
Windows 10 'requested resource in use' and BSOD drmkpro64.sys failed


  • This topic is locked
30 replies to this topic

#1 tierzastarrw

  • Members
  • 16 posts

Posted 07 March 2017 - 11:51 AM


Hey,
So I think I've got a bug. Earlier my computer threw up a BSOD with the message that drmkpro64.sys failed. When I went to look it up, I found that it was some kind of malware. So, I went to scan with Malwarebytes but it won't start up. I keep getting this error message: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
The requested resource is in use.

I ran Task Manager to see if it was running but it isn't. This thing has also started to install some programs onto my computer as well, such as Anonymizer Gadget and Video Abductor.

Thank you for your time


#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts

Posted 07 March 2017 - 12:45 PM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that Addition.txt is checked.
  • Press Scan button.
  • It will make 2 logs (FRST.txt and Addition.txt) in the same directory the tool is run. Please copy and paste them to your reply.

Regards,

Georgi




#3 tierzastarrw

  • Topic Starter
  • Members
  • 16 posts

Posted 07 March 2017 - 01:04 PM

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-03-2017
Ran by tierza (administrator) on DESKTOP-34VPQP3 (07-03-2017 09:56:48)
Running from C:\Users\tierz\Desktop\FRST
Loaded Profiles: tierza (Available Profiles: tierza & Administrator)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
() C:\Program Files (x86)\dataup\dataup.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.6.2.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(ct Corp.) C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
() C:\Windows\runSW.exe
(Realtek) C:\Windows\SwUSB.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
Failed to access process -> vmxclient.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17012.10301.0_x64__8wekyb3d8bbwe\Video.UI.exe
Failed to access process -> vmxclient.exe
Failed to access process -> vmxclient.exe
Failed to access process -> vmxclient.exe
Failed to access process -> vmxclient.exe
() C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8004.42017.0_x64__8wekyb3d8bbwe\HxMail.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8004.42017.0_x64__8wekyb3d8bbwe\HxTsr.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [EaseUS EPM tray] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.8\bin\EpmNews.exe
HKLM-x32\...\Run: [EaseUS Cleanup] => "C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.8\bin\CleanUpUI.exe" 10 300
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKLM\...\RunOnce: [ConnecitfyTemp a] => cmd /Q /C "rmdir /S /Q C:\Users\tierz\AppData\Local\Temp\Connectify\a" <===== ATTENTION
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [CyberGhost] => "C:\Program Files\CyberGhost 6\CyberGhost.exe" /autostart /min
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\RunOnce: [Uninstall C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {a85aeb01-5f84-11e6-940a-1c872cb602ac} - "I:\SKLoader.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {f5bf8b8e-04b1-11e6-9402-28c2dd10555a} - "F:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {f5bf8bae-04b1-11e6-9402-28c2dd10555a} - "I:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {f5bf8be9-04b1-11e6-9402-28c2dd10555a} - "F:\setup.exe"
HKU\S-1-5-18\...\Run: [] => [X]
HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [Application Restart #1] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
Startup: C:\Users\tierz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe [2016-04-20] (Leader Technologies)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4 192.168.1.1
Tcpip\..\Interfaces\{a8ab2b3c-da44-4fde-9db0-147bb06f9b3b}: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{bc4712d6-5f34-49ab-9093-57f2554a090a}: [DhcpNameServer] 8.8.8.8 8.8.4.4 192.168.1.1
Tcpip\..\Interfaces\{d7112b3b-ee78-4ded-a21b-0d95e7302934}: [DhcpNameServer] 10.204.0.1

Internet Explorer:
==================
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-12-28] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-12-28] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2016-12-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-09-19] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2016-12-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-09-19] (Oracle Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)

Edge:
======
Edge Extension: (Bing) -> EdgeExtension_MicrosoftMicrosoftRewards_8wekyb3d8bbwe => C:\Program Files\WindowsApps\Microsoft.MicrosoftRewards_0.9.2.0_neutral__8wekyb3d8bbwe [2016-12-28]

FireFox:
========
FF DefaultProfile: ymortavt.default
FF ProfilePath: C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default [2017-03-06]
FF NewTab: Mozilla\Firefox\Profiles\ymortavt.default -> hxxps://search.yahoo.com/?fr=vmn&type=vmn__webcompa__1_0__ya__hp_WCYID10300_FYD_161026__ysff
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\ymortavt.default -> Yahoo®
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\ymortavt.default -> Bing
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\ymortavt.default -> Yahoo®
FF Homepage: Mozilla\Firefox\Profiles\ymortavt.default -> about:home
FF Extension: (Ad-Busters) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\ad-busters@outlook.com.xpi [2017-02-12]
FF Extension: (MEGA) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\firefox@mega.co.nz.xpi [2017-03-06]
FF Extension: (Ebates Cash Back) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\{35d6291e-1d4b-f9b4-c52f-77e6410d1326}.xpi [2017-02-28]
FF Extension: (FirefoxAdKiller) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\{b1df372d-8b32-4c7d-b6b4-9c5b78cf6fb1}.xpi [2017-02-12]
FF Extension: (Video DownloadHelper) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2017-02-12]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\features\{bc3a9e78-804c-4621-ae0b-7c28cb1d0c19}\disableSHA1rollout@mozilla.org.xpi [2017-03-06]
FF SearchPlugin: C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\searchplugins\yahoo-lavasoft.xml [2016-10-26]
FF HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-02-15] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-15] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-09-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-09-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-12-28] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-12-28] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin HKU\S-1-5-21-3357796534-2979617118-1178381313-1001: @nsroblox.roblox.com/launcher -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-3357796534-2979617118-1178381313-1001: @nsroblox.roblox.com/launcher64 -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3699904 2016-12-28] (Microsoft Corporation)
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373728 2016-11-30] (Intel Corporation)
S3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe [146888 2016-03-21] (Mozilla Foundation)
S3 PACSPTISVR-Sound_Organizer; C:\Program Files (x86)\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [174176 2012-11-08] (Sony Corporation)
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed] <==== ATTENTION
R2 RunSwUSB; C:\Windows\runSW.exe [44760 2014-12-12] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 windowsmanagementservice; C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S2 RTLDHCPService; C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ATP; C:\WINDOWS\System32\drivers\AsusTP.sys [101368 2015-12-14] (ASUS Corporation)
S3 DFX11_1; C:\WINDOWS\system32\drivers\dfx11_1x64.sys [28008 2015-08-31] (Windows ® Win 7 DDK provider)
S3 DFX12; C:\WINDOWS\system32\drivers\dfx12x64.sys [39048 2015-11-14] (Windows ® Win 7 DDK provider)
R3 dptf_cpu; C:\WINDOWS\System32\drivers\dptf_cpu.sys [38720 2014-09-18] (Intel Corporation)
R3 dptf_pch; C:\WINDOWS\System32\drivers\dptf_pch.sys [38208 2014-09-18] (Intel Corporation)
R1 drmkpro64; C:\Windows\System32\Drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed] <==== ATTENTION
S3 dtlitescsibus; C:\WINDOWS\System32\drivers\dtlitescsibus.sys [30264 2016-04-19] (Disc Soft Ltd)
S3 dtliteusbbus; C:\WINDOWS\System32\drivers\dtliteusbbus.sys [47672 2016-04-19] (Disc Soft Ltd)
R3 esif_lf; C:\WINDOWS\System32\drivers\esif_lf.sys [216360 2014-09-18] (Intel Corporation)
S3 fusion; C:\WINDOWS\system32\DRIVERS\fusion.sys [19840 2015-03-31] ()
S3 iaLPSS_I2C; C:\WINDOWS\System32\drivers\iaLPSS_I2C.sys [120312 2014-06-10] (Intel Corporation)
R0 IntelHSWPcc; C:\WINDOWS\System32\drivers\IntelPcc.sys [77992 2014-08-03] (Intel Corporation)
R3 kbfiltr; C:\WINDOWS\System32\drivers\kbfiltr.sys [17280 2012-08-05] ( )
R3 kxspb; C:\WINDOWS\System32\drivers\kxspb.sys [40976 2014-10-21] (Kionix, Inc.)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
S3 NdisImPlatformMp; C:\WINDOWS\System32\drivers\NdisImPlatform.sys [126464 2016-07-16] (Microsoft Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R0 PxHlpa64; C:\WINDOWS\System32\Drivers\PxHlpa64.sys [56336 2016-08-23] (Corel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [895256 2015-07-07] (Realtek                                            )
S3 RtlWlanu; C:\WINDOWS\System32\drivers\rtwlanu.sys [5195776 2016-07-16] (Realtek Semiconductor Corporation                           )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [410880 2015-07-01] (Realsil Semiconductor Corporation)
S3 tap0901cn; C:\WINDOWS\System32\drivers\tap0901cn.sys [45576 2015-10-19] (The OpenVPN Project)
S1 VBoxNetAdp; C:\WINDOWS\system32\DRIVERS\VBoxNetAdp6.sys [119712 2016-04-18] (Oracle Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\EX64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-06 15:43 - 2017-03-07 09:56 - 00000000 ____D C:\Users\tierz\Desktop\FRST
2017-03-06 15:25 - 2017-03-06 15:27 - 00000000 ____D C:\Users\tierz\Desktop\Cozmo
2017-03-06 15:15 - 2017-03-06 15:15 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-06 15:15 - 2017-03-06 15:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-06 15:15 - 2017-03-06 15:15 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-06 15:15 - 2017-02-24 06:23 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-06 15:04 - 2017-03-06 15:05 - 00046951 _____ C:\Users\tierz\Downloads\Addition.txt
2017-03-06 15:02 - 2017-03-06 15:05 - 00032489 _____ C:\Users\tierz\Downloads\FRST.txt
2017-03-06 14:55 - 2017-03-07 09:56 - 00000000 ____D C:\FRST
2017-03-06 14:53 - 2017-03-06 14:53 - 01765888 _____ (Farbar) C:\Users\tierz\Downloads\FRST.exe
2017-03-06 13:12 - 2017-03-06 13:12 - 00000000 ____D C:\Program Files (x86)\regtool
2017-03-06 13:10 - 2017-03-06 15:12 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-06 13:03 - 2017-03-06 13:03 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-06 12:23 - 2017-03-06 12:23 - 00000000 ____D C:\WINDOWS\system32\%LOCALAPPDATA%
2017-03-06 12:21 - 2017-03-06 12:21 - 00000000 ____D C:\WINDOWS\pss
2017-03-06 12:11 - 2017-03-06 12:11 - 00000037 _____ C:\WINDOWS\wininit.ini
2017-03-06 12:07 - 2017-03-06 12:07 - 00000000 ____D C:\ProgramData\shimgen
2017-03-06 12:06 - 2017-03-06 12:06 - 00000000 ____D C:\Users\tierz\AppData\Roaming\NuGet
2017-03-06 12:06 - 2017-03-06 12:06 - 00000000 ____D C:\Users\tierz\AppData\Local\NuGet
2017-03-06 12:05 - 2017-03-06 12:07 - 00000000 ____D C:\ProgramData\chocolatey
2017-03-06 12:03 - 2017-03-06 12:03 - 00001145 _____ C:\Users\tierz\Desktop\Video Abductor.lnk
2017-03-06 12:03 - 2017-03-06 12:03 - 00000000 ____D C:\Users\tierz\AppData\Local\VideoAB
2017-03-06 12:03 - 2017-02-20 19:38 - 41569792 _____ C:\WINDOWS\ffmpeg.exe
2017-03-06 12:03 - 2017-02-20 19:38 - 07438809 _____ C:\WINDOWS\youtube-dl.exe
2017-03-06 12:03 - 2017-02-20 19:38 - 00000003 _____ C:\WINDOWS\SysWOW64\delay.dat
2017-03-06 12:02 - 2017-03-06 12:02 - 00000000 ____D C:\Users\tierz\AppData\Roaming\InterStat
2017-03-06 11:59 - 2017-03-06 12:11 - 00000000 ____D C:\Program Files (x86)\472bf109-d48f-442d-a508-8bf30d8257d91488830374
2017-03-06 11:56 - 2017-03-06 12:32 - 00000000 ____D C:\Users\tierz\AppData\Local\llssoft
2017-03-06 11:55 - 2017-03-06 13:12 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-03-06 11:51 - 2017-03-06 11:53 - 00413252 _____ C:\WINDOWS\Minidump\030617-33375-01.dmp
2017-03-06 11:39 - 2017-03-06 12:12 - 00000000 ____D C:\Program Files (x86)\S5
2017-03-06 11:39 - 2017-03-06 11:51 - 00000420 _____ C:\WINDOWS\Tasks\Online Application Updater.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000406 ____H C:\WINDOWS\Tasks\Traffic Exchange Updater.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000374 _____ C:\WINDOWS\Tasks\Online Application v209.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000374 _____ C:\WINDOWS\Tasks\Online Application v209 Guardian.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000374 _____ C:\WINDOWS\Tasks\Online Application v209 Guard.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Online Application v2.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Online Application v2 Guardian.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Online Application v2 Guard.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job
2017-03-06 11:39 - 2017-03-06 11:39 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-03-06 11:39 - 2017-03-06 11:39 - 00003722 _____ C:\WINDOWS\System32\Tasks\Online Application Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003716 _____ C:\WINDOWS\System32\Tasks\Online Application Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003708 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003704 _____ C:\WINDOWS\System32\Tasks\Online Application
2017-03-06 11:39 - 2017-03-06 11:39 - 00003702 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003690 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange
2017-03-06 11:39 - 2017-03-06 11:39 - 00003314 _____ C:\WINDOWS\System32\Tasks\Online Application Updater
2017-03-06 11:39 - 2017-03-06 11:39 - 00003294 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Updater
2017-03-06 11:39 - 2017-03-06 11:39 - 00003280 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003274 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003266 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003262 _____ C:\WINDOWS\System32\Tasks\Online Application v209
2017-03-06 11:39 - 2017-03-06 11:39 - 00003260 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003256 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 3
2017-03-06 11:39 - 2017-03-06 11:39 - 00003256 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 2
2017-03-06 11:39 - 2017-03-06 11:39 - 00003256 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 1
2017-03-06 11:39 - 2017-03-06 11:39 - 00003248 _____ C:\WINDOWS\System32\Tasks\Online Application v2
2017-03-06 11:39 - 2017-03-06 11:39 - 00003242 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 3
2017-03-06 11:39 - 2017-03-06 11:39 - 00003242 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 2
2017-03-06 11:39 - 2017-03-06 11:39 - 00003242 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 1
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\AppData\Roaming\c
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\AppData\Local\AnonymizerLauncher
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\.proxycheck
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\.AnonymizerLauncher
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\ProgramData\1488829152
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Program Files (x86)\Microleaves
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Program Files (x86)\dataup
2017-03-06 11:38 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\AppData\Roaming\Microleaves
2017-03-06 11:38 - 2017-03-06 11:38 - 00000000 ____D C:\Users\tierz\AppData\Roaming\AGData
2017-03-06 11:38 - 2017-03-06 11:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2017-03-06 11:36 - 2017-03-06 11:36 - 02647487 _____ C:\WINDOWS\chromebrowser.exe
2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-12 14:33 - 2017-02-12 14:35 - 00000000 ____D C:\Users\tierz\dwhelper
2017-02-09 11:37 - 2017-02-09 11:37 - 00022469 _____ C:\Users\tierz\Desktop\Grocery Outlet Resume.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-07 09:56 - 2016-08-05 19:12 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-07 08:18 - 2016-07-16 03:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-07 08:18 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-07 07:37 - 2016-11-26 23:37 - 00000000 ____D C:\Users\tierz\AppData\Local\CrashDumps
2017-03-07 06:23 - 2016-09-03 20:33 - 00004170 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{CA8D93BD-9BF1-4C16-BDBF-62DF924C98E4}
2017-03-06 19:10 - 2016-11-21 20:35 - 00000000 ____D C:\Users\tierz\AppData\LocalLow\Mozilla
2017-03-06 15:35 - 2016-07-16 03:45 - 00000000 ____D C:\WINDOWS\INF
2017-03-06 15:32 - 2016-08-05 16:38 - 00000000 ____D C:\Windows10Upgrade
2017-03-06 15:30 - 2016-09-03 20:22 - 00000000 ____D C:\Program Files (x86)\Connectify
2017-03-06 15:15 - 2016-11-22 09:30 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-06 15:12 - 2016-08-05 19:31 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-06 15:12 - 2016-08-05 19:20 - 00000000 ____D C:\Users\tierz
2017-03-06 15:11 - 2016-07-15 22:04 - 01310720 _____ C:\WINDOWS\system32\config\BBI
2017-03-06 12:31 - 2016-03-20 18:18 - 00000000 ____D C:\ProgramData\ASUS Smart Gesture
2017-03-06 12:12 - 2016-11-10 19:20 - 00000000 ____D C:\Program Files (x86)\AnonymizerGadget
2017-03-06 11:59 - 2016-11-10 19:22 - 00000000 _____ C:\TOSTACK
2017-03-06 11:51 - 2016-11-05 10:16 - 820156042 _____ C:\WINDOWS\MEMORY.DMP
2017-03-06 11:51 - 2016-11-05 10:16 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-06 11:37 - 2015-12-18 13:47 - 00000000 ____D C:\Users\tierz\AppData\Roaming\uTorrent
2017-03-06 10:41 - 2016-07-06 19:55 - 00000000 ____D C:\Users\tierz\AppData\Roaming\vlc
2017-03-05 17:07 - 2017-01-02 15:35 - 00000000 ____D C:\Users\tierz\AppData\Roaming\USB_HELPER
2017-03-05 16:24 - 2016-12-24 17:23 - 00000000 ____D C:\Users\tierz\AppData\LocalLow\uTorrent
2017-03-05 12:41 - 2017-01-02 15:31 - 00000000 ____D C:\Users\tierz\AppData\Local\Deployment
2017-02-28 10:23 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-02-27 16:41 - 2016-11-21 14:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-27 16:41 - 2016-03-31 21:44 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-02-26 18:55 - 2016-07-16 03:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-26 18:55 - 2016-03-20 15:52 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-26 18:49 - 2016-03-20 15:52 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-20 19:38 - 2011-06-11 00:58 - 00773968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcr100.dll
2017-02-15 12:07 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-02-15 12:07 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-02-12 15:30 - 2016-08-05 19:15 - 00000200 _____ C:\WINDOWS\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
2017-02-06 11:48 - 2016-09-01 22:22 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 11:48 - 2016-09-01 22:22 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2016-11-10 19:22 - 2016-11-10 19:28 - 0000038 _____ () C:\Users\tierz\AppData\Local\a.txt
2016-11-05 15:30 - 2016-11-05 15:30 - 0000600 _____ () C:\Users\tierz\AppData\Local\PUTTY.RND
2016-11-10 19:21 - 2016-11-10 19:22 - 0000003 _____ () C:\Users\tierz\AppData\Local\run1.txt
2016-11-10 18:46 - 2016-11-10 18:46 - 0004096 _____ () C:\ProgramData\czchsjpj.srw
2016-08-05 19:15 - 2016-08-05 19:15 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-11-10 18:46 - 2016-11-10 18:46 - 0000016 _____ () C:\ProgramData\mntemp

Some files in TEMP:
====================
2017-03-06 03:23 - 2017-03-06 03:23 - 2762048 _____ (Lead Devs) C:\Users\tierz\AppData\Local\Temp\alNzC7yS-prog.exe
2017-03-06 11:36 - 2017-03-06 11:36 - 1203712 _____ (TODO: <Company name>) C:\Users\tierz\AppData\Local\Temp\CodecFixDivx.exe
2017-03-06 10:37 - 2017-03-06 11:36 - 1850712 _____ () C:\Users\tierz\AppData\Local\Temp\cpa.exe
2017-03-06 11:58 - 2017-03-06 11:58 - 0836608 _____ () C:\Users\tierz\AppData\Local\Temp\DMDD__11426_il6.exe
2017-03-06 12:15 - 2017-03-06 14:04 - 3516080 _____ (Enigma Software Group USA, LLC.) C:\Users\tierz\AppData\Local\Temp\esgsetup.exe
2017-03-06 11:36 - 2017-03-06 11:36 - 0028672 _____ (Western Visayas College of Science and TechnologyT) C:\Users\tierz\AppData\Local\Temp\fox.exe
2017-01-06 12:57 - 2017-01-06 12:57 - 0040448 ____N () C:\Users\tierz\AppData\Local\Temp\proxy_vole738132990581449868.dll
2017-03-06 11:36 - 2017-03-06 11:36 - 4453367 _____ () C:\Users\tierz\AppData\Local\Temp\start.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-04 11:54

==================== End of FRST.txt ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by tierza (07-03-2017 09:58:41)
Running from C:\Users\tierz\Desktop\FRST
Windows 10 Home Version 1607 (X64) (2016-08-06 03:40:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3357796534-2979617118-1178381313-500 - Administrator - Disabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-3357796534-2979617118-1178381313-503 - Limited - Disabled)
Guest (S-1-5-21-3357796534-2979617118-1178381313-501 - Limited - Disabled)
tierza (S-1-5-21-3357796534-2979617118-1178381313-1001 - Administrator - Enabled) => C:\Users\tierz

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\uTorrent) (Version: 3.4.9.43295 - BitTorrent Inc.)
7-Zip 16.02 (x64) (HKLM\...\7-Zip) (Version: 16.02 - Igor Pavlov)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.221 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{F2871C89-C8A5-42EE-8D45-0F02506385A6}) (Version: 5.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9BC93467-75D1-4AA4-BD58-D9C51D88DFAB}) (Version: 5.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 4.0.12 - ASUS)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
BS.Player FREE (HKLM-x32\...\BSPlayerf) (Version: 2.70.1080 - AB Team, d.o.o.)
Fossil Echo (HKLM-x32\...\1230646427_is1) (Version: 2.0.0.1 - GOG.com)
Free YouTube Downloader 4.1.559 (HKLM-x32\...\{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1) (Version:  - HOW Inc.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4549 - Intel Corporation)
iTunes (HKLM\...\{554C62C7-E6BB-40F1-892B-F0AE02D3C135}) (Version: 12.5.3.17 - Apple Inc.)
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.7571.2109 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 (HKLM\...\{2DFD8316-9EF1-3210-908C-4CB61961C1AC}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{527BBE2F-1FED-3D8B-91CB-4DB0F838E69E}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{CA8A885F-E95B-3FC6-BB91-F4D9377C7686}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 (HKLM-x32\...\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.1 - Mozilla)
Note-UP (HKLM-x32\...\NUIns) (Version:  - ) <==== ATTENTION
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.7571.2109 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (Version: 16.0.7571.2109 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.7571.2109 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.7571.2109 - Microsoft Corporation) Hidden
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
Ori and The Blind Forest - Definitive Edition (HKLM-x32\...\1384944984_is1) (Version: 2.0.0.2 - GOG.com)
Parvaneh: Legacy of the Light's Guardians (HKLM\...\cGFydmFuZWhsZWdhY3lvZnRoZWxpZ2h0c2d1YXJkaWFucw_is1) (Version: 1 - )
Python 3.5.2 (64-bit) (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\{d46281ac-f66b-4246-8cfe-34f61512982f}) (Version: 3.5.2150.0 - Python Software Foundation)
Python 3.5.2 Add to Path (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Core Interpreter (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Development Libraries (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Documentation (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Executables (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 pip Bootstrap (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Standard Library (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Tcl/Tk Support (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Test Suite (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Utility Scripts (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{A674B2CB-13CA-437B-A215-9DD257959A49}) (Version: 3.6.5835.0 - Python Software Foundation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7571 - Realtek Semiconductor Corp.)
ROBLOX Player for tierza (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
Sound Organizer (HKLM-x32\...\{53F7486D-41B5-4117-8914-A85B0DBDDC07}) (Version: 1.4.0.11260 - Sony Corporation)
SPORE™ Collection (HKLM-x32\...\1948823323_is1) (Version: 2.0.0.5 - GOG.com)
Tales of Zestiria (HKLM-x32\...\{104D902A-F2BA-44F2-AF39-25A8B366BFEA}_is1) (Version:  - Bandai Namco)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WiiU_USB_Helper (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\2bfcfdc8f5500a14) (Version: 0.6.1.183 - WiiU_USB_Helper)
Windows 10 Upgrade Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.17346 - Microsoft Corporation)
Windows Driver Package - ASUS (ATP) Mouse  (11/11/2015 1.0.0.262) (HKLM\...\A044C5901003C24E6891688653ABA1068D04A1A0) (Version: 11/11/2015 1.0.0.262 - ASUS)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{DEE03C2B-0C0C-41A9-9877-FD4B4D7B6EA3}\InprocServer32 -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\RobloxProxy64.dll (ROBLOX Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {09E962B1-AF5F-417F-8F37-F32612ADE4CF} - System32\Tasks\Online Application Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {0A473D76-7145-4122-A044-FFB67F1F79EC} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-12-28] (Microsoft Corporation)
Task: {0F3C688F-7745-412F-8CE7-F7819880F3E9} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {1421BBF4-19DC-431C-8297-30266FD3D571} - System32\Tasks\RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2015-07-30] (Realtek Semiconductor)
Task: {1899F8D9-E3B2-4209-8CFA-6D6AEB5CA4CA} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {20B3D284-F99B-4A96-9F92-9A28CF555CFF} - System32\Tasks\{AF1DF452-741D-4F7E-B10C-45EA2FFA1419} => pcalua.exe -a F:\INSTALL.EXE -d F:\
Task: {2CA82826-56E2-4B47-812B-39E191CC0C29} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {33A6BE73-6D7C-4FA1-8962-3B3913372DF5} - System32\Tasks\Online Application v209 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {3C058BA8-EFFB-4C40-86D7-2F5021CBDFC7} - System32\Tasks\Online Application v209 => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {41700B27-0A57-4229-962F-BD46CC5D993D} - System32\Tasks\Online Application v2 => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {495AC365-2737-4014-9F34-138111230AD6} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {51418CA2-7A88-46F8-B5ED-927143CB86FC} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {51F36019-E7D3-44B0-9DD5-AC26C0D53C3A} - System32\Tasks\Traffic Exchange Guardian => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {53EA1287-329B-450E-AA38-C85745992038} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2015-07-30] (Realtek Semiconductor)
Task: {5BDAC688-EADC-49C6-B477-70A2A1EE1C0C} - System32\Tasks\Online Application v2 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {6BAA1CD6-22D5-44C7-8CD9-E63F752BA994} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-12-28] (Microsoft Corporation)
Task: {7DF08D8A-2E47-4161-931E-141099376E33} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {85059419-9E58-4CF8-BE2F-491F7ED7CF8B} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {8594021D-5B6F-491C-BCF1-50628CC57CC2} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {87A669C5-740A-4636-963D-4F71F131A758} - System32\Tasks\Online Application Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {87FFFF65-8A9F-488C-B492-B85CCC00DCA8} - System32\Tasks\Online Application => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {943A4E5C-999B-4C66-B54D-1C147314F82E} - System32\Tasks\{E60853D3-EFC8-475C-969F-61EF8A9A749A} => pcalua.exe -a I:\Play.EXE -d I:\
Task: {A063695D-0206-4FC6-98AE-CA6BA252A7D1} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {A0B624D1-AF36-4900-BDAB-D86FA723BAA6} - System32\Tasks\Traffic Exchange Guard => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {AB796FCB-813F-4D0E-9A02-A0FA4F3E4B40} - System32\Tasks\Traffic Exchange Updater => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe [2017-02-15] (Microleaves) <==== ATTENTION
Task: {B41B0455-191E-4111-9E0A-FA0CB5C469E9} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-12-28] (Microsoft Corporation)
Task: {B95BD3D3-A715-44E6-B560-01CFA4FCD66F} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {B964CEF7-3413-4F39-BE47-9E4F69C389BF} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-02-15] (Adobe Systems Incorporated)
Task: {B981E3D8-1214-49AE-952F-D5043ADFED59} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2016-12-28] (Microsoft Corporation)
Task: {CF141C90-FA3A-4AFD-A36E-241822346D17} - System32\Tasks\Traffic Exchange => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {D5967059-CB0B-455D-B6EC-53EF74CAA622} - System32\Tasks\Online Application v209 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {DAC4A48B-3205-42FA-802D-9E48471B0153} - System32\Tasks\ASUS Smart Gesture Launcher => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [2015-12-14] (AsusTek)
Task: {DD3A8EB2-40D5-4D24-B146-6DF5A53F03BC} - System32\Tasks\Online Application v2 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {DF550CB7-964D-4E62-825B-C7B29E66B3FC} - System32\Tasks\Norton Product InstallerIdle => C:\Users\tierz\AppData\Local\Temp\7zSDA55.tmp\SymInstallStub.exe  <==== ATTENTION
Task: {E13CE0C5-4783-40C5-B8EC-694464DD861D} - System32\Tasks\Online Application Updater => C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.exe [2017-02-15] (Microleaves) <==== ATTENTION
Task: {ED873EC3-5868-4CB5-B4C5-5C85EF3748E1} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {F0CEA0AB-5ED8-4AE3-BA04-ADC9ED449822} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-12-28] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\Norton Product InstallerIdle.job =>
Task: C:\WINDOWS\Tasks\Online Application Updater.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v2 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v2 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v2.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange Updater.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 03:42 - 2016-07-16 03:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-12-14 01:15 - 2016-12-09 02:29 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-10-05 17:17 - 2016-10-05 17:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-10-05 17:17 - 2016-10-05 17:17 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-01-05 17:36 - 2017-01-05 17:36 - 00077824 _____ () C:\Program Files (x86)\dataup\dataup.exe
2016-12-14 01:15 - 2016-12-09 02:29 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-08-27 18:36 - 2016-12-28 09:03 - 08924864 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2016-09-20 14:38 - 2016-09-06 20:56 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-01-11 10:04 - 2016-12-20 23:09 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-01-11 10:04 - 2016-12-20 23:08 - 00693248 _____ () C:\Windows\ShellExperiences\MtcUvc.dll
2017-01-19 11:46 - 2017-01-19 11:46 - 01969360 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.6.2.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll
2017-02-10 08:17 - 2017-02-10 08:17 - 00381440 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.6.2.0_x64__8wekyb3d8bbwe\Microsoft.Notes.Upgrade.dll
2016-05-27 14:50 - 2016-11-30 21:57 - 00401888 _____ () C:\WINDOWS\system32\igfxTray.exe
2017-01-11 10:03 - 2016-12-20 22:48 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
2017-02-23 08:25 - 2017-02-23 08:30 - 00073728 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-02-23 08:25 - 2017-02-23 08:30 - 00179712 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-02-23 08:25 - 2017-02-23 08:30 - 42895360 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-02-06 20:07 - 2017-02-06 20:09 - 02215424 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\roottools.dll
2017-01-11 10:03 - 2016-12-20 22:54 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-01-11 10:03 - 2016-12-20 22:48 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-01-11 10:03 - 2016-12-20 22:48 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-01-11 10:03 - 2016-12-20 22:48 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-01-11 10:03 - 2016-12-20 22:53 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-01-06 08:05 - 2014-12-12 17:24 - 00044760 _____ () C:\Windows\runSW.exe
2017-03-07 08:16 - 2017-03-07 08:17 - 01710080 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8004.42017.0_x64__8wekyb3d8bbwe\HxMail.exe
2017-03-07 08:16 - 2017-03-07 08:17 - 13327552 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8004.42017.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Core.dll
2017-01-11 10:03 - 2016-12-20 22:49 - 04046848 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Signals.dll
2016-07-16 03:42 - 2016-07-16 03:42 - 01872384 _____ () C:\Windows\System32\speech_onecore\engines\tts\MSTTSEngine_OneCore.dll
2016-09-21 23:32 - 2016-09-21 23:32 - 00224768 _____ () C:\Program Files (x86)\dataup\help_dll.dll
2017-01-14 19:40 - 2017-01-14 19:40 - 53460992 _____ () C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-12-14 01:15 - 2016-12-09 02:29 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows:{4B9A1497-0817-47C4-9612-D6A1C53ACF57} [26]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\webcompanion.com -> hxxp://webcompanion.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-03-20 13:09 - 2016-03-20 13:07 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\tierz\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppBackground\{dba97027-699b-49ae-8106-64ba02ca9cd1}.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run: => "Connectify Hotspot"
HKLM\...\StartupApproved\Run: => "Malwarebytes TrayApp"
HKLM\...\StartupApproved\Run32: => "EaseUS Cleanup"
HKLM\...\StartupApproved\Run32: => "EaseUS EPM tray"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\StartupApproved\Run: => "uTorrent"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\StartupApproved\Run: => "CyberGhost"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [UDP Query User{CBB5E5D2-6D99-440D-A98F-849E3D9C18F0}C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe] => (Block) C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe
FirewallRules: [TCP Query User{B252B64E-9E7B-40F6-A268-93F884C88961}C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe] => (Block) C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe
FirewallRules: [{F5774882-3DD2-4643-8677-7444D4DAA21A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{AB6112F6-CB03-4D58-84BC-5A9B5596A39A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [UDP Query User{89422455-6A2E-48E4-8954-A0CD0EC53281}C:\program files (x86)\thinkfree office\qlaunch.exe] => (Allow) C:\program files (x86)\thinkfree office\qlaunch.exe
FirewallRules: [TCP Query User{9D06FF24-CFEE-4229-86B1-EB5911FD58B2}C:\program files (x86)\thinkfree office\qlaunch.exe] => (Allow) C:\program files (x86)\thinkfree office\qlaunch.exe
FirewallRules: [UDP Query User{C14A765F-7EF2-42AE-9FB5-EFCDB274D58F}C:\program files (x86)\thinkfree office\tfwrite.exe] => (Allow) C:\program files (x86)\thinkfree office\tfwrite.exe
FirewallRules: [TCP Query User{B473FE3F-9B80-45C8-AFDD-8A39ADD124A8}C:\program files (x86)\thinkfree office\tfwrite.exe] => (Allow) C:\program files (x86)\thinkfree office\tfwrite.exe
FirewallRules: [UDP Query User{14805108-CD5C-4667-933D-BBF737ABF847}C:\program files (x86)\thinkfree office\tfsetup.exe] => (Allow) C:\program files (x86)\thinkfree office\tfsetup.exe
FirewallRules: [TCP Query User{5107D841-AD13-40C1-8CA3-461723F61664}C:\program files (x86)\thinkfree office\tfsetup.exe] => (Allow) C:\program files (x86)\thinkfree office\tfsetup.exe
FirewallRules: [{A56F7A07-0CC1-4094-97B4-C4CE9C5FF79B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{5999E7ED-7B68-48B5-8AC1-5264AA9F5C45}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7CB05421-F579-4B7B-977A-B08791A42DAE}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{CBCBD2D4-2178-47C9-9A87-E22B597D65FA}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{A405F53D-67BC-4C0A-B400-EF4B478D50DF}C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe] => (Block) C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe
FirewallRules: [UDP Query User{2F00FC6A-E788-4ED2-91EC-05A6292BBFA9}C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe] => (Block) C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe
FirewallRules: [TCP Query User{8C596C27-642C-4E29-8E61-745C844B6946}C:\program files\goliath\goliath.exe] => (Block) C:\program files\goliath\goliath.exe
FirewallRules: [UDP Query User{7ABD536B-C08F-4EEB-BB65-7BDFB0D53F0C}C:\program files\goliath\goliath.exe] => (Block) C:\program files\goliath\goliath.exe
FirewallRules: [TCP Query User{96184894-C2C3-47D1-B2E7-BE28839BC255}D:\games\mighty no 9\binaries\win32\mn9game.exe] => (Block) D:\games\mighty no 9\binaries\win32\mn9game.exe
FirewallRules: [UDP Query User{517C953B-817E-40BD-A204-7B60BD1EF028}D:\games\mighty no 9\binaries\win32\mn9game.exe] => (Block) D:\games\mighty no 9\binaries\win32\mn9game.exe
FirewallRules: [TCP Query User{06220A84-2967-4C68-8108-4CC7F3882098}D:\games\grow up\growup.exe] => (Block) D:\games\grow up\growup.exe
FirewallRules: [UDP Query User{C7A7F37B-C2BB-4A1F-B27B-B95DEC32395C}D:\games\grow up\growup.exe] => (Block) D:\games\grow up\growup.exe
FirewallRules: [TCP Query User{F4EAB63F-BC23-420A-A79E-9F8C32A76835}C:\program files (x86)\valve\portal 2\portal2.exe] => (Block) C:\program files (x86)\valve\portal 2\portal2.exe
FirewallRules: [UDP Query User{1547E465-932F-49F7-80CE-E64A5164A5A9}C:\program files (x86)\valve\portal 2\portal2.exe] => (Block) C:\program files (x86)\valve\portal 2\portal2.exe
FirewallRules: [{79616F06-AAA6-4AD7-A2F3-F5E9AAFBA055}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{DD87A19E-CFDA-4008-AD8C-97E4C897FC4C}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{4EE087B8-A30F-4384-A2F3-DB7FB880B3FC}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [TCP Query User{19B74DFA-E045-4054-8809-97099B2C1582}C:\users\tierz\downloads\mongoose-free-6.5.exe] => (Allow) C:\users\tierz\downloads\mongoose-free-6.5.exe
FirewallRules: [UDP Query User{E82AEA32-EA87-448C-B12C-DF94771829F9}C:\users\tierz\downloads\mongoose-free-6.5.exe] => (Allow) C:\users\tierz\downloads\mongoose-free-6.5.exe
FirewallRules: [TCP Query User{8FC2E15C-6CFC-4047-BC4F-30B0422D05C9}C:\program files (x86)\connectify\connectify.exe] => (Allow) C:\program files (x86)\connectify\connectify.exe
FirewallRules: [UDP Query User{3514FABB-334E-4330-841A-113F5E0A90B0}C:\program files (x86)\connectify\connectify.exe] => (Allow) C:\program files (x86)\connectify\connectify.exe
FirewallRules: [TCP Query User{3C3F6149-B54F-4651-B6C4-CD73FFEC1490}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [UDP Query User{970C8CA3-315A-4695-8941-A9E929AC9394}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{6C464832-2FEB-41F5-8E27-4A20D764E8B1}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{7437E6FA-DBD7-4138-AAA6-1B41BDE6D9AF}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [TCP Query User{1AD628BF-2C40-4414-8793-51B22B76AC6C}C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe] => (Allow) C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe
FirewallRules: [UDP Query User{F06350C3-9F1C-40F0-AB3B-6DB7FF42CB7D}C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe] => (Allow) C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe
FirewallRules: [TCP Query User{7C527664-658E-49B3-86E8-960E3F4EB64A}C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe
FirewallRules: [UDP Query User{87E1C9DA-ACDA-44DB-9DDA-E9B81441C69E}C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe
FirewallRules: [TCP Query User{524FE545-122B-42AC-BC98-A64BB1CDBE2E}C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe
FirewallRules: [UDP Query User{0A941E54-8B73-4646-AF76-6F7850A2E9AD}C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe
FirewallRules: [TCP Query User{DC32950A-B171-43E4-A10A-E49817A5D134}C:\program files\tixati\tixati.exe] => (Block) C:\program files\tixati\tixati.exe
FirewallRules: [UDP Query User{730C7739-8362-42EA-85E7-E2824F17E151}C:\program files\tixati\tixati.exe] => (Block) C:\program files\tixati\tixati.exe
FirewallRules: [{0C0E5CB0-9AF5-4D38-9621-9FF85F5DEC55}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{3910804A-2D8D-4782-B927-6AA417A6CAC1}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{24D74F42-4B14-44F3-B3DD-FB7D20656BFE}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{09D60F12-1181-47B0-93C5-9A4169263DE4}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2EEDBC2C-7C20-41C1-B457-6B0884B90A2F}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{EA1EE220-B84D-4BBB-A107-3F318419025F}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{AA214267-B4FC-4B56-BE49-69E9D2CDC781}] => (Allow) C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe
FirewallRules: [{4394288F-6167-4ED5-A923-6E68114446A1}] => (Allow) C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe
FirewallRules: [{ED117569-626E-402D-BEEE-0E02D659B1E6}] => (Allow) C:\Program Files (x86)\VPN Unlimited\openvpn.exe
FirewallRules: [{4C0E3C7C-B4F1-4CB3-80C9-7750AE27BFC8}] => (Allow) C:\Program Files (x86)\VPN Unlimited\openvpn.exe
FirewallRules: [{3A30F472-E3BB-46F4-BCF2-F1A0FD3BDC16}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{845460F4-1A11-4392-9D73-1850F751645A}C:\program files (x86)\thinkfree office\uninstall.exe] => (Allow) C:\program files (x86)\thinkfree office\uninstall.exe
FirewallRules: [UDP Query User{A0475C34-405F-4901-AB55-8C1197745555}C:\program files (x86)\thinkfree office\uninstall.exe] => (Allow) C:\program files (x86)\thinkfree office\uninstall.exe
FirewallRules: [{3A23CCC1-54B9-4013-9AA4-90C1B903E222}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{68A3B2C6-12BE-4093-8034-B456F9D0DDB3}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{DDDABF0F-EF7B-49FA-9812-B61EC1487D91}] => (Allow) C:\PROGRA~2\REALTEK\USBWIR~1\RtWlan.exe
FirewallRules: [{4129DE7A-0E6A-4D02-BA2B-961F44D3E2D8}] => (Allow) LPort=1542
FirewallRules: [{A76620C3-73A4-43BF-BD7F-47F822D3F142}] => (Allow) LPort=1542
FirewallRules: [{FDCE2294-7A51-4637-8A37-5120A810C419}] => (Allow) LPort=53
FirewallRules: [{5D82170B-311C-44C5-A7CD-34A9B17A45D9}] => (Allow) C:\PROGRA~2\REALTEK\USBWIR~1\Rtldhcp.exe
FirewallRules: [{41EFC38E-14D1-4110-AB97-8B0368F23F3B}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{67A58B73-B545-4D3B-AFAC-F4BC3A31FC03}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{99849659-09B8-47E6-B95C-BE86FD71A918}] => (Allow) LPort=53
FirewallRules: [{D616D559-20EC-424E-A656-A9F4F7544BFA}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{794A135E-CE7E-43F9-BF35-05AA12A8C3FE}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{8A6DC446-4EAE-4262-B24F-581FC864D57A}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{DC37864E-36B7-4F0C-A457-32628EC827AC}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe

==================== Restore Points =========================

03-02-2017 13:48:36 Scheduled Checkpoint
26-02-2017 18:47:50 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/07/2017 07:37:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x5882001c
Faulting module name: KERNELBASE.dll, version: 10.0.14393.479, time stamp: 0x58256d37
Exception code: 0x80000003
Fault offset: 0x00154882
Faulting process id: 0x5894
Faulting application start time: 0x01d2975867d476e9
Faulting application path: C:\Program Files (x86)\svcvmx\vmxclient.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: db69ec93-ff9e-49de-9eb3-5a8e081fd887
Faulting package full name:
Faulting package-relative application ID:

Error: (03/07/2017 07:15:36 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x5882001c
Faulting module name: KERNELBASE.dll, version: 10.0.14393.479, time stamp: 0x58256d37
Exception code: 0x80000003
Fault offset: 0x00154882
Faulting process id: 0x5c48
Faulting application start time: 0x01d297555a47473d
Faulting application path: C:\Program Files (x86)\svcvmx\vmxclient.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 21391009-8273-4023-80a2-badfa35a8eb5
Faulting package full name:
Faulting package-relative application ID:

Error: (03/07/2017 05:17:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x5882001c
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x00851dbe
Faulting process id: 0x6090
Faulting application start time: 0x01d2974514e5e2b0
Faulting application path: C:\Program Files (x86)\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files (x86)\svcvmx\libcef.dll
Report Id: 21baa9d3-a2ed-48ca-853f-7d256fb5ebc8
Faulting package full name:
Faulting package-relative application ID:

Error: (03/07/2017 12:01:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x5882001c
Faulting module name: pepflashplayer.dll, version: 22.0.0.192, time stamp: 0x575f29cf
Exception code: 0x40000015
Fault offset: 0x00834f52
Faulting process id: 0x4958
Faulting application start time: 0x01d2971802b55921
Faulting application path: C:\Program Files (x86)\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files (x86)\svcvmx\pepflashplayer.dll
Report Id: e661e0b9-7764-4538-8d81-c5ea945adcdf
Faulting package full name:
Faulting package-relative application ID:

Error: (03/06/2017 10:27:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x5882001c
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x00180814
Faulting process id: 0x11e4
Faulting application start time: 0x01d2970bca6507d9
Faulting application path: C:\Program Files (x86)\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files (x86)\svcvmx\libcef.dll
Report Id: d5a526a8-e2f8-4739-b1c1-0760937d1a30
Faulting package full name:
Faulting package-relative application ID:

Error: (03/06/2017 09:03:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x5882001c
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x51c0
Faulting application start time: 0x01d297000d4ce014
Faulting application path: C:\Program Files (x86)\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files (x86)\svcvmx\libcef.dll
Report Id: 83d82918-d781-465e-8698-fd62ea872a97
Faulting package full name:
Faulting package-relative application ID:

Error: (03/06/2017 07:19:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x5882001c
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x00180814
Faulting process id: 0x47c0
Faulting application start time: 0x01d296f18b53850a
Faulting application path: C:\Program Files (x86)\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files (x86)\svcvmx\libcef.dll
Report Id: 396d88a5-11b0-47c4-bbe1-c8bb6ae631bd
Faulting package full name:
Faulting package-relative application ID:

Error: (03/06/2017 03:16:35 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (03/06/2017 01:24:55 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-34VPQP3)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147024865 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/06/2017 01:24:55 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-34VPQP3)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.


System errors:
=============
Error: (03/06/2017 03:52:37 PM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: DESKTOP-34VPQP3)
Description: Encrypted volume check: Volume information on H: cannot be read.

Error: (03/06/2017 03:27:28 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/06/2017 03:12:03 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Realtek DHCP Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/06/2017 03:11:19 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-34VPQP3)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

Error: (03/06/2017 03:11:17 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/06/2017 01:25:14 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/06/2017 01:24:55 PM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-34VPQP3)
Description: Unable to start a DCOM Server: CortanaUI.AppXx19q0gyvntjc9d3jsjsfaertqgy617se.mca as Unavailable/Unavailable. The error:
"31"
Happened while starting this command:
"C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca

Error: (03/06/2017 01:24:55 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-34VPQP3)
Description: The server CortanaUI.AppXx19q0gyvntjc9d3jsjsfaertqgy617se.mca did not register with DCOM within the required timeout.

Error: (03/06/2017 01:24:54 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/06/2017 01:10:03 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


CodeIntegrity:
===================================
  Date: 2016-11-21 20:39:20.581
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-21 20:39:20.573
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-08-21 10:43:57.136
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-08-21 10:43:57.133
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™ i7-5500U CPU @ 2.40GHz
Percentage of memory in use: 51%
Total physical RAM: 8095.08 MB
Available physical RAM: 3951.93 MB
Total Virtual: 10250.71 MB
Available Virtual: 3370.32 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:372.6 GB) (Free:253.31 GB) NTFS
Drive d: (Data) (Fixed) (Total:542.8 GB) (Free:426.25 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 285F93C7)

Partition: GPT.

==================== End of Addition.txt ============================



#4 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 07 March 2017 - 02:08 PM

Hello,

 

 

 

Please download the following file => Attached File  fixlist.txt   29.73KB   11 downloads and save it to the Desktop.

NOTE. It's important that both files, FRST64.exe and fixlist.txt are in the same location or the fix will not work.

Restart the computer in Safe Mode. See here how to do this

Run FRST64.exe and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please restart your computer in Normal Mode and post back the log file in your next reply.

This script was written specifically for you, for use on that particular machine.

Let me know how things are after the fix above.

Regards,

Georgi


Edited by B-boy/StyLe/, 07 March 2017 - 02:09 PM.


#5 tierzastarrw (Topic Starter, Members, 16 posts)

Posted 07 March 2017 - 02:40 PM

Wow. Thank you for the quick response. I don't know how you can read through all that stuff. I tried and got a headache within a minute.

Bad News

So my computer booted up real slow and the programs start up real slow as well. Malwarebytes still will not boot up. I'm now getting an 'unable to connect to service' message. Some of the programs the malware installed are still there.

Good News

The drmkpro64.sys file in the drivers is gone.

Fixlog.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by tierza (07-03-2017 11:21:04) Run:1
Running from C:\Users\tierz\Desktop\FRST
Loaded Profiles: tierza (Available Profiles: tierza & Administrator)
Boot Mode: Safe Mode (minimal)
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
() C:\Program Files (x86)\dataup\dataup.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(ct Corp.) C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKLM\...\RunOnce: [ConnecitfyTemp a] => cmd /Q /C "rmdir /S /Q C:\Users\tierz\AppData\Local\Temp\Connectify\a" <===== ATTENTION
HKU\S-1-5-18\...\Run: [] => [X]
Startup: C:\Users\tierz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe [2016-04-20] (Leader Technologies)
Unlock: HKLM\System\CurrentControlSet\Services\Dataup
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
DeleteKey: HKLM\System\CurrentControlSet\Services\Dataup
Unlock: C:\Program Files (x86)\dataup
C:\Program Files (x86)\dataup
Unlock: HKLM\System\CurrentControlSet\Services\qdcomsvc
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed] <==== ATTENTION
DeleteKey: HKLM\System\CurrentControlSet\Services\qdcomsvc
Unlock: C:\Program Files (x86)\qdcomsvc
C:\Program Files (x86)\qdcomsvc
Unlock: HKLM\System\CurrentControlSet\Services\windowsmanagementservice
R2 windowsmanagementservice; C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
DeleteKey: HKLM\System\CurrentControlSet\Services\windowsmanagementservice
Unlock: C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe
C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe
Unlock: HKLM\System\CurrentControlSet\Services\drmkpro64
R1 drmkpro64; C:\Windows\System32\Drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed] <==== ATTENTION
DeleteKey: HKLM\System\CurrentControlSet\Services\drmkpro64
Unlock: C:\Windows\System32\Drivers\drmkpro64.sys
C:\Windows\System32\Drivers\drmkpro64.sys
File: C:\Users\tierz\AppData\Local\VideoAB\videoab.exe
File: C:\WINDOWS\system32\DRIVERS\fusion.sys
File: C:\WINDOWS\System32\drivers\kbfiltr.sys
File: C:\WINDOWS\System32\drivers\NetAdapterCx.sys
File: C:\WINDOWS\ffmpeg.exe
File:C:\WINDOWS\youtube-dl.exe
File:C:\WINDOWS\SysWOW64\delay.dat
Folder: C:\Program Files (x86)\regtool
Folder: C:\WINDOWS\system32\%LOCALAPPDATA%
Folder: C:\ProgramData\shimgen
2017-03-06 12:02 - 2017-03-06 12:02 - 00000000 ____D C:\Users\tierz\AppData\Roaming\InterStat
2017-03-06 11:59 - 2017-03-06 12:11 - 00000000 ____D C:\Program Files (x86)\472bf109-d48f-442d-a508-8bf30d8257d91488830374
2017-03-06 11:56 - 2017-03-06 12:32 - 00000000 ____D C:\Users\tierz\AppData\Local\llssoft
2017-03-06 11:55 - 2017-03-06 13:12 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-03-06 11:39 - 2017-03-06 12:12 - 00000000 ____D C:\Program Files (x86)\S5
2017-03-06 11:39 - 2017-03-06 11:51 - 00000420 _____ C:\WINDOWS\Tasks\Online Application Updater.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000406 ____H C:\WINDOWS\Tasks\Traffic Exchange Updater.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000374 _____ C:\WINDOWS\Tasks\Online Application v209.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000374 _____ C:\WINDOWS\Tasks\Online Application v209 Guardian.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000374 _____ C:\WINDOWS\Tasks\Online Application v209 Guard.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Online Application v2.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Online Application v2 Guardian.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000364 _____ C:\WINDOWS\Tasks\Online Application v2 Guard.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job
2017-03-06 11:39 - 2017-03-06 11:51 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job
2017-03-06 11:39 - 2017-03-06 11:39 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-03-06 11:39 - 2017-03-06 11:39 - 00003722 _____ C:\WINDOWS\System32\Tasks\Online Application Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003716 _____ C:\WINDOWS\System32\Tasks\Online Application Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003708 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003704 _____ C:\WINDOWS\System32\Tasks\Online Application
2017-03-06 11:39 - 2017-03-06 11:39 - 00003702 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003690 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange
2017-03-06 11:39 - 2017-03-06 11:39 - 00003314 _____ C:\WINDOWS\System32\Tasks\Online Application Updater
2017-03-06 11:39 - 2017-03-06 11:39 - 00003294 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Updater
2017-03-06 11:39 - 2017-03-06 11:39 - 00003280 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003274 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003266 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guardian
2017-03-06 11:39 - 2017-03-06 11:39 - 00003262 _____ C:\WINDOWS\System32\Tasks\Online Application v209
2017-03-06 11:39 - 2017-03-06 11:39 - 00003260 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guard
2017-03-06 11:39 - 2017-03-06 11:39 - 00003256 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 3
2017-03-06 11:39 - 2017-03-06 11:39 - 00003256 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 2
2017-03-06 11:39 - 2017-03-06 11:39 - 00003256 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 1
2017-03-06 11:39 - 2017-03-06 11:39 - 00003248 _____ C:\WINDOWS\System32\Tasks\Online Application v2
2017-03-06 11:39 - 2017-03-06 11:39 - 00003242 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 3
2017-03-06 11:39 - 2017-03-06 11:39 - 00003242 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 2
2017-03-06 11:39 - 2017-03-06 11:39 - 00003242 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 1
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\AppData\Roaming\c
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\AppData\Local\AnonymizerLauncher
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\.proxycheck
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\.AnonymizerLauncher
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\ProgramData\1488829152
2017-03-06 11:39 - 2017-03-06 11:39 - 00000000 ____D C:\Program Files (x86)\Microleaves
2017-03-06 11:38 - 2017-03-06 11:39 - 00000000 ____D C:\Users\tierz\AppData\Roaming\Microleaves
2017-03-06 11:38 - 2017-03-06 11:38 - 00000000 ____D C:\Users\tierz\AppData\Roaming\AGData
2017-03-06 11:38 - 2017-03-06 11:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2017-03-06 11:36 - 2017-03-06 11:36 - 02647487 _____ C:\WINDOWS\chromebrowser.exe
2017-03-06 12:12 - 2016-11-10 19:20 - 00000000 ____D C:\Program Files (x86)\AnonymizerGadget
Task: {09E962B1-AF5F-417F-8F37-F32612ADE4CF} - System32\Tasks\Online Application Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {0F3C688F-7745-412F-8CE7-F7819880F3E9} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {1899F8D9-E3B2-4209-8CFA-6D6AEB5CA4CA} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {20B3D284-F99B-4A96-9F92-9A28CF555CFF} - System32\Tasks\{AF1DF452-741D-4F7E-B10C-45EA2FFA1419} => pcalua.exe -a F:\INSTALL.EXE -d F:\
Task: {33A6BE73-6D7C-4FA1-8962-3B3913372DF5} - System32\Tasks\Online Application v209 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {3C058BA8-EFFB-4C40-86D7-2F5021CBDFC7} - System32\Tasks\Online Application v209 => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {41700B27-0A57-4229-962F-BD46CC5D993D} - System32\Tasks\Online Application v2 => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {495AC365-2737-4014-9F34-138111230AD6} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {51F36019-E7D3-44B0-9DD5-AC26C0D53C3A} - System32\Tasks\Traffic Exchange Guardian => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {5BDAC688-EADC-49C6-B477-70A2A1EE1C0C} - System32\Tasks\Online Application v2 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {7DF08D8A-2E47-4161-931E-141099376E33} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {85059419-9E58-4CF8-BE2F-491F7ED7CF8B} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {87A669C5-740A-4636-963D-4F71F131A758} - System32\Tasks\Online Application Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {87FFFF65-8A9F-488C-B492-B85CCC00DCA8} - System32\Tasks\Online Application => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {943A4E5C-999B-4C66-B54D-1C147314F82E} - System32\Tasks\{E60853D3-EFC8-475C-969F-61EF8A9A749A} => pcalua.exe -a I:\Play.EXE -d I:\
Task: {A0B624D1-AF36-4900-BDAB-D86FA723BAA6} - System32\Tasks\Traffic Exchange Guard => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {AB796FCB-813F-4D0E-9A02-A0FA4F3E4B40} - System32\Tasks\Traffic Exchange Updater => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe [2017-02-15] (Microleaves) <==== ATTENTION
Task: {CF141C90-FA3A-4AFD-A36E-241822346D17} - System32\Tasks\Traffic Exchange => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION
Task: {D5967059-CB0B-455D-B6EC-53EF74CAA622} - System32\Tasks\Online Application v209 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION
Task: {DD3A8EB2-40D5-4D24-B146-6DF5A53F03BC} - System32\Tasks\Online Application v2 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: {DF550CB7-964D-4E62-825B-C7B29E66B3FC} - System32\Tasks\Norton Product InstallerIdle => C:\Users\tierz\AppData\Local\Temp\7zSDA55.tmp\SymInstallStub.exe  <==== ATTENTION
Task: {E13CE0C5-4783-40C5-B8EC-694464DD861D} - System32\Tasks\Online Application Updater => C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.exe [2017-02-15] (Microleaves) <==== ATTENTION
Task: {ED873EC3-5868-4CB5-B4C5-5C85EF3748E1} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
Task: C:\WINDOWS\Tasks\Norton Product InstallerIdle.job =>
Task: C:\WINDOWS\Tasks\Online Application Updater.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v2 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v2 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v2.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange Updater.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
AlternateDataStreams: C:\Windows:{4B9A1497-0817-47C4-9612-D6A1C53ACF57} [26]
EmptyTemp:
end
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
C:\Program Files (x86)\dataup\dataup.exe => No running process found
C:\Program Files (x86)\svcvmx\svcvmx.exe => No running process found
C:\Program Files (x86)\svcvmx\vmxclient.exe => No running process found
C:\Program Files (x86)\svcvmx\vmxclient.exe => No running process found
C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe => No running process found
C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe => No running process found
C:\Windows\SysWOW64\splsrv.exe => No running process found
C:\Program Files (x86)\svcvmx\vmxclient.exe => No running process found
C:\Program Files (x86)\svcvmx\vmxclient.exe => No running process found
C:\Program Files (x86)\svcvmx\vmxclient.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ConnecitfyTemp a => value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Users\tierz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe => moved successfully
"HKLM\System\CurrentControlSet\Services\Dataup" => key was unlocked
HKLM\System\CurrentControlSet\Services\Dataup => key removed successfully
Dataup => service removed successfully
HKLM\System\CurrentControlSet\Services\Dataup => key not found.
"C:\Program Files (x86)\dataup" => was unlocked
C:\Program Files (x86)\dataup => moved successfully
"HKLM\System\CurrentControlSet\Services\qdcomsvc" => key was unlocked
HKLM\System\CurrentControlSet\Services\qdcomsvc => key removed successfully
qdcomsvc => service removed successfully
HKLM\System\CurrentControlSet\Services\qdcomsvc => key not found.
"C:\Program Files (x86)\qdcomsvc" => was unlocked
C:\Program Files (x86)\qdcomsvc => moved successfully
"HKLM\System\CurrentControlSet\Services\windowsmanagementservice" => key was unlocked
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key removed successfully
windowsmanagementservice => service removed successfully
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key not found.
"C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe" => was unlocked
C:\Users\tierz\AppData\Local\Temp\20170306\ct.exe => moved successfully
"HKLM\System\CurrentControlSet\Services\drmkpro64" => key was unlocked
HKLM\System\CurrentControlSet\Services\drmkpro64 => key removed successfully
drmkpro64 => service removed successfully
HKLM\System\CurrentControlSet\Services\drmkpro64 => key not found.
"C:\Windows\System32\Drivers\drmkpro64.sys" => was unlocked
C:\Windows\System32\Drivers\drmkpro64.sys => moved successfully

========================= File: C:\Users\tierz\AppData\Local\VideoAB\videoab.exe ========================

File is digitally signed
MD5: D7BC41E1618FD57D2CAA074D4A481AB0
Creation and modification date: 2017-03-06 12:03 - 2017-02-20 19:38
Size: 3062288
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======


========================= File: C:\WINDOWS\system32\DRIVERS\fusion.sys ========================

File is digitally signed
MD5: F1ECC45F389796648239627E4C4E58F0
Creation and modification date: 2015-03-31 14:14 - 2015-03-31 14:14
Size: 0019840
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======


========================= File: C:\WINDOWS\System32\drivers\kbfiltr.sys ========================

File is digitally signed
MD5: 6C6F4A5FC5A2343995D1B0F111D5CF06
Creation and modification date: 2015-01-18 23:44 - 2012-08-05 19:17
Size: 0017280
Attributes: ----A
Company Name:  
Internal Name: KBFiltr
Original Name: KBFiltr
Product: Keyboard Filter Driver
Description: Keyboard Filter Driver
File Version: 1.0.0.1 built by: WinDDK
Product Version: 1.0.0.1
Copyright:  

====== End of File: ======


========================= File: C:\WINDOWS\System32\drivers\NetAdapterCx.sys ========================

File is digitally signed
MD5: 6C76780A01FC2B885BD6E957B5C36B02
Creation and modification date: 2016-07-16 03:42 - 2016-07-16 03:42
Size: 0090624
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======


========================= File: C:\WINDOWS\ffmpeg.exe ========================

File not signed
MD5:
Creation and modification date: 2017-03-06 12:03 - 2017-02-20 19:38
Size: 41569792
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======


========================= File:C:\WINDOWS\youtube-dl.exe ========================

File not signed
MD5: C39840B6D9453E1EE62D47AF22A319B7
Creation and modification date: 2017-03-06 12:03 - 2017-02-20 19:38
Size: 7438809
Attributes: ----A
Company Name:
Internal Name:
Original Name: youtube-dl.exe
Product: youtube-dl
Description: YouTube video downloader
File Version: 2016.07.17
Product Version: 2016.07.17
Copyright:

====== End of File: ======


========================= File:C:\WINDOWS\SysWOW64\delay.dat ========================

File not signed
MD5: CEE631121C2EC9232F3A2F028AD5C89B
Creation and modification date: 2017-03-06 12:03 - 2017-02-20 19:38
Size: 0000003
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======


========================= Folder: C:\Program Files (x86)\regtool ========================

2017-01-03 16:15 - 2017-01-03 16:15 - 0055808 _____ () C:\Program Files (x86)\regtool\regtool.exe

====== End of Folder: ======


========================= Folder: C:\WINDOWS\system32\%LOCALAPPDATA% ========================

2017-03-06 12:23 - 2017-03-06 12:23 - 0000000 ____D () C:\WINDOWS\system32\%LOCALAPPDATA%\CrashDumps
2017-03-06 12:23 - 2017-03-06 12:23 - 1758593 _____ () C:\WINDOWS\system32\%LOCALAPPDATA%\CrashDumps\LogonUI.exe.976.dmp

====== End of Folder: ======


========================= Folder: C:\ProgramData\shimgen ========================

2017-03-06 12:07 - 2017-03-06 12:08 - 0000000 ____D () C:\ProgramData\shimgen\generatedfiles

====== End of Folder: ======

C:\Users\tierz\AppData\Roaming\InterStat => moved successfully
C:\Program Files (x86)\472bf109-d48f-442d-a508-8bf30d8257d91488830374 => moved successfully
C:\Users\tierz\AppData\Local\llssoft => moved successfully
C:\Program Files (x86)\svcvmx => moved successfully
C:\Program Files (x86)\S5 => moved successfully
C:\WINDOWS\Tasks\Online Application Updater.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange Updater.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209 Guardian.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209 Guard.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job => moved successfully
C:\WINDOWS\Tasks\Online Application v2.job => moved successfully
C:\WINDOWS\Tasks\Online Application v2 Guardian.job => moved successfully
C:\WINDOWS\Tasks\Online Application v2 Guard.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job => moved successfully
C:\WINDOWS\SysWOW64\splsrv.exe => moved successfully
C:\WINDOWS\System32\Tasks\Online Application Guardian => moved successfully
C:\WINDOWS\System32\Tasks\Online Application Guard => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange Guardian => moved successfully
C:\WINDOWS\System32\Tasks\Online Application => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange Guard => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange => moved successfully
C:\WINDOWS\System32\Tasks\Online Application Updater => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange Updater => moved successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guardian => moved successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guard => moved successfully
C:\WINDOWS\System32\Tasks\Online Application v2 Guardian => moved successfully
C:\WINDOWS\System32\Tasks\Online Application v209 => moved successfully
C:\WINDOWS\System32\Tasks\Online Application v2 Guard => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 3 => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 2 => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 1 => moved successfully
C:\WINDOWS\System32\Tasks\Online Application v2 => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 3 => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 2 => moved successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 1 => moved successfully
C:\Users\tierz\AppData\Roaming\c => moved successfully
C:\Users\tierz\AppData\Local\AnonymizerLauncher => moved successfully
C:\Users\tierz\.proxycheck => moved successfully
C:\Users\tierz\.AnonymizerLauncher => moved successfully
C:\Users\Default\AppData\Local\AdvinstAnalytics => moved successfully
"C:\Users\Default User\AppData\Local\AdvinstAnalytics" => not found.
C:\ProgramData\1488829152 => moved successfully
C:\Program Files (x86)\Microleaves => moved successfully
C:\Users\tierz\AppData\Roaming\Microleaves => moved successfully
C:\Users\tierz\AppData\Roaming\AGData => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget => moved successfully
C:\WINDOWS\chromebrowser.exe => moved successfully
C:\Program Files (x86)\AnonymizerGadget => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{09E962B1-AF5F-417F-8F37-F32612ADE4CF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09E962B1-AF5F-417F-8F37-F32612ADE4CF} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application Guardian => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0F3C688F-7745-412F-8CE7-F7819880F3E9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F3C688F-7745-412F-8CE7-F7819880F3E9} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 3 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 3 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1899F8D9-E3B2-4209-8CFA-6D6AEB5CA4CA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1899F8D9-E3B2-4209-8CFA-6D6AEB5CA4CA} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 3 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 3 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{20B3D284-F99B-4A96-9F92-9A28CF555CFF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20B3D284-F99B-4A96-9F92-9A28CF555CFF} => key removed successfully
C:\WINDOWS\System32\Tasks\{AF1DF452-741D-4F7E-B10C-45EA2FFA1419} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{AF1DF452-741D-4F7E-B10C-45EA2FFA1419} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{33A6BE73-6D7C-4FA1-8962-3B3913372DF5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33A6BE73-6D7C-4FA1-8962-3B3913372DF5} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guardian => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3C058BA8-EFFB-4C40-86D7-2F5021CBDFC7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C058BA8-EFFB-4C40-86D7-2F5021CBDFC7} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{41700B27-0A57-4229-962F-BD46CC5D993D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{41700B27-0A57-4229-962F-BD46CC5D993D} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v2 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{495AC365-2737-4014-9F34-138111230AD6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{495AC365-2737-4014-9F34-138111230AD6} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 2 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{51F36019-E7D3-44B0-9DD5-AC26C0D53C3A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{51F36019-E7D3-44B0-9DD5-AC26C0D53C3A} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange Guardian => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5BDAC688-EADC-49C6-B477-70A2A1EE1C0C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5BDAC688-EADC-49C6-B477-70A2A1EE1C0C} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v2 Guard => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v2 Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7DF08D8A-2E47-4161-931E-141099376E33} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7DF08D8A-2E47-4161-931E-141099376E33} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 2 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{85059419-9E58-4CF8-BE2F-491F7ED7CF8B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{85059419-9E58-4CF8-BE2F-491F7ED7CF8B} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 1 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87A669C5-740A-4636-963D-4F71F131A758} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87A669C5-740A-4636-963D-4F71F131A758} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application Guard => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87FFFF65-8A9F-488C-B492-B85CCC00DCA8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87FFFF65-8A9F-488C-B492-B85CCC00DCA8} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{943A4E5C-999B-4C66-B54D-1C147314F82E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{943A4E5C-999B-4C66-B54D-1C147314F82E} => key removed successfully
C:\WINDOWS\System32\Tasks\{E60853D3-EFC8-475C-969F-61EF8A9A749A} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{E60853D3-EFC8-475C-969F-61EF8A9A749A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A0B624D1-AF36-4900-BDAB-D86FA723BAA6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A0B624D1-AF36-4900-BDAB-D86FA723BAA6} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange Guard => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AB796FCB-813F-4D0E-9A02-A0FA4F3E4B40} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB796FCB-813F-4D0E-9A02-A0FA4F3E4B40} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange Updater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange Updater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CF141C90-FA3A-4AFD-A36E-241822346D17} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CF141C90-FA3A-4AFD-A36E-241822346D17} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D5967059-CB0B-455D-B6EC-53EF74CAA622} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D5967059-CB0B-455D-B6EC-53EF74CAA622} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guard => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD3A8EB2-40D5-4D24-B146-6DF5A53F03BC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD3A8EB2-40D5-4D24-B146-6DF5A53F03BC} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v2 Guardian => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v2 Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF550CB7-964D-4E62-825B-C7B29E66B3FC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF550CB7-964D-4E62-825B-C7B29E66B3FC} => key removed successfully
C:\WINDOWS\System32\Tasks\Norton Product InstallerIdle => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Product InstallerIdle => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E13CE0C5-4783-40C5-B8EC-694464DD861D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E13CE0C5-4783-40C5-B8EC-694464DD861D} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application Updater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Updater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ED873EC3-5868-4CB5-B4C5-5C85EF3748E1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ED873EC3-5868-4CB5-B4C5-5C85EF3748E1} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 1 => key removed successfully
C:\WINDOWS\Tasks\Norton Product InstallerIdle.job => moved successfully
C:\WINDOWS\Tasks\Online Application Updater.job => not found.
C:\WINDOWS\Tasks\Online Application v2 Guard.job => not found.
C:\WINDOWS\Tasks\Online Application v2 Guardian.job => not found.
C:\WINDOWS\Tasks\Online Application v2.job => not found.
C:\WINDOWS\Tasks\Online Application v209 Guard.job => not found.
C:\WINDOWS\Tasks\Online Application v209 Guardian.job => not found.
C:\WINDOWS\Tasks\Online Application v209.job => not found.
C:\WINDOWS\Tasks\Traffic Exchange Updater.job => not found.
C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job => not found.
C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job => not found.
C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job => not found.
C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job => not found.
C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job => not found.
C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job => not found.
C:\Windows => ":{4B9A1497-0817-47C4-9612-D6A1C53ACF57}" ADS removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 267604171 B
Java, Flash, Steam htmlcache => 8902 B
Windows/system/drivers => 8140204 B
Edge => 259010109 B
Chrome => 0 B
Firefox => 398673456 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 14218 B
NetworkService => 728908 B
tierz => 647490561 B
Administrator => 18293 B

RecycleBin => 77874 B
EmptyTemp: => 1.5 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:24:20 ====



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:48 PM

Posted 07 March 2017 - 03:36 PM

Hello,

Please uninstall MBAM this way => https://forums.malwarebytes.com/topic/196955-malwarebytes-mb-clean-tool/

Next do the following:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-consumer-3.0.6.1469.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

How to get logs: (Export log to save as txt)

  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.

(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'

Regards,

Georgi


#7 tierzastarrw

tierzastarrw
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 07 March 2017 - 04:15 PM

Hello,

Thank you for the speedy response again.

Bad news:

Startup and programs are still slow, but not as slow. Video abductor, one of the programs the malware installed, is still on my computer.

Good news:

Malwarebytes quarantined a bunch of stuff.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/7/17
Scan Time: 1:02 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1450
License: Free

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-34VPQP3\tierza

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 445805
Time Elapsed: 4 min, 4 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 11
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROLEAVES\Online Application Installer, Quarantined, [695], [333868],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROLEAVES\Online.io Application, Quarantined, [695], [317312],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROLEAVES\Traffic Exchange, Quarantined, [695], [333881],1.0.1450
PUP.Optional.InterStat, HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\SOFTWARE\InterStat, Quarantined, [1702], [260518],1.0.1450
PUP.Optional.ConvertAd, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NUIns, Quarantined, [78], [246227],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}, Quarantined, [695], [335317],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0847AE0-465A-4D7B-A555-AABB43B550F0}, Quarantined, [695], [321304],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\MICROLEAVES\Online.io Application, Quarantined, [695], [317312],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\MICROLEAVES\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}, Quarantined, [695], [339688],1.0.1450
Trojan.Clicker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup, Quarantined, [43], [377136],1.0.1450
PUP.Optional.InterStat, HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\APPLICATIONS\interstat.exe, Quarantined, [1702], [261503],1.0.1450

Registry Value: 5
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, Quarantined, [18091], [251589],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}|CONTACT, Quarantined, [695], [333851],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}|URLINFOABOUT, Quarantined, [695], [335317],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0847AE0-465A-4D7B-A555-AABB43B550F0}|CONTACT, Quarantined, [695], [333851],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0847AE0-465A-4D7B-A555-AABB43B550F0}|URLINFOABOUT, Quarantined, [695], [321304],1.0.1450

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
PUP.Optional.InterStat, C:\Users\tierz\AppData\Local\CrashRpt\UnsentCrashReports\Interstatnogui_387\Logs, Quarantined, [1702], [373566],1.0.1450
PUP.Optional.InterStat, C:\USERS\TIERZ\APPDATA\LOCAL\CRASHRPT\UNSENTCRASHREPORTS\Interstatnogui_387, Quarantined, [1702], [373566],1.0.1450
PUP.Optional.SwytShop, C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\jetpack\323D625D490FE8DD@ext.u\simple-storage, Quarantined, [3460], [375413],1.0.1450
PUP.Optional.SwytShop, C:\USERS\TIERZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\YMORTAVT.DEFAULT\JETPACK\323D625D490FE8DD@ext.u, Quarantined, [3460], [375413],1.0.1450

File: 1
PUP.Optional.SwytShop, C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\jetpack\323D625D490FE8DD@ext.u\simple-storage\store.json, Quarantined, [3460], [375413],1.0.1450

Physical Sector: 0
(No malicious items detected)


(end)
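
The Malwarebytes export above has a fixed text layout (section banners wrapped in dashes, a `Category: N` header for each object type under `-Scan Details-`, then one comma-separated line per object), so a helper reviewing many of these logs can triage them by script instead of reading line by line. The following is an added example written for this page, not code from the thread or from Malwarebytes; it assumes the MBAM 3 layout exactly as pasted and uses an abridged copy of the log above as constructed sample input. Function and field names are the example's own.

```python
"""Parse a Malwarebytes 3 exported scan log (the layout pasted above) and summarise it."""
import re
from collections import Counter

# Constructed sample: an abridged copy of the log posted in this thread, same layout.
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/7/17
Scan Time: 1:02 PM
Logfile:
Administrator: Yes

-Scan Options-
Rootkits: Disabled

-Scan Details-
Registry Key: 4
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROLEAVES\Online Application Installer, Quarantined, [695], [333868],1.0.1450
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROLEAVES\Traffic Exchange, Quarantined, [695], [333881],1.0.1450
PUP.Optional.InterStat, HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\SOFTWARE\InterStat, Quarantined, [1702], [260518],1.0.1450
Trojan.Clicker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup, Quarantined, [43], [377136],1.0.1450

Registry Value: 1
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, Quarantined, [18091], [251589],1.0.1450

File: 1
PUP.Optional.SwytShop, C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\jetpack\323D625D490FE8DD@ext.u\simple-storage\store.json, Quarantined, [3460], [375413],1.0.1450

Physical Sector: 0
(No malicious items detected)

(end)
"""

# One detection: "<threat>, <object>, <action>, [<rule id>], [<hit id>],<update package version>"
DETECTION_RE = re.compile(
    r"^(?P<threat>[^,]+), (?P<object>.+?), (?P<action>[^,]+), "
    r"\[(?P<rule>\d+)\], \[(?P<hit>\d+)\],(?P<version>[\d.]+)$"
)
# Category header inside -Scan Details-, e.g. "Registry Key: 11"
CATEGORY_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")


def parse_mbam_log(text):
    """Return header metadata, the per-category counts MBAM declares, and every detection line."""
    metadata, declared, detections = {}, {}, []
    in_details, category = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        if line.startswith("-") and line.endswith("-"):
            in_details = line == "-Scan Details-"  # section banner such as -Scan Options-
            continue
        if not in_details:
            if ":" in line:  # "Key: Value" header field ("Logfile:" has an empty value)
                key, _, value = line.partition(":")
                metadata[key.strip()] = value.strip()
            continue
        header = CATEGORY_RE.match(line)
        if header:
            category = header["category"]
            declared[category] = int(header["count"])
            continue
        hit = DETECTION_RE.match(line)
        if hit and category:
            detections.append({"category": category, **hit.groupdict()})
    return {"metadata": metadata, "declared": declared, "detections": detections}


def family_counts(parsed):
    """How many objects each threat name accounts for, e.g. PUP.Optional.OnlineIO -> 2."""
    return Counter(d["threat"] for d in parsed["detections"])


def verify_counts(parsed):
    """Categories whose declared count differs from the lines present: {category: (declared, found)}."""
    found = Counter(d["category"] for d in parsed["detections"])
    return {cat: (n, found[cat]) for cat, n in parsed["declared"].items() if n != found[cat]}


def rootkit_scan_enabled(parsed):
    """True only when -Scan Options- reports 'Rootkits: Enabled' (a default Threat Scan does not)."""
    return parsed["metadata"].get("Rootkits") == "Enabled"


def hive_split(parsed):
    """Registry hits per hive: HKLM is machine-wide persistence, HKU is one user's profile."""
    return Counter(d["object"].split("\\", 1)[0]
                   for d in parsed["detections"] if d["category"].startswith("Registry"))
```

`verify_counts` flags a pasted log whose `Registry Key: N` header promises more lines than are present, which usually means the copy was cut short; `rootkit_scan_enabled` makes explicit that a log with `Rootkits: Disabled` says nothing about a suspected rootkit driver, which is why a follow-up scan with that option turned on is the natural next step; `hive_split` separates machine-wide HKLM persistence from entries confined to one user's HKU hive.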



#8 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 07 March 2017 - 04:48 PM

Hi,

STEP 1

Nice work. Please rerun Malwarebytes, click on Scan and this time select Custom. Click on the Configure Scan button and place a checkmark beside "Scan for rootkits". Select only drive C:\ to be scanned and click on the Scan Now button.

Allow MBAM to quarantine what it found and post back the results in your next reply.

STEP 2

Also please run a new scan with FRST and post back the results.

Regards,

Georgi




#9 tierzastarrw

  • Topic Starter

  • Members
  • 16 posts

Posted 07 March 2017 - 06:13 PM

Here we go.

Malwarebytes

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/7/17
Scan Time: 2:01 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1451
License: Free

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-34VPQP3\tierza

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 453157
Time Elapsed: 17 min, 19 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

FRST.TXT

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-03-2017
Ran by tierza (administrator) on DESKTOP-34VPQP3 (07-03-2017 14:13:08)
Running from C:\Users\tierz\Desktop\FRST
Loaded Profiles: tierza &  (Available Profiles: tierza & Administrator)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
() C:\Windows\runSW.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Realtek) C:\Windows\SwUSB.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.6.2.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ActionUriServer.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17012.10301.0_x64__8wekyb3d8bbwe\Video.UI.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.17012.10311.0_x64__8wekyb3d8bbwe\Music.UI.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [EaseUS EPM tray] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.8\bin\EpmNews.exe
HKLM-x32\...\Run: [EaseUS Cleanup] => "C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.8\bin\CleanUpUI.exe" 10 300
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109055\...\RunOnce: [Application Restart #0] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109055\...\RunOnce: [Application Restart #1] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [CyberGhost] => "C:\Program Files\CyberGhost 6\CyberGhost.exe" /autostart /min
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\RunOnce: [Uninstall C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {a85aeb01-5f84-11e6-940a-1c872cb602ac} - "I:\SKLoader.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {f5bf8b8e-04b1-11e6-9402-28c2dd10555a} - "F:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {f5bf8bae-04b1-11e6-9402-28c2dd10555a} - "I:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\MountPoints2: {f5bf8be9-04b1-11e6-9402-28c2dd10555a} - "F:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\Run: [CyberGhost] => "C:\Program Files\CyberGhost 6\CyberGhost.exe" /autostart /min
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\RunOnce: [Uninstall C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\MountPoints2: {a85aeb01-5f84-11e6-940a-1c872cb602ac} - "I:\SKLoader.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\MountPoints2: {f5bf8b8e-04b1-11e6-9402-28c2dd10555a} - "F:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\MountPoints2: {f5bf8bae-04b1-11e6-9402-28c2dd10555a} - "I:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\MountPoints2: {f5bf8be9-04b1-11e6-9402-28c2dd10555a} - "F:\setup.exe"
HKU\S-1-5-21-3357796534-2979617118-1178381313-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109991\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2016-07-16] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [Application Restart #1] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4 192.168.1.1
Tcpip\..\Interfaces\{a8ab2b3c-da44-4fde-9db0-147bb06f9b3b}: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{bc4712d6-5f34-49ab-9093-57f2554a090a}: [DhcpNameServer] 8.8.8.8 8.8.4.4 192.168.1.1
Tcpip\..\Interfaces\{d7112b3b-ee78-4ded-a21b-0d95e7302934}: [DhcpNameServer] 10.204.0.1

Internet Explorer:
==================
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-01-29] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-01-29] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2017-01-29] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-09-19] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-01-29] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-09-19] (Oracle Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: ymortavt.default
FF ProfilePath: C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default [2017-03-07]
FF NewTab: Mozilla\Firefox\Profiles\ymortavt.default -> hxxps://search.yahoo.com/?fr=vmn&type=vmn__webcompa__1_0__ya__hp_WCYID10300_FYD_161026__ysff
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\ymortavt.default -> Yahoo®
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\ymortavt.default -> Bing
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\ymortavt.default -> Yahoo®
FF Homepage: Mozilla\Firefox\Profiles\ymortavt.default -> about:home
FF Extension: (Ad-Busters) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\ad-busters@outlook.com.xpi [2017-02-12]
FF Extension: (MEGA) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\firefox@mega.co.nz.xpi [2017-03-06]
FF Extension: (Ebates Cash Back) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\{35d6291e-1d4b-f9b4-c52f-77e6410d1326}.xpi [2017-02-28]
FF Extension: (FirefoxAdKiller) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\{b1df372d-8b32-4c7d-b6b4-9c5b78cf6fb1}.xpi [2017-02-12]
FF Extension: (Video DownloadHelper) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2017-02-12]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\features\{bc3a9e78-804c-4621-ae0b-7c28cb1d0c19}\disableSHA1rollout@mozilla.org.xpi [2017-03-06]
FF SearchPlugin: C:\Users\tierz\AppData\Roaming\Mozilla\Firefox\Profiles\ymortavt.default\searchplugins\yahoo-lavasoft.xml [2016-10-26]
FF HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
FF HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-02-15] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-15] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-09-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-09-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-01-29] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-01-29] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin HKU\S-1-5-21-3357796534-2979617118-1178381313-1001: @nsroblox.roblox.com/launcher -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-3357796534-2979617118-1178381313-1001: @nsroblox.roblox.com/launcher64 -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511: @nsroblox.roblox.com/launcher -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511: @nsroblox.roblox.com/launcher64 -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3704520 2017-02-18] (Microsoft Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373728 2016-11-30] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
S3 PACSPTISVR-Sound_Organizer; C:\Program Files (x86)\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [174176 2012-11-08] (Sony Corporation)
R2 RunSwUSB; C:\Windows\runSW.exe [44760 2014-12-12] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S2 RTLDHCPService; C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ATP; C:\WINDOWS\System32\drivers\AsusTP.sys [101368 2015-12-14] (ASUS Corporation)
S3 DFX11_1; C:\WINDOWS\system32\drivers\dfx11_1x64.sys [28008 2015-08-31] (Windows ® Win 7 DDK provider)
S3 DFX12; C:\WINDOWS\system32\drivers\dfx12x64.sys [39048 2015-11-14] (Windows ® Win 7 DDK provider)
R3 dptf_cpu; C:\WINDOWS\System32\drivers\dptf_cpu.sys [38720 2014-09-18] (Intel Corporation)
R3 dptf_pch; C:\WINDOWS\System32\drivers\dptf_pch.sys [38208 2014-09-18] (Intel Corporation)
S3 dtlitescsibus; C:\WINDOWS\System32\drivers\dtlitescsibus.sys [30264 2016-04-19] (Disc Soft Ltd)
S3 dtliteusbbus; C:\WINDOWS\System32\drivers\dtliteusbbus.sys [47672 2016-04-19] (Disc Soft Ltd)
R3 esif_lf; C:\WINDOWS\System32\drivers\esif_lf.sys [216360 2014-09-18] (Intel Corporation)
S3 fusion; C:\WINDOWS\system32\DRIVERS\fusion.sys [19840 2015-03-31] ()
S3 iaLPSS_I2C; C:\WINDOWS\System32\drivers\iaLPSS_I2C.sys [120312 2014-06-10] (Intel Corporation)
R0 IntelHSWPcc; C:\WINDOWS\System32\drivers\IntelPcc.sys [77992 2014-08-03] (Intel Corporation)
R3 kbfiltr; C:\WINDOWS\System32\drivers\kbfiltr.sys [17280 2012-08-05] ( )
R3 kxspb; C:\WINDOWS\System32\drivers\kxspb.sys [40976 2014-10-21] (Kionix, Inc.)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [251848 2017-03-07] (Malwarebytes)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
S3 NdisImPlatformMp; C:\WINDOWS\System32\drivers\NdisImPlatform.sys [126464 2016-07-16] (Microsoft Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R0 PxHlpa64; C:\WINDOWS\System32\Drivers\PxHlpa64.sys [56336 2016-08-23] (Corel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [895256 2015-07-07] (Realtek                                            )
S3 RtlWlanu; C:\WINDOWS\System32\drivers\rtwlanu.sys [5195776 2016-07-16] (Realtek Semiconductor Corporation                           )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [410880 2015-07-01] (Realsil Semiconductor Corporation)
S3 tap0901cn; C:\WINDOWS\System32\drivers\tap0901cn.sys [45576 2015-10-19] (The OpenVPN Project)
S1 VBoxNetAdp; C:\WINDOWS\system32\DRIVERS\VBoxNetAdp6.sys [119712 2016-04-18] (Oracle Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\EX64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-07 13:15 - 2017-03-07 13:15 - 00004236 _____ C:\Users\tierz\Desktop\malwarebytes scan.txt
2017-03-07 13:01 - 2017-03-07 13:07 - 00251848 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-07 13:01 - 2017-03-07 13:01 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-07 13:01 - 2017-03-07 13:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-07 13:01 - 2017-03-07 13:01 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-07 13:01 - 2017-01-20 07:47 - 00077416 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-07 13:00 - 2017-03-07 13:01 - 55566792 _____ (Malwarebytes ) C:\Users\tierz\Downloads\mb3-setup-consumer-3.0.6.1469.exe
2017-03-07 11:11 - 2017-03-07 11:11 - 00030442 _____ C:\Users\tierz\Downloads\fixlist.txt
2017-03-06 15:43 - 2017-03-07 14:13 - 00000000 ____D C:\Users\tierz\Desktop\FRST
2017-03-06 15:25 - 2017-03-06 15:27 - 00000000 ____D C:\Users\tierz\Desktop\Cozmo
2017-03-06 15:04 - 2017-03-06 15:05 - 00046951 _____ C:\Users\tierz\Downloads\Addition.txt
2017-03-06 15:02 - 2017-03-06 15:05 - 00032489 _____ C:\Users\tierz\Downloads\FRST.txt
2017-03-06 14:55 - 2017-03-07 14:13 - 00000000 ____D C:\FRST
2017-03-06 14:53 - 2017-03-06 14:53 - 01765888 _____ (Farbar) C:\Users\tierz\Downloads\FRST.exe
2017-03-06 13:12 - 2017-03-06 13:12 - 00000000 ____D C:\Program Files (x86)\regtool
2017-03-06 13:10 - 2017-03-07 13:08 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-06 13:03 - 2017-03-07 11:25 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-06 12:23 - 2017-03-06 12:23 - 00000000 ____D C:\WINDOWS\system32\%LOCALAPPDATA%
2017-03-06 12:21 - 2017-03-06 12:21 - 00000000 ____D C:\WINDOWS\pss
2017-03-06 12:11 - 2017-03-06 12:11 - 00000037 _____ C:\WINDOWS\wininit.ini
2017-03-06 12:07 - 2017-03-06 12:07 - 00000000 ____D C:\ProgramData\shimgen
2017-03-06 12:06 - 2017-03-06 12:06 - 00000000 ____D C:\Users\tierz\AppData\Roaming\NuGet
2017-03-06 12:06 - 2017-03-06 12:06 - 00000000 ____D C:\Users\tierz\AppData\Local\NuGet
2017-03-06 12:05 - 2017-03-06 12:07 - 00000000 ____D C:\ProgramData\chocolatey
2017-03-06 12:03 - 2017-03-06 12:03 - 00001145 _____ C:\Users\tierz\Desktop\Video Abductor.lnk
2017-03-06 12:03 - 2017-03-06 12:03 - 00000000 ____D C:\Users\tierz\AppData\Local\VideoAB
2017-03-06 12:03 - 2017-02-20 19:38 - 41569792 _____ C:\WINDOWS\ffmpeg.exe
2017-03-06 12:03 - 2017-02-20 19:38 - 07438809 _____ C:\WINDOWS\youtube-dl.exe
2017-03-06 12:03 - 2017-02-20 19:38 - 00000003 _____ C:\WINDOWS\SysWOW64\delay.dat
2017-03-06 11:51 - 2017-03-06 11:53 - 00413252 _____ C:\WINDOWS\Minidump\030617-33375-01.dmp
2017-02-12 14:33 - 2017-02-12 14:35 - 00000000 ____D C:\Users\tierz\dwhelper
2017-02-09 11:37 - 2017-02-09 11:37 - 00022469 _____ C:\Users\tierz\Desktop\Grocery Outlet Resume.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-07 13:38 - 2016-11-21 20:35 - 00000000 ____D C:\Users\tierz\AppData\LocalLow\Mozilla
2017-03-07 13:38 - 2016-08-05 19:12 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-07 13:18 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-07 13:16 - 2016-09-03 20:33 - 00004170 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{CA8D93BD-9BF1-4C16-BDBF-62DF924C98E4}
2017-03-07 13:08 - 2017-01-02 15:31 - 00000000 ____D C:\Users\tierz\AppData\Local\Apps\2.0
2017-03-07 13:07 - 2016-08-05 19:31 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-07 13:07 - 2016-08-05 19:20 - 00000000 ____D C:\Users\tierz
2017-03-07 13:07 - 2016-07-15 22:04 - 01310720 _____ C:\WINDOWS\system32\config\BBI
2017-03-07 13:07 - 2016-02-22 08:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-07 13:01 - 2016-11-22 09:30 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-07 12:29 - 2016-07-16 03:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-03-07 12:28 - 2016-08-24 17:41 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-03-07 11:31 - 2016-11-21 14:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-07 11:23 - 2016-07-03 20:37 - 00000000 ____D C:\Users\tierz\AppData\LocalLow\Temp
2017-03-07 10:40 - 2016-11-26 23:37 - 00000000 ____D C:\Users\tierz\AppData\Local\CrashDumps
2017-03-07 08:18 - 2016-07-16 03:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-06 15:35 - 2016-07-16 03:45 - 00000000 ____D C:\WINDOWS\INF
2017-03-06 15:32 - 2016-08-05 16:38 - 00000000 ____D C:\Windows10Upgrade
2017-03-06 12:31 - 2016-03-20 18:18 - 00000000 ____D C:\ProgramData\ASUS Smart Gesture
2017-03-06 11:59 - 2016-11-10 19:22 - 00000000 _____ C:\TOSTACK
2017-03-06 11:51 - 2016-11-05 10:16 - 820156042 _____ C:\WINDOWS\MEMORY.DMP
2017-03-06 11:51 - 2016-11-05 10:16 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-06 11:37 - 2015-12-18 13:47 - 00000000 ____D C:\Users\tierz\AppData\Roaming\uTorrent
2017-03-06 10:41 - 2016-07-06 19:55 - 00000000 ____D C:\Users\tierz\AppData\Roaming\vlc
2017-03-05 17:07 - 2017-01-02 15:35 - 00000000 ____D C:\Users\tierz\AppData\Roaming\USB_HELPER
2017-03-05 16:24 - 2016-12-24 17:23 - 00000000 ____D C:\Users\tierz\AppData\LocalLow\uTorrent
2017-03-05 12:41 - 2017-01-02 15:31 - 00000000 ____D C:\Users\tierz\AppData\Local\Deployment
2017-02-28 10:23 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-02-27 16:41 - 2016-03-31 21:44 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-02-26 18:55 - 2016-07-16 03:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-26 18:55 - 2016-03-20 15:52 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-26 18:49 - 2016-03-20 15:52 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-20 19:38 - 2011-06-11 00:58 - 00773968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcr100.dll
2017-02-15 12:07 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-02-15 12:07 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-02-12 15:30 - 2016-08-05 19:15 - 00000200 _____ C:\WINDOWS\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
2017-02-06 11:48 - 2016-09-01 22:22 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 11:48 - 2016-09-01 22:22 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2016-11-10 19:22 - 2016-11-10 19:28 - 0000038 _____ () C:\Users\tierz\AppData\Local\a.txt
2016-11-05 15:30 - 2016-11-05 15:30 - 0000600 _____ () C:\Users\tierz\AppData\Local\PUTTY.RND
2016-11-10 19:21 - 2016-11-10 19:22 - 0000003 _____ () C:\Users\tierz\AppData\Local\run1.txt
2016-11-10 18:46 - 2016-11-10 18:46 - 0004096 _____ () C:\ProgramData\czchsjpj.srw
2016-08-05 19:15 - 2016-08-05 19:15 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-11-10 18:46 - 2016-11-10 18:46 - 0000016 _____ () C:\ProgramData\mntemp

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-04 11:54

==================== End of FRST.txt ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by tierza (07-03-2017 14:14:34)
Running from C:\Users\tierz\Desktop\FRST
Windows 10 Home Version 1607 (X64) (2016-08-06 03:40:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3357796534-2979617118-1178381313-500 - Administrator - Disabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-3357796534-2979617118-1178381313-503 - Limited - Disabled)
Guest (S-1-5-21-3357796534-2979617118-1178381313-501 - Limited - Disabled)
tierza (S-1-5-21-3357796534-2979617118-1178381313-1001 - Administrator - Enabled) => C:\Users\tierz

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\uTorrent) (Version: 3.4.9.43295 - BitTorrent Inc.)
µTorrent (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\uTorrent) (Version: 3.4.9.43295 - BitTorrent Inc.)
7-Zip 16.02 (x64) (HKLM\...\7-Zip) (Version: 16.02 - Igor Pavlov)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.221 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{F2871C89-C8A5-42EE-8D45-0F02506385A6}) (Version: 5.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9BC93467-75D1-4AA4-BD58-D9C51D88DFAB}) (Version: 5.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 4.0.12 - ASUS)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
BS.Player FREE (HKLM-x32\...\BSPlayerf) (Version: 2.70.1080 - AB Team, d.o.o.)
Fossil Echo (HKLM-x32\...\1230646427_is1) (Version: 2.0.0.1 - GOG.com)
Free YouTube Downloader 4.1.559 (HKLM-x32\...\{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1) (Version:  - HOW Inc.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4549 - Intel Corporation)
iTunes (HKLM\...\{554C62C7-E6BB-40F1-892B-F0AE02D3C135}) (Version: 12.5.3.17 - Apple Inc.)
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.7766.2060 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 (HKLM\...\{2DFD8316-9EF1-3210-908C-4CB61961C1AC}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{527BBE2F-1FED-3D8B-91CB-4DB0F838E69E}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{CA8A885F-E95B-3FC6-BB91-F4D9377C7686}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 (HKLM-x32\...\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Mozilla Firefox 52.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0 (x86 en-US)) (Version: 52.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.0.6270 - Mozilla)
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.7766.2047 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (Version: 16.0.7766.2047 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.7766.2047 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.7668.2066 - Microsoft Corporation) Hidden
Ori and The Blind Forest - Definitive Edition (HKLM-x32\...\1384944984_is1) (Version: 2.0.0.2 - GOG.com)
Parvaneh: Legacy of the Light's Guardians (HKLM\...\cGFydmFuZWhsZWdhY3lvZnRoZWxpZ2h0c2d1YXJkaWFucw_is1) (Version: 1 - )
Python 3.5.2 (64-bit) (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\{d46281ac-f66b-4246-8cfe-34f61512982f}) (Version: 3.5.2150.0 - Python Software Foundation)
Python 3.5.2 (64-bit) (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\{d46281ac-f66b-4246-8cfe-34f61512982f}) (Version: 3.5.2150.0 - Python Software Foundation)
Python 3.5.2 Add to Path (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Core Interpreter (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Development Libraries (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Documentation (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Executables (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 pip Bootstrap (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Standard Library (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Tcl/Tk Support (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Test Suite (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Utility Scripts (64-bit) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{A674B2CB-13CA-437B-A215-9DD257959A49}) (Version: 3.6.5835.0 - Python Software Foundation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7571 - Realtek Semiconductor Corp.)
ROBLOX Player for tierza (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
ROBLOX Player for tierza (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
Sound Organizer (HKLM-x32\...\{53F7486D-41B5-4117-8914-A85B0DBDDC07}) (Version: 1.4.0.11260 - Sony Corporation)
SPORE™ Collection (HKLM-x32\...\1948823323_is1) (Version: 2.0.0.5 - GOG.com)
Tales of Zestiria (HKLM-x32\...\{104D902A-F2BA-44F2-AF39-25A8B366BFEA}_is1) (Version:  - Bandai Namco)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WiiU_USB_Helper (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\2bfcfdc8f5500a14) (Version: 0.6.1.183 - WiiU_USB_Helper)
WiiU_USB_Helper (HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\2bfcfdc8f5500a14) (Version: 0.6.1.183 - WiiU_USB_Helper)
Windows 10 Upgrade Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.17346 - Microsoft Corporation)
Windows Driver Package - ASUS (ATP) Mouse  (11/11/2015 1.0.0.262) (HKLM\...\A044C5901003C24E6891688653ABA1068D04A1A0) (Version: 11/11/2015 1.0.0.262 - ASUS)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511_Classes\CLSID\{DEE03C2B-0C0C-41A9-9877-FD4B4D7B6EA3}\InprocServer32 -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\RobloxProxy64.dll (ROBLOX Corporation)
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\tierz\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001_Classes\CLSID\{DEE03C2B-0C0C-41A9-9877-FD4B4D7B6EA3}\InprocServer32 -> C:\Users\tierz\AppData\Local\Roblox\Versions\version-c2285b6f3d724119\RobloxProxy64.dll (ROBLOX Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {06E46190-87E7-4E76-9C22-563FB6191608} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-02-18] (Microsoft Corporation)
Task: {1421BBF4-19DC-431C-8297-30266FD3D571} - System32\Tasks\RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2015-07-30] (Realtek Semiconductor)
Task: {1AD3708A-C85F-421D-AD99-DD1820064EEA} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-02-18] (Microsoft Corporation)
Task: {2CA82826-56E2-4B47-812B-39E191CC0C29} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {51418CA2-7A88-46F8-B5ED-927143CB86FC} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {53EA1287-329B-450E-AA38-C85745992038} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2015-07-30] (Realtek Semiconductor)
Task: {8594021D-5B6F-491C-BCF1-50628CC57CC2} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {A063695D-0206-4FC6-98AE-CA6BA252A7D1} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {B90A1020-4C68-4F61-9A57-581F3996DA19} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-02-18] (Microsoft Corporation)
Task: {B95BD3D3-A715-44E6-B560-01CFA4FCD66F} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {B964CEF7-3413-4F39-BE47-9E4F69C389BF} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-02-15] (Adobe Systems Incorporated)
Task: {B981E3D8-1214-49AE-952F-D5043ADFED59} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2017-02-18] (Microsoft Corporation)
Task: {D321CD60-B1E6-414C-A85C-0BAF77A093B1} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-02-18] (Microsoft Corporation)
Task: {DAC4A48B-3205-42FA-802D-9E48471B0153} - System32\Tasks\ASUS Smart Gesture Launcher => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [2015-12-14] (AsusTek)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 03:42 - 2016-07-16 03:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-12-14 01:15 - 2016-12-09 02:29 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2017-01-06 08:05 - 2014-12-12 17:24 - 00044760 _____ () C:\Windows\runSW.exe
2016-10-05 17:17 - 2016-10-05 17:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-10-05 17:17 - 2016-10-05 17:17 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-03-07 13:01 - 2017-01-20 07:47 - 02264352 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-12-14 01:15 - 2016-12-09 02:29 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-08-27 18:36 - 2017-01-29 05:55 - 08930504 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2016-05-27 14:50 - 2016-11-30 21:57 - 00401888 _____ () C:\WINDOWS\system32\igfxTray.exe
2016-09-20 14:38 - 2016-09-06 20:56 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-01-11 10:04 - 2016-12-20 23:09 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-01-19 11:46 - 2017-01-19 11:46 - 01969360 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.6.2.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll
2017-02-10 08:17 - 2017-02-10 08:17 - 00381440 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.6.2.0_x64__8wekyb3d8bbwe\Microsoft.Notes.Upgrade.dll
2017-01-11 10:03 - 2016-12-20 22:54 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-01-11 10:03 - 2016-12-20 22:48 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-01-11 10:03 - 2016-12-20 22:48 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-01-11 10:03 - 2016-12-20 22:48 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-01-11 10:03 - 2016-12-20 22:48 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-01-11 10:03 - 2016-12-20 22:53 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\webcompanion.com -> hxxp://webcompanion.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-03-20 13:09 - 2016-03-20 13:07 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109199\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109310\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\tierz\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppBackground\{dba97027-699b-49ae-8106-64ba02ca9cd1}.jpg
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\Control Panel\Desktop\\Wallpaper -> C:\Users\tierz\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppBackground\{dba97027-699b-49ae-8106-64ba02ca9cd1}.jpg
HKU\S-1-5-21-3357796534-2979617118-1178381313-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109991\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run: => "Connectify Hotspot"
HKLM\...\StartupApproved\Run: => "Malwarebytes TrayApp"
HKLM\...\StartupApproved\Run32: => "EaseUS Cleanup"
HKLM\...\StartupApproved\Run32: => "EaseUS EPM tray"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\StartupApproved\Run: => "uTorrent"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\StartupApproved\Run: => "CyberGhost"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\StartupApproved\Run: => "uTorrent"
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\StartupApproved\Run: => "CyberGhost"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [UDP Query User{CBB5E5D2-6D99-440D-A98F-849E3D9C18F0}C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe] => (Block) C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe
FirewallRules: [TCP Query User{B252B64E-9E7B-40F6-A268-93F884C88961}C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe] => (Block) C:\users\tierz\appdata\roaming\utorrent\updates\3.4.6_42094.exe
FirewallRules: [{F5774882-3DD2-4643-8677-7444D4DAA21A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{AB6112F6-CB03-4D58-84BC-5A9B5596A39A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [UDP Query User{89422455-6A2E-48E4-8954-A0CD0EC53281}C:\program files (x86)\thinkfree office\qlaunch.exe] => (Allow) C:\program files (x86)\thinkfree office\qlaunch.exe
FirewallRules: [TCP Query User{9D06FF24-CFEE-4229-86B1-EB5911FD58B2}C:\program files (x86)\thinkfree office\qlaunch.exe] => (Allow) C:\program files (x86)\thinkfree office\qlaunch.exe
FirewallRules: [UDP Query User{C14A765F-7EF2-42AE-9FB5-EFCDB274D58F}C:\program files (x86)\thinkfree office\tfwrite.exe] => (Allow) C:\program files (x86)\thinkfree office\tfwrite.exe
FirewallRules: [TCP Query User{B473FE3F-9B80-45C8-AFDD-8A39ADD124A8}C:\program files (x86)\thinkfree office\tfwrite.exe] => (Allow) C:\program files (x86)\thinkfree office\tfwrite.exe
FirewallRules: [UDP Query User{14805108-CD5C-4667-933D-BBF737ABF847}C:\program files (x86)\thinkfree office\tfsetup.exe] => (Allow) C:\program files (x86)\thinkfree office\tfsetup.exe
FirewallRules: [TCP Query User{5107D841-AD13-40C1-8CA3-461723F61664}C:\program files (x86)\thinkfree office\tfsetup.exe] => (Allow) C:\program files (x86)\thinkfree office\tfsetup.exe
FirewallRules: [{A56F7A07-0CC1-4094-97B4-C4CE9C5FF79B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{5999E7ED-7B68-48B5-8AC1-5264AA9F5C45}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7CB05421-F579-4B7B-977A-B08791A42DAE}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{CBCBD2D4-2178-47C9-9A87-E22B597D65FA}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{A405F53D-67BC-4C0A-B400-EF4B478D50DF}C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe] => (Block) C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe
FirewallRules: [UDP Query User{2F00FC6A-E788-4ED2-91EC-05A6292BBFA9}C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe] => (Block) C:\program files (x86)\505 games\tiny brains\binaries\win32\tinybrains.exe
FirewallRules: [TCP Query User{8C596C27-642C-4E29-8E61-745C844B6946}C:\program files\goliath\goliath.exe] => (Block) C:\program files\goliath\goliath.exe
FirewallRules: [UDP Query User{7ABD536B-C08F-4EEB-BB65-7BDFB0D53F0C}C:\program files\goliath\goliath.exe] => (Block) C:\program files\goliath\goliath.exe
FirewallRules: [TCP Query User{96184894-C2C3-47D1-B2E7-BE28839BC255}D:\games\mighty no 9\binaries\win32\mn9game.exe] => (Block) D:\games\mighty no 9\binaries\win32\mn9game.exe
FirewallRules: [UDP Query User{517C953B-817E-40BD-A204-7B60BD1EF028}D:\games\mighty no 9\binaries\win32\mn9game.exe] => (Block) D:\games\mighty no 9\binaries\win32\mn9game.exe
FirewallRules: [TCP Query User{06220A84-2967-4C68-8108-4CC7F3882098}D:\games\grow up\growup.exe] => (Block) D:\games\grow up\growup.exe
FirewallRules: [UDP Query User{C7A7F37B-C2BB-4A1F-B27B-B95DEC32395C}D:\games\grow up\growup.exe] => (Block) D:\games\grow up\growup.exe
FirewallRules: [TCP Query User{F4EAB63F-BC23-420A-A79E-9F8C32A76835}C:\program files (x86)\valve\portal 2\portal2.exe] => (Block) C:\program files (x86)\valve\portal 2\portal2.exe
FirewallRules: [UDP Query User{1547E465-932F-49F7-80CE-E64A5164A5A9}C:\program files (x86)\valve\portal 2\portal2.exe] => (Block) C:\program files (x86)\valve\portal 2\portal2.exe
FirewallRules: [{79616F06-AAA6-4AD7-A2F3-F5E9AAFBA055}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{DD87A19E-CFDA-4008-AD8C-97E4C897FC4C}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{4EE087B8-A30F-4384-A2F3-DB7FB880B3FC}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [TCP Query User{19B74DFA-E045-4054-8809-97099B2C1582}C:\users\tierz\downloads\mongoose-free-6.5.exe] => (Allow) C:\users\tierz\downloads\mongoose-free-6.5.exe
FirewallRules: [UDP Query User{E82AEA32-EA87-448C-B12C-DF94771829F9}C:\users\tierz\downloads\mongoose-free-6.5.exe] => (Allow) C:\users\tierz\downloads\mongoose-free-6.5.exe
FirewallRules: [TCP Query User{8FC2E15C-6CFC-4047-BC4F-30B0422D05C9}C:\program files (x86)\connectify\connectify.exe] => (Allow) C:\program files (x86)\connectify\connectify.exe
FirewallRules: [UDP Query User{3514FABB-334E-4330-841A-113F5E0A90B0}C:\program files (x86)\connectify\connectify.exe] => (Allow) C:\program files (x86)\connectify\connectify.exe
FirewallRules: [TCP Query User{3C3F6149-B54F-4651-B6C4-CD73FFEC1490}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [UDP Query User{970C8CA3-315A-4695-8941-A9E929AC9394}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{6C464832-2FEB-41F5-8E27-4A20D764E8B1}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{7437E6FA-DBD7-4138-AAA6-1B41BDE6D9AF}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [TCP Query User{1AD628BF-2C40-4414-8793-51B22B76AC6C}C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe] => (Allow) C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe
FirewallRules: [UDP Query User{F06350C3-9F1C-40F0-AB3B-6DB7FF42CB7D}C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe] => (Allow) C:\users\tierz\appdata\local\jdownloader 2.0\jdownloader2.exe
FirewallRules: [TCP Query User{7C527664-658E-49B3-86E8-960E3F4EB64A}C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe
FirewallRules: [UDP Query User{87E1C9DA-ACDA-44DB-9DDA-E9B81441C69E}C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\launch4j-tmp\mimo.exe
FirewallRules: [TCP Query User{524FE545-122B-42AC-BC98-A64BB1CDBE2E}C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe
FirewallRules: [UDP Query User{0A941E54-8B73-4646-AF76-6F7850A2E9AD}C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_101\bin\javaw.exe
FirewallRules: [TCP Query User{DC32950A-B171-43E4-A10A-E49817A5D134}C:\program files\tixati\tixati.exe] => (Block) C:\program files\tixati\tixati.exe
FirewallRules: [UDP Query User{730C7739-8362-42EA-85E7-E2824F17E151}C:\program files\tixati\tixati.exe] => (Block) C:\program files\tixati\tixati.exe
FirewallRules: [{0C0E5CB0-9AF5-4D38-9621-9FF85F5DEC55}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{3910804A-2D8D-4782-B927-6AA417A6CAC1}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{24D74F42-4B14-44F3-B3DD-FB7D20656BFE}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{09D60F12-1181-47B0-93C5-9A4169263DE4}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2EEDBC2C-7C20-41C1-B457-6B0884B90A2F}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{EA1EE220-B84D-4BBB-A107-3F318419025F}] => (Allow) C:\Users\tierz\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{AA214267-B4FC-4B56-BE49-69E9D2CDC781}] => (Allow) C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe
FirewallRules: [{4394288F-6167-4ED5-A923-6E68114446A1}] => (Allow) C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe
FirewallRules: [{ED117569-626E-402D-BEEE-0E02D659B1E6}] => (Allow) C:\Program Files (x86)\VPN Unlimited\openvpn.exe
FirewallRules: [{4C0E3C7C-B4F1-4CB3-80C9-7750AE27BFC8}] => (Allow) C:\Program Files (x86)\VPN Unlimited\openvpn.exe
FirewallRules: [{3A30F472-E3BB-46F4-BCF2-F1A0FD3BDC16}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{845460F4-1A11-4392-9D73-1850F751645A}C:\program files (x86)\thinkfree office\uninstall.exe] => (Allow) C:\program files (x86)\thinkfree office\uninstall.exe
FirewallRules: [UDP Query User{A0475C34-405F-4901-AB55-8C1197745555}C:\program files (x86)\thinkfree office\uninstall.exe] => (Allow) C:\program files (x86)\thinkfree office\uninstall.exe
FirewallRules: [{3A23CCC1-54B9-4013-9AA4-90C1B903E222}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{68A3B2C6-12BE-4093-8034-B456F9D0DDB3}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{DDDABF0F-EF7B-49FA-9812-B61EC1487D91}] => (Allow) C:\PROGRA~2\REALTEK\USBWIR~1\RtWlan.exe
FirewallRules: [{4129DE7A-0E6A-4D02-BA2B-961F44D3E2D8}] => (Allow) LPort=1542
FirewallRules: [{A76620C3-73A4-43BF-BD7F-47F822D3F142}] => (Allow) LPort=1542
FirewallRules: [{FDCE2294-7A51-4637-8A37-5120A810C419}] => (Allow) LPort=53
FirewallRules: [{5D82170B-311C-44C5-A7CD-34A9B17A45D9}] => (Allow) C:\PROGRA~2\REALTEK\USBWIR~1\Rtldhcp.exe
FirewallRules: [{41EFC38E-14D1-4110-AB97-8B0368F23F3B}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{67A58B73-B545-4D3B-AFAC-F4BC3A31FC03}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{99849659-09B8-47E6-B95C-BE86FD71A918}] => (Allow) LPort=53
FirewallRules: [{D616D559-20EC-424E-A656-A9F4F7544BFA}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{794A135E-CE7E-43F9-BF35-05AA12A8C3FE}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{8A6DC446-4EAE-4262-B24F-581FC864D57A}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{DC37864E-36B7-4F0C-A457-32628EC827AC}] => (Allow) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe

==================== Restore Points =========================

03-02-2017 13:48:36 Scheduled Checkpoint
26-02-2017 18:47:50 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/07/2017 01:13:08 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-34VPQP3)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/07/2017 01:07:43 PM) (Source: DPTF) (EventID: 256) (User: )
Description: Event-ID 256

Error: (03/07/2017 01:07:43 PM) (Source: DPTF) (EventID: 256) (User: )
Description: Event-ID 256

Error: (03/07/2017 01:07:43 PM) (Source: DPTF) (EventID: 256) (User: )
Description: Event-ID 256

Error: (03/07/2017 01:07:43 PM) (Source: DPTF) (EventID: 256) (User: )
Description: Event-ID 256

Error: (03/07/2017 01:02:28 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (03/07/2017 11:33:04 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (03/07/2017 11:26:52 AM) (Source: DPTF) (EventID: 256) (User: )
Description: Event-ID 256

Error: (03/07/2017 11:26:52 AM) (Source: DPTF) (EventID: 256) (User: )
Description: Event-ID 256

Error: (03/07/2017 11:26:52 AM) (Source: DPTF) (EventID: 256) (User: )
Description: Event-ID 256


System errors:
=============
Error: (03/07/2017 01:13:20 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-34VPQP3)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DESKTOP-34VPQP3\tierza SID (S-1-5-21-3357796534-2979617118-1178381313-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.MicrosoftEdge_38.14393.0.0_neutral__8wekyb3d8bbwe SID (S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2017 01:08:14 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2017 01:06:59 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2017 11:27:48 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2017 11:26:08 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server:
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}

Error: (03/07/2017 11:26:08 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server:
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}

Error: (03/07/2017 11:26:08 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server:
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}

Error: (03/07/2017 11:26:08 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server:
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}

Error: (03/07/2017 11:26:08 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server:
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}

Error: (03/07/2017 11:26:07 AM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-34VPQP3)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}


CodeIntegrity:
===================================
  Date: 2016-11-21 20:39:20.581
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-21 20:39:20.573
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-08-21 10:43:57.136
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-08-21 10:43:57.133
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™ i7-5500U CPU @ 2.40GHz
Percentage of memory in use: 41%
Total physical RAM: 8095.08 MB
Available physical RAM: 4701.31 MB
Total Virtual: 9375.08 MB
Available Virtual: 5931.09 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:372.6 GB) (Free:252.87 GB) NTFS
Drive d: (Data) (Fixed) (Total:542.8 GB) (Free:426.25 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 285F93C7)

Partition: GPT.

==================== End of Addition.txt ============================



#10 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 March 2017 - 12:17 AM

Hi,

Please download the following file (attached: fixlist.txt, 3.41KB) and save it to the Desktop.

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same location or the fix will not work.

Restart the computer in Safe Mode. See here how to do this.

Run FRST64.exe and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please restart your computer in Normal Mode and post back the log file in your next reply.

This script was written specifically for you, for use on that particular machine.

Let me know how things are after the fix above.

Regards,

Georgi


#11 tierzastarrw
  • Topic Starter
  • Members
  • 16 posts

Posted 08 March 2017 - 11:59 AM

FRST has been running the fix all night. Should it be taking that long?



#12 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 March 2017 - 12:27 PM

No, something went wrong. Please restart the computer and see if a log file will be created.

If no, then please try the following fix instead (attached: fixlist.txt, 1.29KB).

You can run it from Normal Mode.

Let me know about the results.

Regards,

Georgi


#13 tierzastarrw
  • Topic Starter
  • Members
  • 16 posts

Posted 08 March 2017 - 12:46 PM

Hi,

So the failed fix did have a fixlog.

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by tierza (08-03-2017 08:32:51) Run:3
Running from C:\Users\tierz\Desktop\FRST
Loaded Profiles: tierza (Available Profiles: tierza & Administrator)
Boot Mode: Safe Mode
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()
FF HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
FF HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
File: C:\Windows\runSW.exe
File: C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\EX64.SYS [X]
2017-03-06 13:12 - 2017-03-06 13:12 - 00000000 ____D C:\Program Files (x86)\regtool
2017-03-06 12:23 - 2017-03-06 12:23 - 00000000 ____D C:\WINDOWS\system32\%LOCALAPPDATA%
2017-03-06 12:03 - 2017-03-06 12:03 - 00001145 _____ C:\Users\tierz\Desktop\Video Abductor.lnk
2017-03-06 12:03 - 2017-03-06 12:03 - 00000000 ____D C:\Users\tierz\AppData\Local\VideoAB
EmptyTemp:
end
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\Software\Microsoft\Windows\CurrentVersion\Run\\StartAB => value not found.



#14 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 March 2017 - 01:06 PM

Not very useful since you ran it 3 times and the following line is probably already deleted and that's why it's not found:

Ran by tierza (08-03-2017 08:32:51) Run:3

HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\Software\Microsoft\Windows\CurrentVersion\Run\\StartAB => value not found.

but it seems that FRST failed to process the next one:

HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()

Ok, let's see if the new fixlist.txt will deal with it.

Regards,

Georgi
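The fixlog only reports on the first hive, so a helper may want to check for themselves whether the StartAB value is still present in every loaded copy of that user's hive, including the suffixed one FRST listed. The PowerShell check below is an added example, not part of the thread or of FRST; it assumes the SID and value name shown in the log above and an elevated session so that all HKEY_USERS subkeys are readable.

```powershell
# Added example (not from the thread or from FRST): enumerate every loaded
# HKEY_USERS hive whose name starts with the affected user's SID, including
# suffixed copies such as "<SID>-{GUID}-03072017140109511" seen in the FRST log,
# and report whether the Run value 'StartAB' (the VideoAB autostart) is present.
# Assumes an elevated PowerShell session so every loaded hive is readable.

$sid       = 'S-1-5-21-3357796534-2979617118-1178381313-1001'   # SID from the log
$valueName = 'StartAB'                                           # value from the fixlist
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RunValueAcrossHives {
    param(
        [Parameter(Mandatory)] [string] $UserSid,
        [Parameter(Mandatory)] [string] $ValueName
    )
    # Only hives that are currently loaded appear under HKEY_USERS; a copy that
    # FRST saw while it was loaded may be absent in a later session.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "$UserSid*" -and
                       $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $runKey = "$($_.PSPath)\$runSubKey"
            $data   = $null
            $exists = Test-Path -Path $runKey
            if ($exists) {
                $item = Get-ItemProperty -Path $runKey -Name $ValueName -ErrorAction SilentlyContinue
                if ($null -ne $item) { $data = $item.$ValueName }
            }
            $display = if ($null -ne $data) { $data } else { '<not found>' }
            [pscustomobject]@{
                Hive         = $_.PSChildName
                RunKeyExists = $exists
                ValueData    = $display
            }
        }
}

Get-RunValueAcrossHives -UserSid $sid -ValueName $valueName | Format-Table -AutoSize
```

A row whose ValueData still points at videoab.exe shows which hive the fix has not yet cleaned; a hive that is not listed at all was simply not loaded when the check ran.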


#15 tierzastarrw
  • Topic Starter
  • Members
  • 16 posts

Posted 08 March 2017 - 01:14 PM

Ok. So FRST is now running the new fixlist. I checked the new fixlog and it says value not found again.

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by tierza (08-03-2017 09:53:45) Run:4
Running from C:\Users\tierz\Desktop\FRST
Loaded Profiles: tierza (Available Profiles: tierza & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CloseProcesses:
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03072017140109511\...\Run: [StartAB] => C:\Users\tierz\AppData\Local\VideoAB\videoab.exe [3062288 2017-02-20] ()
2017-03-06 13:12 - 2017-03-06 13:12 - 00000000 ____D C:\Program Files (x86)\regtool
2017-03-06 12:03 - 2017-03-06 12:03 - 00001145 _____ C:\Users\tierz\Desktop\Video Abductor.lnk
2017-03-06 12:03 - 2017-03-06 12:03 - 00000000 ____D C:\Users\tierz\AppData\Local\VideoAB
EmptyTemp:
end
*****************

Processes closed successfully.
HKU\S-1-5-21-3357796534-2979617118-1178381313-1001\Software\Microsoft\Windows\CurrentVersion\Run\\StartAB => value not found.





