  • Local time:05:28 PM

Posted 25 February 2017 - 02:20 PM

Operation failed again! Try the following.

Run FRST fixlist

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
CreateRestorePoint:
CloseProcesses:
Task: {08788575-603C-4664-878F-4624CF5F643D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {10E48639-CDCD-42E5-B8C8-01B01A34CA2F} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2B61C473-A7A8-4874-8D4E-7FEB06CC15FC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {2F090F64-CC61-4771-9693-38FD2EC33A19} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {33F09F4F-1373-4BA3-9357-0BCB3DBA2BF7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6202DB17-0516-499E-BD99-577BB4D2452F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {690B4F19-6615-4749-B0B0-4357DAD54AC9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8D83D0B5-EF31-4040-8383-A5C95C54DF35} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9122172D-1EDD-490F-B6BF-CBD086837578} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {A7BC33F8-1E0D-4FE5-9802-108159E7DCC0} - System32\Tasks\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => pcalua.exe -a "C:\Users\kb6565\AppData\Roaming\Browser Extensions\uninstall.exe"
Task: {AD842A19-5CDE-4674-9B18-139791C6C8ED} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B1F3FEA4-CF7E-4A2F-B385-698A1A2AD389} - \{68CBA00B-12E5-41E7-83F0-8386F729CA72} -> No File <==== ATTENTION
Task: {DD4DBF84-024E-4053-A666-78FC109E4D13} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\dataup
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\dataup\help_dll.dll
C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll
AlternateDataStreams: C:\ProgramData\TEMP:B3503B59 [512]
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\nellies\irrigated.exe
C:\Program Files (x86)\svcvmx\svcvmx.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe
C:\Users\kb6565\AppData\Local\Temp
C:\Program Files (x86)\winscr\winscr.exe
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [irrigated] => C:\Program Files (x86)\nellies\irrigated.exe [50803 2016-11-23] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\MountPoints2: {e65c5052-5820-11e4-827f-e82aea722b6b} - "G:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> {0E25F6E8-6429-40EF-9C22-813373DA0C14} URL =
BHO: Youtube AdBlock -> {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} -> C:\Program Files (x86)\Youtube AdBlock\IEEF\W31HwnT.dll => No File
Toolbar: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF ProfilePath: C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 [2017-02-25]
FF Homepage: Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 -> hxxps://my.yahoo.com/
CHR dev: Chrome dev build detected! <======= ATTENTION
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 windowsmanagementservice; C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S3 dbx; system32\DRIVERS\dbx.sys [X]
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\dataup
D C:\ProgramData\1487965132
C:\Program Files (x86)\regtool
2016-11-23 19:04 - 2016-11-23 19:04 - 0034216 _____ () C:\Users\kb6565\AppData\Local\22705.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0127729 _____ () C:\Users\kb6565\AppData\Local\37703.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0054804 _____ () C:\Users\kb6565\AppData\Local\52984.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0049460 _____ () C:\Users\kb6565\AppData\Local\85953.exe
2015-03-15 17:18 - 2015-03-15 17:18 - 0007597 _____ () C:\Users\kb6565\AppData\Local\Resmon.ResmonCfg
2016-11-23 19:23 - 2016-11-23 19:24 - 0000003 _____ () C:\Users\kb6565\AppData\Local\run1.txt
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-20 12:26 - 2016-10-20 12:26 - 0970912 _____ (Microsoft Corporation) C:\Users\kb6565\AppData\Local\Temp\msvcr120.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0772672 _____ () C:\Users\kb6565\AppData\Local\Temp\sqlite3.dll
C:\Users\kb6565\AppData\Local\Temp
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
EmptyTemp:
Hosts:

NOTICE: This script is written specifically for this computer!!!

  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.
======================================================

Any issue?


Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#8 Waster555

Waster555
  • Topic Starter
  • Members
  • 21 posts
  • Local time:09:28 AM

Posted 25 February 2017 - 03:24 PM

Same result. FRST.txt and Addition.txt appeared in the folder with FRST64.exe and fixlist.txt. No Fixlog.txt.



#9 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male
  • Local time:05:28 PM

Posted 25 February 2017 - 03:47 PM

You may be making a mistake at one point. I see the FRST software is in the computer folder. Where did you save the fixlist file? The fixlist file should also be inside the BleepingComputer folder.

Both files must be in the same place. Then press the Fix button.

Fixlist + FRST ==> on the Desktop
or
Fixlist + FRST ==> inside the BleepingComputer folder


Edited by olgun52, 25 February 2017 - 03:50 PM.

Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#10 Waster555

Waster555
  • Topic Starter
  • Members
  • 21 posts
  • Local time:09:28 AM

Posted 25 February 2017 - 05:37 PM

FRST64.exe and fixlist.txt were in a folder titled FRST, which was in the bleepingcomputer folder. I will start over and download FRST64.exe and fixlist.txt and put them on the desktop, not in another folder, and run FRST64.exe from the desktop. Will post results.



#11 Waster555

Waster555
  • Topic Starter
  • Members
  • 21 posts
  • Local time:09:28 AM

Posted 25 February 2017 - 07:09 PM

Ran from desktop, same result (FRST.txt and Addition.txt appeared). Could virus be interfering with FRST?



#12 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male
  • Local time:05:28 PM

Posted 26 February 2017 - 06:48 AM

Ran from desktop, same result (FRST.txt and Addition.txt appeared). Could virus be interfering with FRST?

No, no. I understand you. But you should press the Fix button.
When you press the Fix button, the fixlog file will automatically be on your desktop.


Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
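Once the Fix button has been pressed, Fixlog.txt lists one result line per directive, and it is the "could not" lines, not the successes, that decide whether the cleanup is finished. The script below is an added example for this thread (it is not part of any post here and not FRST's own code): it sorts Fixlog result lines into buckets so a responder can see at a glance what was removed, what is waiting for a reboot, and what the tool could not touch. It assumes only the result phrasings that appear in the Fixlog posted in this thread; the sample input is a constructed excerpt of those lines.

```python
"""Triage an FRST Fixlog.txt by outcome.

Added example for this thread; it is not part of the forum posts and not
FRST's own code. It assumes only the result phrasings visible in the Fixlog
posted in the thread (e.g. "=> moved successfully", "=> Scheduled to move on
reboot.", "key could be protected", "Unable to stop service."); other FRST
wordings would need their own pattern.
"""
import re
from collections import defaultdict

# Outcome patterns, tested in order; the first match wins. "needs_reboot"
# comes first because those lines also contain "Could not move".
OUTCOMES = [
    ("needs_reboot", re.compile(r"Scheduled to move on reboot", re.I)),
    ("protected",    re.compile(r"could be protected|Access is denied", re.I)),
    ("failed",       re.compile(r"Could not move\.|could not remove\.|"
                                r"Unable to stop service|No automatic fix", re.I)),
    ("not_found",    re.compile(r"not found", re.I)),
    ("ok",           re.compile(r"(removed|moved|restored|closed) successfully|"
                                r"successfully created|completed successfully", re.I)),
]

def classify(line):
    """Return the outcome bucket for one Fixlog line, or None for lines
    that carry no result (headers, the echoed fixlist, tool banners)."""
    for name, pattern in OUTCOMES:
        if pattern.search(line):
            return name
    return None

def triage(text):
    """Group every result line of a Fixlog by outcome bucket."""
    buckets = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        outcome = classify(line)
        if outcome:
            buckets[outcome].append(line)
    return dict(buckets)

def followups(buckets):
    """Lines a responder still has to act on: items waiting for a reboot,
    items the tool was denied access to, and outright failures."""
    return (buckets.get("needs_reboot", [])
            + buckets.get("protected", [])
            + buckets.get("failed", []))

# Constructed sample: an excerpt of result lines copied from the Fixlog
# posted in this thread.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk" => Could not move.
Could not move "C:\Program Files (x86)\svcvmx\vmxclient.exe" => Scheduled to move on reboot.
C:\ProgramData\TEMP => ":B3503B59" ADS removed successfully.
ERROR: Access is denied.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
HKCR\CLSID\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} => key not found.
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
dbx => service removed successfully
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_FIXLOG)
    for name, lines in result.items():
        print(f"{name}: {len(lines)}")
    print("\nStill open after this run:")
    for line in followups(result):
        print("  " + line)
```

Run it against a real Fixlog.txt by reading the file and passing its text to `triage()`; the "needs_reboot" bucket is expected to empty out after the restart FRST schedules, while anything left in "protected" or "failed" (here the `svcvmx` Run value and the `Dataup` service) is what the helper has to address in the next round.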

 


 


#13 Waster555

Waster555
  • Topic Starter
  • Members
  • 21 posts
  • Local time:09:28 AM

Posted 26 February 2017 - 12:22 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by kb6565 (26-02-2017 10:57:19) Run:1
Running from C:\Users\kb6565\Desktop
Loaded Profiles: kb6565 (Available Profiles: kb6565)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {08788575-603C-4664-878F-4624CF5F643D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {10E48639-CDCD-42E5-B8C8-01B01A34CA2F} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2B61C473-A7A8-4874-8D4E-7FEB06CC15FC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {2F090F64-CC61-4771-9693-38FD2EC33A19} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {33F09F4F-1373-4BA3-9357-0BCB3DBA2BF7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6202DB17-0516-499E-BD99-577BB4D2452F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {690B4F19-6615-4749-B0B0-4357DAD54AC9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8D83D0B5-EF31-4040-8383-A5C95C54DF35} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9122172D-1EDD-490F-B6BF-CBD086837578} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {A7BC33F8-1E0D-4FE5-9802-108159E7DCC0} - System32\Tasks\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => pcalua.exe -a "C:\Users\kb6565\AppData\Roaming\Browser Extensions\uninstall.exe"
Task: {AD842A19-5CDE-4674-9B18-139791C6C8ED} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B1F3FEA4-CF7E-4A2F-B385-698A1A2AD389} - \{68CBA00B-12E5-41E7-83F0-8386F729CA72} -> No File <==== ATTENTION
Task: {DD4DBF84-024E-4053-A666-78FC109E4D13} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\dataup
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\dataup\help_dll.dll
C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll
AlternateDataStreams: C:\ProgramData\TEMP:B3503B59 [512]
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\nellies\irrigated.exe
C:\Program Files (x86)\svcvmx\svcvmx.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe
C:\Users\kb6565\AppData\Local\Temp
C:\Program Files (x86)\winscr\winscr.exe
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [irrigated] => C:\Program Files (x86)\nellies\irrigated.exe [50803 2016-11-23] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\MountPoints2: {e65c5052-5820-11e4-827f-e82aea722b6b} - "G:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> {0E25F6E8-6429-40EF-9C22-813373DA0C14} URL =
BHO: Youtube AdBlock -> {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} -> C:\Program Files (x86)\Youtube AdBlock\IEEF\W31HwnT.dll => No File
Toolbar: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF ProfilePath: C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 [2017-02-25]
FF Homepage: Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 -> hxxps://my.yahoo.com/
CHR dev: Chrome dev build detected! <======= ATTENTION
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 windowsmanagementservice; C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S3 dbx; system32\DRIVERS\dbx.sys [X]
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\dataup
D C:\ProgramData\1487965132
C:\Program Files (x86)\regtool
2016-11-23 19:04 - 2016-11-23 19:04 - 0034216 _____ () C:\Users\kb6565\AppData\Local\22705.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0127729 _____ () C:\Users\kb6565\AppData\Local\37703.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0054804 _____ () C:\Users\kb6565\AppData\Local\52984.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0049460 _____ () C:\Users\kb6565\AppData\Local\85953.exe
2015-03-15 17:18 - 2015-03-15 17:18 - 0007597 _____ () C:\Users\kb6565\AppData\Local\Resmon.ResmonCfg
2016-11-23 19:23 - 2016-11-23 19:24 - 0000003 _____ () C:\Users\kb6565\AppData\Local\run1.txt
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-20 12:26 - 2016-10-20 12:26 - 0970912 _____ (Microsoft Corporation) C:\Users\kb6565\AppData\Local\Temp\msvcr120.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0772672 _____ () C:\Users\kb6565\AppData\Local\Temp\sqlite3.dll
C:\Users\kb6565\AppData\Local\Temp
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
EmptyTemp:
Hosts:
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{08788575-603C-4664-878F-4624CF5F643D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{08788575-603C-4664-878F-4624CF5F643D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{10E48639-CDCD-42E5-B8C8-01B01A34CA2F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{10E48639-CDCD-42E5-B8C8-01B01A34CA2F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2B61C473-A7A8-4874-8D4E-7FEB06CC15FC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2B61C473-A7A8-4874-8D4E-7FEB06CC15FC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2F090F64-CC61-4771-9693-38FD2EC33A19} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F090F64-CC61-4771-9693-38FD2EC33A19} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{33F09F4F-1373-4BA3-9357-0BCB3DBA2BF7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33F09F4F-1373-4BA3-9357-0BCB3DBA2BF7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6202DB17-0516-499E-BD99-577BB4D2452F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6202DB17-0516-499E-BD99-577BB4D2452F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{690B4F19-6615-4749-B0B0-4357DAD54AC9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{690B4F19-6615-4749-B0B0-4357DAD54AC9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8D83D0B5-EF31-4040-8383-A5C95C54DF35} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8D83D0B5-EF31-4040-8383-A5C95C54DF35} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9122172D-1EDD-490F-B6BF-CBD086837578} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9122172D-1EDD-490F-B6BF-CBD086837578} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A7BC33F8-1E0D-4FE5-9802-108159E7DCC0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7BC33F8-1E0D-4FE5-9802-108159E7DCC0} => key removed successfully
C:\WINDOWS\System32\Tasks\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD842A19-5CDE-4674-9B18-139791C6C8ED} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD842A19-5CDE-4674-9B18-139791C6C8ED} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B1F3FEA4-CF7E-4A2F-B385-698A1A2AD389} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1F3FEA4-CF7E-4A2F-B385-698A1A2AD389} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{68CBA00B-12E5-41E7-83F0-8386F729CA72} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD4DBF84-024E-4053-A666-78FC109E4D13} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD4DBF84-024E-4053-A666-78FC109E4D13} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
"C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk" => Could not move.
"C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk" => Could not move.
"C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Fir?f??.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk" => Could not move.
Could not move "C:\Program Files (x86)\dataup\dataup.exe" => Scheduled to move on reboot.

"C:\Program Files (x86)\dataup" folder move:

Could not move "C:\Program Files (x86)\dataup" => Scheduled to move on reboot.

Could not move "C:\Program Files (x86)\svcvmx\svcvmx.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\vmxclient.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\dataup\help_dll.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\libcef.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\libglesv2.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\libegl.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\pepflashplayer.dll" => Scheduled to move on reboot.
C:\ProgramData\TEMP => ":B3503B59" ADS removed successfully.

========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========

ERROR: Access is denied.



========= End of Reg: =========


========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========

The operation completed successfully.



========= End of Reg: =========

Could not move "C:\Program Files (x86)\dataup\dataup.exe" => Scheduled to move on reboot.
C:\Program Files (x86)\nellies\irrigated.exe => moved successfully
Could not move "C:\Program Files (x86)\svcvmx\svcvmx.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\vmxclient.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\vmxclient.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe" => Scheduled to move on reboot.
Could not move "C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe" => Scheduled to move on reboot.

"C:\Users\kb6565\AppData\Local\Temp" folder move:

Could not move "C:\Users\kb6565\AppData\Local\Temp" => Scheduled to move on reboot.

C:\Program Files (x86)\winscr\winscr.exe => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Windows\CurrentVersion\Run\\irrigated => value removed successfully
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e65c5052-5820-11e4-827f-e82aea722b6b} => key removed successfully
HKCR\CLSID\{e65c5052-5820-11e4-827f-e82aea722b6b} => key not found.
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLowDiskSpaceChecks => value removed successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E25F6E8-6429-40EF-9C22-813373DA0C14} => key not found.
HKCR\CLSID\{0E25F6E8-6429-40EF-9C22-813373DA0C14} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} => key removed successfully
HKCR\CLSID\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} => key not found.
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 => moved successfully
C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 => path removed successfully
FF Homepage: Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 -> hxxps://my.yahoo.com/ => not found
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
qdcomsvc => Unable to stop service.
HKLM\System\CurrentControlSet\Services\qdcomsvc => key could not remove, key could be protected
windowsmanagementservice => Unable to stop service.
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
C:\Program Files (x86)\winscr => moved successfully
C:\Program Files (x86)\qdcomsvc => moved successfully

"C:\Program Files (x86)\dataup" folder move:

Could not move "C:\Program Files (x86)\dataup" => Scheduled to move on reboot.

D C:\ProgramData\1487965132 => Error: No automatic fix found for this entry.
C:\Program Files (x86)\regtool => moved successfully
C:\Users\kb6565\AppData\Local\22705.exe => moved successfully
C:\Users\kb6565\AppData\Local\37703.exe => moved successfully
C:\Users\kb6565\AppData\Local\52984.exe => moved successfully
C:\Users\kb6565\AppData\Local\85953.exe => moved successfully
C:\Users\kb6565\AppData\Local\Resmon.ResmonCfg => moved successfully
C:\Users\kb6565\AppData\Local\run1.txt => moved successfully
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc => moved successfully
"C:\Users\kb6565\AppData\Local\Temp\msvcr120.dll" => not found.
"C:\Users\kb6565\AppData\Local\Temp\sqlite3.dll" => not found.

"C:\Users\kb6565\AppData\Local\Temp" folder move:

Could not move "C:\Users\kb6565\AppData\Local\Temp" => Scheduled to move on reboot.


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 59625638 B
Java, Flash, Steam htmlcache => 14798 B
Windows/system/drivers => 16143830 B
Edge => 2512079 B
Chrome => 0 B
Firefox => 376979346 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 1277952 B
LocalService => 16322 B
NetworkService => 0 B
kb6565 => 1483731251 B

RecycleBin => 24275726093 B
EmptyTemp: => 24.4 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 26-02-2017 11:38:58)

"C:\Program Files (x86)\dataup\dataup.exe" => Could not move
"C:\Program Files (x86)\dataup" => Could not move
"C:\Program Files (x86)\svcvmx\svcvmx.exe" => Could not move
"C:\Program Files (x86)\svcvmx\vmxclient.exe" => Could not move
"C:\Program Files (x86)\dataup\help_dll.dll" => Could not move
"C:\Program Files (x86)\svcvmx\libcef.dll" => Could not move
"C:\Program Files (x86)\svcvmx\libglesv2.dll" => Could not move
"C:\Program Files (x86)\svcvmx\libegl.dll" => Could not move
"C:\Program Files (x86)\svcvmx\pepflashplayer.dll" => Could not move
"C:\Program Files (x86)\dataup\dataup.exe" => Could not move
"C:\Program Files (x86)\svcvmx\svcvmx.exe" => Could not move
"C:\Program Files (x86)\svcvmx\vmxclient.exe" => Could not move
"C:\Program Files (x86)\svcvmx\vmxclient.exe" => Could not move
C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe => Is moved successfully
"C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe" => Could not move
C:\Users\kb6565\AppData\Local\Temp => moved successfully
"C:\Program Files (x86)\dataup" => Could not move
C:\Users\kb6565\AppData\Local\Temp => Is moved successfully

Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\qdcomsvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected

==== End of Fixlog 11:39:04 ====



#14 Waster555


Posted 26 February 2017 - 01:09 PM

# AdwCleaner v6.043 - Logfile created 26/02/2017 at 13:01:12
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-24.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : kb6565 - ORANGE
# Running from : C:\Users\kb6565\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

[-] Service deleted: Dataup
[-] Service deleted: windowsmanagementservice

***** [ Folders ] *****

[#] Folder deleted on reboot: C:\Program Files (x86)\dataup
[-] Folder deleted: C:\Program Files (x86)\regtool


***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Dataup
[-] Key deleted: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\windowsmanagementservice
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [cpx]


***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1364 Bytes] - [26/02/2017 13:01:12]
C:\AdwCleaner\AdwCleaner[S0].txt - [1616 Bytes] - [26/02/2017 12:58:36]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1510 Bytes] ##########



#15 Waster555


Posted 26 February 2017 - 01:50 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 10 Home x64
Ran by kb6565 (Administrator) on Sun 02/26/2017 at 13:43:37.75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 1

Failed to delete: C:\Program Files (x86)\dataup (Folder)

Registry: 4

Failed to delete: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\cpx (Registry Value)
Failed to delete: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx (Registry Value)
Failed to delete: HKLM\SYSTEM\CurrentControlSet\services\Dataup (Registry Key)
Failed to delete: HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice (Registry Key)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 02/26/2017 at 13:47:28.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~