Can't Run Antivirus, possibly infected with vmx client.exe


  • This topic is locked
12 replies to this topic

#1 skillaz

skillaz

  • Members
  • 6 posts
  • OFFLINE

Posted 26 February 2017 - 05:25 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by STT-3 (administrator) on TRADETRAVEL-3 (26-02-2017 17:15:16)
Running from C:\Users\STT-3\Desktop\New folder
Loaded Profiles: STT-3 (Available Profiles: STT-3)
Platform: Windows 10 Pro N Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\dataup\dataup.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(ct Corp.) C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
(winscr) C:\Program Files (x86)\winscr\winscr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.693_none_42ff55c9655f38bf\TiWorker.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avBugReport.exe
(Macrovision Corporation) C:\Users\STT-3\Downloads\install\data\Disk1\setup.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16412952 2015-10-26] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1413384 2015-10-26] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1413384 2015-10-26] (Realtek Semiconductor)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [8027016 2016-11-21] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9080768 2016-11-15] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-10-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [821144 2010-10-25] (Adobe Systems Inc.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2014-06-16] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1165\G2AWinLogon_x64.dll (Citrix Systems, Inc.)
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\Run: [ctfmon] => C:\WINDOWS\system32\ctfmon.exe [10752 2016-07-16] (Microsoft Corporation)
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27427808 2017-02-08] (Skype Technologies S.A.)
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1216416 2010-10-25] (Adobe Systems Incorporated)
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8894680 2016-08-05] (Piriform Ltd)
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\Run: [26fdd018-e500-48b9-8b7b-5be0d2b270b4] => "C:\Program Files\W0KNUXXO0L\IU8FVQ5LC.exe"
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-08-30] (AVAST Software)
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{979d87a8-b1c3-4917-97ac-d93b7ff4bdc5}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\Software\Microsoft\Internet Explorer\Main,Start Page = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-10-25] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-08-30]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-08-30]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2015-11-13] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin HKU\S-1-5-21-1064145775-1192110755-2523778263-1001: @citrixonline.com/appdetectorplugin -> C:\Users\STT-3\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-03-09] (Citrix Online)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default [2017-02-26]
CHR Extension: (Google Slides) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-01]
CHR Extension: (Google Docs) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-01]
CHR Extension: (Google Drive) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-01]
CHR Extension: (YouTube) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-01]
CHR Extension: (Avast SafePrice) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-12-18]
CHR Extension: (Google Sheets) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-01]
CHR Extension: (Google Docs Offline) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-15]
CHR Extension: (Avast Online Security) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-30]
CHR Extension: (Gmail) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-01]
CHR Extension: (Chrome Media Router) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-12]
CHR Profile: C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Profile 1 [2016-08-22]
CHR Profile: C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\System Profile [2016-08-22]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-10-14]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-10-14]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [155016 2016-11-21] ()
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-08-30] (AVAST Software)
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S3 GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist Corporate\1165\G2AC_Service.exe [309720 2016-03-09] (Citrix Systems, Inc.)
S3 LSEDT; C:\WINDOWS\System32\LSEDT.exe [32968 2016-09-23] (Lenovo)
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
R2 tbaseprovisioning; C:\WINDOWS\SysWOW64\tbaseprovisioning.exe [51224 2016-07-07] (Advanced Micro Devices, Inc.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7500048 2016-09-20] (TeamViewer GmbH)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 windowsmanagementservice; C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S2 SogouSvc; "C:\Program Files (x86)\SogouInput\8.2.0.9257\SogouSvc.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 amdkmcsp; C:\WINDOWS\system32\DRIVERS\amdkmcsp.sys [109488 2016-07-07] (Advanced Micro Devices, Inc. )
R3 amdkmdag; C:\WINDOWS\System32\DriverStore\FileRepository\c0309377.inf_amd64_7ab08912e1e1da0a\atikmdag.sys [26568848 2017-01-25] (Advanced Micro Devices, Inc.)
R3 amdkmdap; C:\WINDOWS\System32\DriverStore\FileRepository\c0309377.inf_amd64_7ab08912e1e1da0a\atikmpag.sys [536600 2017-01-25] (Advanced Micro Devices, Inc.)
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [82672 2015-10-14] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\WINDOWS\System32\DRIVERS\amdpsp.sys [260520 2016-07-07] (Advanced Micro Devices, Inc. )
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [37656 2016-08-30] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [37144 2016-08-30] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [108816 2016-08-30] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr2.sys [103064 2016-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-08-30] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [969184 2016-09-13] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [513632 2016-09-22] (AVAST Software)
R2 aswStm; C:\WINDOWS\system32\drivers\aswStm.sys [163416 2016-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2016-10-13] (AVAST Software)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [118848 2016-07-28] (Advanced Micro Devices)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [310528 2015-10-14] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
R3 RtkBtFilter; C:\WINDOWS\system32\DRIVERS\RtkBtfilter.sys [593624 2015-12-29] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\WINDOWS\System32\drivers\rtwlane.sys [5144064 2016-07-16] (Realtek Semiconductor Corporation                           )
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-26 17:18 - 2017-02-26 17:18 - 00002217 _____ C:\Users\Public\Desktop\Brother Creative Center.lnk
2017-02-26 17:09 - 2017-02-26 17:09 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-26 17:09 - 2017-02-26 17:09 - 00000000 ____D C:\Program Files (x86)\regtool
2017-02-26 16:49 - 2017-02-26 16:49 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-02-26 16:47 - 2017-02-26 16:47 - 00000000 ____D C:\WINDOWS\pss
2017-02-26 16:10 - 2017-02-26 17:13 - 00000000 ____D C:\Users\STT-3\Desktop\New folder
2017-02-26 15:26 - 2017-02-26 17:01 - 00000000 ____D C:\AdwCleaner
2017-02-26 15:25 - 2017-02-26 17:15 - 00000000 ____D C:\FRST
2017-02-26 15:12 - 2017-02-26 15:12 - 00001914 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unlocker.lnk
2017-02-26 15:12 - 2017-02-26 15:12 - 00000000 ____D C:\Program Files\Unlocker
2017-02-26 15:06 - 2017-02-26 15:06 - 00346112 _____ C:\Users\STT-3\Downloads\Unlocker x64 1.9.2.msi
2017-02-26 14:50 - 2017-02-26 14:50 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\STT-3\Downloads\rkill.exe
2017-02-26 14:50 - 2017-02-26 14:50 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\STT-3\Downloads\rkill.com
2017-02-26 14:49 - 2017-02-26 14:50 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\STT-3\Downloads\rkill.scr
2017-02-26 14:49 - 2017-02-26 14:49 - 04747704 _____ (AO Kaspersky Lab) C:\Users\STT-3\Downloads\tdsskiller.exe
2017-02-26 14:44 - 2017-02-26 14:44 - 00001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-26 14:44 - 2017-02-26 14:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-26 14:44 - 2017-02-26 14:44 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-26 14:44 - 2017-01-20 07:47 - 00077416 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-02-26 14:43 - 2017-02-26 14:43 - 06655184 _____ (AVAST Software) C:\Users\STT-3\Downloads\avast_free_antivirus_setup_online_a0b.exe
2017-02-26 14:42 - 2017-02-26 14:43 - 55566792 _____ (Malwarebytes ) C:\Users\STT-3\Downloads\mb3-setup-SEMFD.100SEM-3.0.6.1469.exe
2017-02-26 14:27 - 2017-02-26 14:29 - 143673616 _____ (Microsoft Corporation) C:\Users\STT-3\Downloads\msert (1).exe
2017-02-26 14:21 - 2017-02-26 14:17 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-02-26 14:05 - 2017-02-26 14:06 - 62008080 _____ (Microsoft Corporation) C:\Users\STT-3\Downloads\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
2017-02-26 13:51 - 2017-02-26 13:51 - 09261616 _____ (Piriform Ltd) C:\Users\STT-3\Downloads\ccsetup527.exe
2017-02-26 13:45 - 2017-02-26 13:46 - 00000000 ____D C:\Users\STT-3\Downloads\KMSpico 10.1.8 FINAL + Portable (Office and Windows 10 Activator) [TechTools]
2017-02-26 13:45 - 2017-02-26 13:45 - 00000000 ____D C:\Users\STT-3\Downloads\Windows Loader v2.2.2
2017-02-26 13:35 - 2017-02-26 13:36 - 01129376 _____ (Google Inc.) C:\Users\STT-3\Downloads\ChromeSetup.exe
2017-02-26 13:23 - 2017-02-26 17:07 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-02-26 13:23 - 2017-02-26 13:32 - 00000000 ____D C:\Users\STT-3\AppData\Local\llssoft
2017-02-26 13:21 - 2017-02-26 13:21 - 00000000 ____D C:\Users\STT-3\AppData\Roaming\ControlCenter4
2017-02-26 13:19 - 2017-02-26 13:21 - 00478220 _____ C:\WINDOWS\Minidump\022617-44515-01.dmp
2017-02-26 13:14 - 2017-02-26 13:14 - 00003406 _____ C:\WINDOWS\System32\Tasks\AGProxyCheck
2017-02-26 13:14 - 2017-02-26 13:14 - 00000000 ____H C:\WINDOWS\system32\BITF5AB.tmp
2017-02-26 13:13 - 2017-02-26 13:13 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-26 13:13 - 2017-02-26 13:13 - 00000000 ____D C:\Users\STT-3\AppData\Roaming\c
2017-02-26 13:13 - 2017-02-26 13:13 - 00000000 ____D C:\ProgramData\1488132782
2017-02-26 13:13 - 2017-02-26 13:13 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-26 13:13 - 2017-02-26 13:13 - 00000000 ____D C:\Program Files (x86)\dataup
2017-02-26 13:00 - 2017-02-26 13:00 - 02387968 _____ C:\Users\STT-3\Downloads\KMSPico 10.2.1 Final.iso
2017-02-26 12:56 - 2017-02-26 12:56 - 00000000 ___RD C:\Users\STT-3\AppData\Roaming\Brother
2017-02-26 12:56 - 2017-02-26 12:56 - 00000000 ____D C:\Users\STT-3\AppData\LocalLow\Brother
2017-02-26 12:34 - 2017-02-26 12:34 - 00002132 _____ C:\Users\Public\Desktop\Brother Utilities.lnk
2017-02-26 12:34 - 2017-02-26 12:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brother
2017-02-26 12:32 - 2017-02-26 12:32 - 00000000 ____D C:\ProgramData\ControlCenter4
2017-02-26 12:32 - 2017-02-26 12:32 - 00000000 ____D C:\Program Files (x86)\ControlCenter4
2017-02-26 12:32 - 2017-02-26 12:32 - 00000000 ____D C:\Program Files (x86)\Browny02
2017-02-26 12:32 - 2017-02-26 12:32 - 00000000 ____D C:\Brother
2017-02-26 12:32 - 2013-07-12 00:03 - 00251392 _____ (brother) C:\WINDOWS\system32\NSSRH64.dll
2017-02-26 12:32 - 2013-07-02 21:46 - 00065024 _____ (Brother Industries,Ltd) C:\WINDOWS\system32\Brnsplg.dll
2017-02-26 12:32 - 2013-03-08 01:45 - 00059904 _____ (Brother Industries,Ltd.) C:\WINDOWS\system32\BrWiaNCp.dll
2017-02-26 12:32 - 2013-03-08 01:44 - 00087040 _____ (Brother Industries, Ltd.) C:\WINDOWS\system32\BrNetSti.dll
2017-02-26 12:32 - 2005-04-21 23:36 - 00143360 _____ C:\WINDOWS\system32\BrSNMP64.dll
2017-02-26 12:31 - 2017-02-26 12:32 - 00000000 ____D C:\Program Files (x86)\Brother
2017-02-26 12:31 - 2017-02-26 12:31 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-02-26 12:31 - 2014-11-26 02:10 - 00180224 _____ (Brother Industries, Ltd.) C:\WINDOWS\SysWOW64\BROSNMP.DLL
2017-02-26 12:31 - 2014-11-26 02:10 - 00077824 _____ (Brother Industries, Ltd.) C:\WINDOWS\SysWOW64\BRLMW03A.DLL
2017-02-26 12:31 - 2014-11-26 02:10 - 00045056 _____ C:\WINDOWS\SysWOW64\BRTCPCON.DLL
2017-02-26 12:31 - 2014-11-26 02:10 - 00025299 _____ (Brother Industries, Ltd) C:\WINDOWS\SysWOW64\BRLM03A.DLL
2017-02-26 12:31 - 2014-11-26 02:10 - 00000114 _____ C:\WINDOWS\SysWOW64\BRLMW03A.INI
2017-02-26 12:31 - 2014-11-26 02:09 - 00000050 _____ C:\WINDOWS\system32\BRADM13A.DAT
2017-02-26 12:31 - 2014-11-25 11:08 - 00227840 _____ (Brother Industries, Ltd.) C:\WINDOWS\system32\BRCOM13A.DLL
2017-02-26 12:31 - 2013-07-12 14:03 - 00214016 ____N (brother) C:\WINDOWS\SysWOW64\NSSearch.dll
2017-02-26 12:31 - 2013-03-12 07:50 - 01442304 _____ (Brother Industries, Ltd.) C:\WINDOWS\system32\BrWi213b.dll
2017-02-26 12:31 - 2012-12-03 13:39 - 00002560 ____N (Brother Industries Ltd.) C:\WINDOWS\SysWOW64\BrDctF2S.dll
2017-02-26 12:31 - 2011-09-08 04:36 - 00279040 _____ (Brother Industries, Ltd.) C:\WINDOWS\system32\BrJDec.dll
2017-02-26 12:31 - 2010-03-15 19:45 - 00073728 ____N (Brother Industries Ltd.) C:\WINDOWS\SysWOW64\BrDctF2.dll
2017-02-26 12:31 - 2007-12-13 22:16 - 00005120 ____N (Brother Industries Ltd.) C:\WINDOWS\SysWOW64\BrDctF2L.dll
2017-02-26 12:29 - 2017-02-26 12:33 - 00000000 ____D C:\ProgramData\Brother
2017-02-26 12:27 - 2017-02-26 12:28 - 00000000 ____D C:\Users\STT-3\Downloads\install
2017-02-26 12:24 - 2017-02-26 12:27 - 173377416 _____ (A.I.SOFT,INC.) C:\Users\STT-3\Downloads\HL-L2380DW-inst-C1-US.EXE
2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-21 15:03 - 2017-02-21 15:03 - 18946754 _____ C:\Users\STT-3\Desktop\SGJZG0806.pdf
2017-02-19 10:41 - 2017-02-19 10:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\搜狗拼音输入法
2017-02-19 10:41 - 2017-02-19 10:41 - 00000000 _____ C:\WINDOWS\SysWOW64\nswE0AF.tmp
2017-02-19 10:41 - 2017-02-19 10:41 - 00000000 _____ C:\WINDOWS\SysWOW64\nscE11F.tmp
2017-02-19 10:41 - 2017-02-19 10:41 - 00000000 _____ C:\WINDOWS\system32\nsrE0DF.tmp
2017-02-19 10:41 - 2017-02-19 10:41 - 00000000 _____ C:\WINDOWS\system32\nscE120.tmp
2017-02-15 01:53 - 2017-02-15 01:53 - 08905792 _____ (Sogou.com Inc.) C:\WINDOWS\system32\SogouPY.ime
2017-02-15 01:53 - 2017-02-15 01:53 - 05268544 _____ (Sogou.com Inc.) C:\WINDOWS\SysWOW64\SogouPY.ime
2017-02-15 01:53 - 2017-02-15 01:53 - 01907264 _____ (Sogou.com Inc.) C:\WINDOWS\system32\SogouTSF.ime
2017-02-15 01:53 - 2017-02-15 01:53 - 01183296 _____ (Sogou.com Inc.) C:\WINDOWS\SysWOW64\SogouTSF.ime
2017-02-07 11:47 - 2017-02-07 11:47 - 00330988 _____ C:\Users\STT-3\Downloads\GB2312''%BB%A4%D5%D5%20%2D%20Oct%2018%202016%20%2D%209%2D43%20AM.pdf
2017-01-30 11:45 - 2017-01-30 11:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Radeon Settings
2017-01-27 12:08 - 2017-01-27 12:08 - 00000000 ____D C:\WINDOWS\System32\Tasks\AVAST Software
2017-01-27 12:08 - 2017-01-27 12:08 - 00000000 ____D C:\Program Files\Common Files\AV
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-26 17:18 - 2016-07-16 06:45 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-02-26 17:08 - 2016-03-27 16:56 - 00000000 ____D C:\Users\STT-3\AppData\Roaming\Skype
2017-02-26 17:06 - 2016-09-23 19:22 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-26 17:06 - 2016-09-23 18:55 - 00135880 _____ (Lenovo) C:\WINDOWS\system32\wpbbin.exe
2017-02-26 17:06 - 2016-07-16 01:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-02-26 16:48 - 2016-09-23 18:58 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-02-26 16:37 - 2016-11-14 16:05 - 01176064 ___SH C:\Users\STT-3\Downloads\Thumbs.db
2017-02-26 16:17 - 2016-07-16 01:04 - 00032768 _____ C:\WINDOWS\system32\config\ELAM
2017-02-26 15:57 - 2015-11-11 10:31 - 00000000 ____D C:\Program Files (x86)\SogouInput
2017-02-26 15:54 - 2015-10-19 15:48 - 00001379 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-26 15:54 - 2015-10-19 15:48 - 00001367 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-02-26 15:50 - 2016-09-23 18:56 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-02-26 14:45 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-26 14:44 - 2015-10-14 19:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-26 14:43 - 2015-10-14 18:18 - 00000000 ____D C:\Users\STT-3\AppData\Local\Packages
2017-02-26 14:18 - 2016-07-16 06:45 - 00000000 ___HD C:\Program Files\WindowsApps
2017-02-26 13:58 - 2016-09-23 19:03 - 00000000 ____D C:\Users\STT-3
2017-02-26 13:55 - 2016-09-23 19:22 - 00003806 _____ C:\WINDOWS\System32\Tasks\AutoPico Daily Restart
2017-02-26 13:53 - 2015-10-14 19:04 - 00000000 ____D C:\Users\STT-3\AppData\Roaming\qBittorrent
2017-02-26 13:45 - 2015-10-14 19:04 - 00000000 ____D C:\Users\STT-3\Downloads\KMSpico 10.1.1 FINAL + Portable (Office and Windows 10 Activator) [TechTools.NET]
2017-02-26 13:30 - 2015-11-12 18:08 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2017-02-26 13:29 - 2016-09-29 15:28 - 00000000 ____D C:\WINDOWS\Minidump
2017-02-26 13:29 - 2016-09-29 15:27 - 621395232 _____ C:\WINDOWS\MEMORY.DMP
2017-02-26 13:26 - 2015-10-14 21:14 - 01069832 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-02-26 12:34 - 2016-07-16 06:44 - 00000000 ____D C:\WINDOWS\INF
2017-02-24 11:03 - 2015-11-11 10:31 - 00000000 ____D C:\Users\STT-3\AppData\LocalLow\SogouPY
2017-02-23 18:20 - 2015-10-14 18:45 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-23 18:17 - 2015-10-14 18:45 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-22 18:47 - 2016-03-27 16:55 - 00000000 ____D C:\ProgramData\Skype
2017-02-22 17:37 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-22 10:07 - 2015-10-22 16:21 - 00000000 ____D C:\Users\STT-3\AppData\Local\Microsoft Help
2017-02-21 19:30 - 2016-12-09 17:25 - 00003286 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-02-21 19:30 - 2015-10-14 18:20 - 00002410 _____ C:\Users\STT-3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-21 19:30 - 2015-10-14 18:20 - 00000000 ___RD C:\Users\STT-3\OneDrive
2017-02-16 10:50 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-02-06 14:48 - 2016-07-16 06:47 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 14:48 - 2016-07-16 06:47 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-02 16:18 - 2016-03-27 16:55 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-01-30 11:44 - 2016-09-23 18:58 - 00000000 ____D C:\Program Files\AMD
 
==================== Files in the root of some directories =======
 
2015-10-14 18:32 - 2015-10-14 18:32 - 0000000 _____ () C:\Program Files (x86)\Common Files\AMD
2016-09-23 18:57 - 2016-09-23 18:57 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
2017-02-26 14:52 - 2017-02-26 14:52 - 0079872 _____ () C:\Users\STT-3\AppData\Local\Temp\428W85OS6G32.exe
2017-02-26 13:12 - 2017-02-26 13:13 - 29136048 _____ (AppTrailers) C:\Users\STT-3\AppData\Local\Temp\AppTrailers.9.1.10amt.exe
2017-02-26 13:12 - 2017-02-26 13:12 - 0061440 _____ (The Gentee Group) C:\Users\STT-3\AppData\Local\Temp\genteert.dll
2017-02-26 13:13 - 2017-02-26 13:13 - 0453091 _____ (WeMonetize                                                  ) C:\Users\STT-3\AppData\Local\Temp\HIRFD8J.exe
2016-11-21 12:09 - 2016-11-25 12:16 - 0316320 _____ (Sogou.com) C:\Users\STT-3\AppData\Local\Temp\SGPYUp.exe
2017-02-26 13:12 - 2017-02-26 13:26 - 4446120 _____ () C:\Users\STT-3\AppData\Local\Temp\SystemHealer.exe
2017-02-26 14:09 - 2017-02-26 14:09 - 0046924 _____ () C:\Users\STT-3\AppData\Local\Temp\tu17p84.exe
2016-11-21 12:10 - 2016-11-21 12:10 - 34865328 _____ (Sogou.com) C:\Users\STT-3\AppData\Local\Temp\ZHUANGJIBIBEI.EXE
2017-02-01 14:33 - 2017-02-01 14:33 - 12788328 _____ (Google Inc.) C:\Users\STT-3\AppData\Local\Temp\{C0D150E7-A923-4DD9-B734-5C1A01ECE353}-56.0.2924.87_55.0.2883.87_chrome_updater.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-02-23 19:31
 
==================== End of FRST.txt ============================



 


#2 nasdaq


  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 February 2017 - 09:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Program Files (x86)\dataup\dataup.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(ct Corp.) C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
(winscr) C:\Program Files (x86)\winscr\winscr.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\Run: [26fdd018-e500-48b9-8b7b-5be0d2b270b4] => "C:\Program Files\W0KNUXXO0L\IU8FVQ5LC.exe"
GroupPolicyScripts: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR Extension: (Avast SafePrice) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-12-18]
CHR Extension: (Avast Online Security) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-30]
CHR Extension: (Chrome Media Router) - C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-12]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-10-14]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-10-14]
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 windowsmanagementservice; C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S2 SogouSvc; "C:\Program Files (x86)\SogouInput\8.2.0.9257\SogouSvc.exe" [X]
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
C:\Program Files (x86)\dataup
C:\Program Files (x86)\svcvmx
C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
C:\Program Files (x86)\winscr
C:\Program Files (x86)\svcvmx
C:\Program Files (x86)\qdcomsvc
C:\WINDOWS\System32\drivers\drmkpro64.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===
--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======


Please post the logs and let me know what problem persists.

p.s.
Include the Addition.txt log that was created by the Farbar tool.

#3 skillaz

  • Topic Starter
  • Members
  • 6 posts

Posted 27 February 2017 - 10:25 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-02-2017
Ran by STT-3 (27-02-2017 00:40:36) Run:1
Running from C:\Users\STT-3\Desktop\New folder
Loaded Profiles: STT-3 (Available Profiles: STT-3)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {08788575-603C-4664-878F-4624CF5F643D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {10E48639-CDCD-42E5-B8C8-01B01A34CA2F} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2B61C473-A7A8-4874-8D4E-7FEB06CC15FC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {2F090F64-CC61-4771-9693-38FD2EC33A19} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {33F09F4F-1373-4BA3-9357-0BCB3DBA2BF7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6202DB17-0516-499E-BD99-577BB4D2452F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {690B4F19-6615-4749-B0B0-4357DAD54AC9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8D83D0B5-EF31-4040-8383-A5C95C54DF35} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9122172D-1EDD-490F-B6BF-CBD086837578} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {A7BC33F8-1E0D-4FE5-9802-108159E7DCC0} - System32\Tasks\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => pcalua.exe -a "C:\Users\kb6565\AppData\Roaming\Browser Extensions\uninstall.exe"
Task: {AD842A19-5CDE-4674-9B18-139791C6C8ED} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B1F3FEA4-CF7E-4A2F-B385-698A1A2AD389} - \{68CBA00B-12E5-41E7-83F0-8386F729CA72} -> No File <==== ATTENTION
Task: {DD4DBF84-024E-4053-A666-78FC109E4D13} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat (No File)
Shortcut: C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\dataup
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\dataup\help_dll.dll
C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll
AlternateDataStreams: C:\ProgramData\TEMP:B3503B59 [512]
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
C:\Program Files (x86)\dataup\dataup.exe
C:\Program Files (x86)\nellies\irrigated.exe
C:\Program Files (x86)\svcvmx\svcvmx.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\svcvmx\vmxclient.exe
C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe
C:\Users\kb6565\AppData\Local\Temp
C:\Program Files (x86)\winscr\winscr.exe
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Run: [irrigated] => C:\Program Files (x86)\nellies\irrigated.exe [50803 2016-11-23] ()
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\MountPoints2: {e65c5052-5820-11e4-827f-e82aea722b6b} - "G:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKU\S-1-5-21-3724564687-3091530008-2351571219-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> {0E25F6E8-6429-40EF-9C22-813373DA0C14} URL =
BHO: Youtube AdBlock -> {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} -> C:\Program Files (x86)\Youtube AdBlock\IEEF\W31HwnT.dll => No File
Toolbar: HKU\S-1-5-21-3724564687-3091530008-2351571219-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF ProfilePath: C:\Users\kb6565\AppData\Roaming\Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 [2017-02-25]
FF Homepage: Mozilla\Firefox\Profiles\tuw1jqkk.default-1479947492972 -> hxxps://my.yahoo.com/
CHR dev: Chrome dev build detected! <======= ATTENTION
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
R2 windowsmanagementservice; C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S3 dbx; system32\DRIVERS\dbx.sys [X]
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-24 14:39 - 2017-02-24 14:39 - 00000000 ____D C:\Program Files (x86)\dataup
D C:\ProgramData\1487965132
C:\Program Files (x86)\regtool
2016-11-23 19:04 - 2016-11-23 19:04 - 0034216 _____ () C:\Users\kb6565\AppData\Local\22705.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0127729 _____ () C:\Users\kb6565\AppData\Local\37703.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0054804 _____ () C:\Users\kb6565\AppData\Local\52984.exe
2016-11-23 19:04 - 2016-11-23 19:04 - 0049460 _____ () C:\Users\kb6565\AppData\Local\85953.exe
2015-03-15 17:18 - 2015-03-15 17:18 - 0007597 _____ () C:\Users\kb6565\AppData\Local\Resmon.ResmonCfg
2016-11-23 19:23 - 2016-11-23 19:24 - 0000003 _____ () C:\Users\kb6565\AppData\Local\run1.txt
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-20 12:26 - 2016-10-20 12:26 - 0970912 _____ (Microsoft Corporation) C:\Users\kb6565\AppData\Local\Temp\msvcr120.dll
2016-10-20 12:26 - 2016-10-20 12:26 - 0772672 _____ () C:\Users\kb6565\AppData\Local\Temp\sqlite3.dll
C:\Users\kb6565\AppData\Local\Temp
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
EmptyTemp:
Hosts:
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{08788575-603C-4664-878F-4624CF5F643D} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{10E48639-CDCD-42E5-B8C8-01B01A34CA2F} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2B61C473-A7A8-4874-8D4E-7FEB06CC15FC} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F090F64-CC61-4771-9693-38FD2EC33A19} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33F09F4F-1373-4BA3-9357-0BCB3DBA2BF7} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6202DB17-0516-499E-BD99-577BB4D2452F} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{690B4F19-6615-4749-B0B0-4357DAD54AC9} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8D83D0B5-EF31-4040-8383-A5C95C54DF35} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9122172D-1EDD-490F-B6BF-CBD086837578} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7BC33F8-1E0D-4FE5-9802-108159E7DCC0} => key not found. 
C:\WINDOWS\System32\Tasks\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{01211B35-AF0F-4624-AAE3-A41EFBB961C7} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD842A19-5CDE-4674-9B18-139791C6C8ED} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1F3FEA4-CF7E-4A2F-B385-698A1A2AD389} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{68CBA00B-12E5-41E7-83F0-8386F729CA72} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD4DBF84-024E-4053-A666-78FC109E4D13} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key not found. 
C:\Users\kb6565\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk => not found.
C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rn?t ??pl?r?r ?r?ws?r.lnk => not found.
C:\Users\kb6565\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Fir?f??.lnk => not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk => not found.
Could not move "C:\Program Files (x86)\dataup\dataup.exe" => Scheduled to move on reboot.
 
"C:\Program Files (x86)\dataup" folder move:
 
Could not move "C:\Program Files (x86)\dataup" => Scheduled to move on reboot.
 
Could not move "C:\Program Files (x86)\svcvmx\svcvmx.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\vmxclient.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\dataup\help_dll.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\libcef.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\libglesv2.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\libegl.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\pepflashplayer.dll" => Scheduled to move on reboot.
"C:\ProgramData\TEMP" => ":B3503B59" ADS not found.
 
========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========
 
ERROR: Delete request is partially completed.
 
 
========= End of Reg: =========
 
 
========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
Could not move "C:\Program Files (x86)\dataup\dataup.exe" => Scheduled to move on reboot.
"C:\Program Files (x86)\nellies\irrigated.exe" => not found.
Could not move "C:\Program Files (x86)\svcvmx\svcvmx.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\vmxclient.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\svcvmx\vmxclient.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe" => Scheduled to move on reboot.
"C:\Users\kb6565\AppData\Local\Temp\20170224\ct.exe" => not found.
"C:\Users\kb6565\AppData\Local\Temp" => not found.
C:\Program Files (x86)\winscr\winscr.exe => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 27-02-2017 22:24:20)
 
==> ATTENTION: ATTENTION: System is not rebooted.
"C:\Program Files (x86)\dataup\dataup.exe" => Could not move
"C:\Program Files (x86)\dataup" => Could not move
"C:\Program Files (x86)\svcvmx\svcvmx.exe" => Could not move
"C:\Program Files (x86)\svcvmx\vmxclient.exe" => Could not move
"C:\Program Files (x86)\dataup\help_dll.dll" => Could not move
"C:\Program Files (x86)\svcvmx\libcef.dll" => Could not move
"C:\Program Files (x86)\svcvmx\libglesv2.dll" => Could not move
"C:\Program Files (x86)\svcvmx\libegl.dll" => Could not move
"C:\Program Files (x86)\svcvmx\pepflashplayer.dll" => Could not move
"C:\Program Files (x86)\dataup\dataup.exe" => Could not move
"C:\Program Files (x86)\svcvmx\svcvmx.exe" => Could not move
"C:\Program Files (x86)\svcvmx\vmxclient.exe" => Could not move
"C:\Program Files (x86)\svcvmx\vmxclient.exe" => Could not move
"C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe" => Could not move
 
==== End of Fixlog 22:24:23 ====


#4 nasdaq


  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 February 2017 - 08:50 AM

I do not think that it went as well as I expected.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script. <--- Important.

#5 skillaz

  • Topic Starter
  • Members
  • 6 posts

Posted 02 March 2017 - 10:50 PM

RogueKiller V12.9.9.0 (x64) [Feb 27 2017] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : STT-3 [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 03/02/2017 20:18:25 (Duration : 02:01:47)
 
¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path|VT.TR/Fuery.qmazf] ct.exe(5336) -- C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe[-] -> Killed [DbgObj]
[PUP.Gen0|VT.TR/Fuery.qmazf] (SVC) windowsmanagementservice -- C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe[-] -> ERROR [41c]
 
¤¤¤ Registry : 5 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | cpx : "C:\Program Files (x86)\cpx\cpx.exe" -starup [x] -> ERROR [5]
[PUP.Gen0|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dataup (C:\Program Files (x86)\dataup\dataup.exe) -> ERROR [5]
[PUP.Gen0|Suspicious.Path|VT.TR/Fuery.qmazf] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\windowsmanagementservice (C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe) -> ERROR [5]
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1064145775-1192110755-2523778263-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1064145775-1192110755-2523778263-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 14 ¤¤¤
[PUP.Gen1][File] C:\Users\STT-3\Desktop\Gmail.lnk [LNK@] C:\Users\STT-3\AppData\Local\BrowserAir\Application\BrowserAir.exe http://mail.google.com -> Deleted
[PUP.Gen1][File] C:\Users\STT-3\Desktop\???????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe -> Deleted
[PUP.Gen1][File] C:\Users\STT-3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\???????\???????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe -> Deleted
[PUP.Gen1][File] C:\Users\STT-3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\???????\???????????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\5.1.7.15323\site.url -> Deleted
[PUP.Gen1][File] C:\Users\STT-3\AppData\Roaming\Microsoft\Windows\Start Menu\???????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe -> Deleted
[PUP.Gen1][File] C:\Users\STT-3\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\???????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe -> Deleted
[PUP.Gen0][File] C:\Windows\SECOH-QAD.exe -> Deleted
[PUP.Gen0|PUP.Gen1][Folder] C:\Program Files (x86)\dataup -> Removed at reboot [5]
[PUP.Gen0|PUP.Gen1][File] C:\Program Files (x86)\dataup\dataup.exe -> Removed at reboot [5]
[PUP.Gen0|PUP.Gen1][File] C:\Program Files (x86)\dataup\dataup.ini -> Removed at reboot [5]
[PUP.Gen0|PUP.Gen1][File] C:\Program Files (x86)\dataup\help_dll.dll -> Removed at reboot [5]
[PUP.Gen0|PUP.Gen1][File] C:\Program Files (x86)\dataup\NTSVC.ocx -> Removed at reboot [5]
[PUP.Gen1][Folder] C:\Program Files (x86)\regtool -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\regtool\regtool.exe -> Deleted
[PUP.Gen1][File] C:\Users\STT-3\Desktop\Gmail.lnk [LNK@] C:\Users\STT-3\AppData\Local\BrowserAir\Application\BrowserAir.exe http://mail.google.com -> Removed at reboot [2]
[PUP.Gen1][File] C:\Users\STT-3\Desktop\???????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe -> Removed at reboot [2]
[PUP.Gen1][File] C:\Users\STT-3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\???????\???????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe -> Removed at reboot [2]
[PUP.Gen1][File] C:\Users\STT-3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\???????\???????????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\5.1.7.15323\site.url -> Removed at reboot [2]
[PUP.Gen1][File] C:\Users\STT-3\AppData\Roaming\Microsoft\Windows\Start Menu\???????.lnk [LNK@] C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe -> Removed at reboot [2]
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 3 ¤¤¤
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [www-searching.com] -> Deleted
[PUP.Gen1][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.url [http://www-searching.com/search.aspx?site=shdefault1&prd=smw&pid=s&shr=d&q={searchTerms}&s=h2qzamotn8174xbu,0b73dc47-827a-45c9-ab27-3699c930cff9,] -> Deleted
[PUP.Gen1][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.suggestions_url [http://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}] -> Deleted
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKX-08U6AA0 +++++
--- User ---
[MBR] f52fa54e592b875556d67a892ef7ad4d
[BSP] db0e2dd822ace1d23c104cb129d7f825 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 2048 | Size: 1000 MB
1 - [MAN-MOUNT]  | Offset (sectors): 2050048 | Size: 260 MB
2 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 2582528 | Size: 500 MB
3 - [MAN-MOUNT]  | Offset (sectors): 3606528 | Size: 128 MB
4 - Basic data partition | Offset (sectors): 3868672 | Size: 450051 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 925573120 | Size: 25000 MB
User = LL1 ... OK
User = LL2 ... OK


#6 nasdaq


  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2017 - 09:03 AM

Please run the Farbar tool one more time.
Post fresh FRST and Addition.txt file for my review.


Let me know what problem persists.

#7 skillaz

  • Topic Starter
  • Members
  • 6 posts

Posted 03 March 2017 - 09:47 AM

 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by STT-3 on Fri 03/03/2017 at  0:21:02.19.
Microsoft Windows 10 Pro N 10.0.14393  x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\STT-3\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
3/3/2017 12:25:17 AM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~3\AMD deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\STT-3\AppData\Local\ActiveSync deleted successfully
C:\Users\STT-3\AppData\Local\NetworkTiles deleted successfully
C:\Users\STT-3\AppData\Local\Opera Software deleted successfully
C:\Users\STT-3\AppData\Local\PeerDistRepub deleted successfully
C:\Users\STT-3\AppData\Local\VirtualStore deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Maps deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\NetworkTiles deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~3\1488132782 deleted
C:\PROGRA~3\Package Cache deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\WINDOWS\Syswow64\nsb9C40.tmp deleted
C:\WINDOWS\Syswow64\nscE11F.tmp deleted
C:\WINDOWS\Syswow64\nslB5D8.tmp deleted
C:\WINDOWS\Syswow64\nsq9BFF.tmp deleted
C:\WINDOWS\Syswow64\nsvB52A.tmp deleted
C:\WINDOWS\Syswow64\nswE0AF.tmp deleted
C:\WINDOWS\Syswow64\SET8647.tmp deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [08/30/2016 12:08 AM]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [08/30/2016 12:08 AM]
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.86
 
 
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="yes"
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="no"
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
 
==== Reset Google Chrome ======================
 
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Profile 1\Preferences was reset successfully
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Profile 1\Secure Preferences was reset successfully
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Web Data will be reset at reboot
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal will be reset at reboot
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Profile 1\Web Data was reset successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\STT-3\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\STT-3\AppData\Local\Microsoft\Windows\INetCache\IE\436F8ELN will be deleted at reboot
C:\Users\STT-3\AppData\Local\Microsoft\Windows\INetCache\IE\A1RGSAQ5 will be deleted at reboot
C:\Users\STT-3\AppData\Local\Microsoft\Windows\INetCache\IE\XR7DVY44 will be deleted at reboot
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Cache will be emptied at reboot
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=33 folders=32 28172407 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\STT-3\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Web Data" not found
"C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal" not found
"C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0" deleted
"C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1" deleted
"C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2" deleted
"C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3" deleted
"C:\Users\STT-3\AppData\Local\Google\Chrome\User Data\Default\Cache\index" deleted
"C:\Users\STT-3\AppData\Local\Microsoft\Windows\INetCache\IE\436F8ELN" not found
"C:\Users\STT-3\AppData\Local\Microsoft\Windows\INetCache\IE\A1RGSAQ5" not found
"C:\Users\STT-3\AppData\Local\Microsoft\Windows\INetCache\IE\XR7DVY44" not found
 
==== EOF on Fri 03/03/2017 at  8:58:04.04 ======================
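The helper reads logs like the zoek output above and the FRST Addition.txt posted later in this thread by eye. As an added example that is not part of any post here and not FRST's own code, the Python below parses the Scheduled Tasks lines in FRST's Addition.txt layout and reports the things a responder checks first: an entry FRST itself marked with ATTENTION, a target that no longer exists, a target with no publisher recorded, and a target under a user-writable directory such as Downloads or AppData. The function names, regexes and review rules are the example's own assumptions; the sample lines are the Task: entries from the FRST log in this thread, including two that were truncated when posted.

```python
"""Triage the 'Task:' lines from an FRST Addition.txt (Scheduled Tasks section).

Added example for this thread; it is not part of FRST or of any post here.
Function names, regexes and the review rules are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

TASK_RE = re.compile(
    r"^Task:\s*\{(?P<guid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<name>.+?)\s*(?:=>|->)\s*(?P<rest>.*)$"
)
DATE_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2})\]")
PUB_RE = re.compile(r"\((?P<pub>[^()]*)\)\s*$")
ATTENTION = "<==== ATTENTION"

# Places a standard user can write to. A task target here is not proof of
# malware (OneDrive's updater legitimately lives in AppData), but it is the
# first thing a responder checks, so it is reported for review.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\",
    re.IGNORECASE,
)

# Sample input: the Task: lines posted in this thread. Two of them were
# truncated when posted (AGProxyCheck, AutoPico) and are kept that way,
# because a parser for forum-posted logs has to survive that.
SAMPLE_TASKS = r"""
Task: {04DC1BB0-C6CC-4A36-A0A9-714A8A968CE3} - System32\Tasks\AMD Updater => C:\Program Files\AMD\CIM\\Bin64\InstallManagerApp.exe [2016-08-11] (Advanced Micro Devices, Inc.)
Task: {43C3CBF8-0341-4D64-A2BE-EBD96C958667} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\STT-3\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe
Task: {6D9B3C52-7021-4D8E-91D3-BD850B1E5ADB} - System32\Tasks\AGProxyCheck => C:\Program
Task: {71B5636E-0A39-43A6-8004-7BDF3E4D5D45} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-08-05] (Piriform Ltd)
Task: {7C584367-8E0A-42D4-A9F5-5BD18C139C35} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {B8437251-D3D3-4C1F-BE33-9B0B536D556B} - System32\Tasks\AutoPico Daily Restart => C:\Users\STT-3\Downloads\KMSpico
"""


@dataclass
class TaskEntry:
    guid: str
    name: str
    target: str               # path after '=>' / '->', or 'No File'
    date: Optional[str]       # FRST's [YYYY-MM-DD] file date, if shown
    publisher: Optional[str]  # text in the trailing (...), if shown
    attention: bool           # FRST appended '<==== ATTENTION'
    reasons: List[str] = field(default_factory=list)


def parse_task(line: str) -> Optional[TaskEntry]:
    """Parse one 'Task:' line; returns None for any other line."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    attention = rest.endswith(ATTENTION)
    if attention:
        rest = rest[: -len(ATTENTION)].strip()
    publisher = None
    pm = PUB_RE.search(rest)          # trailing "(Publisher)" only, not "(x86)"
    if pm:
        publisher = pm.group("pub").strip()
        rest = rest[: pm.start()].strip()
    date = None
    dm = DATE_RE.search(rest)
    if dm:
        date = dm.group(1)
        rest = rest[: dm.start()].strip()
    return TaskEntry(m.group("guid"), m.group("name"), rest, date, publisher, attention)


def review(entry: TaskEntry) -> TaskEntry:
    """Attach the reasons a responder would want to look at this task."""
    if entry.attention:
        entry.reasons.append("FRST marked the entry with <==== ATTENTION")
    if entry.target.lower() == "no file":
        entry.reasons.append("target no longer exists (orphaned task)")
    elif entry.publisher is None:
        entry.reasons.append("no publisher recorded for the target")
    if USER_WRITABLE_RE.search(entry.target):
        entry.reasons.append("target is in a user-writable location")
    return entry


def triage_log(text: str) -> List[TaskEntry]:
    """All Task: entries in the log, in order, each with its review reasons."""
    return [review(e) for e in map(parse_task, text.splitlines()) if e is not None]


def suspicious(text: str) -> List[str]:
    """Names of the tasks that need a human look, in log order."""
    return [e.name for e in triage_log(text) if e.reasons]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_TASKS):
        flag = "REVIEW" if e.reasons else "ok    "
        detail = f"  [{'; '.join(e.reasons)}]" if e.reasons else ""
        print(f"{flag} {e.name} -> {e.target}{detail}")
```

Run it as a script to get one line per task. The flags are review prompts, not verdicts: the OneDrive updater is flagged only because it lives under AppData and FRST recorded no publisher for it, while a task launching something out of Downloads is exactly what a responder wants surfaced. The FirewallRules: and hosts sections of the same log have equally regular layouts and can be handled the same way.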


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2017 - 01:14 PM

Please execute the post no. 6 request.

Let me know what problem persists.

#9 skillaz

skillaz
  • Topic Starter

  • Members
  • 6 posts

Posted 04 March 2017 - 04:18 AM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 03-03-2017
Ran by STT-3 (04-03-2017 03:03:59)
Running from C:\Users\STT-3\Desktop\New folder
Windows 10 Pro N Version 1607 (X64) (2016-09-24 00:26:32)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1064145775-1192110755-2523778263-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1064145775-1192110755-2523778263-503 - Limited - Disabled)
Guest (S-1-5-21-1064145775-1192110755-2523778263-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-1064145775-1192110755-2523778263-1006 - Limited - Enabled)
STT-3 (S-1-5-21-1064145775-1192110755-2523778263-1001 - Administrator - Enabled) => C:\Users\STT-3
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Avast Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.0.0 - Adobe Systems)
AMD Install Manager (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.4 - Advanced Micro Devices, Inc.)
AMD Radeon Settings (HKLM\...\WUCCCApp) (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 12.3.2280 - AVAST Software)
Brother MFL-Pro Suite HL-L2380DW series (HKLM-x32\...\{F8ECC2FD-CE2B-4ED4-BDCC-90D0D34206FD}) (Version: 1.0.2.0 - Brother Industries, Ltd.)
Catalyst Control Center Next Localization BR (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization BR (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization BR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization BR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2015.1129.2307.41591 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.0624.1251.21301 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.21 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
GoToAssist Corporate (HKLM-x32\...\GoToAssist) (Version: 11.5.0.1165 - Citrix Systems, Inc.)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
qBittorrent 3.2.4 (HKLM-x32\...\qBittorrent) (Version: 3.2.4 - The qBittorrent project)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7586 - Realtek Semiconductor Corp.)
RogueKiller version 12.9.9.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.9.9.0 - Adlice Software)
SafeZone Stable 1.51.2220.62 (x32 Version: 1.51.2220.62 - Avast Software) Hidden
Skype™ 7.32 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.32.104 - Skype Technologies S.A.)
TeamViewer 11 (HKLM-x32\...\TeamViewer) (Version: 11.0.66695 - TeamViewer)
Unlocker (HKLM\...\{5993C960-4E90-4A00-A2F3-D0C4020A6992}) (Version: 1.9.2 - ajua Custom Installers)
WinRAR 5.30 beta 6 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.30.6 - win.rar GmbH)
搜狗拼音输入法 8.2正式版 (Sogou Pinyin Input Method 8.2 release) (HKLM-x32\...\Sogou Input) (Version: 8.2.0.9257 - Sogou.com)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1064145775-1192110755-2523778263-1001_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\localserver32 -> C:\Users\STT-3\AppData\Local\SogouExplorer\SogouExplorer.exe => No File
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {04DC1BB0-C6CC-4A36-A0A9-714A8A968CE3} - System32\Tasks\AMD Updater => C:\Program Files\AMD\CIM\\Bin64\InstallManagerApp.exe [2016-08-11] (Advanced Micro Devices, Inc.)
Task: {119C45AE-5EDE-4282-844C-3E7F5E131944} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2017-02-23] (Microsoft Corporation)
Task: {43C3CBF8-0341-4D64-A2BE-EBD96C958667} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\STT-3\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe 
Task: {6D9B3C52-7021-4D8E-91D3-BD850B1E5ADB} - System32\Tasks\AGProxyCheck => C:\Program 
Task: {71B5636E-0A39-43A6-8004-7BDF3E4D5D45} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-08-05] (Piriform Ltd)
Task: {7C584367-8E0A-42D4-A9F5-5BD18C139C35} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {91591FF5-B9AB-421E-B9ED-B6453B116804} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-08-30] (AVAST Software)
Task: {A0F2030C-1A76-4461-B382-E22430804C12} - System32\Tasks\SafeZone scheduled Autoupdate 1468554715 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-09-06] (Avast Software)
Task: {A972A184-2DB5-4641-851F-FB0E9BE6F318} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-19] (Google Inc.)
Task: {B773203E-AE1B-46E8-A35A-1CFD23785ACC} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2017-01-27] (AVAST Software)
Task: {B8437251-D3D3-4C1F-BE33-9B0B536D556B} - System32\Tasks\AutoPico Daily Restart => C:\Users\STT-3\Downloads\KMSpico 
Task: {F87D2AB2-C627-47FA-AFF6-3D148204EFEA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-19] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\STT-3\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5d696d521de238c3\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 06:41 - 2016-07-16 06:41 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-12-13 13:50 - 2016-12-09 05:29 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2017-01-05 17:36 - 2017-01-05 17:36 - 00077824 _____ () C:\Program Files (x86)\dataup\dataup.exe
2017-02-26 12:32 - 2005-04-21 23:36 - 00143360 _____ () C:\WINDOWS\system32\BrSNMP64.dll
2016-12-13 13:50 - 2016-12-09 05:29 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2010-01-09 19:17 - 2010-01-09 19:17 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-01-21 00:40 - 2010-01-21 00:40 - 08794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2016-09-23 22:47 - 2016-09-23 22:47 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-01-11 04:44 - 2016-12-21 02:09 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-01-11 04:44 - 2016-12-21 01:54 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-01-11 04:44 - 2016-12-21 01:48 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-01-11 04:44 - 2016-12-21 01:48 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-01-11 04:44 - 2016-12-21 01:48 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-01-11 04:44 - 2016-12-21 01:48 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-01-11 04:44 - 2016-12-21 01:53 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick.2\qtquick2plugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00739840 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Controls\qtquickcontrolsplugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Window.2\windowplugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00071168 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Layouts\qquicklayoutsplugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00011776 _____ () C:\Program Files\AMD\CNext\CNext\libEGL.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 02013696 _____ () C:\Program Files\AMD\CNext\CNext\libGLESv2.dll
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
2017-02-26 13:38 - 2017-02-01 04:47 - 02459992 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libglesv2.dll
2017-02-26 13:38 - 2017-02-01 04:47 - 00099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libegl.dll
2016-03-10 12:54 - 2015-09-21 06:31 - 00053248 _____ () C:\Users\STT-3\Sabre Red Workspace\Profiles\B3PI_1236\mysabre.exe
2016-09-21 23:32 - 2016-09-21 23:32 - 00224768 _____ () C:\Program Files (x86)\dataup\help_dll.dll
2017-02-26 12:31 - 2009-02-27 16:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2017-01-14 19:40 - 2017-01-14 19:40 - 53460992 _____ () C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-12-13 13:50 - 2016-12-09 05:29 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-03-03 17:13 - 2016-03-03 17:07 - 00058616 _____ () C:\Users\STT-3\Sabre Red Workspace\Common\plugins\org.eclipse.equinox.launcher.i18n.win32.win32.x86_4.2.0.v201201111650\eclipse_4201.dll
2016-09-25 09:48 - 2016-09-25 09:48 - 00053248 _____ () C:\Users\STT-3\Sabre Red Workspace\Profiles\B3PI_1236\jnireg.dll
2016-03-03 17:11 - 2012-01-11 16:56 - 00162936 _____ () C:\Users\STT-3\Sabre Red Workspace\Common\plugins\com.genuitec.pulse.client.common.shortcut.win32_4.2.0.v201201111650\jshortcut_3213.dll
2016-03-03 17:11 - 2012-01-11 16:56 - 00110760 _____ () C:\Users\STT-3\Sabre Red Workspace\Common\plugins\com.genuitec.pulse.client.common.shortcut.win32_4.2.0.v201201111650\jregistrykey_3213.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-07-30 17:47 - 2015-11-13 17:58 - 00003522 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1 209.34.83.73:443
127.0.0.1 209.34.83.73:43
127.0.0.1 209.34.83.73
127.0.0.1 209.34.83.67:443
127.0.0.1 209.34.83.67:43
127.0.0.1 209.34.83.67
127.0.0.1 ood.opsource.net
127.0.0.1 199.7.52.190:80
127.0.0.1 199.7.52.190
127.0.0.1 OCSP.SPO1.VERISIGN.COM
127.0.0.1 199.7.54.72:80
127.0.0.1 199.7.54.72
127.0.0.1 192.150.14.69
127.0.0.1 192.150.18.101
127.0.0.1 192.150.18.108
127.0.0.1 192.150.22.40
127.0.0.1 192.150.8.100
127.0.0.1 192.150.8.118
127.0.0.1 209-34-83-73.ood.opsource.net
127.0.0.1 3dns-1.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-4.adobe.com
127.0.0.1 3dns.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 activate-sjc0.adobe.com
 
There are 54 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: Dataup => 
MSCONFIG\Services: windowsmanagementservice => 
HKLM\...\StartupApproved\Run32: => "svcvmx1"
HKU\S-1-5-21-1064145775-1192110755-2523778263-1001\...\StartupApproved\Run: => "OneDrive"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{34DAED7A-3226-4860-A1E8-E311F5C1A9E1}] => (Allow) C:\Users\Public\SogouInput\USBDT\OctopusDownloader.exe
FirewallRules: [{4C177958-71F2-4ED1-A1D5-C0A1568A3A57}] => (Allow) C:\Users\Public\SogouInput\USBDT\OctopusDownloader.exe
FirewallRules: [{0537D4B1-EF6C-4338-A64F-E7ECEDBDBB30}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SGMedalLoader.exe
FirewallRules: [{B443B0CC-75DC-4437-9A71-5C66ECA539A5}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SGMedalLoader.exe
FirewallRules: [{56BBCCD7-7921-44CA-99F4-1C8280FCF979}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\userNetSchedule.exe
FirewallRules: [{64A3E582-A17B-4BA0-A238-BD7BF89D6944}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\userNetSchedule.exe
FirewallRules: [{7109DB73-8771-4152-84EC-BD787B35FB46}] => (Allow) C:\Program Files (x86)\SogouInput\Components\SogouComMgr.exe
FirewallRules: [{331655AC-3E24-4B44-9652-669463D729AB}] => (Allow) C:\Program Files (x86)\SogouInput\Components\SogouComMgr.exe
FirewallRules: [{5840C25E-FDBE-48ED-A180-8AB6547CCB47}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SogouCloud.exe
FirewallRules: [{1FE07A7B-CDDB-4EF7-A23F-F6C04848DD9F}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SogouCloud.exe
FirewallRules: [{26893C07-9844-4979-9CBF-19136202B5CF}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SGDownload.exe
FirewallRules: [{C7C2C20E-5F74-48FA-A112-6E7888906901}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SGDownload.exe
FirewallRules: [{24C55264-1264-452A-8459-3CE7B0E47C97}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\PinyinUp.exe
FirewallRules: [{F35A4556-FDD5-4583-AE68-905F485B11F7}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\PinyinUp.exe
FirewallRules: [{42146B6F-61EE-476B-B183-D04C40C8FFB8}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SGTool.exe
FirewallRules: [{8E53AB23-963E-4B3E-A30C-69185C5EE4B8}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8268\SGTool.exe
FirewallRules: [{03827026-B59C-48F5-998D-E136821C03C7}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8051\SogouCloud.exe
FirewallRules: [{64A213DC-1C57-4135-8B98-341739394193}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8051\SogouCloud.exe
FirewallRules: [{5EA47601-DCB8-43EB-8D9B-D8F6E178E539}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8051\SGDownload.exe
FirewallRules: [{1F361CF7-C09A-4F9A-A1A1-A6656FCDD14B}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8051\SGDownload.exe
FirewallRules: [{43E67F8A-ABA7-4774-9D1D-59DD87E44EC4}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8051\SGTool.exe
FirewallRules: [{B95DF152-4AC6-40FD-AD0F-EA010732394C}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8051\SGTool.exe
FirewallRules: [{7AE25F9E-6A5B-486C-A899-93260EB435A2}] => (Allow) C:\Program Files (x86)\SogouInput\8.0.0.8051\SGTool.exe
FirewallRules: [TCP Query User{5377BB28-7917-4147-8D29-DD2DF55A1576}C:\program files (x86)\skype\phone\skype.exe] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{7E0678C8-F3E4-4CA0-B717-717DD84F8151}C:\program files (x86)\skype\phone\skype.exe] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{1545D045-D4EE-49F3-B43C-79C5DC149A24}C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe] => (Block) C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe
FirewallRules: [UDP Query User{C92CBDBE-BC35-4E11-B305-F352B1DC4B3D}C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe] => (Block) C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe
FirewallRules: [{F4D068D9-2E75-4199-92BF-F10715991095}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{5515C478-7501-499F-9E12-219979E7C3CF}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{90C569F7-04D8-45C4-BAA6-C55A2E984520}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{CB99D62E-73F0-413B-84B4-838539861CC6}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [TCP Query User{4FEF0040-B869-49FD-9FBA-B17B1C66F7BA}C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe] => (Block) C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe
FirewallRules: [UDP Query User{FEC35EFE-55ED-45D5-87A9-A2AFC4BFDE3A}C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe] => (Block) C:\users\stt-3\sabre red workspace\profiles\b3pi_1236\mysabre.exe
FirewallRules: [TCP Query User{89BFDC71-5954-446D-AFB8-AD4827F203D5}C:\users\stt-3\appdata\local\sogouexplorer\sogouexplorer.exe] => (Block) C:\users\stt-3\appdata\local\sogouexplorer\sogouexplorer.exe
FirewallRules: [UDP Query User{F1A4A15E-960A-407B-8914-2730C76AC8D5}C:\users\stt-3\appdata\local\sogouexplorer\sogouexplorer.exe] => (Block) C:\users\stt-3\appdata\local\sogouexplorer\sogouexplorer.exe
FirewallRules: [{237D36F9-ACE1-45D0-BE47-88B84A01D7E2}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGTool.exe
FirewallRules: [{25D75E17-FD9D-4B96-8E65-C67E06D23ADF}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGTool.exe
FirewallRules: [{17F48A34-DC37-45BB-8A07-32723B3D0163}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGTool.exe
FirewallRules: [{10A93A6B-650A-44DB-AAA5-1BE43E7215BA}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGTool.exe
FirewallRules: [{F53DEA71-7A5D-4285-AF25-61680D4B94D1}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\PinyinUp.exe
FirewallRules: [{46B6630A-AFAC-44B9-9D6F-B2A1C059F0ED}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\PinyinUp.exe
FirewallRules: [{2134DA50-A2FD-4B0B-94D2-E277426AD6AD}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\PinyinUp.exe
FirewallRules: [{594D22AC-33D3-4ADA-A507-0C14AC809338}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\PinyinUp.exe
FirewallRules: [{9A013162-3005-4499-BCF2-8A608541B0E7}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGDownload.exe
FirewallRules: [{AD10D843-6F92-4EE0-B5C2-250DFEFB9512}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGDownload.exe
FirewallRules: [{DD5818E4-E870-4B34-AAEB-0E708F9F8957}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGDownload.exe
FirewallRules: [{74E83BE8-3347-4BE7-9D89-2379432C1623}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SGDownload.exe
FirewallRules: [{99434317-DCC1-4166-B4ED-CA1FB16747CF}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SogouCloud.exe
FirewallRules: [{474BF9D0-16D2-47A7-8346-5CD9C94676E3}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SogouCloud.exe
FirewallRules: [{21D60446-6A5B-4C88-A86C-C0B21098AA4B}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SogouCloud.exe
FirewallRules: [{05C1BAD8-F922-46D9-A89B-DC0C727F947F}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9094\SogouCloud.exe
FirewallRules: [TCP Query User{C548E1F2-F439-4F18-B3FF-3DC19CAE8450}C:\program files (x86)\skype\phone\skype.exe] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{EB81DF3D-C883-49DB-818D-774DB2EEC066}C:\program files (x86)\skype\phone\skype.exe] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{68648343-A1B8-404D-8CD6-97F9C8EF13C5}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGTool.exe
FirewallRules: [{CD812EFF-CC65-4AD5-9FBD-DC5693C62BC2}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGTool.exe
FirewallRules: [{DA93F6B7-6A6E-4324-AE69-DA6E5B25EA9A}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGTool.exe
FirewallRules: [{AF72C473-DEB7-4670-9B0F-C3D8402D52A2}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGTool.exe
FirewallRules: [{39B04A3C-39FC-4115-B934-39AF8BA1785C}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\PinyinUp.exe
FirewallRules: [{D8ED3BEB-755C-47EF-9673-4465D114600E}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\PinyinUp.exe
FirewallRules: [{BBA61CE5-7362-4C35-ACEE-A27671CE95FF}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\PinyinUp.exe
FirewallRules: [{9FBBB962-F570-481A-9F10-B391C5890F13}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\PinyinUp.exe
FirewallRules: [{961A3535-2723-4A88-8DB7-13F2A532EB90}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGDownload.exe
FirewallRules: [{7BF5EA7A-A39A-4B33-B0D8-0ED3ABE7A52E}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGDownload.exe
FirewallRules: [{D26917DB-1FDB-46C4-9B33-B08150E1E2C1}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGDownload.exe
FirewallRules: [{D3D0F9E2-6EB3-4705-B53E-0C2EB216D5A7}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGDownload.exe
FirewallRules: [{6CDE4642-06FB-48EE-93ED-554FF8011092}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SogouCloud.exe
FirewallRules: [{1450F26E-E7A6-41C2-8DD1-DE7B9F3EEFF1}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SogouCloud.exe
FirewallRules: [{4B264CB6-196B-4896-AAD2-13AB5395AB14}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SogouCloud.exe
FirewallRules: [{B30AA246-D495-4693-A364-F7BA0D60F0FC}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SogouCloud.exe
FirewallRules: [{C762B1EB-7679-429B-B2D9-6A7A5DA8D855}] => (Allow) C:\Program Files (x86)\SogouInput\Components\SogouComMgr.exe
FirewallRules: [{D91C5280-4771-4064-83D9-47357242246A}] => (Allow) C:\Program Files (x86)\SogouInput\Components\SogouComMgr.exe
FirewallRules: [{635E7E52-BF62-40D7-BA7B-33820A2035FF}] => (Allow) C:\Program Files (x86)\SogouInput\Components\SogouComMgr.exe
FirewallRules: [{F9625C20-BD83-4390-B318-9E22ADF9CAB1}] => (Allow) C:\Program Files (x86)\SogouInput\Components\SogouComMgr.exe
FirewallRules: [{5D6D7C53-1825-44BA-A50E-401B7977864E}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\userNetSchedule.exe
FirewallRules: [{2E88FD7D-5BA0-43E0-9AA9-2CBE62DDDF68}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\userNetSchedule.exe
FirewallRules: [{5A92D4C8-8573-43C2-B07E-7ED4BEBA203F}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\userNetSchedule.exe
FirewallRules: [{A68443C7-D323-475F-98EB-FD3E6C34693D}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\userNetSchedule.exe
FirewallRules: [{9CAAFCA9-3CEF-48B9-9079-5FC3909E3ABA}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGMedalLoader.exe
FirewallRules: [{369F7411-07F9-4145-8B30-6D453DBCC2B2}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGMedalLoader.exe
FirewallRules: [{8EA06157-414C-482E-9D40-ECB5593F0DE3}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGMedalLoader.exe
FirewallRules: [{4B00E480-E00F-4543-8BB7-F9C00C897DE7}] => (Allow) C:\Program Files (x86)\SogouInput\8.2.0.9257\SGMedalLoader.exe
FirewallRules: [{2912F686-43F5-4F5F-94DB-9045F308135C}] => (Allow) C:\Users\Public\SogouInput\USBDT\OctopusDownloader.exe
FirewallRules: [{BF443F84-3161-4C1E-8312-FEB9C9B2A6E7}] => (Allow) C:\Users\Public\SogouInput\USBDT\OctopusDownloader.exe
FirewallRules: [{BF6ADC82-D5D1-4A09-9A1E-2FD0E374E6A1}] => (Allow) C:\Users\Public\SogouInput\USBDT\OctopusDownloader.exe
FirewallRules: [{583793D7-A013-4E08-8A8F-B25A9474D3D4}] => (Allow) C:\Users\Public\SogouInput\USBDT\OctopusDownloader.exe
FirewallRules: [{3C1C3577-4076-4929-93EE-26F076F2C50D}] => (Allow) LPort=54925
FirewallRules: [{F4506574-88A9-4EE4-9000-17C826E7A283}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{4281BF47-76BF-4245-BAB8-7355B19FE6A1}C:\program files (x86)\qbittorrent\qbittorrent.exe] => (Allow) C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{7394A2CC-854C-4BBD-8835-8E5C8B725B3E}C:\program files (x86)\qbittorrent\qbittorrent.exe] => (Allow) C:\program files (x86)\qbittorrent\qbittorrent.exe
 
==================== Restore Points =========================
 
03-03-2017 19:46:30 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/03/2017 11:27:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.14393.0, time stamp: 0x57899bb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x585a25a7
Exception code: 0xc0000005
Fault offset: 0x0000000000036bc7
Faulting process id: 0x33ec
Faulting application start time: 0x01d2949fa5a835df
Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: a93e0c7d-df5e-4101-a6c2-e4481684ec77
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
Error: (03/03/2017 07:46:43 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (03/03/2017 07:27:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.14393.0, time stamp: 0x57899bb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x585a25a7
Exception code: 0xc0000005
Fault offset: 0x0000000000036bc7
Faulting process id: 0x468
Faulting application start time: 0x01d2947e1e954892
Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: a1502319-1dc4-42a2-82a6-eac9a0b25842
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
Error: (03/03/2017 03:27:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.14393.0, time stamp: 0x57899bb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x585a25a7
Exception code: 0xc0000005
Fault offset: 0x0000000000036bc7
Faulting process id: 0x2ed4
Faulting application start time: 0x01d2945c9781ff82
Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: bfe5221a-3b82-42a0-84a6-107dd751968a
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
Error: (03/03/2017 11:27:42 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.14393.0, time stamp: 0x57899bb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x585a25a7
Exception code: 0xc0000005
Fault offset: 0x0000000000036bc7
Faulting process id: 0x2338
Faulting application start time: 0x01d2943b107a7344
Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: a5dd7728-804a-4214-8495-fae274093896
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
Error: (03/03/2017 08:57:57 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.14393.0, time stamp: 0x57899bb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x585a25a7
Exception code: 0xc0000005
Fault offset: 0x0000000000036bc7
Faulting process id: 0x1448
Faulting application start time: 0x01d2942623305f3a
Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: c7bcd88e-a157-435e-b107-73f2d93f2b26
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
Error: (03/03/2017 08:56:31 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: TRADETRAVEL-3)
Description: Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/03/2017 08:56:27 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: TRADETRAVEL-3)
Description: Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1 failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/03/2017 07:22:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.14393.0, time stamp: 0x57899bb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x585a25a7
Exception code: 0xc0000005
Fault offset: 0x0000000000036bc7
Faulting process id: 0x1cda4
Faulting application start time: 0x01d29418cef3bb5a
Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: 9d1d6ee1-e834-4e22-9233-fdbc9abd44b8
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
Error: (03/03/2017 03:22:36 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.14393.0, time stamp: 0x57899bb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x585a25a7
Exception code: 0xc0000005
Fault offset: 0x0000000000036bc7
Faulting process id: 0x1c2c0
Faulting application start time: 0x01d293f747eb4b45
Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: c3caafd3-2cec-474c-a24c-b9e568fddc51
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
 
System errors:
=============
Error: (03/03/2017 08:59:46 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (03/03/2017 08:57:40 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/03/2017 08:57:39 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/03/2017 08:57:39 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/03/2017 08:57:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The avast! Antivirus service failed to start due to the following error: 
The requested resource is in use.
 
Error: (03/03/2017 08:56:36 AM) (Source: DCOM) (EventID: 10010) (User: TRADETRAVEL-3)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
 
Error: (03/03/2017 08:56:36 AM) (Source: DCOM) (EventID: 10010) (User: TRADETRAVEL-3)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
 
Error: (03/03/2017 08:56:31 AM) (Source: DCOM) (EventID: 10010) (User: TRADETRAVEL-3)
Description: The server microsoft.windowslive.calendar did not register with DCOM within the required timeout.
 
Error: (03/03/2017 08:56:27 AM) (Source: DCOM) (EventID: 10010) (User: TRADETRAVEL-3)
Description: The server microsoft.windowslive.calendar.AppXwkn9j84yh1kvnt49k5r8h6y1ecsv09hs.mca did not register with DCOM within the required timeout.
 
Error: (03/03/2017 08:56:20 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
CodeIntegrity:
===================================
  Date: 2017-02-26 13:30:00.482
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2016-11-21 15:17:22.527
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\Components\SogouComMgr.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 14:47:21.954
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\8.0.0.8268\PinyinUp.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 13:57:20.117
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\Components\SogouComMgr.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 13:22:28.723
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\8.0.0.8268\PinyinUp.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 13:12:28.443
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\Components\SogouComMgr.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 12:52:27.811
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\Components\SogouComMgr.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 12:42:27.330
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\8.0.0.8268\PinyinUp.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 12:32:26.997
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\Components\SogouComMgr.exe that did not meet the Microsoft signing level requirements.
 
  Date: 2016-11-21 12:22:26.529
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\SogouInput\8.0.0.8268\PinyinUp.exe that did not meet the Microsoft signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: AMD A4-6210 APU with AMD Radeon R3 Graphics 
Percentage of memory in use: 63%
Total physical RAM: 3537.5 MB
Available physical RAM: 1281.73 MB
Total Virtual: 6155.72 MB
Available Virtual: 2278.23 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:439.5 GB) (Free:401.99 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 3A81C4CD)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:16 PM

Posted 04 March 2017 - 10:01 AM

The infection is still present, alright. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
drmkpro64.sys;dataup.exe;svcvmx.exe;qdcomsvc.exe;splsrv.exe;ct.exe;winscr.exe;vmxclient.exe
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;
I will submit a new fixlist.txt.

#11 skillaz

skillaz
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  

Posted 07 March 2017 - 05:19 PM

Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by STT-3 (07-03-2017 03:32:17)
Running from C:\Users\STT-3\Desktop\New folder
Boot Mode: Normal
 
================== Search Registry: "drmkpro64.sys;dataup.exe;svcvmx.exe;qdcomsvc.exe;splsrv.exe;ct.exe;winscr.exe;vmxclient.exe" ===========
 
 
===================== Search result for "drmkpro64.sys" ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drmkpro64]
"ImagePath"="system32\drivers\drmkpro64.sys"
 
 
===================== Search result for "dataup.exe" ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dataup]
"ImagePath"="C:\Program Files (x86)\dataup\dataup.exe"
 
 
===================== Search result for "svcvmx.exe" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"svcvmx"=""C:\Program Files (x86)\svcvmx\svcvmx.exe" -starup"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"svcvmx1"=""C:\Program Files (x86)\svcvmx\svcvmx.exe" -starup"
 
 
===================== Search result for "qdcomsvc.exe" ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qdcomsvc]
"ImagePath"=""C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe" /svc"
 
 
===================== Search result for "ct.exe" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5d04f46-b4b2-4202-a191-f780421b4200}]
"AppName"="imjpdct.exe"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unsecapp.exe:wbemtest.exe:winmgmt.exe:wmic.exe:bfsvc.exe:Twunk_16.exe:Twunk_32.exe:wuauclt.exe:wsqmcons.exe:sapisvr.exe:WinSAT.exe:p2phost.exe:SearchProtocolHost.exe:WerFault.exe:drvinst.exe:ehshell.exe:UI0Detect.exe:ehtray.exe:HelpPane.exe:mrt.exe:SearchFilterHost.exe:mobsync.exe:Narrator.exe:SLUI.exe:taskmgr.exe:PresentationSettings.exe:vds.exe:sdclt.exe:irftp.exe:DFDWiz.exe:SndVol.exe:makecab.exe:msfeedssync.exe:unregmp2.exe:DeviceProperties.exe:rstrui.exe:MdRes.exe:netsh.exe:printui.exe:mcupdate.exe:4mmdat.sys:61883.sys:ACPI.sys:amdk7.sys:amdk8.sys:ASYNCMAC.SYS:atapi.sys:AVC.SYS:cdfs.sys:cdrom.sys:circlass.sys:cmbatt.sys:crusoe.sys:CSC.Sys:dc21x4vm.sys:disk.sys:dot4.sys:dot4usb.sys:drmkaud.sys:ecache.sys:fdc.sys:floppy.sys:hdaudbus.sys:HDAudio.sys:HIDBTH.SYS:HIDIR.SYS:i8042prt.sys:intelppm.sys:irenum.SYS:IRSIR.SYS:kbdclass.sys:kbdhid.sys:LOOP.SYS:mf.sys:monitor.sys:mouclass.sys:mouhid.sys:msisadrv.sys:msiscsi.sys:NDISWAN.SYS:nsiproxy.sys:ohci1394.sys:pci.sys:pciide.sys:powerfil.sys:processr.sys:rasl2tp.sys:raspppoe.sys:RASPPTP.SYS:RDPCDD.SYS:rfcomm.sys:sbp2port.sys:sdbus.sys:serenum.sys:serial.sys:sermouse.sys:sffdisk.sys:sffp_mmc.sys:smbios.sys:swenum.sys:tdx.sys:termdd.sys:tpm.sys:tunmp.sys:tunnel.sys:umbus.sys:update.sys:usb8023.sys:USBAudio.sys:USBCCGP.SYS:usbcir.sys:USBEHCI.sys:usbhub.sys:USBOHCI.sys:usbprint.sys:USBUHCI.sys:viac7.sys:wacompen.sys:wceusbsh.sys:winusb.sys:ws2ifsl.sys:xnacc.sys"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5d04f46-b4b2-4202-a191-f780421b4200}]
"AppName"="imjpdct.exe"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Interactive Services detection]
"EventMessageFile"="%SystemRoot%\System32\UI0Detect.exe"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect]
"DisplayName"="@%SystemRoot%\system32\ui0detect.exe,-101"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect]
"ImagePath"="%SystemRoot%\system32\UI0Detect.exe"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect]
"Description"="@%SystemRoot%\system32\ui0detect.exe,-102"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowsmanagementservice]
"ImagePath"="C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe"
 
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\80\52C64B7E]
"@%SystemRoot%\system32\ui0detect.exe,-101"="Interactive Services Detection"
 
[HKEY_USERS\S-1-5-21-1064145775-1192110755-2523778263-1001\SOFTWARE\Classes\Local Settings\MuiCache\80\52C64B7E]
"@%SystemRoot%\system32\ui0detect.exe,-102"="Enables user notification of user input for interactive services, which enables access to dialogs created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialogs will no longer function and there might not be access to interactive service dialogs. If this service is disabled, both notifications of and access to new interactive service dialogs will no longer function."
 
[HKEY_USERS\S-1-5-21-1064145775-1192110755-2523778263-1001\SOFTWARE\Classes\Local Settings\MuiCache\80\52C64B7E]
"@%SystemRoot%\system32\ui0detect.exe,-101"="Interactive Services Detection"
 
 
===================== Search result for "vmxclient.exe" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\vmxclient.exe]
 
[HKEY_USERS\S-1-5-21-1064145775-1192110755-2523778263-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\9addef5b_0]
""="{2}.\\?\hdaudio#func_01&ven_10ec&dev_0282&subsys_17aa36ab&rev_1000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\singlelineouttopo/00010001
\Device\HarddiskVolume5\Program Files (x86)\svcvmx\vmxclient.exe%b{00000000-0000-0000-0000-000000000000}"
 
====== End of Search ======

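The search results above show the pattern the helper is hunting for: autostart entries (Run values and service ImagePath values) whose binaries carry the names from the search string, one of them launched from a Temp folder. The following triage helper is an added example, not part of this thread and not FRST's own code. It parses the "Search Registry" log format shown above (a key in square brackets followed by "name"="data" lines), keeps only autostart entries, and flags each one that either carries a name on an analyst-supplied watchlist or runs from a user-writable location. The SAMPLE_LOG is constructed from lines of the search output above; the trusted-path expansion of %SystemRoot% to C:\Windows and the USER_WRITABLE directory list are this example's own assumptions.

```python
"""Triage helper for FRST "Search Registry" output (added example, not FRST code)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the registry-search output posted above.
SAMPLE_LOG = r'''
===================== Search result for "svcvmx.exe" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"svcvmx"=""C:\Program Files (x86)\svcvmx\svcvmx.exe" -starup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowsmanagementservice]
"ImagePath"="C:\Users\STT-3\AppData\Local\Temp\20170226\ct.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect]
"ImagePath"="%SystemRoot%\system32\UI0Detect.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drmkpro64]
"ImagePath"="system32\drivers\drmkpro64.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5d04f46-b4b2-4202-a191-f780421b4200}]
"AppName"="imjpdct.exe"
'''

# Names the helper asked to search for in post #10 (taken from the thread).
WATCHLIST = ["drmkpro64.sys", "dataup.exe", "svcvmx.exe", "qdcomsvc.exe",
             "splsrv.exe", "ct.exe", "winscr.exe", "vmxclient.exe"]

# Assumption: directories a normal user can write to; a service or Run entry
# pointing here deserves a second look regardless of its name.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"\s*$')          # "name"="data"
BINARY_RE = re.compile(r'^"?(.*?\.(?:exe|sys|dll))', re.IGNORECASE)


@dataclass
class Finding:
    key: str
    value_name: str
    binary: str
    reasons: list


def parse_entries(log):
    """Yield (key, value_name, data) triples from FRST search-registry text."""
    key = None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def is_autostart(key, value_name):
    """True for Run/RunOnce values and for a service's ImagePath."""
    k = key.lower()
    if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
        return True
    return "\\services\\" in k and value_name.lower() == "imagepath"


def extract_binary(data):
    """Pull the executable path out of data that may be quoted and carry arguments."""
    m = BINARY_RE.match(data.strip())
    return m.group(1) if m else None


def normalize(path):
    """Expand %SystemRoot% and make a relative ImagePath absolute (assumed C:\\Windows)."""
    p = path.replace("%SystemRoot%", r"C:\Windows")
    if not re.match(r"^[a-zA-Z]:\\", p):
        p = r"C:\Windows" + "\\" + p
    return p


def triage(log, watchlist):
    """Return the autostart entries worth a closer look, with the reason for each."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for key, name, data in parse_entries(log):
        if not is_autostart(key, name):
            continue
        binary = extract_binary(data)
        if binary is None:
            continue
        full = normalize(binary)
        low = full.lower()
        reasons = []
        if low.rsplit("\\", 1)[-1] in watch:
            reasons.append("name on analyst watchlist")
        if any(d in low for d in USER_WRITABLE):
            reasons.append("runs from user-writable location")
        if reasons:
            findings.append(Finding(key, name, full, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, WATCHLIST):
        print(f"{f.binary}\n    {f.key}\n    {', '.join(f.reasons)}")
```

On the sample the legitimate UI0Detect service passes (known name under C:\Windows), while svcvmx.exe, ct.exe and drmkpro64.sys are returned; ct.exe is flagged twice, once for its name and once for living under AppData\Local\Temp, which is the signal that would still fire if the file were renamed.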

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:16 PM

Posted 08 March 2017 - 10:04 AM

Delete the current Fixlist.txt used previously.
Repeat these instructions with the new Fixlist.txt that is attached.


Farbar Recovery Scan Tool (FRST) Recovery Environment

Note: You require access to a USB drive.
Note: Please print off these instructions, or ensure you have access to them using a different device.
Enter Recovery Environment (Windows 10)
  • Consult the following instructions (scroll down to "Entry points into WinRE") on how to enter the Recovery Environment in Windows 10.
  • After entering the Recovery Environment, click Troubleshoot followed by Advanced options.
  • Proceed to the Advanced Boot Options Menu instructions below.
Advanced Boot Options Menu
  • Select Command Prompt.
  • In the command window type notepad and press Enter on your keyboard.
  • Notepad will open. Click File followed by Open.
  • Click Computer, write down your USB drive letter on a piece of paper and close Notepad.
  • Type: x:\frst.exe / x:\frst64.exe in the command window.
    • Note: Replace letter x with the drive letter of your USB drive you wrote down earlier.
  • Press Enter on your keyboard. The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Click Fix.
  • A log (Fixlog.txt) will be saved to your USB drive. Reboot your computer. Copy the contents of Fixlog.txt and paste it in your next reply.
===

Remove Malwarebytes using their removal tool.
Download and run the tool.
https://support.malwarebytes.com/customer/portal/articles/1835311-how-do-i-uninstall-malwarebytes-anti-malware-?b_id=6438

Reinstall Malwarebytes from this site.
https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

If you have the paid version reinstall it using the license.

Run Malwarebytes and post the logs.
===


After the restart of the computer please run the Farbar tool normally.
Post fresh FRST and Addition.txt logs for my review.

Let me know what problem persists.

Attached Files



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:16 PM

Posted 14 March 2017 - 07:43 AM

Are you still with me?
