
Windows Command Processor Pop Up and Persistent Task


  • This topic is locked
25 replies to this topic

#1 RiberoD07

RiberoD07

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 13 March 2017 - 11:23 AM

I actually have 3 problems and will explain each one and put the log at the end

Running Windows 10 64-bit

so the first and the most visually annoying problem,

Every 30 minutes to an hour I've been getting a pop up that says This app cannot be run on this PC or along those lines. I had no idea what it was as every time it happened I was not trying to open any app. It's the blue smartscreen/windows store themed looking popup. When I open the task manager it's there as Windows Command Processor and if I click on open file location it sends me to the legitimate cmd.exe; whenever I click end task the popup disappears right away but comes back later on. In the services there are usually quite a lot of conhost and svhost that may or may not be legitimate as well.

 

This leads to the next problem which may be the most important problem: in the task manager under background processes there's a process that's called ASUS USB Charger Plus (32 bit) and right below it is another one with the exact same name. Normally I wouldn't think twice about it but one has a headphone logo on it? I clicked on properties and it has startup.exe as its name and if I click on file location it leads me to C:\Program Files (x86)\Client which is an empty folder even with hidden files on or off; also if I go back a level by clicking the arrow left of the file path to Program Files (x86) there is no Client folder there. If I click on properties, this one says created on December 14th 2016. The other one with a USB as a logo leads to the correct file path (C:\Program Files (x86)\ASUS\USBChargerPlus) and in properties says it was created on May 25th, 2015. Whenever I try to end the process through the task manager it's gone for a few seconds and then 3-5 instances of it pop back in background processes and eventually stay as just 1... So the one with headphones is 100% a virus, at least imo..

 

This third issue may be tied into the second

Whenever I first boot up my computer I get a message with an exclamation mark and nothing else, like a standard warning window box type thing with an OK on it. If I click OK it disappears and doesn't return. There's another box that pops up whenever I launch chrome that says manifest file is missing or unreadable at ~/AppData/Local/FASTextensions/ag12h31h23b (made up the filename but it's alphanumerical like that) but the problem is there is no Fastextensions folder in that directory.. Again I click okay and chrome opens fine and it only pops up whenever I restart and open chrome for the first time.

 

THIS chrome issue is likely to just be a corrupt extension and not a virus, but the exclamation mark window is alarming and I'd really like to fix the chrome issue as well.

 

On a side note... I just noticed that task manager says my windows explorer is taking up between 50-80% of my CPU.. and I only have 1 instance of it open and it's not loading anything... If anyone can help with that too it'd be much appreciated

 

Attached are the files

FRST.txt and Addition.txt

Thanks!

 


 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,434 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:30 PM

Posted 13 March 2017 - 06:33 PM

Welcome. :)

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:



  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.



  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

 


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 RiberoD07

RiberoD07
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 13 March 2017 - 07:53 PM

Okay, I did all the steps; before I post I will say what I've noticed. The smartscreen/blue "this app can not be run" has not reappeared and name.exe and clientmonitor.exe have been deleted along with files melt.bat and some other files that looked like viruses. The window box with the exclamation mark has disappeared but the google chrome unreadable extension warning still comes up every time I try and open a google chrome window. The virus named startup.exe that is hiding as ASUS USB Charger Plus (32 Bit) discovered by FRST here: (ASUSTek Computer Inc.) C:\ProgramData\Client\startup.exe

and here: HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\RunOnce: [Client Monitor] => C:\ProgramData\Client\startup.exe [864720 2016-07-10] (ASUSTek Computer Inc.) was not removed, and I am 99% sure it is malware of some sort. Other than that I have been seeing a cmd window opening saying something along the lines of registry key not found spammed across the console before closing itself. 

FRST log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-03-2017
Ran by Daniel (13-03-2017 20:07:31) Run:1
Running from C:\Users\Daniel\Downloads\FRST-OlderVersion
Loaded Profiles: Daniel (Available Profiles: Daniel)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\CurrentVersion\Windows: [Load] C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe <===== ATTENTION 
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" <==== ATTENTION 
GroupPolicy: Restriction <======= ATTENTION 
GroupPolicy\User: Restriction <======= ATTENTION 
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION 
FF Plugin-x32: @alibaba.com/npwangwang;version=1.0 -> C:\Program Files (x86)\AliWangWang\8.60.01C\npwangwang.dll [No File] 
FF Plugin-x32: @alipay.com/NPComBrg701,version=1.0.2011.701 -> C:\WINDOWS\system32\itruscert\NPComBrg701.dll [No File] 
FF Plugin HKU\S-1-5-21-2498589561-758378069-103133614-1001: @alibaba.com/npAliSSOLogin;version=1.0 -> C:\Program Files (x86)\AliWangWang\8.60.03C\npAliSSOLogin.dll [No File] 
FF Plugin HKU\S-1-5-21-2498589561-758378069-103133614-1001: @alibaba.com/npwangwang;version=1.0 -> C:\Program Files (x86)\AliWangWang\8.60.03C\npwangwang.dll [No File] 
CustomCLSID: HKU\S-1-5-21-2498589561-758378069-103133614-1001_Classes\CLSID\{5D09DD40-CDC4-4C56-B615-0D1E3B357C2B}\InprocServer32 -> C:\Program Files (x86)\AliWangWang\8.60.03C\AliIMX_64.dll => No File 
Shortcut: C:\Users\Daniel\Desktop\Desktop\Haxton.bat - Shortcut (2).lnk -> C:\Users\Daniel\Desktop\Haxton.bat (No File) 
Shortcut: C:\Users\Daniel\Desktop\Desktop\Haxton.bat - Shortcut.lnk -> C:\Users\Daniel\Desktop\Haxton.bat (No File) 
Shortcut: C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Interactive Ruby.lnk -> C:\Program Files (x86)\Heroku\ruby-2.1.7\bin\irb.bat (No File) 
Shortcut: C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\RubyGems Documentation Server.lnk -> C:\Program Files (x86)\Heroku\ruby-2.1.7\bin\gem.bat (No File) 
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\CurrentVersion\Windows: [Load] C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe <===== ATTENTION 
2016-11-16 15:31 - 2016-12-07 11:42 - 0000000 _____ () C:\Users\Daniel\AppData\Local\Temptable.xml 
2017-03-12 23:55 - 2016-07-13 18:33 - 0053248 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Local\Temp\svhost.exe 
Multi-Device Hybrid Apps using C# - Templates - ENU (x32 Version: 14.0.23107 - Microsoft Corporation) Hidden 
FirewallRules: [{550FBF9A-BD2B-4A9B-9E92-AEB522A23205}] => (Allow) C:\Users\Daniel\AppData\Local\Temp\MPCOnline\MPCDownload.exe 
FirewallRules: [{4620622B-F25A-4D00-A0C0-BBE61142F2EF}] => (Allow) C:\Users\Daniel\AppData\Local\Temp\MPCOnline\MPCDownload.exe 
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON 
CMD: ipconfig /flushdns 
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP: 
Reboot:
 
*****************
 
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => value removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@alibaba.com/npwangwang;version=1.0 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@alipay.com/NPComBrg701,version=1.0.2011.701 => key removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\MozillaPlugins\@alibaba.com/npAliSSOLogin;version=1.0 => key removed successfully
C:\Program Files (x86)\AliWangWang\8.60.03C\npAliSSOLogin.dll => not found.
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\MozillaPlugins\@alibaba.com/npwangwang;version=1.0 => key removed successfully
C:\Program Files (x86)\AliWangWang\8.60.03C\npwangwang.dll => not found.
HKU\S-1-5-21-2498589561-758378069-103133614-1001_Classes\CLSID\{5D09DD40-CDC4-4C56-B615-0D1E3B357C2B} => key removed successfully
C:\Users\Daniel\Desktop\Desktop\Haxton.bat - Shortcut (2).lnk => moved successfully
C:\Users\Daniel\Desktop\Desktop\Haxton.bat - Shortcut.lnk => moved successfully
C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Interactive Ruby.lnk => moved successfully
C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\RubyGems Documentation Server.lnk => moved successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => value not found.
C:\Users\Daniel\AppData\Local\Temptable.xml => moved successfully
C:\Users\Daniel\AppData\Local\Temp\svhost.exe => moved successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{12D99739-FFD3-3761-8AA6-F929E0FE407E}\\SystemComponent => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{550FBF9A-BD2B-4A9B-9E92-AEB522A23205} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4620622B-F25A-4D00-A0C0-BBE61142F2EF} => value removed successfully
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Route, OK!
Resetting Subinterface, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
{CCCCDFE7-44AA-4C64-A8BF-22B395C5EF80} canceled.
1 out of 1 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31687387 B
Java, Flash, Steam htmlcache => 33204491 B
Windows/system/drivers => 11628257 B
Edge => 4318171 B
Chrome => 760902553 B
Firefox => 311432671 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 136720 B
Daniel => 225780204 B
 
RecycleBin => 536746654 B
EmptyTemp: => 1.8 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 20:08:56 ====
 
JRT log:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.1 (02.11.2017)
Operating System: Windows 10 Home x64 
Ran by Daniel (Administrator) on 2017-03-13 at 20:17:26.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 14 
 
Failed to delete: C:\Program Files (x86)\taobaoprotect (Folder) 
Successfully deleted: C:\Program Files (x86)\mozilla firefox\plugins\npwangwang.dll (File) 
Successfully deleted: C:\ProgramData\productdata (Folder) 
Successfully deleted: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm (Folder) 
Successfully deleted: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg (Folder) 
Successfully deleted: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.localstorage (File) 
Successfully deleted: C:\Users\Daniel\AppData\Roaming\taobaoprotect (Folder) 
Successfully deleted: C:\Windows\system32\Tasks\AliUpdater{E34385E0-FC3E-4902-9CFA-4805F3527E20} (Task)
Successfully deleted: C:\Windows\system32\Tasks\SmartDefrag_Startup (Task)
Successfully deleted: C:\Windows\system32\Tasks\Uninstaller_SkipUac_Daniel (Task)
Successfully deleted: C:\Windows\Tasks\AliUpdater{E34385E0-FC3E-4902-9CFA-4805F3527E20}.job (Task) 
Successfully deleted: C:\Windows\Tasks\Uninstaller_SkipUac_Daniel.job (Task) 
Successfully deleted: C:\Windows\wininit.ini (File) 
 
 
 
Registry: 1 
 
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\TBSecSvc (Registry Key) 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2017-03-13 at 20:21:12.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
ADWcleaner Log:
 
# AdwCleaner v6.044 - Logfile created 13/03/2017 at 20:36:45
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-13.2 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Daniel - LAPTOP-S41S24SG
# Running from : C:\Users\Daniel\Downloads\adwcleaner_6.044.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\Public\Documents\drivepro
Folder Found:  C:\Users\Daniel\AppData\Local\Geckofx
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
Task Found:  {514B395E-7F5F-41BA-BC1F-9733905B3769}
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Scheduler
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Scheduler
Key Found:  HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found:  HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDecoWizardPage_c
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDecoWizardPage_c.1
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDoctorPage_c
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDoctorPage_c.1
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshManipulationPage
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshManipulationPage.23
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshPrepCompPage_c
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshPrepCompPage_c.1
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshRelaxPage_c
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshRelaxPage_c.1
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSmoothPage_c
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSmoothPage_c.1
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSplitPage_c
Key Found:  HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSplitPage_c.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found:  [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDecoWizardPage_c
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDecoWizardPage_c.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDoctorPage_c
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshDoctorPage_c.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshManipulationPage
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshManipulationPage.23
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshPrepCompPage_c
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshPrepCompPage_c.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshRelaxPage_c
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshRelaxPage_c.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSmoothPage_c
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSmoothPage_c.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSplitPage_c
Key Found:  [x64] HKLM\SOFTWARE\Classes\SWNGRE.uiMeshSplitPage_c.1
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
Key Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Hola
Key Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Store
Key Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\WTools
Key Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\INSTALLPATH\STATUS
Key Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\drivepro
Key Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetStream 1.0
Key Found:  HKCU\Software\Hola
Key Found:  HKCU\Software\Store
Key Found:  HKCU\Software\WTools
Key Found:  HKCU\Software\INSTALLPATH\STATUS
Key Found:  HKCU\Software\drivepro
Key Found:  HKLM\SOFTWARE\MIITS LLC
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetStream 1.0
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherChickn
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2705BBD-00A4-4056-86C0-ACBAD87B5EDE}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FFAB04C-C934-4880-83E7-D185F2AA636B}
Key Found:  [x64] HKCU\Software\Hola
Key Found:  [x64] HKCU\Software\Store
Key Found:  [x64] HKCU\Software\WTools
Key Found:  [x64] HKCU\Software\INSTALLPATH\STATUS
Key Found:  [x64] HKCU\Software\drivepro
Key Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetStream 1.0
Key Found:  HKLM\SOFTWARE\Classes\Installer\Features\DBB5072C4A006504680CCAAB8DB7E5ED
Key Found:  HKLM\SOFTWARE\Classes\Installer\Products\DBB5072C4A006504680CCAAB8DB7E5ED
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2498589561-758378069-103133614-1001\Products\C40BAFF0439C0884387E1D582FAA36B6
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DBB5072C4A006504680CCAAB8DB7E5ED
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DBB5072C4A006504680CCAAB8DB7E5ED
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Features\DBB5072C4A006504680CCAAB8DB7E5ED
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Products\DBB5072C4A006504680CCAAB8DB7E5ED
Key Found:  HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\metrolyrics.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.metrolyrics.c
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\metrolyrics.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.metrolyrics.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\metrolyrics.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.metrolyrics
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\metrolyrics.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.metrolyrics.co
Value Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [hola]
Value Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Selection Tools]
Value Found:  HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [fastweb]
Key Found:  HKCU\Software\MozillaPlugins\@hola.org/FlashPlayer
Key Found:  HKCU\Software\MozillaPlugins\@hola.org/vlc
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Web data] - mouse-recorder-premium.en.softonic.com
Chrome pref Found:  [C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - booedmolknjekdopkepjjeckmjkdpfgl
Chrome pref Found:  [C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - flpcjncodpafbgdpnkljologafpionhb
Chrome pref Found:  [C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - gngocbkfmikdgphklgmmehbjjlfgdemm
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [9062 Bytes] - [13/03/2017 20:36:45]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9135 Bytes] ##########
 
Thanks, hopefully this can help narrow down my problem and any other problems that are in my machine; on the bright side those programs managed to free up a couple of GB of space so that's good.
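Added example, not part of this thread and not code from FRST, JRT or AdwCleaner: a read-only PowerShell audit of the autostart locations the fixlist above names (the per-user Windows\Load value, the Winlogon Shell override, the Run/RunOnce keys where the "Client Monitor" entry sat) plus a scheduled-task pass. It lists files with -Force, which is how a folder Explorer reports as empty can still hold a hidden startup.exe, and it checks the Authenticode signature instead of trusting the CompanyName string from the file's version resource, which anyone can set to "ASUSTek Computer Inc.". All function names are my own; the suspect-directory list is an assumption drawn from where the thread's hits were found.

```powershell
# Added example (not from this thread, FRST or AdwCleaner): a read-only audit of the
# per-user autostart locations named in the fixlist above.  Run from an elevated
# PowerShell prompt; it only reads and reports, it removes nothing.

# Registry values to inspect.  Expect = $null means "normally absent".
$Checks = @(
    # Windows\Load: legacy per-user autostart that Task Manager's Startup tab does not list
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load';  Expect = $null },
    # Winlogon\Shell under HKCU overrides the machine-wide shell for this user only
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expect = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expect = 'explorer.exe' }
)

# Assumed list of directories a legitimate vendor autostart should not live in
# (the thread's hits were under Temp, Roaming and ProgramData)
$SuspectRoots = @("$env:LOCALAPPDATA\Temp", $env:APPDATA, $env:ProgramData)

function Get-TargetPaths {
    param([string]$CommandLine)
    # Pull every quoted or bare token that contains a backslash, so that a value such as
    #   explorer.exe,"C:\Users\x\AppData\Roaming\clientmonitor.exe"
    # yields the second executable.  Unquoted paths with spaces are split (known limit).
    $paths = @()
    foreach ($m in [regex]::Matches($CommandLine, '"([^"]+)"|([^\s,]+)')) {
        $tok = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        if ($tok -match '\\') { $paths += $tok }
    }
    return $paths
}

function Test-SuspectLocation {
    param([string]$Path)
    foreach ($root in $SuspectRoots) { if ($Path -like "$root\*") { return $true } }
    return $false
}

function Get-FileFacts {
    param([string]$Path)
    # -Force is what makes a folder Explorer shows as "empty" reveal a hidden+system file
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return 'missing on disk' }
    # CompanyName is free text in the version resource and proves nothing about origin;
    # only a Valid Authenticode status ties the file to the named publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ("attrs={0}; created={1:yyyy-MM-dd}; company='{2}'; signature={3}" -f
        $item.Attributes, $item.CreationTime, $item.VersionInfo.CompanyName, $sig.Status)
}

function Write-Targets {
    param([string]$Value)
    foreach ($p in Get-TargetPaths $Value) {
        $loc = if (Test-SuspectLocation $p) { 'SUSPECT LOCATION' } else { 'location ok' }
        Write-Host ("      {0}: {1}; {2}" -f $p, $loc, (Get-FileFacts $p))
    }
}

function Show-AutostartValue {
    param([string]$Key, [string]$Name, $Expect)
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $value = if ($props) { $props.$Name } else { $null }
    if (-not $value) {
        if ($Expect) { Write-Host "[!]  $Key\$Name is missing (expected '$Expect')" }
        else         { Write-Host "[ok] $Key\$Name absent" }
        return
    }
    $flag = if ($Expect -and $value -eq $Expect) { '[ok]' } else { '[!] ' }
    Write-Host "$flag $Key\$Name = $value"
    Write-Targets $value
}

foreach ($c in $Checks) { Show-AutostartValue @c }

# Run / RunOnce for the current user: the "Client Monitor" entry in the thread sat in RunOnce
foreach ($k in 'Run', 'RunOnce') {
    $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$k"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        Write-Host "[$k] $($v.Name) = $($v.Value)"
        Write-Targets ([string]$v.Value)
    }
}

# Scheduled tasks whose action runs a script, or anything from a suspect root: the
# kind of recurring launcher guessed at later in the thread for the periodic pop up
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        $exe = [string]$a.Execute
        if (-not $exe) { continue }          # COM-handler actions have no Execute
        $full = [System.Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
        if ($full -match '\.(bat|cmd|vbs|js|ps1)$' -or (Test-SuspectLocation $full)) {
            Write-Host ("[task] {0}{1} -> {2} {3}" -f $t.TaskPath, $t.TaskName, $exe, $a.Arguments)
        }
    }
}
```

Anything flagged "[!]" or "SUSPECT LOCATION" is a lead for the helper to decide on, not an automatic verdict; a legitimate per-user installer can also drop a Run entry under AppData.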
 


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,434 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:30 PM

Posted 13 March 2017 - 09:42 PM

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 
Open AdwCleaner. This time around click on the Clean button. On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

Go to this site and scan the following file:

C:\ProgramData\Client\startup.exe

 

Post the results link.


Edited by JSntgRvr, 13 March 2017 - 09:50 PM.



#5 RiberoD07

RiberoD07
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 13 March 2017 - 09:59 PM

So I ran FRST with the fixlist you gave me and below is the output. However, the Clean button on ADWCleaner is greyed out so I'm not sure what to do, and when I go to task manager the virus startup.exe which is hiding under the name ASUS USB Charger Plus (32 bit) is still there, and when I click on file location it does go to C:\ProgramData\Client\ however it says this folder is empty, so I can't exactly try and pass the file through VirusTotal since I do not know where the .exe really is.. 
FRST Log:
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 13-03-2017
Ran by Daniel (13-03-2017 22:53:49) Run:2
Running from C:\Users\Daniel\Downloads\FRST-OlderVersion
Loaded Profiles: Daniel (Available Profiles: Daniel)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
C:\Users\Daniel\AppData\Roaming\clientmonitor.exe
C:\Program Files (x86)\taobaoprotect
*****************
 
C:\Users\Daniel\AppData\Roaming\clientmonitor.exe => moved successfully
C:\Program Files (x86)\taobaoprotect => moved successfully
 
==== End of Fixlog 22:53:50 ====


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,434 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:30 PM

Posted 13 March 2017 - 10:24 PM

First Scan, then Clean. I believe the Clean button won't be available until a Scan is performed.




#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,434 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:30 PM

Posted 13 March 2017 - 10:28 PM

Not necessary


Edited by JSntgRvr, 13 March 2017 - 10:30 PM.



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,434 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:30 PM

Posted 13 March 2017 - 10:33 PM

Lets remove the file:
 
Download the attached file and save it in the same directory FRST64 is saved.
  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.



#9 RiberoD07

RiberoD07
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 13 March 2017 - 10:48 PM

Okay so the log says that it was moved successfully, but I still got the explorer.exe exclamation mark window dialog upon booting and startup.exe is still in my task manager as a background process when I boot up my computer. The google chrome extension is still popping up whenever I try and open a google chrome window. I just got the blue pop up that says This App Can't Run on This PC so it feels like I'm pretty much back to where I started. Below is the log but it's not much help since startup.exe is still in my task manager and when I click on open file location it still says C:\ProgramData\Client\ although that folder still says it's empty.

 

EDIT: Regarding the "This App Can't Run on your PC" pop-up at boot and periodically, my guess is that there is a .bat file somewhere, or maybe a Task Scheduler entry set up to start on boot, and that's where the blue pop-up comes from, but I'm not sure how to find it as it could be anywhere.

 

FRST Log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-03-2017
Ran by Daniel (13-03-2017 23:41:27) Run:3
Running from C:\Users\Daniel\Downloads\FRST-OlderVersion
Loaded Profiles: Daniel (Available Profiles: Daniel)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
C:\ProgramData\Client\startup.exe
*****************
 
Could not move "C:\ProgramData\Client\startup.exe" => Scheduled to move on reboot.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 13-03-2017 23:42:01)
 
C:\ProgramData\Client\startup.exe => Is moved successfully
 
==== End of Fixlog 23:42:01 ====

Edited by RiberoD07, 13 March 2017 - 10:53 PM.
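
The guess in the post above (a .bat file or a scheduled task firing at boot) is something the affected user can check directly while waiting for the next fixlist. The script below is an added example for this thread; it is not from the poster, not from the Malware Response Team, and not part of FRST. It assumes Windows 10 with the ScheduledTasks module (Get-ScheduledTask) available and an elevated PowerShell prompt. It reads the same autostart locations FRST lists under "Registry (Whitelisted)" (Winlogon Userinit and Shell, the per-user Windows\Load value, the Run/RunOnce keys), plus the Startup folders and every scheduled-task action, and flags entries that point at user-writable directories or at cmd.exe or a .bat/.cmd script, which is what a "Windows Command Processor" pop-up at boot implies. The path heuristic and the regular expressions are this example's own, not FRST's.

```powershell
# Added example, not from this thread and not part of FRST: a read-only audit of
# the autostart locations an FRST report covers. Run from an elevated PowerShell
# prompt; it prints a review list and changes nothing.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Location, $Value, $Note) {
    $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value; Note = $Note })
}

# User-writable directories. Legitimate updaters (Dropbox, Chrome) also start from
# AppData, so a hit means "review against the FRST log", not "malware".
$suspectPath = '\\(ProgramData|AppData|Temp)\\'
$cmdOrBatch  = '\.(bat|cmd)\b|cmd\.exe'

# 1. Values with a fixed expected content. Winlogon Userinit and Shell should name
#    only the Windows binary; a second program appended after the comma is a hijack.
#    The per-user Windows\Load value is not set at all on a normal install.
$userinitOk = '^(\w:\\\w+\\system32\\)?userinit\.exe,?$'
$fixed = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Name = 'Userinit'; Ok = $userinitOk },
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Ok = $userinitOk },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Name = 'Shell';    Ok = '^explorer\.exe$' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Name = 'Shell';    Ok = '^explorer\.exe$' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';              Name = 'Load';     Ok = '^$' }
)
foreach ($f in $fixed) {
    $item = Get-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                      # value absent: nothing hijacked here
    $value = ([string]$item.($f.Name)).Trim()
    if ($value -notmatch $f.Ok) {
        Add-Finding "$($f.Key)\$($f.Name)" $value 'differs from the Windows default'
    }
}

# 2. Run / RunOnce entries (machine-wide, 32-bit view, and current user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }  # provider metadata
        $cmd = [string]$p.Value
        if ($cmd -match $suspectPath -or $cmd -match $cmdOrBatch) {
            Add-Finding "$key\$($p.Name)" $cmd 'starts from a user-writable path or via cmd/batch'
        }
    }
}

# 3. Startup folders: a script or executable placed here directly runs at logon.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(bat|cmd|exe|vbs|js|ps1)$' } |
        ForEach-Object { Add-Finding $_.FullName $_.LastWriteTime 'script or executable dropped in Startup' }
}

# 4. Scheduled tasks: inspect what each exec action actually launches.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                  # COM-handler or other non-exec action
        $cmd = ($a.Execute + ' ' + $a.Arguments).Trim()
        if ($cmd -match $suspectPath -or $cmd -match $cmdOrBatch) {
            Add-Finding ('task ' + $task.TaskPath + $task.TaskName) $cmd 'task launches cmd/batch or a user-writable path'
        }
    }
}

if ($findings.Count -eq 0) { 'No autostart entry matched the review heuristics.' }
else { $findings | Sort-Object Location | Format-Table -AutoSize -Wrap }
```

Everything it prints is a list to compare against the FRST report, not a verdict, and it deliberately removes nothing: fixing an entry that turns out to be the hijacked Winlogon value without also removing the file it launches just reproduces the symptom on the next boot, which is why the helper in this thread drives the cleanup through fixlists.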


#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,434 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:30 PM

Posted 14 March 2017 - 12:20 AM

Please rescan with FRST. Make sure a check mark is on Addition.txt and post the new reports.



#11 RiberoD07

RiberoD07
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 14 March 2017 - 12:32 AM

Here is the FRST log, and attached is the Addition.txt.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2017
Ran by Daniel (administrator) on LAPTOP-S41S24SG (14-03-2017 01:26:45)
Running from C:\Users\Daniel\Downloads\FRST-OlderVersion
Loaded Profiles: Daniel (Available Profiles: Daniel)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Intel Corporation) C:\Windows\SysWOW64\esif_uf.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
() C:\altera\14.0\quartus\bin64\jtagserver.exe
( Rsupport Corporation) C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenService.exe
(Mentor Graphics Corporation) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS Flow Simulation\binCFW\remotesolverdispatcherservice.exe
(Alibaba Group) C:\Program Files (x86)\Alibaba\wwbizsrv\wwbizsrv.exe
(TechSmith Corporation) C:\Program Files (x86)\Common Files\TechSmith Shared\Uploader\UploaderService.exe
(Mentor Graphics Corporation) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS Flow Simulation\binCFW\dispatcher.exe
() C:\Program Files (x86)\RSUPPORT\MobizenService\dat\adb.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Rsupport corporation) C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(ASUSTek Computer Inc.) C:\ProgramData\Client\startup.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Conexant Systems, Inc) C:\Program Files\CONEXANT\SAII\SmartAudio.exe
() C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe
() C:\Program Files\AutoHotkey\AutoHotkey.exe
() C:\Program Files\AutoHotkey\AutoHotkey.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [920280 2015-04-17] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830616 2014-04-10] (Conexant Systems, Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-24] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,"C:\WINDOWS\system32\clientmonitor.exe"
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\RunOnce: [Client Monitor] => C:\ProgramData\Client\startup.exe [864720 2016-07-10] (ASUSTek Computer Inc.)
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\CurrentVersion\Windows: [Load] C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe <===== ATTENTION
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" <==== ATTENTION
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-03-06] (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2016-09-24] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snagit 12.lnk [2017-03-13]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SOLIDWORKS 2015 Fast Start.lnk [2016-06-27]
Startup: C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Jawbone Updater.lnk [2017-03-13]
Startup: C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-03-13]
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyServer: [S-1-5-21-2498589561-758378069-103133614-1001] => http=127.0.0.1:8888;https=127.0.0.1:8888
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{66a814c4-a482-427f-aa2b-d0943858fba1}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{7611d6fd-f138-487a-b7bf-249e8d192c07}: [DhcpNameServer] 192.168.2.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus15.msn.com/?pc=ASTE
SearchScopes: HKU\S-1-5-21-2498589561-758378069-103133614-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2016-05-23] (IObit)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2016-01-13] (Oracle Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-01-29] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2016-01-13] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll [2015-10-23] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-10-23] (Oracle Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-01-29] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_197.dll [2016-04-02] ()
FF Plugin: @java.com/DTPlugin,version=10.79.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2016-01-13] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.79.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2016-01-13] (Oracle Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_197.dll [2016-04-02] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1220162.dll [2015-08-31] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-10-23] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-10-23] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-01-29] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultSearchURL: Default -> hxxps://www.skydaz.com/favicon.ico
CHR DefaultSearchKeyword: Default -> json-viewer
CHR Profile: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default [2017-03-14]
CHR Extension: (Google Slides) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-07]
CHR Extension: (Google Docs) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-07]
CHR Extension: (Google Drive) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-07]
CHR Extension: (Goofbid - Automatic eBay Bidder) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\bojohkhilmdefbglojiamgjegnaemcoh [2016-12-21]
CHR Extension: (OneTab) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall [2017-02-23]
CHR Extension: (uBlock Origin) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-03-13]
CHR Extension: (Google Search) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Block & Focus) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcpbedhdekgkhigjgmlcbmcjoeaebbfm [2017-03-02]
CHR Extension: (Learn To Fly 3!) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\eaigbhffknefonfnjphdamhommlmfegi [2017-02-26]
CHR Extension: (Zotero Connector) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\ekhagklcjbdpajgpjgmbionohlpdbjgc [2016-12-07]
CHR Extension: (Google Sheets) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-25]
CHR Extension: (JSON Viewer) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbmdgpbipfallnflgajpaliibnhdgobh [2017-01-27]
CHR Extension: (Grammarly for Chrome) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen [2017-03-13]
CHR Extension: (The Great Suspender) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg [2017-03-13]
CHR Extension: (Linkclump) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfpjkncokllnfokkgpkobnkbkmelfefj [2016-12-14]
CHR Extension: (Skydaz Minecraft Installers, Tools,...) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\maakdldemihpjphbbiopbmnmpfknpchh [2016-07-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-13]
CHR Extension: (Gmail) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-07]
CHR Extension: (Chrome Media Router) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-23]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3704520 2017-02-18] (Microsoft Corporation)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-09-08] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-09-08] (Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [46408 2017-01-20] (Dropbox, Inc.)
R2 esifsvc; C:\Windows\SysWoW64\esif_uf.exe [1385640 2015-06-12] (Intel Corporation)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [142336 2014-02-20] (Microsoft Corporation) [File not signed]
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373728 2016-11-30] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R2 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [360736 2016-10-28] (IObit)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223008 2015-06-24] (Intel Corporation)
R2 JTAGServer; C:\altera\14.0\quartus\bin64\jtagserver.exe [302592 2014-06-18] () [File not signed]
S2 metasploitPostgreSQL; C:\metasploit\postgresql\bin\pg_ctl.exe [78848 2016-06-28] (PostgreSQL Global Development Group) [File not signed]
S2 metasploitProSvc; C:\metasploit\ruby\bin\ruby.exe [107178 2016-06-28] (hxxp://www.ruby-lang.org/) [File not signed]
S2 metasploitThin; C:\metasploit\ruby\bin\ruby.exe [107178 2016-06-28] (hxxp://www.ruby-lang.org/) [File not signed]
S2 metasploitWorker; C:\metasploit\ruby\bin\ruby.exe [107178 2016-06-28] (hxxp://www.ruby-lang.org/) [File not signed]
R2 Mobizen plugin; C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenService.exe [1277768 2017-02-01] ( Rsupport Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-07-09] ()
R2 RemoteSolverDispatcher; C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS Flow Simulation\binCFW\remotesolverdispatcherservice.exe [238848 2015-11-10] (Mentor Graphics Corporation)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [197776 2016-12-13] (Sandboxie Holdings, LLC)
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2015-10-06] (SolidWorks) [File not signed]
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-01-08] (DEVGURU Co., LTD.)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [119808 2013-08-22] (Microsoft Corporation) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7032080 2016-05-12] (TeamViewer GmbH)
R2 TechSmith Uploader Service; C:\Program Files (x86)\Common Files\TechSmith Shared\Uploader\UploaderService.exe [3408384 2015-01-26] (TechSmith Corporation) [File not signed]
S3 VSStandardCollectorService140; C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe [56040 2015-11-19] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [730304 2015-10-02] (Wacom Technology, Corp.)
R2 wwbizsrv; C:\Program Files (x86)\Alibaba\wwbizsrv\wwbizsrv.exe [2904176 2016-07-14] (Alibaba Group)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3831712 2015-07-09] (Intel® Corporation)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Dr.Fone for iOS\Library\DriverInstaller\DriverInstall.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AlteraUSBBlaster; C:\Windows\system32\drivers\usbblstr.sys [70480 2014-06-17] (FTDI Ltd.)
R3 athur; C:\Windows\System32\drivers\athuwbx.sys [2702336 2013-11-20] (Qualcomm Atheros Communications, Inc.)
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [101368 2015-12-14] (ASUS Corporation)
U5 dc3d; C:\Windows\System32\Drivers\dc3d.sys [95016 2015-09-10] (Microsoft Corporation)
R3 dptf_acpi; C:\Windows\System32\drivers\dptf_acpi.sys [47096 2015-06-12] (Intel Corporation)
R3 dptf_cpu; C:\Windows\System32\drivers\dptf_cpu.sys [43000 2015-06-12] (Intel Corporation)
R3 esif_lf; C:\Windows\system32\DRIVERS\esif_lf.sys [251384 2015-06-12] (Intel Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [349960 2016-07-12] (Intel Corporation)
R2 IntelHaxm; C:\Windows\system32\DRIVERS\IntelHaxm.sys [84992 2015-01-30] (Intel  Corporation)
R0 IntelHSWPcc; C:\Windows\System32\drivers\IntelPcc.sys [88256 2015-06-25] (Intel Corporation)
R1 mirrorv3; C:\Windows\system32\DRIVERS\rminiv3.sys [5632 2012-12-18] (Famatech International Corp.)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 Netwtw04; C:\Windows\System32\drivers\Netwtw04.sys [7116288 2016-07-16] (Intel Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [36600 2015-11-15] (Riverbed Technology, Inc.)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [205968 2016-12-13] (Sandboxie Holdings, LLC)
R3 SensorsAlsDriver; C:\Windows\System32\drivers\WUDFRd.sys [216064 2016-07-16] (Microsoft Corporation)
R3 SensorsSimulatorDriver; C:\Windows\System32\drivers\WUDFRd.sys [216064 2016-07-16] (Microsoft Corporation)
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [21360 2016-03-22] (IObit)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S1 VBoxNetAdp; C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys [117768 2015-11-10] (Oracle Corporation)
R1 VBoxUSBMon; C:\Windows\system32\DRIVERS\VBoxUSBMon.sys [127432 2015-09-16] (BigNox Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R1 XQHDrv; C:\Windows\system32\DRIVERS\XQHDrv.sys [253384 2015-09-15] (BigNox Corporation)
R1 XQHDrv; C:\Windows\SysWOW64\DRIVERS\XQHDrv.sys [253384 2015-09-15] (BigNox Corporation)
S3 dbx; system32\DRIVERS\dbx.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-14 00:39 - 2017-03-14 00:44 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Notepad++
2017-03-13 23:50 - 2016-07-10 02:47 - 00864720 __RSH (ASUSTek Computer Inc.) C:\Users\Daniel\AppData\Roaming\clientmonitor.exe
2017-03-13 22:44 - 2017-03-13 22:44 - 00000000 ____D C:\ProgramData\ProductData
2017-03-13 21:01 - 2017-03-13 21:01 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\LibreOffice
2017-03-13 20:38 - 2017-03-13 20:38 - 00000661 _____ C:\Users\Daniel\Downloads\audio10.diagcab
2017-03-13 20:37 - 2017-03-13 20:37 - 00009350 _____ C:\Users\Daniel\Desktop\AdwCleaner[S0].txt
2017-03-13 20:34 - 2017-03-13 22:54 - 00000000 ____D C:\AdwCleaner
2017-03-13 20:21 - 2017-03-13 20:34 - 00002062 _____ C:\Users\Daniel\Desktop\JRT.txt
2017-03-13 20:17 - 2017-03-13 20:17 - 04031440 _____ C:\Users\Daniel\Downloads\adwcleaner_6.044.exe
2017-03-13 20:16 - 2017-03-13 20:16 - 01663736 _____ (Malwarebytes) C:\Users\Daniel\Downloads\JRT.exe
2017-03-13 20:10 - 2017-03-13 23:42 - 00000165 _____ C:\Users\Daniel\AppData\Roaming\sp_data.sys
2017-03-13 20:10 - 2017-03-13 20:10 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\WTablet
2017-03-13 20:10 - 2017-03-13 20:10 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Rsupport
2017-03-13 20:10 - 2017-03-13 20:10 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Intel
2017-03-13 20:06 - 2017-03-14 01:26 - 00000000 ____D C:\Users\Daniel\Downloads\FRST-OlderVersion
2017-03-13 20:02 - 2017-03-13 20:02 - 00002957 _____ C:\Users\Daniel\Downloads\Fixlist.txt
2017-03-13 18:45 - 2017-03-13 18:45 - 00003268 _____ C:\Windows\System32\Tasks\SmartDefrag_AutoAnalyze
2017-03-13 18:45 - 2017-03-13 18:45 - 00003108 _____ C:\Windows\System32\Tasks\IObitSelfCheckTask
2017-03-13 18:45 - 2017-03-13 18:45 - 00003104 _____ C:\Windows\System32\Tasks\SmartDefrag_Update
2017-03-13 18:45 - 2017-03-13 18:45 - 00001229 _____ C:\Users\Public\Desktop\Smart Defrag 5.lnk
2017-03-13 18:45 - 2017-03-13 18:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Defrag
2017-03-13 18:45 - 2016-03-25 14:33 - 00128288 _____ (IObit) C:\Windows\system32\IObitSmartDefragExtension.dll
2017-03-13 18:45 - 2016-03-22 11:02 - 00036824 _____ (IObit) C:\Windows\system32\SmartDefragBootTime.exe
2017-03-13 18:45 - 2016-03-22 11:02 - 00021360 _____ (IObit) C:\Windows\system32\Drivers\SmartDefragDriver.sys
2017-03-13 18:43 - 2017-03-13 18:43 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\IObit
2017-03-13 18:42 - 2017-03-13 20:10 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\IObit
2017-03-13 18:42 - 2017-03-13 18:45 - 00000000 ____D C:\ProgramData\IObit
2017-03-13 18:42 - 2017-03-13 18:44 - 00000000 ____D C:\Program Files (x86)\IObit
2017-03-13 18:42 - 2017-03-13 18:42 - 14175520 _____ (IObit) C:\Users\Daniel\Downloads\iobituninstaller.exe
2017-03-13 18:42 - 2017-03-13 18:42 - 00001427 _____ C:\Users\Public\Desktop\IObit Uninstaller.lnk
2017-03-13 18:42 - 2017-03-13 18:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2017-03-13 18:28 - 2017-03-13 18:28 - 00001144 _____ C:\Users\Daniel\foud_virus.txt
2017-03-13 18:06 - 2017-03-13 18:06 - 07368965 _____ C:\Users\Daniel\Downloads\TL-WN722N_V1_140918.zip
2017-03-13 18:06 - 2017-03-13 18:06 - 00000000 ____D C:\Users\Daniel\Desktop\My_Wifi_Drivers
2017-03-13 18:06 - 2013-11-20 07:43 - 02702336 _____ (Qualcomm Atheros Communications, Inc.) C:\Windows\system32\Drivers\athuwbx.sys
2017-03-13 17:44 - 2017-03-13 17:44 - 00053919 _____ C:\Users\Daniel\Downloads\FRST_13-03-2017 00.19.06.txt
2017-03-13 13:50 - 2017-03-13 13:50 - 00000099 _____ C:\Users\Daniel\getColorChecks.txt
2017-03-13 13:21 - 2017-03-14 01:25 - 00002516 _____ C:\Users\Daniel\Desktop\farm_Cacnea.ahk
2017-03-13 13:10 - 2017-03-13 13:10 - 00000014 _____ C:\Users\Daniel\pokemonduelTransfer.txt
2017-03-13 00:26 - 2017-03-13 00:51 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-13 00:21 - 2017-03-13 00:21 - 00224221 _____ C:\Users\Daniel\Downloads\Shortcut.txt
2017-03-13 00:17 - 2017-03-13 00:21 - 00073559 _____ C:\Users\Daniel\Downloads\Addition.txt
2017-03-13 00:16 - 2017-03-14 01:26 - 00000000 ____D C:\FRST
2017-03-13 00:16 - 2017-03-13 20:06 - 02424832 _____ (Farbar) C:\Users\Daniel\Downloads\FRST64.exe
2017-03-13 00:16 - 2017-03-13 00:21 - 00096314 _____ C:\Users\Daniel\Downloads\FRST.txt
2017-03-13 00:14 - 2017-03-13 00:14 - 05659435 _____ (Swearware) C:\Users\Daniel\Downloads\ComboFix.exe
2017-03-13 00:09 - 2017-03-13 00:10 - 150427920 _____ (Microsoft Corporation) C:\Users\Daniel\Downloads\msert.exe
2017-03-12 22:53 - 2017-03-12 22:53 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2017-03-12 22:53 - 2017-03-12 22:53 - 00000000 ____D C:\Program Files\Unlocker
2017-03-12 22:52 - 2017-03-12 22:52 - 00402911 _____ C:\Users\Daniel\Downloads\Unlocker1.9.2.exe
2017-03-12 22:22 - 2001-08-23 13:00 - 00034871 _____ C:\Windows\system32\gpedit.msc
2017-03-12 22:20 - 2017-03-12 22:20 - 00875012 _____ C:\Users\Daniel\Downloads\add_gpedit_msc_by_jwils876-d3kh6vm.zip
2017-03-12 22:20 - 2017-03-12 22:20 - 00707354 _____ C:\Windows\unins000.exe
2017-03-12 22:20 - 2017-03-12 22:20 - 00001539 _____ C:\Windows\unins000.dat
2017-03-12 22:20 - 2017-03-12 22:20 - 00000000 ____D C:\Windows\SysWOW64\GPBAK
2017-03-12 22:20 - 2008-04-14 02:11 - 00295936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appmgr.dll
2017-03-12 22:20 - 2001-08-23 13:00 - 00034871 _____ C:\Windows\SysWOW64\gpedit.msc
2017-03-12 21:28 - 2017-03-12 21:28 - 00261994 _____ C:\Users\Daniel\Downloads\ahk_notepad-plus-plus-master.zip
2017-03-12 21:28 - 2017-03-12 21:28 - 00000000 ____D C:\Users\Daniel\Desktop\Notepad++
2017-03-12 21:10 - 2017-03-12 21:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-03-12 21:09 - 2017-03-12 21:10 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-03-12 20:00 - 2017-03-12 20:39 - 00001004 _____ C:\Users\Daniel\Desktop\new_ulex_mobi.ahk
2017-03-12 17:57 - 2017-03-12 19:38 - 00000719 _____ C:\Users\Daniel\Desktop\msgbox.ahk
2017-03-12 15:42 - 2017-03-12 19:49 - 00001612 _____ C:\Users\Daniel\Desktop\farm_ulex_mobizen.ahk
2017-03-12 13:42 - 2017-03-13 13:30 - 00000474 _____ C:\Users\Daniel\Desktop\getColor.ahk
2017-03-12 13:32 - 2017-03-13 13:50 - 00001228 _____ C:\Users\Daniel\Desktop\farm_ulex_1.ahk
2017-03-12 13:29 - 2017-03-12 13:29 - 00001139 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SideSync.lnk
2017-03-12 13:27 - 2017-03-12 13:29 - 00001209 _____ C:\Users\Public\Desktop\SideSync.lnk
2017-03-12 13:27 - 2017-03-12 13:27 - 00000000 ____D C:\Users\Daniel\Documents\SideSync
2017-03-12 13:27 - 2017-03-12 13:27 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Samsung
2017-03-12 13:27 - 2017-03-12 13:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
2017-03-12 13:26 - 2017-03-12 13:26 - 00000000 ____D C:\ProgramData\Samsung
2017-03-12 13:26 - 2017-03-12 13:26 - 00000000 ____D C:\Program Files\Samsung
2017-03-12 13:25 - 2017-03-12 13:25 - 00000000 ____D C:\Program Files (x86)\Samsung
2017-03-12 13:24 - 2017-03-12 13:25 - 48364048 _____ (Samsung) C:\Users\Daniel\Downloads\SideSync_4.3.0.92.exe
2017-03-12 13:18 - 2017-03-12 13:18 - 00000000 ____D C:\Users\Public\Documents\Rsupport
2017-03-12 13:14 - 2017-03-12 13:18 - 00000132 _____ C:\Users\Daniel\Desktop\myScript.ahk
2017-03-12 13:12 - 2017-03-12 13:12 - 00002051 _____ C:\Users\Public\Desktop\Mobizen.lnk
2017-03-12 13:12 - 2017-03-12 13:12 - 00000000 ____D C:\Users\Daniel\Documents\Mobizen
2017-03-12 13:12 - 2017-03-12 13:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RSUPPORT
2017-03-12 13:12 - 2017-03-12 13:12 - 00000000 ____D C:\Program Files (x86)\RSUPPORT
2017-03-12 13:11 - 2017-03-12 13:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoHotkey
2017-03-12 13:11 - 2017-03-12 13:11 - 00000000 ____D C:\Program Files\AutoHotkey
2017-03-12 13:10 - 2017-03-12 13:10 - 03114048 _____ C:\Users\Daniel\Downloads\AutoHotkey_1.1.25.01_setup.exe
2017-03-12 13:09 - 2017-03-12 13:10 - 50165624 _____ (RSUPPORT ) C:\Users\Daniel\Downloads\mobizen.exe
2017-03-11 17:42 - 2017-03-11 17:43 - 00000040 _____ C:\Users\Daniel\transfer id.txt
2017-03-11 04:45 - 2017-03-11 04:45 - 03737088 _____ C:\Users\Daniel\Downloads\Lecture+4-2016.ppt
2017-03-10 00:15 - 2017-03-10 00:15 - 00032789 _____ C:\Users\Daniel\Downloads\Assignment3Part2.pdf
2017-03-10 00:09 - 2017-03-10 00:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-03-09 23:55 - 2017-03-09 23:55 - 00182789 _____ C:\Users\Daniel\Downloads\RSA (1).pdf
2017-03-09 23:52 - 2017-03-09 23:52 - 00182789 _____ C:\Users\Daniel\Downloads\RSA.pdf
2017-03-09 23:52 - 2017-03-09 23:52 - 00064877 _____ C:\Users\Daniel\Downloads\ASSIGN-2.pdf
2017-03-07 15:16 - 2017-03-07 15:16 - 00061952 _____ C:\Users\Daniel\Downloads\Final+lab+schedule+2017 (4).xls
2017-03-07 13:16 - 2017-03-07 13:16 - 00006054 _____ C:\Users\Daniel\Downloads\download (1).htm
2017-03-07 13:15 - 2017-03-07 13:15 - 00082952 _____ C:\Users\Daniel\Downloads\Midterm-Review.pdf
2017-03-07 01:57 - 2017-03-07 01:57 - 00556885 _____ C:\Users\Daniel\Downloads\Fluid-Flow-Assignment-6-Answers-Darcie (1).pdf
2017-03-07 01:47 - 2017-03-07 01:47 - 00556885 _____ C:\Users\Daniel\Downloads\Fluid-Flow-Assignment-6-Answers-Darcie.pdf
2017-03-06 19:20 - 2017-03-06 19:27 - 656679482 ____R C:\Users\Daniel\Downloads\Maplesoft Maple 17 (64bit).7z
2017-03-06 16:50 - 2017-03-06 16:50 - 00046184 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-stable.sys
2017-03-06 00:39 - 2017-03-06 00:39 - 00043783 _____ C:\Users\Daniel\Downloads\prob3-74s.pdf
2017-03-05 23:41 - 2017-03-05 23:41 - 13747672 _____ C:\Users\Daniel\Downloads\Fundamentals of Electrical Engineering by Giorgio Rizzoni.pdf
2017-03-02 16:36 - 2017-03-02 16:36 - 00014287 _____ C:\Users\Daniel\Desktop\DanielRibero_250850422_Assignment2.odt
2017-03-02 16:36 - 2017-03-02 16:36 - 00000111 ____H C:\Users\Daniel\Desktop\.~lock.DanielRibero_250850422_Assignment2.doc#
2017-03-02 11:09 - 2017-03-02 11:09 - 00000924 _____ C:\Users\Daniel\Downloads\A2.m
2017-03-02 11:01 - 2017-03-02 11:25 - 00001052 _____ C:\Users\Daniel\Downloads\Assignment_2 (2).m
2017-03-02 10:59 - 2017-03-02 10:59 - 00001378 _____ C:\Users\Daniel\Downloads\Assignment_2 (1).m
2017-02-27 17:49 - 2017-02-27 17:49 - 08640995 _____ C:\Users\Daniel\Downloads\Automate_the_Boring_Stuff_onlinematerials.zip
2017-02-27 15:04 - 2017-02-27 15:11 - 00000000 ____D C:\Users\Daniel\Desktop\PythonExample
2017-02-27 14:59 - 2017-03-12 22:00 - 00000000 ____D C:\Users\Daniel\Documents\PythonCode
2017-02-27 12:08 - 2017-02-27 12:26 - 00000000 ____D C:\Users\Daniel\Desktop\groceryList
2017-02-25 21:57 - 2017-02-25 21:57 - 00000111 ____H C:\Users\Daniel\Downloads\.~lock.Assignment+5-2017 (1).docx#
2017-02-25 21:53 - 2017-02-25 21:53 - 03178742 _____ C:\Users\Daniel\Downloads\Lecture19.pptx
2017-02-25 21:53 - 2017-02-25 21:53 - 00000111 ____H C:\Users\Daniel\Downloads\.~lock.Lecture19.pptx#
2017-02-25 12:50 - 2017-02-25 13:15 - 00000000 ____D C:\Users\Daniel\Desktop\BirthdayDatabase
2017-02-24 20:39 - 2017-02-24 20:39 - 01110564 _____ (Igor Pavlov) C:\Users\Daniel\Downloads\7z1604.exe
2017-02-24 20:39 - 2017-02-24 20:39 - 00000000 ____D C:\Program Files (x86)\7-Zip
2017-02-24 20:05 - 2017-02-24 20:05 - 00000000 ____D C:\Users\Daniel\AppData\Local\pip
2017-02-24 10:48 - 2017-02-24 10:48 - 01929896 _____ (Dominik Reichl ) C:\Users\Daniel\Downloads\KeePass-1.32-Setup.exe
2017-02-24 10:48 - 2017-02-24 10:48 - 00001172 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass.lnk
2017-02-24 10:48 - 2017-02-24 10:48 - 00000000 ____D C:\Program Files (x86)\KeePass Password Safe
2017-02-24 00:16 - 2017-02-24 00:21 - 00000043 _____ C:\Users\Daniel\Desktop\exampleFile.txt
2017-02-24 00:15 - 2017-02-24 00:29 - 00000228 _____ C:\Users\Daniel\Desktop\write.py
2017-02-24 00:11 - 2017-02-24 00:11 - 01615467 _____ C:\Users\Daniel\Desktop\get_pip.py
2017-02-23 23:51 - 2017-02-23 23:53 - 00000000 ____D C:\pyqtgraph-0.10.0
2017-02-23 23:50 - 2017-02-23 23:50 - 01544516 _____ C:\Users\Daniel\Downloads\pyqtgraph-0.10.0.tar.gz
2017-02-23 23:26 - 2017-02-27 12:08 - 00000305 _____ C:\Users\Daniel\Desktop\first.py
2017-02-23 23:13 - 2017-02-23 23:13 - 00001351 _____ C:\Users\Daniel\Downloads\Assignment_2.m
2017-02-23 23:06 - 2017-02-23 23:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 3.5
2017-02-23 23:04 - 2017-02-23 23:04 - 29347880 _____ (Python Software Foundation) C:\Users\Daniel\Downloads\python-3.5.3.exe
2017-02-22 00:19 - 2017-02-22 00:19 - 00008550 _____ C:\Users\Daniel\Downloads\download.htm
2017-02-21 22:43 - 2017-02-21 22:43 - 00006242 _____ C:\Users\Daniel\schedule.txt
2017-02-19 20:16 - 2017-02-19 20:16 - 00153092 _____ C:\Users\Daniel\Downloads\Greyhound.pdf
2017-02-17 02:44 - 2017-02-17 02:44 - 01045400 _____ C:\Users\Daniel\Downloads\101g-ie-03.pdf
2017-02-17 02:36 - 2017-02-17 02:37 - 00474112 _____ C:\Users\Daniel\Downloads\chapter_2_lecture_3_-__energy_equation.ppt
2017-02-14 00:36 - 2017-02-14 00:36 - 00061952 _____ C:\Users\Daniel\Downloads\Final+lab+schedule+2017 (3).xls
2017-02-13 15:08 - 2017-02-13 15:08 - 00153581 _____ C:\Users\Daniel\Downloads\Midterm-2012-Solution (1).pdf
2017-02-13 14:19 - 2017-02-13 14:19 - 00153581 _____ C:\Users\Daniel\Downloads\Midterm 2012 Solution.pdf
2017-02-13 14:03 - 2017-02-13 14:03 - 10138141 _____ C:\Users\Daniel\Downloads\Allan R. Hambley Electrical Engineering Principles & Applications.pdf
2017-02-13 13:04 - 2017-02-13 13:04 - 00153581 _____ C:\Users\Daniel\Downloads\Midterm-2012-Solution.pdf
2017-02-13 03:49 - 2017-02-13 03:49 - 00117370 _____ C:\Users\Daniel\Downloads\FlowLabEOC2e_CH04.pdf
2017-02-12 21:14 - 2017-02-12 21:15 - 00608270 _____ C:\Users\Daniel\Downloads\assignment 2-finite_375.pdf
2017-02-12 21:14 - 2017-02-12 21:14 - 00615512 _____ C:\Users\Daniel\Downloads\Tutorial 5b_new_374 (1).pdf
2017-02-12 21:14 - 2017-02-12 21:14 - 00044737 _____ C:\Users\Daniel\Downloads\Tutorial 5a_373.pdf
2017-02-12 21:11 - 2017-02-12 21:11 - 00000030 _____ C:\Users\Daniel\cg.txt
2017-02-12 21:08 - 2017-02-12 21:08 - 00615512 _____ C:\Users\Daniel\Downloads\Tutorial 5b_new_374.pdf
2017-02-12 18:30 - 2017-02-12 18:30 - 00294400 _____ C:\Users\Daniel\Downloads\Lecture10.ppt
2017-02-12 18:16 - 2017-02-12 18:16 - 00268667 _____ C:\Users\Daniel\Downloads\2015-Midterm.pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-13 23:48 - 2016-09-24 10:04 - 01274830 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-13 23:44 - 2016-07-07 19:58 - 00000000 _RSHD C:\ProgramData\Client
2017-03-13 23:42 - 2016-02-25 17:19 - 00000000 ____D C:\ProgramData\ASUS Smart Gesture
2017-03-13 23:42 - 2015-10-07 07:59 - 00000000 __SHD C:\Users\Daniel\IntelGraphicsProfiles
2017-03-13 23:41 - 2016-09-26 00:04 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-13 23:41 - 2016-09-24 10:02 - 00000180 _____ C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-13 23:41 - 2016-07-16 02:04 - 01048576 _____ C:\Windows\system32\config\BBI
2017-03-13 23:41 - 2016-01-13 11:20 - 00000091 _____ C:\HaxLogs.txt
2017-03-13 20:41 - 2015-10-22 17:18 - 00000000 ____D C:\Users\Daniel\AppData\Local\ElevatedDiagnostics
2017-03-13 20:08 - 2016-01-26 15:33 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\Temp
2017-03-13 20:07 - 2016-07-19 06:04 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400
2017-03-13 20:07 - 2016-07-16 07:47 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-03-13 20:07 - 2015-07-10 07:04 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-03-13 19:56 - 2017-01-30 21:30 - 00000000 ____D C:\Program Files (x86)\Bonjour
2017-03-13 19:54 - 2016-07-12 17:11 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\Blizzard Entertainment
2017-03-13 19:42 - 2016-09-24 10:01 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-03-13 19:41 - 2015-11-21 23:28 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\uTorrent
2017-03-13 19:34 - 2016-07-17 03:58 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Python 2.7
2017-03-13 18:28 - 2016-09-24 10:04 - 00000000 ____D C:\Users\Daniel
2017-03-13 18:16 - 2016-07-16 07:47 - 00000000 ____D C:\Windows\system32\NDF
2017-03-13 18:08 - 2016-07-16 07:45 - 00000000 ____D C:\Windows\INF
2017-03-13 08:41 - 2016-07-16 07:47 - 00000000 ____D C:\Windows\AppReadiness
2017-03-13 08:40 - 2016-07-16 07:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-13 00:53 - 2015-10-07 18:45 - 00000000 ____D C:\Windows\pss
2017-03-13 00:28 - 2016-07-07 05:31 - 00000000 _RSHD C:\Program Files (x86)\Client
2017-03-13 00:11 - 2016-07-16 07:47 - 00000000 __RHD C:\Users\Public\Libraries
2017-03-13 00:04 - 2016-01-25 19:51 - 00000000 ____D C:\Users\Daniel\Documents\Visual Studio 2015
2017-03-12 23:55 - 2016-05-25 19:07 - 00000008 __RSH C:\ProgramData\ntuser.pol
2017-03-12 21:29 - 2016-07-23 05:13 - 00000000 ____D C:\Program Files (x86)\Notepad++
2017-03-12 21:10 - 2015-11-08 21:15 - 00002640 _____ C:\Users\Public\Desktop\Skype.lnk
2017-03-12 21:10 - 2015-11-08 21:15 - 00000000 ____D C:\ProgramData\Skype
2017-03-12 21:09 - 2015-09-09 19:41 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-12 13:32 - 2015-10-07 08:00 - 00000000 ____D C:\Users\Daniel\AppData\Local\Publishers
2017-03-12 13:23 - 2015-11-11 09:36 - 00000000 ____D C:\Users\Daniel\.android
2017-03-12 13:11 - 2015-10-30 05:07 - 00000000 ____D C:\Windows\ShellNew
2017-03-10 00:09 - 2016-09-08 11:16 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-03-05 16:12 - 2016-12-06 14:34 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-03-05 16:12 - 2016-07-16 07:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-03-02 13:45 - 2015-11-24 22:27 - 00000000 ____D C:\Users\Daniel\Documents\MATLAB
2017-02-24 20:39 - 2016-07-30 00:36 - 00034784 _____ (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCEXP152.SYS
2017-02-24 20:39 - 2016-07-30 00:35 - 00000000 ____D C:\Users\Daniel\Downloads\ProcessExplorer
2017-02-23 23:15 - 2015-12-02 13:52 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Python 3.5
2017-02-23 23:12 - 2015-12-02 13:52 - 00000000 ____D C:\Users\Daniel\AppData\Local\Package Cache
2017-02-23 19:47 - 2015-10-07 18:43 - 00000000 ____D C:\Windows\system32\MRT
2017-02-23 19:44 - 2015-10-07 18:43 - 138020592 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-02-23 15:23 - 2015-10-08 00:42 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-02-22 19:40 - 2016-07-16 07:36 - 00000000 ____D C:\Windows\CbsTemp
2017-02-22 19:18 - 2016-06-15 23:14 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2017-02-19 20:28 - 2015-10-07 07:59 - 00000000 ____D C:\Users\Daniel\AppData\Local\Packages
2017-02-13 04:28 - 2017-02-05 04:28 - 00001682 _____ C:\Windows\Sandboxie.ini
 
==================== Files in the root of some directories =======
 
2017-03-13 23:50 - 2016-07-10 02:47 - 0864720 __RSH (ASUSTek Computer Inc.) C:\Users\Daniel\AppData\Roaming\clientmonitor.exe
2017-03-13 20:10 - 2017-03-13 23:42 - 0000165 _____ () C:\Users\Daniel\AppData\Roaming\sp_data.sys
2015-11-28 18:47 - 2015-11-28 18:48 - 0001456 _____ () C:\Users\Daniel\AppData\Local\Adobe Save for Web 13.0 Prefs
2016-08-09 13:29 - 2016-08-09 14:05 - 0005120 _____ () C:\Users\Daniel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-09-22 20:53 - 2016-09-22 20:53 - 0000711 _____ () C:\Users\Daniel\AppData\Local\recently-used.xbel
2016-07-10 02:08 - 2016-07-10 02:48 - 0001586 __RSH () C:\ProgramData\Client Monitor
 
Some files in TEMP:
====================
2017-03-13 20:10 - 2016-07-13 18:33 - 0053248 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Local\Temp\svhost.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-08 02:48
 
==================== End of FRST.txt ============================
 
 


#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,434 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:30 PM

Posted 14 March 2017 - 09:58 AM

I'll be out for a few hours. Will review these logs when I come back.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 JSntgRvr


Posted 14 March 2017 - 12:27 PM

Download the attached file and save it in the same directory FRST64 is saved.

  • Boot in Safe Mode
  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Malwarebytes to your desktop.

Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.

Once the program has fully updated, proceed with the Scan options and select "Threat Scan".

The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.

[screenshot: 10a.png]

After a scan has been executed, scan results are displayed as shown below. In this scan, three threats were detected.

[screenshot: 13a.png]

Put a checkmark on all detected and click on "Quarantine Selected".

[screenshot: 18a.png]

Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

[screenshot: 19a.png]

Please note that an Export button is shown at the bottom left corner of this screen. This allows you to make a copy of the log for use by other programs. You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.


Edited by JSntgRvr, 14 March 2017 - 12:30 PM.



#14 JSntgRvr


Posted 14 March 2017 - 12:31 PM

Please note the above post was edited to include the right Fixlist.txt.




#15 RiberoD07

RiberoD07
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 14 March 2017 - 01:04 PM

Attached are the images that I am getting that I wish to fix but am not sure how.

This is the FRST log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-03-2017
Ran by Daniel (14-03-2017 13:46:36) Run:4
Running from C:\Users\Daniel\Desktop\FRST-OlderVersion
Loaded Profiles: Daniel (Available Profiles: Daniel)
Boot Mode: Safe Mode (minimal)
==============================================
 
fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\CurrentVersion\Windows: [Load] C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe <===== ATTENTION 
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" <==== ATTENTION 
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\CurrentVersion\Windows: [Load] C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe <===== ATTENTION 
2017-03-13 20:10 - 2016-07-13 18:33 - 0053248 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Local\Temp\svhost.exe 
2017-03-13 23:50 - 2016-07-10 02:47 - 0864720 __RSH (ASUSTek Computer Inc.) C:\Users\Daniel\AppData\Roaming\clientmonitor.exe
2017-03-13 20:10 - 2017-03-13 23:42 - 0000165 _____ () C:\Users\Daniel\AppData\Roaming\sp_data.sys
2015-11-28 18:47 - 2015-11-28 18:48 - 0001456 _____ () C:\Users\Daniel\AppData\Local\Adobe Save for Web 13.0 Prefs
2016-08-09 13:29 - 2016-08-09 14:05 - 0005120 _____ () C:\Users\Daniel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-09-22 20:53 - 2016-09-22 20:53 - 0000711 _____ () C:\Users\Daniel\AppData\Local\recently-used.xbel
2016-07-10 02:08 - 2016-07-10 02:48 - 0001586 __RSH () C:\ProgramData\Client Monitor
2017-03-13 20:10 - 2016-07-13 18:33 - 0053248 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Local\Temp\svhost.exe
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,"C:\WINDOWS\system32\clientmonitor.exe"
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\RunOnce: [Client Monitor] => C:\ProgramData\Client\startup.exe [864720 2016-07-10] (ASUSTek Computer Inc.)
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\CurrentVersion\Windows: [Load] C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe <===== ATTENTION
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" <==== ATTENTION
Unlock: C:\WINDOWS\system32\clientmonitor.exe
Unlock: C:\ProgramData\Client\startup.exe
Unlock: C:\Users\Daniel\AppData\Roaming\clientmonitor.exe
Unlock: C:\Users\Daniel\AppData\Local\Temp\svhost.exe 
Unlock: C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe
C:\WINDOWS\system32\clientmonitor.exe
C:\ProgramData\Client\startup.exe
C:\Users\Daniel\AppData\Roaming\clientmonitor.exe
C:\Users\Daniel\AppData\Local\Temp\svhost.exe 
C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe
C:\Users\Daniel\AppData\Local\Temp\FolderN
C:\ProgramData\Client
C:\Program Files (x86)\Client
RemoveProxy:
Hosts:
EMPTYTEMP: 
Reboot:
 
*****************
 
Processes closed successfully.
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => value removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => value not found.
C:\Users\Daniel\AppData\Local\Temp\svhost.exe => moved successfully
Could not move "C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" => Scheduled to move on reboot.
C:\Users\Daniel\AppData\Roaming\sp_data.sys => moved successfully
C:\Users\Daniel\AppData\Local\Adobe Save for Web 13.0 Prefs => moved successfully
C:\Users\Daniel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\Daniel\AppData\Local\recently-used.xbel => moved successfully
C:\ProgramData\Client Monitor => moved successfully
"C:\Users\Daniel\AppData\Local\Temp\svhost.exe" => not found.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Client Monitor => value not found.
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => value not found.
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value not found.
"C:\WINDOWS\system32\clientmonitor.exe" => not found.
"C:\ProgramData\Client\startup.exe" => was unlocked
"C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" => was unlocked
"C:\Users\Daniel\AppData\Local\Temp\svhost.exe" => not found.
"C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe" => was unlocked
"C:\WINDOWS\system32\clientmonitor.exe" => not found.
Could not move "C:\ProgramData\Client\startup.exe" => Scheduled to move on reboot.
Could not move "C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" => Scheduled to move on reboot.
"C:\Users\Daniel\AppData\Local\Temp\svhost.exe" => not found.
C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe => moved successfully
C:\Users\Daniel\AppData\Local\Temp\FolderN => moved successfully
C:\ProgramData\Client => moved successfully
C:\Program Files (x86)\Client => moved successfully
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2498589561-758378069-103133614-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 26425435 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 715854 B
Edge => 0 B
Chrome => 603033926 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 9112 B
Daniel => 160309876 B
 
RecycleBin => 3368332 B
EmptyTemp: => 757.1 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Safe Mode (minimal)) (Date&Time: 14-03-2017 13:47:04)
 
C:\Users\Daniel\AppData\Roaming\clientmonitor.exe => Is moved successfully
C:\ProgramData\Client\startup.exe => Is moved successfully
C:\Users\Daniel\AppData\Roaming\clientmonitor.exe => Is moved successfully
 
==== End of Fixlog 13:47:04 ====
 
This is the MBAM log:
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 3/14/17
Scan Time: 1:48 PM
Logfile: malware_report.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1394
License: Free
 
-System Information-
OS: Windows 8
CPU: x64
File System: NTFS
User: LAPTOP-S41S24SG\Daniel
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 483328
Time Elapsed: 6 min, 6 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 4
PUP.Optional.ClientMonitor, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Client Monitor, Quarantined, [2423], [353404],1.0.1394
PUP.Optional.DrivePro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\drivepro, Quarantined, [14], [304351],1.0.1394
PUP.Optional.DrivePro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0F9D4A9E-EB1F-4C73-B67D-771999F5010D}, Quarantined, [14], [304352],1.0.1394
PUP.Optional.ClientMonitor, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{182F626D-2F89-453C-A025-445E50277C70}, Quarantined, [2423], [353399],1.0.1394
 
Registry Value: 2
PUP.Optional.DrivePro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0F9D4A9E-EB1F-4C73-B67D-771999F5010D}|PATH, Quarantined, [14], [304352],1.0.1394
PUP.Optional.ClientMonitor, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{182F626D-2F89-453C-A025-445E50277C70}|PATH, Quarantined, [2423], [353399],1.0.1394
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 5
Ransom.NullByte, C:\USERS\DANIEL\DOWNLOADS\NECROBOT.REBUILT.V0.1.7.ZIP, Quarantined, [528], [321124],1.0.1394
Trojan.Agent.E, C:\WINDOWS\SYSWOW64\CLIENTMONITOR.EXE, Quarantined, [204], [245888],1.0.1394
PUP.Optional.QuickCleaner, C:\WINDOWS\SYSTEM32\TASKS\E02C4BD5-54D5-4470-9EA0-A68D88112C00, Quarantined, [13347], [261956],1.0.1394
PUP.Optional.ClientMonitor, C:\WINDOWS\SYSTEM32\TASKS\CLIENT MONITOR, Quarantined, [2423], [353407],1.0.1394
PUP.Optional.DrivePro, C:\WINDOWS\SYSTEM32\TASKS\DRIVEPRO, Quarantined, [14], [304350],1.0.1394
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
It seems like the startup.exe is no longer in my task manager, so that is great news; however, I'm not sure if it's all clean yet.

 


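The fix above removed three classic logon persistence points (a second program chained onto the Winlogon Shell and Userinit values, and a non-empty Windows\Load value) plus a svhost.exe look-alike staged in Temp and a hidden/system clientmonitor.exe in Roaming. Below is an added Python triage script, not part of this thread and not FRST's own code, that encodes those same checks so they can be run over a whole FRST log instead of being spotted by eye. The sample lines are constructed to mirror the log's format: all but the last are copied in shape from the log above, and the bare HKLM Shell line is an assumed benign control. The regexes assume FRST's abbreviated `HKxx\...\Winlogon:` registry lines as they appear in this thread.

```python
"""Triage checks for FRST log lines (added example; not FRST's own code)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in FRST's format. All but the last line mirror entries from
# the log in this thread; the bare HKLM Shell line is an assumed benign control.
SAMPLE_LOG = r"""
2017-03-13 20:10 - 2016-07-13 18:33 - 0053248 _____ (Microsoft Corporation) C:\Users\Daniel\AppData\Local\Temp\svhost.exe
2017-03-13 23:50 - 2016-07-10 02:47 - 0864720 __RSH (ASUSTek Computer Inc.) C:\Users\Daniel\AppData\Roaming\clientmonitor.exe
2017-03-13 18:45 - 2016-03-22 11:02 - 00036824 _____ (IObit) C:\Windows\system32\SmartDefragBootTime.exe
2017-03-13 20:10 - 2017-03-13 23:42 - 0000165 _____ () C:\Users\Daniel\AppData\Roaming\sp_data.sys
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Daniel\AppData\Roaming\clientmonitor.exe" <==== ATTENTION
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,"C:\WINDOWS\system32\clientmonitor.exe"
HKU\S-1-5-21-2498589561-758378069-103133614-1001\...\CurrentVersion\Windows: [Load] C:\Users\Daniel\AppData\Local\Temp\FolderN\name.exe <===== ATTENTION
HKLM\...\Winlogon: [Shell] explorer.exe
"""

# Core Windows process names that malware likes to imitate (svhost.exe vs svchost.exe).
CORE_NAMES = ("svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
              "explorer.exe", "conhost.exe", "services.exe")

# What the Winlogon values start with on a clean system.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# FRST "files" line: <created> - <modified> - <size> <attrs> [(company)] <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(\d+) ([_A-Z]{5}) (?:\(([^)]*)\) )?(.+?)\s*$")
# Registry lines may carry FRST's own "<==== ATTENTION" marker; strip it from the data.
REG_TAIL = r" (.+?)(?:\s*<=+ ATTENTION)?\s*$"
WINLOGON_RE = re.compile(r"^(HK\S+?)\\\.\.\.\\Winlogon: \[(Shell|Userinit)\]" + REG_TAIL)
LOAD_RE = re.compile(r"^(HK\S+?)\\\.\.\.\\CurrentVersion\\Windows: \[Load\]" + REG_TAIL)


@dataclass
class Finding:
    path: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; file names are short, so a plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_file_line(m: re.Match) -> list:
    attrs, path = m.group(4), m.group(6)
    name = ntpath.basename(path).lower()
    low = path.lower()
    out = []
    if name.endswith((".exe", ".dll", ".sys")):
        # Name one typo away from a core system binary (svhost.exe, scvhost.exe, ...).
        for core in CORE_NAMES:
            if name != core and edit_distance(name, core) == 1:
                out.append(Finding(path, f"name is one edit away from system binary {core}"))
        # Executables should not live in the user's Temp folder.
        if "\\appdata\\local\\temp\\" in low:
            out.append(Finding(path, "executable staged in the user's Temp folder"))
        # Hidden/system attributes (the R,S,H in __RSH) on a profile/ProgramData executable.
        if ("H" in attrs or "S" in attrs) and ("\\users\\" in low or "\\programdata\\" in low):
            out.append(Finding(path, f"hidden/system attributes ({attrs}) on an executable outside Windows"))
    return out


def check_winlogon(m: re.Match) -> list:
    hive, value, data = m.groups()
    # Shell/Userinit are comma-separated lists; anything after the first entry is a second program.
    parts = [p.strip().strip('"') for p in data.split(",")]
    parts = [p for p in parts if p]
    expected = EXPECTED[value.lower()]
    out = []
    if not parts or ntpath.basename(parts[0]).lower() != expected:
        out.append(Finding(data, f"{hive} Winlogon {value} does not start with {expected}"))
    for extra in parts[1:]:
        out.append(Finding(extra, f"extra program chained into Winlogon {value} ({hive})"))
    return out


def check_load(m: re.Match) -> list:
    hive, data = m.groups()
    # The Windows\Load value is empty on a clean system; any program here runs at logon.
    return [Finding(data, f"{hive} Windows\\Load runs a program at logon (normally empty)")]


def triage(log_text: str) -> list:
    """Run every check over each line of an FRST log and return the findings."""
    findings = []
    for line in log_text.splitlines():
        if m := FILE_RE.match(line):
            findings.extend(check_file_line(m))
        elif m := WINLOGON_RE.match(line):
            findings.extend(check_winlogon(m))
        elif m := LOAD_RE.match(line):
            findings.extend(check_load(m))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
```

Run it with `python frst_triage.py` (file name assumed) and it prints six findings for the sample: two for svhost.exe (look-alike name and Temp location), one for the hidden/system clientmonitor.exe, one each for the chained Shell and Userinit programs, and one for the Load value; SmartDefragBootTime.exe and sp_data.sys produce nothing. The company name in parentheses is version-information text that any file can carry, not a signature check, which is why the script keys on location, attributes and name rather than on it; FRST's own "=> File is digitally signed" lines are the signature check. Findings are leads for a helper to review, not verdicts.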