Infected: Running Malwarebytes, but it's compromised. Details below


  • This topic is locked
21 replies to this topic

#1 plaiche


  • Members

Posted 28 February 2017 - 06:30 PM

Hello,

Affected system running:

Windows 10 Pro 

Malwarebytes Premium

Windows Defender

Chrome (at the time when issues began)

 

  • Tabs began auto launching in Chrome warning of a missing font
  • I used task manager to kill numerous Chrome tabs until it was shutdown
  • Launched Malwarebytes, but "Scan" is not an option 
  • Consistent popups from Malwarebytes warning "Website Blocked" / IP Address 82.163.143.176 / Port: 63399 (and 51577, 53948) / Type: Outbound / File: C:\Windows\System32\svchost.exe
  • Launched Edge to attempt to get to Bleeping Computer 
  • More new tabs in Edge including : Windows Security Notification READ BEFORE CONTINUING Your Windows antivirus may not be sufficient to get enough. Get McAfee Antivirus now to protect your computer from malware, viruses and online hackers. Browser: Chrome Service Provider: Comcast: IP Address: 76.116.66.xxx

 

  • Malwarebytes has the following 7 items in Quarantine
  • PUP.Optional.DNSUnlocker.ACMB2 Location C:\ProgramData\07c61d78-0445-1\07c61d78-0445-1.d
  • PUP.Optional.DNSUnlocker.ACMB2 Location C:\ProgramData\07c61d78-4923-0\07c61d78-4923-0.d
  • Adware.Agent.Generic
  • PUP.Optional.DNSUnlocker.ACMB2 Location C:\ProgramData\07c61d78-50c7-0\07c61d78-50c7-0.d
  • PUP.Optional.DNSUnlocker.ACMB2 Location C:\ProgramData\07c61d78-5e65-0\07c61d78-5e65-0.d
  • Adware.Agent.Generic
  • PUP.Optional.DNSUnlocker.ACMB2 Location C:\ProgramData\07c61d78-0077-1\07c61d78-0077-1.d

     
  • Windows Defender quarantined: Ransom:Win32/Spora.A
  • I clicked Remove All in Defender

I doubt I would have been able to run much from that machine, so I have taken the step of downloading numerous utilities from BleepingComputer to a USB drive. I have not rebooted or inserted the USB drive as of yet.

 

Hope you can help. Ready to follow instructions :-) 

Thanks,
Michael 




#2 boopme



  • Global Moderator

Posted 05 March 2017 - 04:58 PM

Hi, do not plug that USB into any other machine but this one.

Info on the infection:

Windows Defender detects and removes this threat.

This ransomware can stop you from using your PC or accessing your data. It might ask you to pay money to a malicious hacker.

Notably, this ransomware has worm capability, which means that it can spread to other computers in the network.

We have seen it being distributed via email either as a document with malicious macro codes or as an HTML application (HTA) packaged in a .zip file.

 

 

Can you do these

MiniToolBox

  • Please download MiniToolBox, save it to your desktop and run it.
  • Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Users, Partitions and Memory size.

  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


AdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.



#3 plaiche

  • Topic Starter

  • Members

Posted 05 March 2017 - 10:09 PM

A clarification please: the USB drive has tools downloaded on separate machine and copied onto the drive as the infected machine is blocked from downloading from BleepingComputer. 

So, can I plug the (presumably clean) USB drive into the infected machine to have the needed applications available? If so, I will not put the drive into any other system, but the infected one. 



#4 boopme



  • Global Moderator

Posted 06 March 2017 - 11:01 AM

Yes, use it on the infected machine. ESET will also scan that USB if connected. I do not want you plugging it into another machine until ESET scans it.

#5 plaiche

  • Topic Starter

  • Members

Posted 06 March 2017 - 12:31 PM

Minitoolbox:
 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Admin (administrator) on 06-03-2017 at 08:59:30
Running from "C:\Users\Admin\Desktop"
Microsoft Windows 10 Pro  (X64)
Model: To Be Filled By O.E.M. Manufacturer: To Be Filled By O.E.M.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
Intel® Ethernet Connection I217-V = Ethernet (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : EntoHack-Central
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel® Ethernet Connection I217-V
   Physical Address. . . . . . . . . : BC-5F-F4-B9-00-30
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4905:885e:194f:779%8(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, March 05, 2017 10:51:38 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 07, 2017 8:55:31 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 62676980
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-D3-F2-DE-BC-5F-F4-B9-00-30
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{92B608BA-21A3-45E7-A5BD-B1FB0E425DD6}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 9:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:2854:193c:cd5:1fad:b38b:bd69(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::cd5:1fad:b38b:bd69%7(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 117440512
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-D3-F2-DE-BC-5F-F4-B9-00-30
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
 
Name:    google.com
Addresses:  2607:f8b0:4006:80f::200e
 216.58.219.238
 
 
Pinging google.com [216.58.219.238] with 32 bytes of data:
Reply from 216.58.219.238: bytes=32 time=11ms TTL=54
Reply from 216.58.219.238: bytes=32 time=11ms TTL=54
 
Ping statistics for 216.58.219.238:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 11ms, Average = 11ms
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 98.138.253.109
 206.190.36.45
 98.139.183.24
 
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=109ms TTL=50
Reply from 206.190.36.45: bytes=32 time=90ms TTL=50
 
Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 109ms, Average = 99ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  8...bc 5f f4 b9 00 30 ......Intel® Ethernet Connection I217-V
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  7...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    281
      192.168.1.5  255.255.255.255         On-link       192.168.1.5    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.5    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       192.168.1.5    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       192.168.1.5    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  7    331 ::/0                     On-link
  1    331 ::1/128                  On-link
  7    331 2001::/32                On-link
  7    331 2001:0:2854:193c:cd5:1fad:b38b:bd69/128
                                    On-link
  8    281 fe80::/64                On-link
  7    331 fe80::/64                On-link
  7    331 fe80::cd5:1fad:b38b:bd69/128
                                    On-link
  8    281 fe80::4905:885e:194f:779/128
                                    On-link
  1    331 ff00::/8                 On-link
  8    281 ff00::/8                 On-link
  7    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWoW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWoW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWoW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWoW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWoW64\winrnr.dll [24064] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [67584] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (03/06/2017 08:57:12 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifest.
 
Error: (03/06/2017 08:57:12 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifest.
 
Error: (03/06/2017 08:56:42 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifest.
 
Error: (03/05/2017 11:03:40 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (03/03/2017 09:45:40 AM) (Source: Application Error) (User: )
Description: Faulting application name: NvStreamUserAgent.exe, version: 7.1.2084.9592, time stamp: 0x57605c64
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Fault offset: 0x0000000000030bdd
Faulting process id: 0x334c
Faulting application start time: 0xNvStreamUserAgent.exe0
Faulting application path: NvStreamUserAgent.exe1
Faulting module path: NvStreamUserAgent.exe2
Report Id: NvStreamUserAgent.exe3
Faulting package full name: NvStreamUserAgent.exe4
Faulting package-relative application ID: NvStreamUserAgent.exe5
 
Error: (03/03/2017 09:45:36 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: ENTOHACK-CENTRA)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/02/2017 09:16:32 AM) (Source: Application Error) (User: )
Description: Faulting application name: NvStreamUserAgent.exe, version: 7.1.2084.9592, time stamp: 0x57605c64
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Fault offset: 0x0000000000030bdd
Faulting process id: 0x3228
Faulting application start time: 0xNvStreamUserAgent.exe0
Faulting application path: NvStreamUserAgent.exe1
Faulting module path: NvStreamUserAgent.exe2
Report Id: NvStreamUserAgent.exe3
Faulting package full name: NvStreamUserAgent.exe4
Faulting package-relative application ID: NvStreamUserAgent.exe5
 
Error: (03/02/2017 02:29:02 AM) (Source: Application Error) (User: )
Description: Faulting application name: NvStreamUserAgent.exe, version: 7.1.2084.9592, time stamp: 0x57605c64
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Fault offset: 0x0000000000030bdd
Faulting process id: 0x3044
Faulting application start time: 0xNvStreamUserAgent.exe0
Faulting application path: NvStreamUserAgent.exe1
Faulting module path: NvStreamUserAgent.exe2
Report Id: NvStreamUserAgent.exe3
Faulting package full name: NvStreamUserAgent.exe4
Faulting package-relative application ID: NvStreamUserAgent.exe5
 
Error: (03/01/2017 05:09:42 AM) (Source: Application Error) (User: )
Description: Faulting application name: NvStreamUserAgent.exe, version: 7.1.2084.9592, time stamp: 0x57605c64
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Fault offset: 0x0000000000030bdd
Faulting process id: 0x1b94
Faulting application start time: 0xNvStreamUserAgent.exe0
Faulting application path: NvStreamUserAgent.exe1
Faulting module path: NvStreamUserAgent.exe2
Report Id: NvStreamUserAgent.exe3
Faulting package full name: NvStreamUserAgent.exe4
Faulting package-relative application ID: NvStreamUserAgent.exe5
 
Error: (03/01/2017 05:09:24 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: ENTOHACK-CENTRA)
Description: Package Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe+App was terminated because it took too long to suspend.
 
 
System errors:
=============
Error: (03/03/2017 11:33:39 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
 
Error: (03/03/2017 09:45:36 AM) (Source: DCOM) (User: ENTOHACK-CENTRA)
Description: "C:\WINDOWS\System32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider31Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProviderUnavailableUnavailable
 
Error: (03/02/2017 02:29:03 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{3185A766-B338-11E4-A71E-12E3F512A338}{7006698D-2974-4091-A424-85DD0B909E23}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (02/27/2017 03:12:56 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}{F72671A9-012C-4725-9D2F-2A4D32D65169}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (02/27/2017 02:59:57 PM) (Source: DCOM) (User: ENTOHACK-CENTRA)
Description: {21F282D1-A881-49E1-9A3A-26E44E39B86C}
 
Error: (02/27/2017 02:59:00 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: 
%%2147952449 = The requested address is not valid in its context.
 
 
Error: (02/27/2017 02:59:00 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: 
%%2147952449 = The requested address is not valid in its context.
 
 
Error: (02/27/2017 02:59:00 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error: 
%%2147952449 = The requested address is not valid in its context.
 
 
Error: (02/27/2017 02:59:00 PM) (Source: Tcpip) (User: )
Description: The system detected an address conflict for IP address 192.168.1.2 with the system
having network hardware address E4-11-5B-04-DB-0A. Network operations on this system may
be disrupted as a result.
 
Error: (02/27/2017 02:57:55 PM) (Source: Service Control Manager) (User: )
Description: The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error: 
%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
 
 
Microsoft Office Sessions:
=========================
Error: (03/06/2017 08:57:12 AM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifestC:\Users\Admin\Desktop\esetsmartinstaller_enu.exe
 
Error: (03/06/2017 08:57:12 AM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifestC:\Users\Admin\Desktop\esetsmartinstaller_enu.exe
 
Error: (03/06/2017 08:56:42 AM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifestC:\Users\Admin\Downloads\esetsmartinstaller_enu.exe
 
Error: (03/05/2017 11:03:40 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
 
Error: (03/03/2017 09:45:40 AM) (Source: Application Error)(User: )
Description: NvStreamUserAgent.exe7.1.2084.959257605c64ntdll.dll10.0.14393.4795825887fc00000050000000000030bdd334c01d2942cd288a696C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exeC:\WINDOWS\SYSTEM32\ntdll.dllcd15099f-ed8b-4793-8327-316ee4ea0319
 
Error: (03/03/2017 09:45:36 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: ENTOHACK-CENTRA)
Description: Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App-2144927142
 
Error: (03/02/2017 09:16:32 AM) (Source: Application Error)(User: )
Description: NvStreamUserAgent.exe7.1.2084.959257605c64ntdll.dll10.0.14393.4795825887fc00000050000000000030bdd322801d2935f96ed910bC:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exeC:\WINDOWS\SYSTEM32\ntdll.dll1d4e757b-6572-4983-92da-94b6512a306f
 
Error: (03/02/2017 02:29:02 AM) (Source: Application Error)(User: )
Description: NvStreamUserAgent.exe7.1.2084.959257605c64ntdll.dll10.0.14393.4795825887fc00000050000000000030bdd304401d293269dccf25eC:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exeC:\WINDOWS\SYSTEM32\ntdll.dll463ef68c-55d3-4227-b4af-908c036f0fc2
 
Error: (03/01/2017 05:09:42 AM) (Source: Application Error)(User: )
Description: NvStreamUserAgent.exe7.1.2084.959257605c64ntdll.dll10.0.14393.4795825887fc00000050000000000030bdd1b9401d29273f0cdba60C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exeC:\WINDOWS\SYSTEM32\ntdll.dll2d68c68a-d14d-4d72-893a-f4b2836b526b
 
Error: (03/01/2017 05:09:24 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: ENTOHACK-CENTRA)
Description: Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe+App
 
 
CodeIntegrity Errors:
===================================
  Date: 2017-02-28 09:13:14.576
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-02-23 07:42:30.090
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-02-15 07:28:41.900
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-02-07 08:31:48.454
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-02-03 10:04:20.523
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-02-01 16:27:02.362
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2017-02-01 16:27:00.387
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2017-02-01 16:27:00.383
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2017-02-01 16:26:54.035
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2017-02-01 16:25:56.610
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
 
=========================== Installed Programs ============================
 
µTorrent (HKCU\...\uTorrent) (Version: 3.4.9.43295 - BitTorrent Inc.)
1394 OHCI Compliant Host Controller (Legacy) (HKLM-x32\...\{B12878BB-DA05-4F25-96E7-E0200428B220}) (Version: 0.0.1 - Microsoft Corporation)
Ace Stream Media 3.1.6 (HKCU\...\AceStream) (Version: 3.1.6 - Ace Stream Media)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.16 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Creative Suite 6 Master Collection (HKLM-x32\...\{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}) (Version: 6 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Widget Browser (HKLM-x32\...\com.adobe.WidgetBrowser) (Version: 2.0 Build 348 - Adobe Systems Incorporated.)
Ansel (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel) (Version: 372.70 - NVIDIA Corporation) Hidden
bl (HKLM-x32\...\{2A075BB4-E976-4278-BF3F-E5C6945D84C0}) (Version: 1.0.0 - Your Company Name) Hidden
Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{982E1601-0DFC-4FD3-A427-AC6570697858}) (Version: 14.0.3.2 - Broadcom Corporation)
CameraHelperMsi (HKLM-x32\...\{15634701-BACE-4449-8B25-1567DA8C9FD3}) (Version: 13.51.815.0 - Logitech) Hidden
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
Creative Audio Control Panel (HKLM-x32\...\AudioCS) (Version: 3.00 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.41 - Creative Technology Limited)
Creative Sound Blaster Properties x64 Edition (HKLM-x32\...\Creative Sound Blaster Properties x64 Edition) (Version: 1.03 - Creative Technology Limited)
Crysis® 2 (HKLM-x32\...\{6033673D-2530-4587-8AD0-EB059FC263F9}) (Version: 1.9.0.0 - Electronic Arts)
Ditto (HKLM-x32\...\Ditto_is1) (Version:  - Scott Brogden)
DLNow 1.2 (HKLM-x32\...\DLNow) (Version: 1.2 - Logixoft)
erLT (HKLM-x32\...\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}) (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Evernote v. 6.4.2 (HKLM-x32\...\{E74F0DCA-9FC8-11E6-9D98-005056950253}) (Version: 6.4.2.3788 - Evernote Corp.)
FileHippo App Manager (HKLM-x32\...\FileHippo.com) (Version:  - FileHippo.com)
foobar2000 v1.3.10 (HKLM-x32\...\foobar2000) (Version: 1.3.10 - Peter Pawlowski)
GIMP 2.8.18 (HKLM\...\GIMP-2_is1) (Version: 2.8.18 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Drive (HKLM-x32\...\{07A12123-B717-496B-B471-48AF6407B433}) (Version: 1.32.4066.7445 - Google, Inc.)
Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.32.7 - Google Inc.) Hidden
GoToMeeting 8.0.0.6441 (HKCU\...\GoToMeeting) (Version: 8.0.0.6441 - CitrixOnline)
Grammarly for Microsoft® Office Suite (HKCU\...\{c0b3c46d-8b25-4fcd-bdd5-1cf3302047ff}) (Version: 6.5.86 - Grammarly)
Grammarly for Microsoft® Office Suite (HKLM\...\{10CD8DA4-B543-4B99-B6D7-EF818555FBAB}) (Version: 6.5.86 - Grammarly) Hidden
Helium (HKLM-x32\...\{9A781940-AC41-4D5E-8E1E-76A04B916FB9}) (Version: 1.0.0 - ClockworkMod)
HP ENVY 110 series Basic Device Software (HKLM\...\{737E9620-F941-40CC-8335-A711BB859B82}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP ENVY 110 series Help (HKLM-x32\...\{D4444B31-E9E9-4389-B35D-41B5BCA5E9FB}) (Version: 140.0.2.2 - Hewlett Packard)
Intel® Network Connections 18.5.54.0 (HKLM\...\PROSetDX) (Version: 18.5.54.0 - Intel)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
join.me (HKCU\...\JoinMe) (Version: 3.1.0.4367 - LogMeIn, Inc.)
join.me for Outlook (HKLM-x32\...\{3D0FEDDD-A111-4EC3-AD73-C3394DDF314A}) (Version: 3.4.0.5 - LogMeIn, Inc.)
Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.80 - Logitech Inc.)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
MergeModule_x64 (HKLM\...\{12DCC5A7-0100-4433-B4FF-217A3C5DC83B}) (Version: 9.3.00 - Sony Corporation) Hidden
MergeModule_x86 (HKLM-x32\...\{DD7721BB-CF1C-4DC9-AD87-8D5FB75413B7}) (Version: 9.3.00 - Sony Corporation) Hidden
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MotoHelper 2.1.32 Driver 5.4.0 (HKLM-x32\...\MotoHelper) (Version: 2.1.32 - Motorola)
MotoHelper MergeModules (HKLM-x32\...\{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}) (Version: 1.2.0 - Motorola) Hidden
Motorola Mobile Drivers Installation 5.4.0 (HKLM\...\{B0C6CCC9-0BAB-4636-A06F-B43B6FBC25DF}) (Version: 5.4.0 - Motorola Inc.) Hidden
NVIDIA 3D Vision Controller Driver 369.04 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 369.04 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 376.53 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 376.53 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.11.4.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.11.4.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 376.53 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 376.53 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.15 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.15 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
PDF Settings CS6 (HKLM-x32\...\{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}) (Version: 11.0 - Adobe Systems Incorporated) Hidden
ph (HKLM-x32\...\{185F9795-9663-4F13-9EF9-307A282ADB5A}) (Version: 1.0.0 - Your Company Name) Hidden
PlayMemories Home (HKLM-x32\...\{94F4815B-755A-4FFA-AFDC-EE8FE776981E}) (Version: 5.3.00.12160 - Sony Corporation)
PMB_ModeEditor (HKLM-x32\...\{E95982CA-945F-41F2-B156-A603897AB242}) (Version: 10.3.00 - Sony Corporation) Hidden
PMB_ServiceUploader (HKLM-x32\...\{E7FDF11C-12BB-4D6F-9B6D-F8E488C776DC}) (Version: 10.3.00 - Sony Corporation) Hidden
QT Lite 4.1.0 (HKLM-x32\...\quicktime_lite_is1) (Version: 4.1.0 - )
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
Realtek WLAN Driver (HKLM-x32\...\{0FB630AB-7BD8-40AE-B223-60397D57C3C9}) (Version: 2.00.0006 - Realtek)
Scrivener (HKLM-x32\...\Scrivener 1970) (Version: 1970 - Literature and Latte)
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 7.1.0280 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 2.11.4.1 - NVIDIA Corporation) Hidden
SketchUp 2016 (HKLM\...\{E2B66CF6-ABA0-4E5F-B426-7478B18301AE}) (Version: 16.1.1449 - Trimble Navigation Limited)
Skype™ 7.32 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.32.104 - Skype Technologies S.A.)
SmartDraw 2016 (HKLM-x32\...\SmartDraw 2016) (Version:  - SmartDraw, LLC)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.5 - Sophos Limited)
Sound Organizer (HKLM-x32\...\{53F7486D-41B5-4117-8914-A85B0DBDDC07}) (Version: 1.4.0.11260 - Sony Corporation)
Spotify (HKCU\...\Spotify) (Version: 1.0.45.186.g3b5036d6 - Spotify AB)
SugarSync (HKLM-x32\...\SugarSync) (Version: 3.8.2.6.147467 - SugarSync, Inc.)
Universal Adb Driver (HKLM-x32\...\{C0E08D8D-6076-4117-B644-2AF34F35B757}) (Version: 1.0.4 - ClockworkMod)
VC_CRT_x64 (HKLM\...\{54F2237F-018C-483B-8884-9FC0D88840C3}) (Version: 1.02.0000 - Intel Corporation) Hidden
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.8.1 (HKLM\...\VulkanRT1.0.8.1) (Version: 1.0.8.1 - LunarG, Inc.)
XMind 7.5 Update 1 (v3.6.51) (HKLM-x32\...\XMind_is1) (Version: 3.6.51.201607142338 - XMind Ltd.)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.30.75 - Zemana Ltd.)
Zoom (HKCU\...\ZoomUMX) (Version: 3.5 - Zoom Video Communications, Inc.)
 
========================= Memory info: ===================================
 
Percentage of memory in use: 33%
Total physical RAM: 32699.18 MB
Available physical RAM: 21895.14 MB
Total Virtual: 71611.18 MB
Available Virtual: 58395.89 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:223.03 GB) (Free:12.74 GB) NTFS
2 Drive d: (DVDXFERS) (CDROM) (Total:4.21 GB) (Free:0 GB) UDF
7 Drive j: (New Volume) (Fixed) (Total:931.41 GB) (Free:39 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\ENTOHACK-CENTRA
 
Admin                    Administrator            DefaultAccount           
Guest                    
 
 
**** End of log ****

AdwCleaner

# AdwCleaner v6.044 - Logfile created 06/03/2017 at 09:13:06
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-02.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : Admin - ENTOHACK-CENTRA
# Running from : C:\Users\Admin\Desktop\AdwCleaner (1).exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\Admin\AppData\LocalLow\.acestream
Folder Found:  C:\Users\Admin\AppData\Roaming\.acestream
Folder Found:  C:\Users\Admin\AppData\Roaming\acestream
Folder Found:  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ace Stream Media
Folder Found:  C:\_acestream_cache_
Folder Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apfpecihdjjdaocoeacnmdlcfnahpilc
 
 
***** [ Files ] *****
 
File Found:  C:\prefs.js
File Found:  C:\Users\Admin\AppData\Roaming\Installer.dat
File Found:  C:\Users\Admin\AppData\Roaming\Main.dat
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.cmptch.com_0.localstorage
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.cmptch.com_0.localstorage-journal
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage-journal
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_akz.imgfarm.com_0.localstorage
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_akz.imgfarm.com_0.localstorage-journal
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_hp.myway.com_0.localstorage
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_hp.myway.com_0.localstorage-journal
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_st.chatango.com_0.localstorage
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_static.coupontime00.coupontime.co_0.localstorage
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_static.coupontime00.coupontime.co_0.localstorage-journal
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_www.azlyrics.com_0.localstorage
File Found:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.acelive
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.acemedia
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.acestream
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.tslive
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\acestream
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\AceStream.file
Key Found:  HKCU\Software\Classes\.acelive
Key Found:  HKCU\Software\Classes\.acemedia
Key Found:  HKCU\Software\Classes\.acestream
Key Found:  HKCU\Software\Classes\.tslive
Key Found:  HKCU\Software\Classes\acestream
Key Found:  HKCU\Software\Classes\AceStream.file
Key Found:  [x64] HKCU\Software\Classes\.acelive
Key Found:  [x64] HKCU\Software\Classes\.acemedia
Key Found:  [x64] HKCU\Software\Classes\.acestream
Key Found:  [x64] HKCU\Software\Classes\.tslive
Key Found:  [x64] HKCU\Software\Classes\acestream
Key Found:  [x64] HKCU\Software\Classes\AceStream.file
Key Found:  HKCU\Software\Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17}
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\AceStream
Key Found:  HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
Key Found:  HKCU\Software\AceStream
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Key Found:  [x64] HKCU\Software\AceStream
Key Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
Key Found:  HKCU\Software\Microsoft\Internet Explorer\DOMStorage\govids.net
Key Found:  HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\govids.net
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\smartdraw.en.soft
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.govids.net
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\govids.net
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\smartdraw.en.softoni
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.govids.net
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\govids.net
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\govids.net
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\smartdraw.en.so
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.c
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.govids.net
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\govids.net
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\smartdraw.en.softo
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.govids.net
Key Found:  HKCU\Software\Classes\Applications\ace_player.exe
Key Found:  HKCU\Software\Classes\MIME\Database\Content Type\application/x-acestream-plugin
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
Key Found:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
Key Found:  HKCU\SOFTWARE\Classes\Applications\ace_player.exe
Key Found:  HKCU\SOFTWARE\Classes\MIME\Database\Content Type\application/x-acestream-plugin
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Secure Preferences ] - apfpecihdjjdaocoeacnmdlcfnahpilc
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [12371 Bytes] - [06/03/2017 09:13:06]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [12445 Bytes] ##########
 

Junkware

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.1 (02.11.2017)
Operating System: Windows 10 Pro x64 
Ran by Admin (Administrator) on Mon 03/06/2017 at  9:23:49.98
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 03/06/2017 at  9:24:53.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESET

C:\Users\Admin\Downloads\driver_licence_renewal_form_nj.iso a variant of Win32/ExpressDownloader.K potentially unwanted application deleted
J:\EWP HP drive\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan cleaned by deleting
J:\EWP HP drive\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan cleaned by deleting
J:\EWP HP drive\hp\bin\AUTOPLAY.EXE Win32/Agent.NVP trojan cleaned by deleting
J:\EWP HP drive\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application cleaned by deleting
J:\shared\CS6\1. Instructions\STEP 2 FOLDER Adobe Master Collection CS6 Patcher_\AdobePatcher.bat BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\shared\CS6\1. Instructions\STEP 4\disable_activation.cmd BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\Social media content\disk-defrag-setup.exe a variant of Win32/Auslogics.C potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Acquarius backup\New CS6\1. Instructions\STEP 2 FOLDER Adobe Master Collection CS6 Patcher_\AdobePatcher.bat BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\Acquarius backup\New CS6\1. Instructions\STEP 3\adobe.cs6.all.products.activator.(x32.y.x64)_up01-MPT.exe a variant of Win32/HackTool.Patcher.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\Acquarius backup\New CS6\1. Instructions\STEP 4\disable_activation.cmd BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\Acquarius backup\New CS6\1. Instructions\STEP 4\KEYGEN METHOD\xf-mccs6.exe Win32/Keygen.HA potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\Acquarius backup\Program Files (x86)\Common Files\DVDVideoSoft\TB\DVDVideoSoftTB.exe a variant of Win32/Toolbar.Conduit.AU potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Acquarius backup\Program Files (x86)\Vuze\.install4j\i4j_extf_15_5p83tu.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\cbsidlm-tr1_10a-RioDVD_Region_Free_Player-ORG-10463982 (1).exe Win32/DownloadAdmin.G potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\cbsidlm-tr1_10a-RioDVD_Region_Free_Player-ORG-10463982.exe Win32/DownloadAdmin.G potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\FLVPlayerSetup.exe Win32/InstallCore.BL potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\SopCast-3.8.2.exe a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\trz2678.tmp Win32/TopMedia.B potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\trz31FE.tmp a variant of Win32/InstallIQ potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\vioplayer2_d4766966.exe a variant of Win32/InstallIQ.A potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\cleanup copy of c downloads oct 2014\vioplayer2_d4872405.exe a variant of Win32/InstallIQ.A potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\CS6\1. Instructions\STEP 2 FOLDER Adobe Master Collection CS6 Patcher_\AdobePatcher.bat BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\CS6\1. Instructions\STEP 3\adobe.cs6.all.products.activator.(x32.y.x64)_up01-MPT.exe a variant of Win32/HackTool.Patcher.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\CS6\1. Instructions\STEP 4\disable_activation.cmd BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\CUNY Backups\Original Desktop\Downloads\cbsidlm-tr1_7-Revo_Uninstaller-10687648.exe Win32/DownloadAdmin.D potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Picture\Social media content\disk-defrag-setup.exe a variant of Win32/Auslogics.C potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\shared\CS6\1. Instructions\STEP 2 FOLDER Adobe Master Collection CS6 Patcher_\AdobePatcher.bat BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\shared\CS6\1. Instructions\STEP 3\adobe.cs6.all.products.activator.(x32.y.x64)_up01-MPT.exe a variant of Win32/HackTool.Patcher.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\shared\CS6\1. Instructions\STEP 4\disable_activation.cmd BAT/HostsChanger.A potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\shared\CS6\1. Instructions\STEP 4\KEYGEN METHOD\xf-mccs6.exe Win32/Keygen.HA potentially unsafe application cleaned by deleting
J:\Thermaltaken backup\Space overflow files from C\Desktop\Mai's documents\disk-defrag-setup.exe a variant of Win32/Auslogics.C potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Space overflow files from C\Documents\fg742p.zip Win32/Freegate.A potentially unsafe application deleted
J:\Thermaltaken backup\Space overflow files from C\Downloads\cbsidlm-tr1_10a-RioDVD_Region_Free_Player-ORG-10463982 (1).exe Win32/DownloadAdmin.G potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Space overflow files from C\Downloads\cbsidlm-tr1_10a-RioDVD_Region_Free_Player-ORG-10463982.exe Win32/DownloadAdmin.G potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Space overflow files from C\Downloads\FLVPlayerSetup.exe Win32/InstallCore.BL potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Space overflow files from C\Downloads\openfreely_setup_356.exe a variant of Win32/InstallIQ potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Space overflow files from C\Downloads\The.Avengers.2012.DVDRip.XviD-NYDIC_secure.exe Win32/TopMedia.B potentially unwanted application cleaned by deleting
J:\Thermaltaken backup\Space overflow files from C\Downloads\Xvid.exe a variant of Win32/Verti.J potentially unwanted application cleaned by deleting
 
 


#6 boopme

Posted 06 March 2017 - 01:43 PM

OK, remove what AdwCleaner found...
 
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


    Good chance you were infected thru the Keygens.

    The practice of using keygens, hacking tools, cracking tools, warez, torrents or any pirated software is not only considered illegal activity but it is a serious security risk.
     
     

    Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

    TrendMicro Warning
     
     

    ...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

    Keygen and Crack Sites Distribute VIRUX and FakeAV
     
     

    ...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

    University of Washington spyware study
     
     

    ...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

    Bad Web Sites: Malware
     
     

    ...a staggering 59% of the key generators and crack tools downloaded from P2P networks represent a security liability since they contain malicious and unwanted code. "25% of the Web sites we accessed offering counterfeit product keys, pirated software, key generators or crack tools attempted to install either malicious software or potentially unwanted software. A significant number of these Web sites attempted to install malicious or unwanted code...In addition to the peer-to-peer networks, 11% of the key generators and crack tools downloaded from Web sites were also plagued by malicious and unwanted software.

    Microsoft Reveals the Risks of Using Pirated XP and Office
    Whatever You Do, Do Not Download Windows 7 Via Torrent Sites

    When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

I strongly recommend that you remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so they need to be removed.

Using these types of programs or the websites visited to get them is almost a guaranteed way to get yourself infected!!


Reboot the machine and see how it is.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 plaiche

Posted 06 March 2017 - 02:23 PM

Will do as you say above and add results. For the sake of clarity: those Keygens were from a backup from an entirely different machine and have sat unused for many years. I probably dumped them on that drive a few months ago when moving things around from other external storage. While I have Adobe on this machine, I am 100% certain it was not installed via those old files with the Keygens that turned up. 

The infected machine is under 1 year old, and I have never run a keygen on it once. Can't be sure the guy who built it for me didn't, but I can be certain on my end.

Back to the steps above...



#8 boopme

Posted 06 March 2017 - 02:43 PM

Ok, that's reasonable.. just felt I should advise..

#9 plaiche

Posted 06 March 2017 - 02:57 PM

Of course, and I appreciate it. Just knew as soon as I saw the reference they were older files. Still going to delete them as per your recommendation. 

AdwCleaner log post cleanup/reboot:
 

# AdwCleaner v6.044 - Logfile created 06/03/2017 at 14:33:23
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-02.1 [Local]
# Operating System : Windows 10 Pro  (X64)
# Username : Admin - ENTOHACK-CENTRA
# Running from : C:\Users\Admin\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Admin\AppData\LocalLow\.acestream
[-] Folder deleted: C:\Users\Admin\AppData\Roaming\.acestream
[-] Folder deleted: C:\Users\Admin\AppData\Roaming\acestream
[-] Folder deleted: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ace Stream Media
[-] Folder deleted: C:\_acestream_cache_
[-] Folder deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apfpecihdjjdaocoeacnmdlcfnahpilc
 
 
***** [ Files ] *****
 
[-] File deleted: C:\prefs.js
[-] File deleted: C:\Users\Admin\AppData\Roaming\Installer.dat
[-] File deleted: C:\Users\Admin\AppData\Roaming\Main.dat
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.cmptch.com_0.localstorage
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.cmptch.com_0.localstorage-journal
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage-journal
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_akz.imgfarm.com_0.localstorage
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_akz.imgfarm.com_0.localstorage-journal
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_hp.myway.com_0.localstorage
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_hp.myway.com_0.localstorage-journal
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_st.chatango.com_0.localstorage
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_static.coupontime00.coupontime.co_0.localstorage
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_static.coupontime00.coupontime.co_0.localstorage-journal
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_www.azlyrics.com_0.localstorage
[-] File deleted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.acelive
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.acemedia
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.acestream
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\.tslive
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\acestream
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Classes\AceStream.file
[#] Key deleted on reboot: HKCU\Software\Classes\.acelive
[#] Key deleted on reboot: HKCU\Software\Classes\.acemedia
[#] Key deleted on reboot: HKCU\Software\Classes\.acestream
[#] Key deleted on reboot: HKCU\Software\Classes\.tslive
[#] Key deleted on reboot: HKCU\Software\Classes\acestream
[#] Key deleted on reboot: HKCU\Software\Classes\AceStream.file
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\.acelive
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\.acemedia
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\.acestream
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\.tslive
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\acestream
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\AceStream.file
[-] Key deleted: HKCU\Software\Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17}
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\AceStream
[-] Key deleted: HKU\S-1-5-21-3777986144-643453739-1554320205-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
[#] Key deleted on reboot: HKCU\Software\AceStream
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[#] Key deleted on reboot: [x64] HKCU\Software\AceStream
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\govids.net
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\govids.net
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\smartdraw.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.govids.net
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\govids.net
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\smartdraw.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.govids.net
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\govids.net
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\govids.net
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\smartdraw.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.govids.net
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\govids.net
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\smartdraw.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.govids.net
[-] Key deleted: HKCU\Software\Classes\Applications\ace_player.exe
[-] Key deleted: HKCU\Software\Classes\MIME\Database\Content Type\application/x-acestream-plugin
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
[#] Key deleted on reboot: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
[#] Key deleted on reboot: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
[#] Key deleted on reboot: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
[#] Key deleted on reboot: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
[#] Key deleted on reboot: HKCU\SOFTWARE\Classes\Applications\ace_player.exe
[#] Key deleted on reboot: HKCU\SOFTWARE\Classes\MIME\Database\Content Type\application/x-acestream-plugin
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1] [extension] Deleted: apfpecihdjjdaocoeacnmdlcfnahpilc
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleanerpossible copy.txt - [12621 Bytes] - [06/03/2017 09:18:16]
C:\AdwCleaner\AdwCleaner[C0].txt - [13215 Bytes] - [06/03/2017 14:33:23]
C:\AdwCleaner\AdwCleaner[S0].txt - [12621 Bytes] - [06/03/2017 09:13:06]
C:\AdwCleaner\AdwCleaner[S1].txt - [12775 Bytes] - [06/03/2017 14:26:50]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [13437 Bytes] ##########


#10 boopme

Posted 06 March 2017 - 03:02 PM

Looks good. If it did not reboot after that clean, do so.

#11 plaiche

Posted 07 March 2017 - 07:33 AM

boopme, 

Everything looks good on this end so far. If there are any lingering concerns or added protection (beyond MWB Premium) I should employ (beyond not doing anything foolish ;-), let me know. Otherwise, thank you very much for the guidance and expertise in getting this sorted out!
 



#12 plaiche

Posted 07 March 2017 - 07:51 AM

Report just now from MWBytes
 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Protection Event Date: 3/7/17
Protection Event Time: 7:49 AM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1444
License: Premium
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System
 
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0
 
-Website Data-
Domain: beautyfile.info
IP Address: 81.171.14.67
Port: [57523]
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 
 
(end)

Cause for further concern?


#13 boopme

Posted 07 March 2017 - 11:12 AM

Hi, let's make sure there are no Trojan hooks left.
Start a new topic per the guide below. Start at step 6. Include this MBAM detection and the FRST log in the guide.


Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#14 plaiche

Posted 07 March 2017 - 03:07 PM

Ok, will do. Two questions:

Default options for the FRST scan? (all "Whitelist" options checked, no "Optional Scan" options checked) 

Is there a naming protocol I should use for the new thread referencing either the issue thus far, or this previous post? 



#15 plaiche

Posted 08 March 2017 - 09:52 AM

Hi,

It's back. Popups started firing and then MBAM froze, so I rebooted and it autoscanned, identifying the following threats:
 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 3/8/17
Scan Time: 9:47 AM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1449
License: Premium
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 449881
Time Elapsed: 1 min, 41 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 2
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, No Action By User, [46], [260247],1.0.1449
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, No Action By User, [46], [260247],1.0.1449
 
Registry Value: 1
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{92b608ba-21a3-45e7-a5bd-b1fb0e425dd6}|NAMESERVER, No Action By User, [7713], [260227],1.0.1449
 
Registry Data: 7
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, No Action By User, [46], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, No Action By User, [46], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{193ed7e6-59d4-4e53-8ac8-59479437fe37}|NameServer, No Action By User, [46], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{5d3650d4-8bc4-11e6-8e27-806e6f6e6963}|NameServer, No Action By User, [46], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{92b608ba-21a3-45e7-a5bd-b1fb0e425dd6}|NameServer, No Action By User, [46], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{92b608ba-21a3-45e7-a5bd-b1fb0e425dd6}|DhcpNameServer, No Action By User, [46], [-1],0.0.0
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NAMESERVER, No Action By User, [7713], [293494],1.0.1449
 
Data Stream: 0
(No malicious items detected)
 
Folder: 4
PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\07c61d78-1f55-0, No Action By User, [46], [182288],1.0.1449
PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\07c61d78-2885-0, No Action By User, [46], [182288],1.0.1449
PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\07c61d78-5bb3-1, No Action By User, [46], [182288],1.0.1449
Adware.Agent.Generic, C:\PROGRAMDATA\{B3CF4DAD-0464-FA06-6312-078293536955}, No Action By User, [1715], [331038],1.0.1449
 
File: 2
Adware.Elex, C:\PROGRAMDATA\9BB972F\27944DF1.DLL, No Action By User, [305], [375719],1.0.1449
Adware.Agent.Generic, C:\PROGRAMDATA\{B3CF4DAD-0464-FA06-6312-078293536955}\9753B84D-20F8-0FE6-E7EE-784729413B48.EXE, No Action By User, [1715], [331038],1.0.1449
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


Thank you.
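The Malwarebytes scan above shows the two footprints a DNS changer of this kind leaves: static NameServer values written under the Tcpip\Parameters key (globally and per interface), and a rogue root certificate (thumbprint 26D9E607FFF0C58C7844B47FF8B6E079E5A2220E) installed in the machine Root store so that redirected HTTPS traffic does not raise browser warnings. The following read-only audit is an added example written for this thread; it is not code from the thread or from Malwarebytes or AdwCleaner. It assumes `$TrustedResolvers` is replaced with the resolvers your own network hands out (the values below are placeholders from the RFC 5737 documentation range), and it uses a heuristic for locally added roots: a certificate in `Cert:\LocalMachine\Root` that is absent from the Microsoft Trusted Root Program cache (`Cert:\LocalMachine\AuthRoot`) and was not issued by Microsoft itself.

```powershell
# Added example: audit the registry locations and certificate store that the
# Malwarebytes log above shows DNSUnlocker/DNSChanger modifying. Read-only.

# Placeholder: replace with the DNS servers your DHCP/ISP actually provides.
$TrustedResolvers = @('192.0.2.53', '192.0.2.54')

# Thumbprint of the rogue root certificate reported in the scan log above.
$KnownBadThumbprints = @('26D9E607FFF0C58C7844B47FF8B6E079E5A2220E')

function Get-NameServerOverrides {
    # Walk the global Tcpip\Parameters key and every Interfaces\{GUID} subkey.
    # Both NameServer (static) and DhcpNameServer (DHCP-assigned) are checked,
    # because the log shows both being rewritten.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $keys = @(Get-Item $base) + @(Get-ChildItem "$base\Interfaces")
    foreach ($key in $keys) {
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = (Get-ItemProperty -Path $key.PSPath -Name $name -ErrorAction SilentlyContinue).$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # Windows stores multiple resolvers comma- or space-separated.
            $servers = $value -split '[ ,]+' | Where-Object { $_ }
            $rogue = $servers | Where-Object { $TrustedResolvers -notcontains $_ }
            if ($rogue) {
                [pscustomobject]@{
                    Check   = 'DNS'
                    Where   = "$($key.Name)|$name"
                    Finding = "Unexpected resolver(s): $($rogue -join ', ')"
                }
            }
        }
    }
}

function Get-SuspiciousRootCerts {
    # Cert:\LocalMachine\Root is the store behind the registry keys in the log
    # (HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>).
    # AuthRoot is the cache of roots delivered by the Microsoft Trusted Root
    # Program; a Root entry missing from it was added locally (heuristic:
    # Microsoft's own roots live only in Root, so they are excluded by issuer).
    $authRoot = @(Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object Thumbprint)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
        $knownBad     = $KnownBadThumbprints -contains $cert.Thumbprint
        $locallyAdded = ($authRoot -notcontains $cert.Thumbprint) -and
                        ($cert.Issuer -notlike '*Microsoft*')
        if ($knownBad -or $locallyAdded) {
            [pscustomobject]@{
                Check   = 'RootCert'
                Where   = "$($cert.Thumbprint) ($($cert.Subject))"
                Finding = $(if ($knownBad) { 'Thumbprint reported by Malwarebytes in this thread' }
                            else { 'Root not in Microsoft Trusted Root Program cache; verify it is expected' })
            }
        }
    }
}

$findings = @(Get-NameServerOverrides) + @(Get-SuspiciousRootCerts)
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No unexpected DNS resolvers or locally added root certificates found.'
}
```

Run it after the cleanup and again after the next reboot: the MBAM entries marked "deleted on reboot" in this thread show that a DNS changer which re-creates its NameServer values or certificate on restart is only confirmed gone when both checks stay clean across a reboot. Enterprise machines with a legitimate internal CA will legitimately show that root under the RootCert check, which is why the finding says "verify" rather than "remove".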




