I think I got a RAT. Please help.


13 replies to this topic

#1 IThinkIGottaRat

IThinkIGottaRat

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 24 March 2017 - 11:55 AM

OK, so I think I have picked up a RAT program packed in a .dll that I downloaded. The dll was to be injected into a game process, so I am able to execute level 7 Lua scripts in one of the games I play, and be able to use "loadstring" and "getobjects" to spawn in whatever items I want, be able to fly, use god mode/admin/GM commands etc. Well, needless to say the executor worked great. I was able to execute my own custom Lua scripts to execute my own requests to the server, and to pass on items and abilities to other players on the server, as if I was a real GM or admin. Everything was working great for about 4 hours, then my PC began to run slow and freeze up on me. Applications started hanging, and switching back and forth between windows was a pain; my laptop is pretty fast (8 gigs of RAM, Dell) and ran all types of games with no issues, like H1Z1, DayZ, etc.

 

Now, loading the games takes forever; some games just hang up completely and either crash, or just go extremely slow. My computer just showed signs of an infection. I'm not sure if it was my graphics card driver, or a remote program logging in, but my computer out of nowhere beeped like the UAC noise, but no UAC came up; instead my monitor went black for a second and blinked, then refreshed. I had this happen to me one time before when I got a RAT years ago. My AVG didn't detect anything wrong with the dll on the first scan so I ran it, then after I used the program and all the stuff started happening 4 hours later my AVG popped up and said system spool something is infected, so I clicked on remove the infection. It said it cleaned my system, and deleted the dll file (this was the other day).

 

Now today, my computer is hanging up again while trying to play a low spec game that should be able to run great off of a low spec machine. My laptop isn't high end but it's definitely not low end. It's an $800.00 laptop with 8 gigs of RAM, an i5 core, and is usually lightning fast. I can usually play high-end games no problem on it.

Now today again, I was trying to play a game, and my computer went into derp mode. It started hanging up, and did the noise again and my screen went black and refreshed back to normal. I truly believe the dll I injected was packed with some kind of Remote Access Tool, or virus. Any help you guys can give me would be much appreciated. Thank you again from the bottom of my heart. My friend said you guys were the best site on the internet, so here I am.

 

*********====================++++++++++++++*****************************************************========================+++++++++++++++

After you tell me what tools to download and what scans to do, should I answer back on this post, or start a new thread in the Virus, Trojan, Spyware, and Malware Removal Logs? Thank you again. Please, let me know where I need to post the information you need. Thank you so much for your time and help.

 

Here is the VirusTotal link to the file. I should have run it through VirusTotal first before I used it; I usually do, but I was just so eager to use it, and since it came from a well-respected exploit maker I let my guard down, and now I'm sure I'm RATed.

 

https://www.virustotal.com/en/file/845c1a3483e605cdebe0db80542e9779b6a4d7c7683ba538b4b2881bfb71e9c9/analysis/1490380466/


Edited by IThinkIGottaRat, 24 March 2017 - 01:37 PM.



 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 PM

Posted 24 March 2017 - 02:53 PM

Hi, run these and post here.

MiniToolBox
  • Please download MiniToolBox, save it to your desktop and run it.
  • Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from. Note: when using the "Reset FF Proxy Settings" option, Firefox should be closed.
AdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users: right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.
Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
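One way to collect the same categories of information boopme's MiniToolBox checklist asks for, using only built-in Windows tooling, as an added example that is not part of boopme's reply or of the MiniToolBox tool. It assumes Windows 8.1/10 or later, an elevated PowerShell prompt, and the output path `Triage-Result.txt` on the desktop; the `Add-Section` helper is this example's own, not something from the tool. Unlike the checklist it never resets proxy settings or flushes DNS: it only records the current state, so whatever a hijacked proxy or hosts file looked like is preserved in the report before anything is cleaned.

```powershell
#Requires -RunAsAdministrator
# Added example (not from boopme's post or from MiniToolBox): read-only triage that
# records proxy settings, hosts file, IP configuration, Winsock catalog, recent
# event-log errors, installed programs and users/partitions/memory to a text report.
# Assumed: Windows 8.1/10 or later, elevated prompt, and the output path below.

$report = Join-Path $env:USERPROFILE 'Desktop\Triage-Result.txt'   # assumed output path
$lines  = New-Object System.Collections.Generic.List[string]

# Runs one check, captures its text output, and records failures instead of aborting,
# so one broken cmdlet (e.g. a missing module) does not lose the rest of the report.
function Add-Section([string]$Title, [scriptblock]$Body) {
    $lines.Add("========================= $Title =========================")
    try {
        foreach ($l in @(& $Body | Out-String -Stream)) { $lines.Add([string]$l) }
    } catch {
        $lines.Add("ERROR collecting '$Title': $($_.Exception.Message)")
    }
    $lines.Add('')
}

# Captured, not flushed: the cache shows which names the machine recently resolved.
Add-Section 'DNS resolver cache (captured, not flushed)' {
    Get-DnsClientCache | Select-Object Entry, RecordType, Data | Format-Table -AutoSize
}

# Same per-user registry values "Report IE Proxy Settings" reads; a proxy or PAC URL
# the user never configured is a classic sign of traffic interception.
Add-Section 'IE/WinINet proxy settings (report only)' {
    Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
        Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
}

# Only non-comment lines; a clean hosts file prints nothing here.
Add-Section 'Hosts content (non-comment lines)' {
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

Add-Section 'IP configuration' { ipconfig /all }

# Winsock LSP/namespace providers: every "Provider Path" is expected to be a Microsoft
# DLL under System32 or SysWOW64, as in the MTB.txt log posted later in this thread.
Add-Section 'Winsock catalog providers' {
    netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path' |
        ForEach-Object { $_.Line.Trim() }
}

Add-Section 'Last 10 Application/System errors' {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Level = 2 } `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } } | Format-List
}

# A service that keeps crashing (as Windows Search does in the posted log) shows up
# here as one provider/event-ID pair with a high count.
Add-Section 'Most frequent System errors, last 24 h' {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}

Add-Section 'Installed programs' {
    $uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } | Sort-Object DisplayName |
        ForEach-Object { '{0} (Version: {1} - {2})' -f $_.DisplayName, $_.DisplayVersion, $_.Publisher }
}

Add-Section 'Users, partitions and memory size' {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize
    Get-Volume | Where-Object DriveLetter | Select-Object DriveLetter, FileSystemLabel,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } },
        @{ n = 'FreeGB'; e = { [math]::Round($_.SizeRemaining / 1GB, 1) } } | Format-Table -AutoSize
    $cs = Get-CimInstance Win32_ComputerSystem
    'Total physical memory: {0:N1} GB' -f ($cs.TotalPhysicalMemory / 1GB)
}

$lines | Set-Content -Path $report -Encoding UTF8
Write-Host "Triage report written to $report"
```

Run it from an elevated prompt and read the report top to bottom: the proxy, hosts and Winsock sections should each show nothing unexpected on a clean machine (no proxy enabled, no non-comment hosts entries, only Microsoft provider paths), and the frequency table makes a service crash loop like the one in the posted log obvious at a glance. The resetting steps in the checklist (proxy reset, DNS flush) can still be done afterwards with the tool; doing them only after the report is saved keeps the evidence.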

#3 IThinkIGottaRat

IThinkIGottaRat
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 24 March 2017 - 06:39 PM

Sorry it took so long to get back to you; the scans took a long time. They just finished up and here is what I got. MiniToolBox did not create a file named Result.txt, but it did create MTB.txt. Here is the MiniToolBox log.

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Juan (administrator) on 24-03-2017 at 13:20:00
Running from "C:\Users\Juan\Desktop"
Microsoft Windows 10 Home  (X64)
Model: Inspiron 15-7568 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
Intel® Dual Band Wireless-AC 3165 = Wi-Fi (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
PdaNet Broadband Adapter = Ethernet (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DESKTOP-GMABSMV
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hsd1.mi.comcast.net.
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : PdaNet Broadband Adapter
   Physical Address. . . . . . . . . : 00-26-37-BD-39-42
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Local Area Connection* 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 94-65-9C-F4-F6-BA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : hsd1.mi.comcast.net.
   Description . . . . . . . . . . . : Intel® Dual Band Wireless-AC 3165
   Physical Address. . . . . . . . . : 94-65-9C-F4-F6-B9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:40b:c200:27b0:c867:d4aa:d712:dc1c(Preferred) 
   Temporary IPv6 Address. . . . . . : 2601:40b:c200:27b0:680c:50c1:802:a535(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::c867:d4aa:d712:dc1c%14(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.0.28(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, March 22, 2017 8:49:00 PM
   Lease Expires . . . . . . . . . . : Friday, March 31, 2017 11:47:47 AM
   Default Gateway . . . . . . . . . : fe80::200:caff:fe11:2233%14
                                       10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 110388636
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-8A-54-18-94-65-9C-F4-F6-B9
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       75.75.76.76
                                       75.75.75.75
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 94-65-9C-F4-F6-BD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.hsd1.mi.comcast.net.:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.mi.comcast.net.
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 12:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
 
Name:    google.com
Addresses:  2607:f8b0:4009:815::200e
 216.58.192.174
 
 
Pinging google.com [2607:f8b0:4009:802::200e] with 32 bytes of data:
Reply from 2607:f8b0:4009:802::200e: time=18ms 
Reply from 2607:f8b0:4009:802::200e: time=16ms 
 
Ping statistics for 2607:f8b0:4009:802::200e:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 18ms, Average = 17ms
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
 
Name:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
 2001:4998:58:c02::a9
 2001:4998:44:204::a7
 206.190.36.45
 98.139.183.24
 98.138.253.109
 
 
Pinging yahoo.com [2001:4998:58:c02::a9] with 32 bytes of data:
Reply from 2001:4998:58:c02::a9: time=34ms 
Reply from 2001:4998:58:c02::a9: time=35ms 
 
Ping statistics for 2001:4998:58:c02::a9:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 35ms, Average = 34ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 10...00 26 37 bd 39 42 ......PdaNet Broadband Adapter
  3...94 65 9c f4 f6 ba ......Microsoft Wi-Fi Direct Virtual Adapter
 14...94 65 9c f4 f6 b9 ......Intel® Dual Band Wireless-AC 3165
 11...94 65 9c f4 f6 bd ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  6...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.28     55
         10.0.0.0    255.255.255.0         On-link         10.0.0.28    311
        10.0.0.28  255.255.255.255         On-link         10.0.0.28    311
       10.0.0.255  255.255.255.255         On-link         10.0.0.28    311
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.0.28    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.0.28    311
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14    311 ::/0                     fe80::200:caff:fe11:2233
  1    331 ::1/128                  On-link
 14    311 2601:40b:c200:27b0::/64  On-link
 14    311 2601:40b:c200:27b0:680c:50c1:802:a535/128
                                    On-link
 14    311 2601:40b:c200:27b0:c867:d4aa:d712:dc1c/128
                                    On-link
 14    311 fe80::/64                On-link
 14    311 fe80::c867:d4aa:d712:dc1c/128
                                    On-link
  1    331 ff00::/8                 On-link
 14    311 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [24064] (Microsoft Corporation)
Catalog5 07 C:\WINDOWS\SysWOW64\wshbth.dll [51712] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [67584] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [62976] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 13 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (03/24/2017 01:17:18 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_89c2555adb023171.manifest.
 
Error: (03/24/2017 01:14:55 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:55 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.
 
Context: Windows Application
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:55 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:54 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.
 
Context: Windows Application
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:13:54 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
 
System errors:
=============
Error: (03/24/2017 01:19:57 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1683 time(s).
 
Error: (03/24/2017 01:19:57 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error: 
%%1168 = Element not found.
 
 
Error: (03/24/2017 01:19:27 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1682 time(s).
 
Error: (03/24/2017 01:19:27 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error: 
%%1168 = Element not found.
 
 
Error: (03/24/2017 01:18:56 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1681 time(s).
 
Error: (03/24/2017 01:18:56 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error: 
%%1168 = Element not found.
 
 
Error: (03/24/2017 01:18:26 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1680 time(s).
 
Error: (03/24/2017 01:18:26 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error: 
%%1168 = Element not found.
 
 
Error: (03/24/2017 01:17:56 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1679 time(s).
 
Error: (03/24/2017 01:17:56 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error: 
%%1168 = Element not found.
 
 
 
Microsoft Office Sessions:
=========================
Error: (03/24/2017 01:17:18 PM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_89c2555adb023171.manifestC:\Users\Juan\Desktop\esetsmartinstaller_enu (1).exe
 
Error: (03/24/2017 01:14:55 PM) (Source: Windows Search Service)(User: )
Description: 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:55 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:55 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:54 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
Search.TripoliIndexer
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service)(User: )
Description: 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
Error: (03/24/2017 01:14:24 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
Search.TripoliIndexer
 
Error: (03/24/2017 01:13:54 PM) (Source: Windows Search Service)(User: )
Description: 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
 
CodeIntegrity Errors:
===================================
  Date: 2017-03-24 11:34:00.187
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\msvcp140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 11:34:00.184
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 11:33:59.974
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\msvcp140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 11:33:59.944
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 11:33:59.739
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 04:55:34.729
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 04:55:32.670
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 04:55:10.739
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 04:55:08.512
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-03-24 04:55:08.332
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\AVG\Av\avgidsagenta.exe) attempted to load \Device\HarddiskVolume3\Windows\WinSxS\amd64_avg.vc140.crt_f92d94485545da78_14.0.24210.0_none_69fa0197d9b096ae\vcruntime140.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
=========================== Installed Programs ============================
 
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Flash Player 23 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Application Insights Tools for Visual Studio 2015 (HKLM-x32\...\{9F429DF7-F8DD-4980-9673-E6DACA012F6C}) (Version: 3.3 - Microsoft Corporation) Hidden
AVG (HKLM\...\{E9AD07E3-D8D9-4DEA-B6B2-85069DED4B5B}) (Version: 16.151.8007 - AVG Technologies) Hidden
AVG (HKLM\...\AvgZen) (Version: 1.113.2.50020 - AVG Technologies)
AVG 2016 (HKLM\...\{AE49571A-73D5-4389-9405-5D7A72C5A944}) (Version: 16.0.4767 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.151.8007 - AVG Technologies)
AVG Web TuneUp (HKLM-x32\...\AVG Web TuneUp) (Version: 4.3.7.452 - AVG Technologies)
AVG Zen (HKLM\...\{50B62078-D231-46A3-BA7C-23DCFA0E6101}) (Version: 1.113.1 - AVG Technologies) Hidden
Avira Connect (HKLM-x32\...\{0b46d918-af4f-4612-8076-5c0ae67cb2aa}) (Version: 1.2.81.41506 - Avira Operations GmbH & Co. KG)
Avira Connect (HKLM-x32\...\{BC5A9829-B67F-4E3A-83EE-0CDBDB6FBA1C}) (Version: 1.2.81.41506 - Avira Operations GmbH & Co. KG) Hidden
Azure AD Authentication Connected Service (HKLM-x32\...\{3FEAC561-1CF6-41D6-B0F3-BECDD9C88A1B}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
AzureTools.Notifications (HKLM-x32\...\{1E5CA362-39B6-4BD0-B9C0-69CF15F0FEA2}) (Version: 2.7.30611.1601 - Microsoft Corporation) Hidden
Behaviors SDK (Windows Phone) for Visual Studio 2013 (HKLM-x32\...\{C1609E6E-10B5-46F4-A48C-AC57045D0B88}) (Version: 12.0.51210.80 - Microsoft Corporation) Hidden
Behaviors SDK (Windows) for Visual Studio 2013 (HKLM-x32\...\{B2429EA1-767E-4947-A458-F2204A2AA1BB}) (Version: 12.0.51210.80 - Microsoft Corporation) Hidden
Blend for Visual Studio SDK for .NET 4.5 (HKLM-x32\...\{37E53780-3944-4A6A-842F-727128E8616E}) (Version: 3.0.40218.0 - Microsoft Corporation) Hidden
Blend for Visual Studio SDK for Silverlight 5 (HKLM-x32\...\{0C03A66F-1FF0-45F9-8D67-0D806EBFFBA1}) (Version: 3.0.40218.0 - Microsoft Corporation) Hidden
BlueStacks App Player (HKLM-x32\...\BlueStacks) (Version: 2.5.70.6309 - BlueStack Systems, Inc.)
Build Tools - amd64 (HKLM\...\{CC1F74DF-058F-406C-BC7D-F14D6E5F7CBD}) (Version: 12.0.31101 - Microsoft Corporation) Hidden
Build Tools - x86 (HKLM-x32\...\{B255880F-8C5E-4FAF-8F9C-7DBA635B2615}) (Version: 12.0.31101 - Microsoft Corporation) Hidden
Build Tools Language Resources - amd64 (HKLM\...\{E43BBAEB-4914-44C6-88C0-E7A1DBD20A91}) (Version: 12.0.31101 - Microsoft Corporation) Hidden
Build Tools Language Resources - x86 (HKLM-x32\...\{D37FDF2F-8766-4BDF-A0E3-A60BDBB630ED}) (Version: 12.0.31101 - Microsoft Corporation) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.22 - Piriform)
Cheat Engine 6.6 (HKLM-x32\...\Cheat Engine 6.6_is1) (Version:  - Cheat Engine)
Conexant HD Audio (HKLM-x32\...\{7A630EC4-B56A-4709-B18F-769B4F80DD17}) (Version: 8.65.122.0 - Conexant)
Creativerse (HKLM\...\Steam App 280790) (Version:  - Playful Corporation)
Dell Customer Connect (HKLM-x32\...\{4FA72FF9-DD64-43A8-8704-6380A11F11D5}) (Version: 1.4.15.0 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.3.9.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{AB7F2792-2ED1-4C5C-9F28-680E5110BF72}) (Version: 3.1.1018.0 - Dell Products, LP)
Dell Foundation Services (HKLM\...\{BDB50421-E961-42F3-B803-6DAC6F173834}) (Version: 3.4.16100.0 - Dell Inc.)
Dell Help & Support (HKLM\...\{E8669F4E-F2BE-48A9-B5A5-0BC12CA4CB4F}) (Version: 2.4.18.0 - Dell Inc.) Hidden
Dell Help & Support (HKLM-x32\...\InstallShield_{E8669F4E-F2BE-48A9-B5A5-0BC12CA4CB4F}) (Version: 2.4.18.0 - Dell Inc.)
Dell Product Registration (HKLM-x32\...\InstallShield_{85B14AE3-1624-45BE-942B-A528DF6F1CCE}) (Version: 3.0.123.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.3.6855.72 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{9B0F1E41-7ADC-4F10-919F-390FB60925C9}) (Version: 1.4.0.23 - Dell)
Dell Update - SupportAssist Update Plugin (HKLM\...\{92F651D9-4431-469E-9B11-299D007AF656}) (Version: 2.0.2.1835 - Dell Inc.)
Dell Update (HKLM-x32\...\{90437913-9D4D-4D9D-B438-B8664DF851E9}) (Version: 1.7.1007.0 - Dell Inc.)
Discord (HKCU\...\Discord) (Version: 0.0.297 - Hammer & Chisel, Inc.)
Dotfuscator and Analytics Community Edition 5.22.0 (HKLM-x32\...\{60018889-9E0F-43E8-9B89-29E8C828B40A}) (Version: 5.22.0.3788 - PreEmptive Solutions) Hidden
Dropbox 20 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.8.0 - Dropbox, Inc.)
Entity Framework 6.1.1 Tools  for Visual Studio 2013 (HKLM-x32\...\{85253F13-EE42-4850-A3A5-79B90E92D7AC}) (Version: 12.0.30610.0 - Microsoft Corporation)
Entity Framework 6.1.3 Tools  for Visual Studio 2015 Update 1 (HKLM-x32\...\{2A56910C-69C8-495D-8ED8-9080F0A14E58}) (Version: 14.0.41103.0 - Microsoft Corporation)
FileViewPro (HKLM\...\FileViewPro_is1) (Version: 1.1.0.0 - Solvusoft Corporation)
FMW 1 (HKLM\...\{DC2A8E3D-D5E1-4837-A2E0-C308100AC412}) (Version: 1.143.3 - AVG Technologies) Hidden
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
GIMP 2.8.20 (HKLM\...\GIMP-2_is1) (Version: 2.8.20 - The GIMP Team)
Git version 2.11.1 (HKLM\...\Git_is1) (Version: 2.11.1 - The Git Development Community)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.32.7 - Google Inc.) Hidden
H1Z1: Just Survive (HKLM\...\Steam App 295110) (Version:  - Daybreak Game Company)
H1Z1: Just Survive Test Server (HKLM\...\Steam App 362300) (Version:  - )
Hard Time  (HKLM-x32\...\Hard Time) (Version:  - MDickie)
IDA Pro Free v5.0 (HKLM-x32\...\IDA Pro Free_is1) (Version:  - Hex-Rays SA)
IIS 10.0 Express (HKLM\...\{13FD7E30-D2F1-498D-ABC2-A4242DB6610E}) (Version: 10.0.1736 - Microsoft Corporation)
IIS Express Application Compatibility Database for x64 (HKLM\...\{08274920-8908-45c2-9258-8ad67ff77b09}.sdb) (Version:  - )
IIS Express Application Compatibility Database for x86 (HKLM\...\{ad846bae-d44b-4722-abad-f7420e08bcd9}.sdb) (Version:  - )
Intel® Chipset Device Software (HKLM-x32\...\{60c073df-e736-4210-9c3a-5fc2b651cef3}) (Version: 10.1.1.7 - Intel® Corporation) Hidden
Intel® Dynamic Platform and Thermal Framework (HKLM-x32\...\{654EE65D-FAA4-4EA6-8C07-DC94E6A304D4}) (Version: 8.1.10600.150 - Intel Corporation)
Intel® HID Event Filter (HKLM-x32\...\3FB06EEC-013D-4366-9918-71B97DFB84EB) (Version: 1.1.0.310 - Intel Corporation)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1158 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 21.20.16.4590 - Intel Corporation)
Intel® Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 30.100.1519.7 - Intel Corporation)
Intel® Virtual Buttons (HKLM-x32\...\1992736F-C90A-481C-B21B-EE34CAD07387) (Version: 1.1.0.21 - Intel Corporation)
Intel® WiDi (HKLM\...\{C7CD6D54-26AF-4D93-B06F-D81ACE8624CB}) (Version: 6.0.40.0 - Intel Corporation)
Intel® WiDi Software Asset Manager (HKLM-x32\...\{5B5CD20C-29F0-4857-A4FA-A4F4C716B019}) (Version: 1.1.347 - Intel Corporation) Hidden
Intel® Wireless Bluetooth® (HKLM-x32\...\{9A287643-10C5-4463-B9D1-B2404CE18CCF}) (Version: 17.1.1529.1620 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{7fdb5c8c-2bc0-49e8-afcb-ae7f4ad526fd}) (Version: 18.12.0 - Intel Corporation)
Intel® RealSense™ SDK Runtime (HKLM-x32\...\ARP_for_prd_rs_sdk_runtime_10.0.26.0396) (Version: 10.0.26.0396 - Intel Corporation)
Intel® RealSense™ SDK Runtime Gold (x86): Core (HKLM-x32\...\{4BAB7070-1D73-11E6-8844-2C44FD873B55}) (Version: 10.0.26.396 - Intel Corporation) Hidden
Intel® RealSense™ SDK Runtime Gold (x86): Core: Calibration (HKLM-x32\...\{676C639E-1D73-11E6-BF2F-2C44FD873B55}) (Version: 10.0.26.396 - Intel Corporation) Hidden
Intel® RealSense™ SDK Runtime Gold (x86): User Segmentation (HKLM-x32\...\{51040000-1D73-11E6-A45D-2C44FD873B55}) (Version: 10.0.26.396 - Intel Corporation) Hidden
Intel® Security Assist (HKLM-x32\...\{4B230374-6475-4A73-BA6E-41015E9C5013}) (Version: 1.0.0.532 - Intel Corporation)
Intel® Software Guard Extensions Platform Software (HKLM\...\{10307C17-F7FD-405D-9F3B-0BF66EA43857}) (Version: 1.0.26920.1393 - Intel Corporation)
LocalESPC (HKLM-x32\...\{62910715-63E3-0AB0-0B29-99140DE1C15E}) (Version: 8.59.29989 - Microsoft Corporation) Hidden
LocalESPCui for en-us (HKLM-x32\...\{326A5052-061C-F656-31E3-3B73842ABD46}) (Version: 8.59.29989 - Microsoft) Hidden
Maxx Audio Installer (x64) (HKLM\...\{307032B2-6AF2-46D7-B933-62438DEB2B9A}) (Version: 2.6.6331.1 - Waves Audio Ltd.) Hidden
MEGAsync (HKLM-x32\...\MEGAsync) (Version:  - Mega Limited)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM-x32\...\{56E962F0-4FB0-3C67-88DB-9EAA6EEFC493}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5 SDK (HKLM-x32\...\{4AE57014-05C4-4864-A13D-86517A7E1BA4}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) (HKLM-x32\...\{D3517C62-68A5-37CF-92F7-93C029A89681}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM-x32\...\{6A0C6700-EA93-372C-8871-DCCF13D160A4}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM-x32\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (ENU) (HKLM-x32\...\{290FC320-2F5A-329E-8840-C4193BD7A9EE}) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (HKLM-x32\...\{19E8AE59-4D4A-3534-B567-6CC08FA4102E}) (Version: 4.5.51651 - Microsoft Corporation)
Microsoft .NET Framework 4.6 SDK (HKLM-x32\...\{B5915D37-0637-4A26-A3AA-C5DC9F856370}) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft .NET Framework 4.6 Targeting Pack (ENU) (HKLM-x32\...\{034547E9-D8FA-49E7-8B9C-4C9861FB9146}) (Version: 4.6.00127 - Microsoft Corporation)
Microsoft .NET Framework 4.6 Targeting Pack (HKLM-x32\...\{2CC6A4A7-AAC2-46C9-9DBB-3727B5954F65}) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 SDK (HKLM-x32\...\{2F0ECC80-B9E4-4485-8083-CD32F22ABD92}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 Targeting Pack (ENU) (HKLM-x32\...\{8EEB28EE-5141-411C-9CF0-9952264FE4AF}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 Targeting Pack (HKLM-x32\...\{8BC3EEC9-090F-4C53-A8DA-1BEC913040F9}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Version Manager (x64) 1.0.0-beta5 (HKLM\...\{c5a4aba3-1aba-3ef8-b2d5-c3fa37f59738}) (Version: 1.0.10609.0 - Microsoft Corporation)
Microsoft Help Viewer 2.1 (HKLM-x32\...\Microsoft Help Viewer 2.1) (Version: 2.1.21005 - Microsoft Corporation)
Microsoft Help Viewer 2.2 (HKLM-x32\...\Microsoft Help Viewer 2.2) (Version: 2.2.25420 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4693.1005 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft Silverlight 5 SDK (HKLM-x32\...\{E1FBB3D4-ADB0-4949-B101-855DA061C735}) (Version: 5.0.61118.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Command Line Utilities  (HKLM\...\{58FED865-4F13-408D-A5BF-996019C4B936}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM-x32\...\{1B876496-B3A2-4D22-9B12-B608A3FD4B8B}) (Version: 11.1.2902.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (x64) (HKLM\...\{A6BA243E-85A3-4635-A269-32949C98AC7F}) (Version: 11.1.2902.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Express LocalDB  (HKLM\...\{6C026A91-640F-4A23-8B68-05D589CC6F18}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (HKLM-x32\...\{2F7DBBE6-8EBC-495C-9041-46A772F4E311}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (x64) (HKLM\...\{43A5C316-9521-49C3-B9B6-FCE5E1005DF0}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{D411E9C9-CE62-4DBF-9D92-4CB22B750ED5}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{54C5041B-0E91-4E92-8417-AAA12493C790}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service  (HKLM-x32\...\{04DD7AF4-A6D3-4E30-9BB9-3B3670719234}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2014 Express LocalDB  (HKLM\...\{AB8DE9BA-19E1-446A-BCFA-6B3DA9751E21}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects  (HKLM-x32\...\{2774595F-BC2A-4B12-A25B-0C37A37049B0}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects  (x64) (HKLM\...\{1F9EB3B6-AED7-4AA7-B8F1-8E314B74B2A5}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Transact-SQL ScriptDom  (HKLM\...\{020CDFE0-C127-4047-B571-37C82396B662}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 T-SQL Language Service  (HKLM-x32\...\{47D08E7A-92A1-489B-B0BF-415516497BCE}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (12.0.41012.0) (HKLM-x32\...\{AC8E0CF4-42A1-4151-B684-97CF6FD726CF}) (Version: 12.0.41012.0 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (14.0.50616.0) (HKLM-x32\...\{58246C80-3941-4B69-AE31-264644E2ADB8}) (Version: 14.0.50616.0 - Microsoft Corporation)
Microsoft SQL Server Data Tools Build Utilities - enu (12.0.30919.1) (HKLM-x32\...\{6781FF9B-E87D-4A03-9373-A55A288B83FA}) (Version: 12.0.30919.1 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{070C38AC-05CE-43DF-9A20-141332F6AB2B}) (Version: 11.1.3366.16 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{05FF8209-C4F1-4C77-BC28-791653156D20}) (Version: 11.1.3366.16 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM\...\{FC3BB979-AA54-4B60-BBA3-2C4DA6E08D80}) (Version: 12.0.2402.29 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM-x32\...\{091CE6AA-2753-4F6E-AD1C-0E875744EB54}) (Version: 12.0.2402.29 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 (HKLM-x32\...\{d992c12e-cab2-426f-bde3-fb8c53950b0d}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio Code (HKLM-x32\...\{F8A2A208-72B3-4D61-95FC-8A65D340689B}_is1) (Version: 1.10.2 - Microsoft Corporation)
Microsoft Visual Studio Express 2013 for Windows Desktop - ENU with Update 4 (HKLM-x32\...\{b8a9dbc1-1fd4-4103-a83b-a2896f193ea0}) (Version: 12.0.31101.0 - Microsoft Corporation)
Microsoft Web Deploy 3.6 (HKLM\...\{94E1227C-08A9-4962-B388-1F05D89AEA75}) (Version: 3.1238.1962 - Microsoft Corporation)
Mozilla Firefox 52.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0.1 (x86 en-US)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.1.6284 - Mozilla)
Multi-Device Hybrid Apps using C# - Templates - ENU (HKLM-x32\...\{12D99739-FFD3-3761-8AA6-F929E0FE407E}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 7.3 - Notepad++ Team)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 17.0.2 - OBS Project)
OpenOffice 4.1.3 (HKLM-x32\...\{EEA30AEB-8BA7-465B-85D4-098BB99733E7}) (Version: 4.13.9783 - Apache Software Foundation)
paint.net (HKLM\...\{6AC1101E-7561-43C9-BEEA-4AB1D220D8FF}) (Version: 4.0.13 - dotPDN LLC)
PdaNet+ for Android 4.19 (HKLM-x32\...\PdaNet_is1) (Version:  - June Fabrics Technology Inc)
PowreShellIntegration.Notifications (HKLM-x32\...\{ED8DFB38-C87B-42B3-A33E-B20DF935C055}) (Version: 2.5.21003.1603 - Microsoft Corporation) Hidden
PreEmptive Analytics Visual Studio Components (HKLM-x32\...\{436A18DD-5F2C-4B3C-985E-AD3C13B0CC25}) (Version: 1.2.5134.1 - PreEmptive Solutions) Hidden
Prerequisites for SSDT  (HKLM-x32\...\{21373064-AD95-48DB-A32E-0D9E08EF7355}) (Version: 12.0.2000.8 - Microsoft Corporation)
Prerequisites for SSDT  (HKLM-x32\...\{35C1D9D6-87C0-46A3-B1B4-EDBCC063221C}) (Version: 11.1.3000.0 - Microsoft Corporation)
Product Registration (HKLM\...\{85B14AE3-1624-45BE-942B-A528DF6F1CCE}) (Version: 3.0.123.0 - Dell Inc.) Hidden
Project and Item Templates for Visual Studio Community 2015 - ENU (HKLM-x32\...\{85619B33-76D7-4FF8-A04D-6E568B0CF29A}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
Python Tools Redirection Template (HKLM-x32\...\{C6028E83-4C47-459F-9EDC-7D1412CBCD97}) (Version: 1.1 - Microsoft Corporation) Hidden
QuickSet64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 11.1.32 - Dell Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10125.31214 - Realtek Semiconductor Corp.)
RecordPad Sound Recorder (HKLM-x32\...\Recordpad) (Version: 5.35 - NCH Software)
ROBLOX Player for Juan (HKCU\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
ROBLOX Studio for Juan (HKCU\...\{2922D6F1-2865-4EFA-97A9-94EEAB3AFA14}) (Version:  - ROBLOX Corporation)
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
ST Microelectronics 3 Axis Digital Accelerometer Solution (HKLM-x32\...\{9C24F411-9CA7-4A8A-91F3-F08A4A38EB31}) (Version: 4.14.0065 - ST Microelectronics)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Team Explorer for Microsoft Visual Studio 2013 (HKLM-x32\...\{C9E7751E-88ED-36CF-B610-71A1D262E906}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Team Explorer for Microsoft Visual Studio 2015 Update 3 CTP1 (HKLM-x32\...\{C0402801-37B7-30B1-A678-AE3E73E4C4F6}) (Version: 14.98.25331 - Microsoft) Hidden
Test Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{9EABBFE1-7EED-47D9-8FB8-21D7E4808057}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
Twelve Sky 2 Classic (HKLM\...\Steam App 539650) (Version:  - SG Data)
TypeScript Power Tool (HKLM-x32\...\{6098D454-CB7B-44C2-8615-D869FD9655C7}) (Version: 1.0.5.0 - Microsoft Corporation) Hidden
TypeScript Tools for Microsoft Visual Studio 2013 (HKLM-x32\...\{0E4A9B1A-12D2-4827-BE61-44DBD72797FB}) (Version: 1.0.5.0 - Microsoft Corporation) Hidden
Universal CRT Extension SDK (HKLM-x32\...\{284FA9A0-CEDD-81D3-5A19-5858E95FD0C4}) (Version: 10.0.10150 - Microsoft Corporation) Hidden
Universal CRT Headers Libraries and Sources (HKLM-x32\...\{ABD37F71-FC3F-F525-C7B3-BDD95F684C51}) (Version: 10.0.10150 - Microsoft Corporation) Hidden
Universal CRT Redistributable (HKLM-x32\...\{0460C87B-7F4C-3170-FAC9-B7A6AE5CE4E9}) (Version: 10.0.26624 - Microsoft Corporation) Hidden
Universal CRT Tools x64 (HKLM\...\{33952D66-D503-10CA-DD8E-E365C15EB4E0}) (Version: 10.0.26624 - Microsoft Corporation) Hidden
Universal CRT Tools x86 (HKLM-x32\...\{B048B812-32DE-3474-FA64-223B6A63AD47}) (Version: 10.0.26624 - Microsoft Corporation) Hidden
Update for  (KB2504637) (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Visual Studio 2013 Update 4 (KB2829760) (HKLM-x32\...\{53d408db-eb91-43fb-9d8f-167681c19763}) (Version: 12.0.31101 - Microsoft Corporation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
VS Update core components (HKLM-x32\...\{9F7DE660-6BFE-3BA2-A93D-4F13BD13E10B}) (Version: 12.0.31101 - Microsoft Corporation) Hidden
Vulkan Run Time Libraries 1.0.33.0 (HKLM\...\VulkanRT1.0.33.0) (Version: 1.0.33.0 - LunarG, Inc.)
WavePad Sound Editor (HKLM-x32\...\WavePad) (Version: 7.04 - NCH Software)
WCF Data Services 5.6.4 Runtime (HKLM-x32\...\{DB85E7BD-B2DD-43D4-B3C0-23D7B527B597}) (Version: 5.6.62175.4 - Microsoft Corporation) Hidden
WCF Data Services Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{0A3B508E-5638-4471-BCC9-954E1868CB86}) (Version: 5.6.62175.4 - Microsoft Corporation) Hidden
WCF RIA Services V1.0 SP2 (HKLM-x32\...\{5D8DD6A8-C4D7-4554-93F9-F1CC28C72600}) (Version: 4.1.62812.0 - Microsoft Corporation)
Window Title Changer version 1.0 (HKLM-x32\...\{F530C1D7-2F76-497A-934C-2C55F57BBB37}_is1) (Version: 1.0 - MurGee.com)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
XSplit Broadcaster (HKLM-x32\...\{F18B78EE-9B92-4598-9B76-06FDA8866F48}) (Version: 2.9.1611.1622 - SplitmediaLabs)
 
========================= Memory info: ===================================
 
Percentage of memory in use: 49%
Total physical RAM: 8049.27 MB
Available physical RAM: 4069.13 MB
Total Virtual: 9329.27 MB
Available Virtual: 4508.39 MB
 
========================= Partitions: =====================================
 
1 Drive c: (OS) (Fixed) (Total:454.4 GB) (Free:246.69 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\DESKTOP-GMABSMV
 
Administrator            DefaultAccount           defaultuser0             
Guest                    Juan                     
 
 
**** End of log ****
 
 
Ok, here is the next log, which is from AdwCleaner.
 
# AdwCleaner v6.044 - Logfile created 24/03/2017 at 13:31:13
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-23.2 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Juan - DESKTOP-GMABSMV
# Running from : C:\Users\Juan\Desktop\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
Service Found:  vToolbarUpdater40.3.7
Service Found:  WtuSystemSupport
 
 
***** [ Folders ] *****
 
Folder Found:  C:\ProgramData\909c0ae0-667e-4e28-86fb-21f2dc049b6b
Folder Found:  C:\ProgramData\a71716eb-b4b7-474c-9a5a-ce27f0e42927
Folder Found:  C:\ProgramData\b1ab5057-6360-4d82-807c-d8ee46699d76
Folder Found:  C:\ProgramData\e6bde2a4-154c-4b58-9fb6-960b7d96a0dd
Folder Found:  C:\Users\Juan\AppData\Local\FileViewPro
Folder Found:  C:\Users\Juan\AppData\Local\avg web tuneup
Folder Found:  C:\Program Files\FileViewPro
Folder Found:  C:\Program Files\avg web tuneup
Folder Found:  C:\Program Files\Common Files\AVG Secure Search
Folder Found:  C:\ProgramData\avg web tuneup
Folder Found:  C:\ProgramData\Application Data\avg web tuneup
Folder Found:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileViewPro
Folder Found:  C:\Program Files (x86)\avg web tuneup
Folder Found:  C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Found:  C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
 
 
***** [ Files ] *****
 
File Found:  C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\extensions\Avg@toolbar.xpi
File Found:  C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\searchplugins\avg-secure-search.xml
File Found:  C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chfdnecihphmhljaaejmgoiahnihplgn_0.localstorage
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
Task Found:  pcdeventlaunchertask
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
Key Found:  HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd.1
Key Found:  HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
Key Found:  HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
Key Found:  HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found:  HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found:  HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj
Key Found:  HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
Key Found:  [x64] HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
Key Found:  [x64] HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found:  [x64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj
Key Found:  [x64] HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj.1
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{4BC8AD89-AC5F-4DBD-A38F-C355C7DD33D7}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found:  HKLM\SOFTWARE\AVG Tuneup
Key Found:  [x64] HKLM\SOFTWARE\AVG Secure Search
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileViewPro_is1
Data Found:  HKU\S-1-5-21-2246841162-2448000130-2845959427-1001\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://mysearch.avg.com/?cid={4406B7E5-7C88-480E-8609-A9F277101BF8}&mid=f38cfb1def9e47cfb86
Data Found:  HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://mysearch.avg.com/?cid={4406B7E5-7C88-480E-8609-A9F277101BF8}&mid=f38cfb1def9e47cfb867452cda101f4e-fc594c5f8117b13ac50d1f5644da04d6
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://mysearch.avg.com/?cid={4406B7E5-7C88-480E-8609-A9F277101BF8}&mid=f38cfb1def9e47cfb867452cda101f4e-fc594c5f8117b13ac50d1f5644da04
Key Found:  HKU\S-1-5-21-2246841162-2448000130-2845959427-1001\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Data Found:  HKU\S-1-5-21-2246841162-2448000130-2845959427-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Data Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
Key Found:  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.c
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
Key Found:  [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [vProt]
Key Found:  HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
Key Found:  HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found:  HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
Key Found:  [x64] HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
 
 
***** [ Web browsers ] *****
 
Firefox pref Found:  [C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\prefs.js] - "avg.wtu.ext.extParams" -  "{\"action\":\"extParams\",\"data\":{\"searchParams\":{\"pid\":\"wtu\",\"cid\":\"{fed7f39
Firefox pref Found:  [C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\prefs.js] - "browser.search.defaultenginename" -  "AVG Secure Search"
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - chfdnecihphmhljaaejmgoiahnihplgn
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [8585 Bytes] - [24/03/2017 13:31:13]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8658 Bytes] ##########
 
 
Here is the third log, which is from Junkware Removal Tool.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 10 Home x64 
Ran by Juan (Administrator) on Fri 03/24/2017 at 13:36:13.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 7 
 
Failed to delete: C:\Program Files (x86)\Common Files\avg secure search\vtoolbarupdater (Folder) 
Successfully deleted: C:\ProgramData\Start Menu\Programs\fileviewpro (Folder) 
Successfully deleted: C:\Users\Juan\AppData\Local\fileviewpro (Folder) 
Successfully deleted: C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\searchplugins\avg-secure-search.xml (File) 
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)
Successfully deleted: C:\Program Files\fileviewpro (Folder) 
 
Deleted the following from C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\prefs.js
user_pref(avg.wtu.ext.extParams, {\action\:\extParams\,\data\:{\searchParams\:{\pid\:\wtu\,\cid\:\{fed7f39b-35ec-4116-90f1-7639c4ac3bd4}\,\mid\:\f38cfb1d
user_pref(browser.search.defaultenginename, AVG Secure Search);
 
 
 
Registry: 7 
 
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\vToolbarUpdater40.3.7 (Registry Key) 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value) 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{44EFA836-69C3-4613-88D4-6789C00FE5D0} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page (Registry Value) 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/24/2017 at 13:38:08.07
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
Here is the final log from ESET Online Scanner.
 
C:\Program Files (x86)\Cheat Engine 6.6\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application cleaned by deleting
C:\Users\Juan\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I2T41A1J\STIGMA_ByRob Schneider[1].zip a variant of Win32/Packed.VMProtect.E trojan deleted
C:\Users\Juan\AppData\Local\Temp\Rar$ML0.227\ZeroInjector.rar a variant of Win32/GameHack.AZO potentially unsafe application deleted
C:\Users\Juan\Desktop\Project_Zero.rar a variant of Win32/GameHack.AZO potentially unsafe application deleted
C:\Users\Juan\Desktop\Setup_FileViewPro_2016.exe Win32/Solvusoft.B potentially unwanted application cleaned by deleting
C:\Users\Juan\Desktop\STIGMA_V3.dll a variant of Win32/Packed.VMProtect.E trojan cleaned by deleting
C:\Users\Juan\Desktop\Verbhax_redux.rar Win32/DllInject.DM potentially unsafe application deleted
C:\Users\Juan\Desktop\hij\ukno\Extreme Injector v3.6.1 - by master131_mpgh.net_[unknowncheats.me]_.rar Win32/DllInject.DM potentially unsafe application deleted
C:\Users\Juan\Desktop\hij\ukno\Extreme Injector v3.6.exe a variant of Win32/InstallCore.ARC potentially unwanted application cleaned by deleting
C:\Users\Juan\Desktop\hij\ukno\Windows 10 Injector by Gimmer_[unknowncheats.me]_.zip a variant of MSIL/DllInject.BK potentially unsafe application deleted
C:\Users\Juan\Desktop\hij\ukno\asshurt\ASSHURT4_AUTORUN.zip a variant of Win32/Packed.VMProtect.ABO trojan deleted
C:\Users\Juan\Desktop\hij\ukno\DESTINY\Destiny.rar a variant of Win32/GameHack.AZO potentially unsafe application deleted
C:\Users\Juan\Desktop\hij\ukno\DESTINY\Destiny\DestinyInjector.exe a variant of Win32/GameHack.AZO potentially unsafe application cleaned by deleting
C:\Users\Juan\Desktop\hij\ukno\DESTINY\Project Zero\Project_Zero (1).rar a variant of Win32/GameHack.AZO potentially unsafe application deleted
C:\Users\Juan\Desktop\hij\ukno\DESTINY\Project Zero\Project_Zero.rar a variant of Win32/GameHack.AZO potentially unsafe application deleted
C:\Users\Juan\Desktop\hij\ukno\DESTINY\Working rc7\Membypass.rar multiple threats deleted
C:\Users\Juan\Desktop\hij\ukno\newxploit\noeon\Neon_E-XploitV1.1.rar a variant of MSIL/DllInject.SN potentially unsafe application deleted
C:\Users\Juan\Desktop\hij\ukno\newxploit\noeon\Neon_E-XploitV1.1\NeonEcho Injector (1).exe a variant of MSIL/DllInject.SN potentially unsafe application cleaned by deleting
C:\Users\Juan\Desktop\hij\ukno\newxploit\noeon\Neon_E-XploitV1.1\NeonEcho Injector.exe a variant of MSIL/DllInject.SN potentially unsafe application cleaned by deleting
C:\Users\Juan\Desktop\New folder\STIGMA_ByRob Schneider\STIGMA_V3.dll a variant of Win32/Packed.VMProtect.E trojan cleaned by deleting
C:\Users\Juan\Desktop\phoenix\CheatEngine66.exe a variant of Win32/FusionCore.I potentially unwanted application cleaned by deleting
C:\Users\Juan\Desktop\Project Zero\ZeroInjector.exe a variant of Win32/GameHack.AZO potentially unsafe application cleaned by deleting
C:\Users\Juan\Desktop\scripts\Project Zero.rar a variant of Win32/GameHack.AZO potentially unsafe application deleted
C:\Users\Juan\Desktop\scripts\Project Zero\ZeroInjector.exe a variant of Win32/GameHack.AZO potentially unsafe application cleaned by deleting
C:\Users\Juan\Desktop\scripts\Project Zero\New Zero\Project_Zero.rar Win32/DllInject.DM potentially unsafe application deleted
C:\Users\Juan\Desktop\scripts\Project Zero\New Zero\Project Zero\Extreme Injector v3.exe Win32/DllInject.DM potentially unsafe application cleaned by deleting
C:\Users\Juan\Desktop\scripts\Project Zero\New Zero\Project Zero\ZeroInjector.exe a variant of Win32/GameHack.AZO potentially unsafe application cleaned by deleting
C:\Users\Juan\Documents\MEGAsync Downloads\asshurt.dll a variant of Win32/Packed.VMProtect.ABO trojan cleaned by deleting
C:\Users\Juan\Documents\MEGAsync Downloads\Extreme Injector v3.exe Win32/DllInject.DM potentially unsafe application cleaned by deleting
C:\Users\Juan\Documents\MEGAsync Downloads\RC7 NEW.rar multiple threats deleted
C:\Users\Juan\Downloads\Project_Zero.rar a variant of Win32/GameHack.AZO potentially unsafe application deleted
C:\Users\Juan\Downloads\Starch.dll a variant of Win32/Packed.VMProtect.ABO trojan cleaned by deleting
C:\Users\Juan\Downloads\Verbhax_redux.rar Win32/DllInject.DM potentially unsafe application deleted
 
 
Thank you again for your time and help.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 PM

Posted 31 March 2017 - 10:25 AM

Hello again. Looks like a good clean.

Remove what ADWCleaner found...

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of every logfile is saved to C:\AdwCleaner.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.

    I see 2 antivirus programs installed, AVG and Avira. You should only have 1 active. Please remove one.

    Now I also see this error, "The Windows Search service terminated", in the MiniToolBox log under Application and System Errors. Please start a Win 10 topic on that and they can fix it.



How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 IThinkIGottaRat

IThinkIGottaRat
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 01 April 2017 - 11:25 PM

OK, here is the AdwCleaner log file for the first cleanup of detections.

 

# AdwCleaner v6.045 - Logfile created 01/04/2017 at 20:22:39
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-01.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Juan - DESKTOP-GMABSMV
# Running from : C:\Users\Juan\Desktop\AdwCleaner (1).exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
[-] Service deleted: WtuSystemSupport
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\ProgramData\909c0ae0-667e-4e28-86fb-21f2dc049b6b
[-] Folder deleted: C:\ProgramData\a71716eb-b4b7-474c-9a5a-ce27f0e42927
[-] Folder deleted: C:\ProgramData\b1ab5057-6360-4d82-807c-d8ee46699d76
[-] Folder deleted: C:\ProgramData\e6bde2a4-154c-4b58-9fb6-960b7d96a0dd
[-] Folder deleted: C:\Users\Juan\AppData\Local\avg web tuneup
[-] Folder deleted: C:\Program Files\avg web tuneup
[-] Folder deleted: C:\Program Files\Common Files\AVG Secure Search
[-] Folder deleted: C:\ProgramData\avg web tuneup
[#] Folder deleted on reboot: C:\ProgramData\Application Data\avg web tuneup
[-] Folder deleted: C:\Program Files (x86)\avg web tuneup
[-] Folder deleted: C:\Program Files (x86)\Common Files\AVG Secure Search
[-] Folder deleted: C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
 
 
***** [ Files ] *****
 
[-] File deleted: C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\extensions\Avg@toolbar.xpi
[-] File deleted: C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chfdnecihphmhljaaejmgoiahnihplgn_0.localstorage
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
[-] Key deleted: HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj
[-] Key deleted: HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj.1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{4BC8AD89-AC5F-4DBD-A38F-C355C7DD33D7}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKLM\SOFTWARE\AVG Tuneup
[-] Key deleted: [x64] HKLM\SOFTWARE\AVG Secure Search
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileViewPro_is1
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [vProt]
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
[-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
[-] Key deleted: HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
[#] Key deleted on reboot: [x64] HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
 
 
***** [ Web browsers ] *****
 
[-] Firefox preferences cleaned: "avg.wtu.ext.extParams" -  "{\"action\":\"extParams\",\"data\":{\"searchParams\":{\"pid\":\"wtu\",\"cid\":\"{fed7f39b-35ec-4116-90f1-7639c4ac3bd4}\",\"mid\":\"f38cfb1def9e47cfb867452cda101f4e-fc594c5f8117b13ac50d1f5644da04d6ab3006a9\",\"ds\":\"AVG\",\"v\":\"4.3.7.452\",\"lang\":\"en\",\"pr\":\"fr\",\"d\":\"2016-12-03%2018%3A29%3A36\",\"ud\":\"\",\"cmpid\":\"0117tb\",\"domain\":\"mysearch.avg.com\",\"protocol\":\"hxxps\",\"FileUpdateDate\":\"\",\"form\":\"AVGSDF\",\"pc\":\"AVG2\"},\"cmpIds\":{\"hp\":\"0117tb\",\"nt\":\"0117tb\",\"dsp\":\"ZenTest_B_0\"},\"install\":{\"RevertUrlHp\":\"about:home\",\"RevertUrlSp\":\"Google\",\"RevertUrlNt\":\"about:newtab\",\"hp\":1,\"sp\":1,\"nt\":1},\"manifest\":{\"domain_display_name\":\"AVG Secure Search\"}}}"
[-] [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: chfdnecihphmhljaaejmgoiahnihplgn
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
:: TCP/IP settings cleared
:: IE policies deleted
:: Chrome policies deleted
:: Chrome preferences reset: C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default
:: Hosts file cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [7564 Bytes] - [01/04/2017 20:22:39]
C:\AdwCleaner\AdwCleaner[S0].txt - [8813 Bytes] - [24/03/2017 13:31:13]
C:\AdwCleaner\AdwCleaner[S1].txt - [6703 Bytes] - [01/04/2017 20:16:34]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [7783 Bytes] ##########
 
 
 
 
 
And here is the log file of the new scan after I disinfected it with AdwCleaner.
 
# AdwCleaner v6.045 - Logfile created 01/04/2017 at 20:34:26
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-01.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Juan - DESKTOP-GMABSMV
# Running from : C:\Users\Juan\Desktop\AdwCleaner (1).exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [7926 Bytes] - [01/04/2017 20:22:39]
C:\AdwCleaner\AdwCleaner[S0].txt - [8813 Bytes] - [24/03/2017 13:31:13]
C:\AdwCleaner\AdwCleaner[S1].txt - [6703 Bytes] - [01/04/2017 20:16:34]
C:\AdwCleaner\AdwCleaner[S2].txt - [1365 Bytes] - [01/04/2017 20:34:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1438 Bytes] ##########
 
 
 
Now here are my concerns.  The creator of the exploit who crypted the backdoor into the exploit's dll specializes in VT, or as he likes to put it, "it's like opening a box, inside of a box, then using your box to execute scripts to control the box you are inhabiting."  That's how he explained it when he was describing how his exploit creates a virtual box inside Roblox, where we could then pass on LUA scripts from his box to be executed by the server.  I used to have a lot of respect for this guy, and was actually pretty close to him, even shared the same discord for a while, so it really surprised me when he RATed everyone.  Now, my concern is that the Windows Explorer error didn't occur before I got sploited; it started recently, right after I injected the dll into the Roblox process for the first time. So, I guess my question or concern is, even though the log files look normal, is there a more in-depth scan we can do just to be 100% sure?  I have heard through the grapevine, from others in our game exploiting community, that he was using a tool like Blackshades or DarkComet.  Is there any scan we can do to see if I'm infected with something like that?  I know how my computer normally functions: it's really fast, games never lose fps under 23, I can be running a high-end game, switch out from the game to the desktop, to Chrome, with very little slowing down in the process. Now, after I injected that dll, my computer runs a lot slower than normal, and sometimes low-end Roblox games freeze up and skip frames down to 7 fps; this never happened before.  Anyways, thanks for all your help so far. I appreciate it!
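
The three AdwCleaner logs above are the same check done by eye: was every item the scan (S0) found actually removed by the clean pass (C0), and what survived into the rescan (S2)? As an added example that is not part of this thread or of AdwCleaner itself, the script below does that reconciliation on constructed sample lines in the log format pasted above; it buckets each scan detection as deleted, deferred to reboot, or never handled (here the two Chrome search-provider entries, which is exactly what the second scan still lists).

```python
import re

# Constructed sample logs modelled on the AdwCleaner v6 "Mode: Scan" and "Mode: Clean"
# formats pasted in this thread (item names taken from those logs); not real log files.
SCAN_LOG = r"""
***** [ Registry ] *****
Key Found:  [x64] HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Found:  HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
***** [ Web browsers ] *****
Firefox pref Found:  [C:\Users\Juan\AppData\Roaming\Mozilla\Firefox\Profiles\f8m5mub8.default\prefs.js] - "browser.search.defaultenginename" -  "AVG Secure Search"
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - chfdnecihphmhljaaejmgoiahnihplgn
"""

CLEAN_LOG = r"""
***** [ Registry ] *****
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
[#] Key deleted on reboot: [x64] HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
***** [ Web browsers ] *****
[-] Firefox preferences cleaned: "browser.search.defaultenginename" -  "AVG Secure Search"
[-] [C:\Users\Juan\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: chfdnecihphmhljaaejmgoiahnihplgn
"""

# One "<kind> Found:  <target>" line per detection in a scan log.
SCAN_RE = re.compile(
    r"^(?P<kind>Key|Value|Folder|File|Service|Firefox pref|Chrome pref) Found:\s+(?P<target>.+)$")
# "[-]" means removed now, "[#]" means removal deferred to the reboot.
CLEAN_RE = re.compile(
    r"^\[(?P<flag>[-#])\] (?P<kind>Key|Value|Folder|File|Service) deleted(?P<reboot> on reboot)?: (?P<target>.+)$")
FF_CLEAN_RE = re.compile(r'^\[-\] Firefox preferences cleaned: (?P<target>.+)$')
CHROME_CLEAN_RE = re.compile(r"^\[-\] \[[^\]]+\] \[extension\] Deleted: (?P<target>.+)$")


def normalize(kind, target):
    """Reduce the scan and clean spellings of the same item to one comparable key."""
    target = re.sub(r"\s+", " ", target.strip())
    if kind == "Firefox pref":
        # Scan lines prefix the pref with "[profile path] - "; clean lines do not.
        target = re.sub(r"^\[[^\]]*\] - ", "", target)
    elif kind == "Chrome pref":
        # Only the trailing token (search-provider domain or extension id) is shared
        # between the scan line and the clean line, so compare on that alone.
        target = target.rsplit(" - ", 1)[-1]
    elif kind in ("Key", "Value"):
        target = target.casefold()  # registry paths are case-insensitive
    return (kind, target)


def parse_scan(text):
    """Set of (kind, target) items a scan log reported as found."""
    found = set()
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            found.add(normalize(m["kind"], m["target"]))
    return found


def parse_clean(text):
    """Map (kind, target) -> 'deleted' or 'pending reboot' from a clean log."""
    status = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CLEAN_RE.match(line)
        if m:
            status[normalize(m["kind"], m["target"])] = (
                "pending reboot" if m["reboot"] else "deleted")
            continue
        m = FF_CLEAN_RE.match(line)
        if m:
            status[normalize("Firefox pref", m["target"])] = "deleted"
            continue
        m = CHROME_CLEAN_RE.match(line)
        if m:
            status[normalize("Chrome pref", m["target"])] = "deleted"
    return status


def reconcile(scan_text, clean_text):
    """Bucket every scan detection by what the clean pass did with it."""
    status = parse_clean(clean_text)
    report = {"deleted": [], "pending reboot": [], "not handled": []}
    for item in sorted(parse_scan(scan_text)):
        report[status.get(item, "not handled")].append(item)
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(SCAN_LOG, CLEAN_LOG).items():
        print(f"{bucket}: {len(items)}")
        for kind, target in items:
            print(f"  {kind}: {target}")
```

An item reported as "not handled", or one reported "deleted" that is back in the next scan log, is what to point the helper at: the first is outside the tool's cleaning scope, the second suggests something still running is recreating it.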


#6 bobby01

bobby01

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 02 April 2017 - 04:51 PM

With the UAC sounds for no obvious reason, refreshing desktops, etc., that's the exact behavior I noticed on my system. Especially when running a cleanup tool: as soon as I click "clean infection" my desktop refreshes. So there's a hacker sitting there with remote access blocking my actions. How do you disconnect the access??



#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 PM

Posted 03 April 2017 - 12:54 PM

We should get a deeper look. We will make a new topic (see the last step of the Guide below).

Repost this

Now here are my concerns.  The creator of the exploit who crypted the backdoor into the exploit's dll specializes in VT, or as he likes to put it, "it's like opening a box, inside of a box, then using your box to execute scripts to control the box you are inhabiting."  That's how he explained it when he was describing how his exploit creates a virtual box inside Roblox, where we could then pass on LUA scripts from his box to be executed by the server.  I used to have a lot of respect for this guy, and was actually pretty close to him, even shared the same discord for a while, so it really surprised me when he RATed everyone.  Now, my concern is that the Windows Explorer error didn't occur before I got sploited; it started recently, right after I injected the dll into the Roblox process for the first time. So, I guess my question or concern is, even though the log files look normal, is there a more in-depth scan we can do just to be 100% sure?  I have heard through the grapevine, from others in our game exploiting community, that he was using a tool like Blackshades or DarkComet.  Is there any scan we can do to see if I'm infected with something like that?  I know how my computer normally functions: it's really fast, games never lose fps under 23, I can be running a high-end game, switch out from the game to the desktop, to Chrome, with very little slowing down in the process. Now, after I injected that dll, my computer runs a lot slower than normal, and sometimes low-end Roblox games freeze up and skip frames down to 7 fps; this never happened before.  Anyways, thanks for all your help so far. I appreciate it

With the UAC sounds for no obvious reason, refreshing desktops, etc., that's the exact behavior I noticed on my system. Especially when running a cleanup tool: as soon as I click "clean infection" my desktop refreshes. So there's a hacker sitting there with remote access blocking my actions. How do you disconnect the access??

This topic's link.

https://www.bleepingcomputer.com/forums/t/642834/i-think-i-got-a-rat-please-help/#entry4212476


Start at step 6.... You can use same title.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#8 bobby01

bobby01

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 03 April 2017 - 02:28 PM

We should get a deeper look. We will make a new topic (see the last step of the Guide below).

Repost this

Now here are my concerns.  The creator of the exploit who crypted the backdoor into the exploit's dll specializes in VT, or as he likes to put it, "it's like opening a box, inside of a box, then using your box to execute scripts to control the box you are inhabiting."  That's how he explained it when he was describing how his exploit creates a virtual box inside Roblox, where we could then pass on LUA scripts from his box to be executed by the server.  I used to have a lot of respect for this guy, and was actually pretty close to him, even shared the same discord for a while, so it really surprised me when he RATed everyone.  Now, my concern is that the Windows Explorer error didn't occur before I got sploited; it started recently, right after I injected the dll into the Roblox process for the first time. So, I guess my question or concern is, even though the log files look normal, is there a more in-depth scan we can do just to be 100% sure?  I have heard through the grapevine, from others in our game exploiting community, that he was using a tool like Blackshades or DarkComet.  Is there any scan we can do to see if I'm infected with something like that?  I know how my computer normally functions: it's really fast, games never lose fps under 23, I can be running a high-end game, switch out from the game to the desktop, to Chrome, with very little slowing down in the process. Now, after I injected that dll, my computer runs a lot slower than normal, and sometimes low-end Roblox games freeze up and skip frames down to 7 fps; this never happened before.  Anyways, thanks for all your help so far. I appreciate it

With the UAC sounds for no obvious reason, refreshing desktops, etc., that's the exact behavior I noticed on my system. Especially when running a cleanup tool: as soon as I click "clean infection" my desktop refreshes. So there's a hacker sitting there with remote access blocking my actions. How do you disconnect the access??

This topic's link.

https://www.bleepingcomputer.com/forums/t/642834/i-think-i-got-a-rat-please-help/#entry4212476


Start at step 6.... You can use same title.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.


Thanks for your response, so I will go and run Farbar? And then post this in a new topic?

I actually ran Farbar last night but never posted, so I'll go with that one, okay??


Edited by bobby01, 03 April 2017 - 02:31 PM.


#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 PM

Posted 03 April 2017 - 02:56 PM

Yes, please.

#10 bobby01

bobby01

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 03 April 2017 - 04:19 PM

I need to delete my inquiries/requests and move them to the malware removal board so I may properly post FRST logs and hopefully get my issue fixed.



#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 PM

Posted 04 April 2017 - 10:19 AM

Start the new topic; include the FRST log and the info from my post #8.

Steps 6, 7 and 8 from the Prep Guide.

#12 IThinkIGottaRat

IThinkIGottaRat
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 04 April 2017 - 11:45 AM

OK, I have posted the new logs in the other forums; here is the link.  I have found something interesting as well: I tracked down the guy who infected everyone with some good detective work. He was offering a new lvl7 exploit for Roblox, which I grabbed a copy of but didn't run.  Instead I sent it in for some more advanced scanning.  Here is my new link. Thanks again.

 

https://www.bleepingcomputer.com/forums/t/643638/i-think-i-may-have-a-rat-update-staff-requested-i-repost-here/



#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 PM

Posted 04 April 2017 - 01:01 PM

Thanks. I'll ask Grinler if he'd like a copy.
When they reply to your topic now it will be quick one on one help.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 3 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,541 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:12:58 PM

Posted 04 April 2017 - 01:07 PM

OK, I have posted the new logs in the other forums; here is the link.  I have found something interesting as well: I tracked down the guy who infected everyone with some good detective work. He was offering a new lvl7 exploit for Roblox, which I grabbed a copy of but didn't run.  Instead I sent it in for some more advanced scanning.  Here is my new link. Thanks again.
 
https://www.bleepingcomputer.com/forums/t/643638/i-think-i-may-have-a-rat-update-staff-requested-i-repost-here/


Would love a copy. Could you please submit it here: https://www.bleepingcomputer.com/submit-malware.php?channel=3

Thanks



