
qtipr.com

14 replies to this topic

#1 SoFiA11

Posted 25 March 2017 - 12:28 PM

Hello,

Two days ago I downloaded a file that filled my PC with viruses like maoha, microleaves, kuaizip and conduit. I think I cleaned everything except qtipr.com, which keeps appearing as my Firefox homepage. I've tried Malwarebytes, AdwCleaner and a few others. AdwCleaner was the only program that detected it; I cleaned it and then rebooted the PC, but it still appears as my homepage.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by user (administrator) on USER-PC (25-03-2017 19:54:24)
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) Language: Ελληνικά (Ελλάδας)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(VideoLAN) C:\Program Files\VideoLAN\VLC\vlc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\wbem\scrcons.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [PWRISOVM.EXE] => C:\Program Files\PowerISO\PWRISOVM.EXE [366904 2015-10-08] (Power Software Ltd)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [7348440 2017-03-03] (Piriform Ltd)
HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\...\MountPoints2: F - F:\AUTORUN.EXE
HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\...\MountPoints2: {ba93af71-cbe8-11e5-af6b-001ec96566c7} - E:\Startme.exe
HKU\S-1-5-18\...\Run: [] => [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2017-01-30]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.500\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ulead Photo Express 3.0 SE Calendar Checker.lnk [2016-02-16]
ShortcutTarget: Ulead Photo Express 3.0 SE Calendar Checker.lnk -> C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe (Ulead Systems, Inc.)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-03-06]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1    mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{39369167-D450-4A71-A9D9-674596B70B3E}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{FBC7739E-0BC7-43D1-9EA1-FAA1BB5FDAE3}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/el-gr/?ocid=iehp
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03] (Adobe Systems Incorporated)

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3w5ke06o.default-1490448279200 [2017-03-25]
FF Homepage: Mozilla\Firefox\Profiles\3w5ke06o.default-1490448279200 -> hxxps://www.google.gr
FF Extension: (Site Deployment Checker) - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3w5ke06o.default-1490448279200\features\{c99db0db-4c87-4999-88fc-69c52b3e8668}\deployment-checker@mozilla.org.xpi [2017-03-25]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-28] ()

Chrome:
=======
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default [2017-03-25]
CHR Extension: (Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-03-25]
CHR Extension: (Google Drive ) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-03-25]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-03-25]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-03-25]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3303888 2017-01-20] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.500\McCHSvc.exe [272136 2017-01-19] (McAfee, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AR9271; C:\Windows\System32\DRIVERS\athuw.sys [1763584 2013-06-29] (Atheros Communications, Inc.)
R3 e1express; C:\Windows\System32\DRIVERS\e1e6232.sys [232312 2012-10-30] (Intel Corporation)
R1 SCDEmu; C:\Windows\system32\Drivers\SCDEmu.sys [114368 2015-10-08] (Power Software Ltd)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S1 ZAM; \??\C:\Windows\System32\drivers\zam32.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard32.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-25 19:54 - 2017-03-25 19:55 - 00006409 _____ C:\Users\user\Downloads\FRST.txt
2017-03-25 19:53 - 2017-03-25 19:53 - 01766912 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2017-03-25 19:00 - 2017-03-25 19:00 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps
2017-03-25 18:17 - 2017-03-25 18:27 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-03-25 18:10 - 2017-03-25 19:54 - 00000000 ____D C:\FRST
2017-03-25 17:52 - 2017-03-25 17:52 - 00000000 ____D C:\ProgramData\VS Revo Group
2017-03-25 17:42 - 2017-03-25 17:42 - 00000000 ___SD C:\ComboFix
2017-03-25 17:41 - 2017-03-25 17:42 - 00000000 ____D C:\Qoobox
2017-03-25 17:40 - 2017-03-25 17:40 - 00000000 ____D C:\Windows\erdnt
2017-03-25 17:35 - 2017-03-25 17:37 - 00181738 _____ C:\TDSSKiller.3.1.0.12_25.03.2017_17.35.56_log.txt
2017-03-25 15:49 - 2017-03-25 15:49 - 00000000 ____D C:\Users\user\AppData\Local\ESET
2017-03-25 15:24 - 2017-03-25 19:55 - 00001047 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-03-25 15:23 - 2017-03-25 15:24 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-03-25 14:12 - 2017-03-25 14:12 - 00000378 _____ C:\Users\user\Documents\cc_20170325_141159.reg
2017-03-25 12:50 - 2017-03-25 12:51 - 00000510 _____ C:\Users\user\Documents\cc_20170325_125057.reg
2017-03-25 12:50 - 2017-03-25 12:50 - 00000590 _____ C:\Users\user\Documents\cc_20170325_125013.reg
2017-03-25 12:10 - 2017-03-25 12:10 - 00009398 _____ C:\Users\user\Documents\cc_20170325_121012.reg
2017-03-25 12:07 - 2017-03-25 12:07 - 00461714 _____ C:\Users\user\Documents\cc_20170325_120731.reg
2017-03-25 12:05 - 2017-03-25 12:05 - 00000969 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-03-25 12:05 - 2017-03-25 12:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-03-25 12:05 - 2017-03-25 12:05 - 00000000 ____D C:\Program Files\CCleaner
2017-03-25 12:03 - 2017-03-25 12:06 - 00000000 ____D C:\Program Files\Google
2017-03-25 12:03 - 2017-03-25 12:05 - 00000000 ____D C:\Users\user\AppData\Local\Google
2017-03-25 11:50 - 2017-03-25 12:02 - 00000000 ____D C:\ProgramData\HitmanPro
2017-03-25 11:44 - 2017-03-25 12:11 - 00120469 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-03-25 11:44 - 2017-03-25 11:47 - 00016995 _____ C:\Windows\ZAM.krnl.trace
2017-03-25 11:43 - 2017-03-25 11:43 - 00000000 ____D C:\Users\user\AppData\Local\Zemana
2017-03-25 11:03 - 2017-03-25 11:05 - 00000000 ____D C:\Users\user\AppData\Local\NPE
2017-03-25 11:03 - 2017-03-25 11:03 - 00000000 ____D C:\ProgramData\Norton
2017-03-25 08:30 - 2017-03-25 19:10 - 00000000 ____D C:\AdwCleaner
2017-03-23 20:40 - 2017-03-23 20:40 - 00000000 ____D C:\Program Files\McAfee
2017-03-23 20:39 - 2017-03-23 20:39 - 15715088 _____ (McAfee Inc) C:\Users\user\Desktop\stinger32.exe
2017-03-23 20:38 - 2017-03-23 20:38 - 01110564 _____ (Igor Pavlov) C:\Users\user\Desktop\7z1604.exe
2017-03-23 19:37 - 2017-03-25 18:58 - 00161216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-03-23 19:37 - 2017-03-25 18:58 - 00064288 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-03-23 19:37 - 2017-03-25 18:57 - 00095672 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-03-23 19:36 - 2017-03-25 18:57 - 00219584 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-23 19:36 - 2017-03-25 18:57 - 00039360 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-03-23 19:36 - 2017-03-25 18:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-23 19:36 - 2017-03-23 19:36 - 00002024 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-23 19:36 - 2017-03-23 19:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-23 19:36 - 2017-03-23 19:36 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-23 19:36 - 2017-02-24 06:23 - 00059968 _____ C:\Windows\system32\Drivers\mbae.sys
2017-03-23 18:18 - 2017-03-23 18:18 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-03-23 18:18 - 2017-03-23 18:18 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-25 19:55 - 2016-02-03 14:28 - 00001059 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-03-25 19:05 - 2009-07-14 06:34 - 00021856 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-25 19:05 - 2009-07-14 06:34 - 00021856 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-25 19:04 - 2016-11-18 13:36 - 00000000 ____D C:\Users\user\AppData\LocalLow\Mozilla
2017-03-25 19:03 - 2016-02-05 13:28 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2017-03-25 18:59 - 2016-03-08 12:03 - 00000000 ____D C:\Users\user\AppData\Roaming\Kodi
2017-03-25 18:57 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-25 18:43 - 2016-02-05 13:01 - 00000000 ____D C:\Users\user\AppData\Roaming\uTorrent
2017-03-25 15:24 - 2016-11-18 12:50 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-03-25 14:14 - 2009-07-14 04:37 - 00000000 ____D C:\Program Files\Common Files\System
2017-03-25 10:52 - 2016-11-18 17:49 - 00024008 _____ C:\Users\user\AppData\Roaming\Notepad2.ini
2017-03-25 09:47 - 2016-11-27 10:38 - 00403456 ___SH C:\Users\user\Documents\Thumbs.db
2017-03-24 09:29 - 2016-02-06 15:20 - 00000000 ____D C:\Program Files\7-Zip
2017-03-23 22:18 - 2016-02-08 08:20 - 00000000 ____D C:\Users\user\Documents\Soulseek Downloads
2017-03-20 09:57 - 2010-11-21 04:26 - 00549104 _____ C:\Windows\system32\perfh008.dat
2017-03-20 09:57 - 2010-11-21 04:26 - 00085864 _____ C:\Windows\system32\perfc008.dat
2017-03-20 09:57 - 2010-11-20 23:01 - 01337414 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-20 09:57 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\inf

==================== Files in the root of some directories =======

2016-02-28 16:12 - 2017-02-04 15:40 - 0000555 _____ () C:\Users\user\AppData\Roaming\koukou.ini
2016-11-18 17:49 - 2017-03-25 10:52 - 0024008 _____ () C:\Users\user\AppData\Roaming\Notepad2.ini

Some files in TEMP:
====================
2017-03-25 12:02 - 2017-03-25 11:50 - 11005320 _____ (SurfRight B.V.) C:\Users\user\AppData\Local\Temp\HitmanPro.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-14 10:46

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by user (25-03-2017 19:55:36)
Running from C:\Users\user\Downloads
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) (2016-02-03 12:15:57)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2409919422-1588465601-1606171075-500 - Administrator - Disabled)
Guest (S-1-5-21-2409919422-1588465601-1606171075-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2409919422-1588465601-1606171075-1002 - Limited - Enabled)
user (S-1-5-21-2409919422-1588465601-1606171075-1000 - Administrator - Enabled) => C:\Users\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.04 (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Flash Player 10 ActiveX (HKLM\...\{18BBF24A-6D04-4CA4-B6B4-1CF372162EEC}) (Version: 10.2.152.32 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Reader 6.0.1 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A00000000001}) (Version: 006.000.001 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.28 - Piriform)
Dell System Detect (HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\...\58d94f3ce2c27db0) (Version: 6.12.0.5 - Dell)
iGIFmaker version 4.4.0 (HKLM\...\{32C9C345-EB93-42D4-98D7-D8EF2980C595}_is1) (Version: 4.4.0 - iGIFmaker.com)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1867 - Intel Corporation)
Intel® Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.5 - Intel)
Kodi (HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\...\Kodi) (Version:  - XBMC-Foundation)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.500.3 - McAfee, Inc.)
Microsoft Office PowerPoint Viewer 2007 (Greek) (HKLM\...\{95120000-00AF-0408-0000-0000000FF1CE}) (Version: 12.0.4518.1029 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\...\OneDriveSetup.exe) (Version: 17.3.4604.0120 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Mozilla Firefox 52.0.1 (x86 el) (HKLM\...\Mozilla Firefox 52.0.1 (x86 el)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.0.1 - Mozilla)
Notepad2 (Notepad Replacement) (HKLM\...\Notepad2) (Version: 4.2.25  - Florian Balmer)
Photoshop Camera Raw (Version: 5.0 - Adobe Systems Incorporated) Hidden
Pixel Bender Toolkit (Version: 1.0 - Adobe Systems Incorporated) Hidden
PowerISO (HKLM\...\PowerISO) (Version: 6.4 - Power Software Ltd)
SoulseekQt (HKLM\...\SoulseekQt) (Version:  - )
Suite Shared Configuration CS4 (Version: 1.0 - Adobe Systems Incorporated) Hidden
Ulead Photo Express 3.0 SE (HKLM\...\Ulead Photo Express 3.0 SE) (Version:  - )
VideoPad Video Editor (HKLM\...\VideoPad) (Version: 3.89 - NCH Software)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WavePad Sound Editor (HKLM\...\WavePad) (Version: 6.52 - NCH Software)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {00DFA2FD-FCC7-4631-8F22-77BBDEBD4911} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-03-03] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION

Shortcut: C:\Users\user\Favorites\NCH Software Download Site.lnk -> hxxp://www.nch.com.au/index.htm

ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/

==================== Loaded Modules (Whitelisted) ==============

2016-06-01 16:17 - 2016-06-01 16:17 - 00144832 _____ () C:\Program Files\VideoLAN\VLC\libvlc.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 02632640 _____ () C:\Program Files\VideoLAN\VLC\libvlccore.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00554944 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00041920 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00039872 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00086464 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00078272 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 02231744 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00114112 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00245184 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00089536 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00055744 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00072128 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00598976 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00771520 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00131520 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00052672 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\librar_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00023488 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00145856 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 01566656 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00334784 _____ () C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 01265600 _____ () C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00024512 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00069568 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00048576 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 12001728 _____ () C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00242624 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00108992 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00096704 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00091584 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00036800 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00032192 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00024512 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00084928 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00030144 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00034752 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00961472 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00137152 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 01308096 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00046528 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00261056 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00027072 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00298944 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 01291200 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00754624 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00344512 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00028608 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libdts_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00036800 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00052160 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00456128 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00035776 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00024512 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00157632 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 02680768 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00356288 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00028096 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00028096 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libmpeg_audio_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00031680 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00370112 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00121792 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00028608 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 14929344 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 01782208 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00038336 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 01568704 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00024512 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00067008 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00789952 _____ () C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00022464 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00038848 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00027072 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00030144 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 01504704 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00746432 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00036800 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00125888 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00065472 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00028608 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00027584 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00024512 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00031168 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00027584 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00029120 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00037824 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00024000 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00023488 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll
2016-06-01 16:19 - 2016-06-01 16:19 - 00022976 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libyuvp_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00022976 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00086976 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00026560 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
2016-06-01 16:18 - 2016-06-01 16:18 - 00100800 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\...\dell.com -> dell.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:04 - 2017-01-30 18:07 - 00000869 ____A C:\Windows\system32\Drivers\etc\hosts


0.0.0.1    mssplus.mcafee.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2409919422-1588465601-1606171075-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{8194209D-8A50-4E81-A455-8E1C8E839A4C}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{DF2A662A-0317-4612-9BF5-58BC49948002}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{02EDAF41-B283-40AD-BD56-28787545FCCC}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F29DF9A2-676C-4AE4-B3CA-C31A19590334}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{8A373610-6A0A-462C-9989-13C91C96BF10}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{041A3809-962B-4B00-8106-FB8849EF4A4B}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{EF8A4FB0-F26F-4E94-B7A0-EBEF72203034}C:\program files\soulseekqt\soulseekqt.exe] => (Block) C:\program files\soulseekqt\soulseekqt.exe
FirewallRules: [UDP Query User{D6D17786-9C70-45C4-90D2-35C63331CE9C}C:\program files\soulseekqt\soulseekqt.exe] => (Block) C:\program files\soulseekqt\soulseekqt.exe
FirewallRules: [{830DA697-F942-4509-AE5B-B39F4122EA96}] => (Allow) C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe
FirewallRules: [TCP Query User{C8991F36-0857-4EC9-897B-A8F483B738D5}C:\program files\kodi\kodi.exe] => (Allow) C:\program files\kodi\kodi.exe
FirewallRules: [UDP Query User{27C12E42-4595-40F6-910D-1C3C21205108}C:\program files\kodi\kodi.exe] => (Allow) C:\program files\kodi\kodi.exe
FirewallRules: [{49CE866A-D90B-463B-A309-F448DC329081}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{6B5EB211-D6AC-4BC9-8A2C-8BEA19692091}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Restore Points =========================

25-03-2017 11:58:53 Checkpoint by HitmanPro
25-03-2017 19:00:37 JRT Pre-Junkware Removal
25-03-2017 19:06:10 Installed XML Notepad 2007
25-03-2017 19:08:19 Removed XML Notepad 2007

==================== Faulty Device Manager Devices =============

Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM_Guard
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/25/2017 06:59:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Όνομα ελαττωματικής εφαρμογής Kodi.exe, έκδοση 15.2.0.0, χρονική σήμανση 0x56249459
Όνομα ελαττωματικής λειτουργικής μονάδας python27.dll, έκδοση 2.7.8150.1013, χρονική σήμανση 0x53b1ecd6
Κωδικός εξαίρεσης: 0x40000015
Μετατόπιση σφάλματος: 0x001161bb
Αναγνωριστικό ελαττωματικής διεργασίας: 0xa1c
Χρόνος έναρξης ελαττωματικής εφαρμογής: 0x01d2a58916dbdcfa
Διαδρομή ελαττωματικής εφαρμογής: C:\Program Files\Kodi\Kodi.exe
Διαδρομή ελλατωματικής λειτουργικής μονάδας:C:\Program Files\Kodi\python27.dll
Αναγνωριστικό αναφοράς:78a07275-117c-11e7-acc8-001ec96566c7

Error: (03/25/2017 06:59:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/25/2017 06:42:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/25/2017 01:56:58 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: Ένα πρόβλημα απέτρεψε την αποστολή των δεδομένων του Προγράμματος βελτίωσης εμπειρίας πελάτη στη Microsoft, (Σφάλμα 80004005).

Error: (03/25/2017 12:14:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/25/2017 10:30:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/25/2017 08:45:10 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/25/2017 08:18:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/25/2017 08:08:58 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/24/2017 06:13:18 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: Ένα πρόβλημα απέτρεψε την αποστολή των δεδομένων του Προγράμματος βελτίωσης εμπειρίας πελάτη στη Microsoft, (Σφάλμα 80004005).


System errors:
=============
Error: (03/25/2017 06:55:49 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Η υπηρεσία Υπηρεσία κοινής χρήσης δικτύου του Windows Media Player τερματίστηκε απροσδόκητα.  Αυτό έχει συμβεί 1 φορές.  Θα εκτελεστεί η ακόλουθη διορθωτική κίνηση σε 30000 χιλιοστά του δευτερολέπτου: Επανεκκίνηση της υπηρεσίας.

Error: (03/25/2017 06:55:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Η υπηρεσία Windows Search τερματίστηκε απροσδόκητα.  Αυτό έχει συμβεί 1 φορές.  Θα εκτελεστεί η ακόλουθη διορθωτική κίνηση σε 30000 χιλιοστά του δευτερολέπτου: Επανεκκίνηση της υπηρεσίας.

Error: (03/25/2017 06:55:47 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Η υπηρεσία Ουρά εκτύπωσης τερματίστηκε απροσδόκητα.  Αυτό έχει συμβεί 1 φορές.  Θα εκτελεστεί η ακόλουθη διορθωτική κίνηση σε 60000 χιλιοστά του δευτερολέπτου: Επανεκκίνηση της υπηρεσίας.

Error: (03/25/2017 06:39:46 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: Η υπηρεσία Υπολογιστής-πελάτης πολιτικής ομάδας δεν τερματίστηκε σωστά μετά τη λήψη ενός στοιχείου ελέγχου προ-τερματισμού.

Error: (03/25/2017 06:39:13 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: Η υπηρεσία Windows Update δεν τερματίστηκε σωστά μετά τη λήψη ενός στοιχείου ελέγχου προ-τερματισμού.

Error: (03/25/2017 03:05:27 PM) (Source: DCOM) (EventID: 10016) (User: user-PC)
Description: Οι συγκεκριμένου υπολογιστή ρυθμίσεις δικαιωμάτων δεν παραχωρούν δικαιώματα Τοπική Ενεργοποίηση για την εφαρμογή διακομιστή COM με CLSID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
 και APPID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
 στο χρήστη user-PC\user SID (S-1-5-21-2409919422-1588465601-1606171075-1000) από τη διεύθυνση LocalHost (Χρήση LRPC). Αυτά τα δικαιώματα ασφαλείας είναι δυνατό να τροποποιηθούν με το εργαλείο διαχείρισης Υπηρεσίες στοιχείων.

Error: (03/25/2017 03:05:21 PM) (Source: DCOM) (EventID: 10016) (User: user-PC)
Description: Οι συγκεκριμένου υπολογιστή ρυθμίσεις δικαιωμάτων δεν παραχωρούν δικαιώματα Τοπική Ενεργοποίηση για την εφαρμογή διακομιστή COM με CLSID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
 και APPID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
 στο χρήστη user-PC\user SID (S-1-5-21-2409919422-1588465601-1606171075-1000) από τη διεύθυνση LocalHost (Χρήση LRPC). Αυτά τα δικαιώματα ασφαλείας είναι δυνατό να τροποποιηθούν με το εργαλείο διαχείρισης Υπηρεσίες στοιχείων.

Error: (03/25/2017 12:11:31 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: Ο διακομιστής {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} δεν καταχωρήθηκε με το διακομιστή DCOM μέσα το απαιτούμενο χρονικό όριο.

Error: (03/25/2017 11:47:05 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Η λειτουργία της υπηρεσίας ZAM Controller Service τερματίστηκε αναπάντεχα. Αυτό συνέβη 1 φορά(ές).

Error: (03/25/2017 10:27:23 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: Ο διακομιστής {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} δεν καταχωρήθηκε με το διακομιστή DCOM μέσα το απαιτούμενο χρονικό όριο.


==================== Memory info ===========================

Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz
Percentage of memory in use: 62%
Total physical RAM: 2004.61 MB
Available physical RAM: 753.51 MB
Total Virtual: 4009.22 MB
Available Virtual: 2523.3 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.5 GB) (Free:53.43 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive g: (My Passport) (Fixed) (Total:931.48 GB) (Free:103.14 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: 5119B361)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 1EEB2082)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

Any idea what's wrong?

 

Thanks in advance.

P.S. I've noticed that some notes are written in Greek. Please, if you need them translated, tell me and I'll try to write them in English.


Edited by SoFiA11, 25 March 2017 - 01:02 PM.




#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,623 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:02:38 AM

Posted 26 March 2017 - 10:19 AM

SoFiA11:

:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs. That could take a day or two.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#3 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,623 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:02:38 AM

Posted 26 March 2017 - 12:04 PM

SoFiA11:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

:step1: Please rename your copy of FRST.exe to FRSTEnglish.exe. FRST.exe can be found in this folder: C:\Users\user\Downloads.
This will result in future FRST scan and fix logs being output in English. I apologize, but I do not speak Greek, just English and some French. You do not need to re-run the FRST scans at this time.

.

:step2: The logs show that McAfee Security Scan Plus is installed on your computer. Please check this link to assess whether you want to keep this program. Personally, I would not have it installed on my computer. If you do want to keep it, please go to the Control Panel, Add/Remove Programs, and uninstall it. Please let me know what you decided to do: kept it or uninstalled it.

.

:step3: In going over your logs I noticed that you have the uTorrent program installed. Please consider the following advice to reduce the possibility of being infected when surfing the web.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

:step4: The logs show that you have installed, and used, ComboFix on your computer. Please see this link to learn why you should never run ComboFix, unless you are under the supervision of someone trained in its use, and only then, when specifically requested to do so. Please do not touch ComboFix for now. We will try to uninstall it at a later step.

.

:step5: Please run a FRST "Fix" for me.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the folder: C:\Users\user\Downloads.

NOTE: It is important that both files, FRSTEnglish.exe and fixlist.txt, are in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

CreateRestorePoint:
CloseProcesses:

Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-03-06]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (No File)
Hosts:
S1 ZAM; \??\C:\Windows\System32\drivers\zam32.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard32.sys [X]
Folder: C:\ComboFix
Folder: C:\Qoobox
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/

  • Right click FRSTEnglish.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log to the C:\Users\user\Downloads folder (Fixlog.txt). Please copy and paste the contents into your reply.

.


Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
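The fix script in the post above repeats three ShortcutWithArgument: log lines verbatim in fixlist.txt so that FRST deals with the Firefox shortcuts that had hxxp://qtipr.com/ appended as a launch argument. As an added example (not part of this thread and not FRST's own code), the Python script below shows how a responder can pick such shortcut hijacks out of FRST-style log lines automatically: it flags every entry where a browser executable is launched with a URL argument, refangs the defanged URL to extract the hostname, and emits the matching lines for fixlist.txt. The sample log is constructed from lines in this thread plus two benign entries; the browser list is an assumption.

```python
"""Flag browser shortcuts whose launch argument is a URL (a homepage-hijack
indicator) in FRST-style "ShortcutWithArgument:" log lines and emit the
matching fixlist lines.  Added example; not part of FRST or of this thread."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Browser executables that should normally be launched without a URL argument.
# This list is an assumption; extend it for other browsers as needed.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe", "opera.exe"}

# ShortcutWithArgument: <lnk> -> <target> (<vendor>) -> <argument>
SHORTCUT_RE = re.compile(
    r"^ShortcutWithArgument:\s*(?P<lnk>.+?\.lnk)\s*->\s*"
    r"(?P<target>.+?)(?:\s*\((?P<vendor>[^()]*)\))?\s*->\s*(?P<arg>.+?)\s*$"
)
# FRST defangs URLs as hxxp:// so they are not clickable in a forum post.
URL_ARG_RE = re.compile(r"^(?:https?|hxxps?)://", re.IGNORECASE)

# Constructed sample: three lines taken from this thread plus two benign entries.
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\user\Desktop\Firefox Dev.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> -P dev
ShortcutWithArgument: C:\Users\user\Desktop\Notes.lnk -> C:\Windows\notepad.exe (Microsoft Corporation) -> C:\Users\user\notes.txt
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-03-06]
"""


@dataclass
class Finding:
    raw: str      # the original log line (also the line to paste into fixlist.txt)
    lnk: str      # the shortcut file that was modified
    target: str   # the executable the shortcut launches
    url: str      # the injected argument, refanged to a real URL
    host: str     # hostname of that URL, for blocklisting or correlation


def refang(url: str) -> str:
    """Turn FRST's hxxp:// / hxxps:// back into http:// / https:// for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def find_hijacked_shortcuts(lines: Iterable[str]) -> List[Finding]:
    """Return every shortcut that launches a browser with a URL argument."""
    findings: List[Finding] = []
    for line in lines:
        m = SHORTCUT_RE.match(line.strip())
        if not m:
            continue
        target, arg = m.group("target"), m.group("arg")
        if ntpath.basename(target).lower() not in BROWSERS:
            continue  # not a browser: a URL argument would be unusual but out of scope here
        if not URL_ARG_RE.match(arg):
            continue  # e.g. "-P dev" is a legitimate browser profile argument
        url = refang(arg)
        host = urlparse(url).hostname or ""
        findings.append(Finding(line.strip(), m.group("lnk"), target, url, host))
    return findings


def fixlist_lines(findings: Iterable[Finding]) -> List[str]:
    """The fix in this thread repeats the log lines verbatim in fixlist.txt."""
    return [f.raw for f in findings]


if __name__ == "__main__":
    found = find_hijacked_shortcuts(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.host:12} {ntpath.basename(f.lnk)} -> {f.url}")
    print("\nfixlist.txt lines:")
    print("\n".join(fixlist_lines(found)))
```

Running the script on the sample prints the three hijacked Firefox shortcuts with host qtipr.com and skips the profile-argument shortcut and the Notepad shortcut; the emitted lines are the same three lines that appear in the fix script above.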


#4 SoFiA11

SoFiA11
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 26 March 2017 - 02:35 PM

Hi and thanks for your response!

 

1. I uninstalled McAfee Security Scan

2. I uninstalled uTorrent and Soulseek

3. I used DeFogger to Disable any CD/DVD emulation software

4. Here's my Fixlog

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by user (26-03-2017 22:24:29) Run:1
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-03-06]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (No File)
Hosts:
S1 ZAM; \??\C:\Windows\System32\drivers\zam32.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard32.sys [X]
Folder: C:\ComboFix
Folder: C:\Qoobox
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk => moved successfully
C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
HKLM\System\CurrentControlSet\Services\ZAM => key removed successfully.
ZAM => service removed successfully.
HKLM\System\CurrentControlSet\Services\ZAM_Guard => key removed successfully.
ZAM_Guard => service removed successfully.

========================= Folder: C:\ComboFix ========================

2013-08-15 06:57 - 2013-08-15 06:57 - 0041424 _____ () C:\ComboFix\023.dat
2010-11-26 22:07 - 2010-11-26 22:07 - 0002181 _____ () C:\ComboFix\023v.dat
2010-02-12 20:55 - 2010-02-12 20:55 - 0000660 _____ () C:\ComboFix\023w7.dat
2012-11-02 14:01 - 2012-11-02 14:01 - 0001218 _____ () C:\ComboFix\023w8.dat
2012-02-10 21:12 - 2012-02-10 21:12 - 0000690 _____ () C:\ComboFix\ActiveDrv.vbs
2015-08-02 21:34 - 2015-08-02 21:34 - 0362047 _____ () C:\ComboFix\AppDataFile.cfx
2016-12-01 21:42 - 2016-12-01 21:42 - 0043891 _____ () C:\ComboFix\AppDataFolder.cfx
2000-08-31 03:00 - 2000-08-31 03:00 - 0006760 _____ () C:\ComboFix\appinit.bad
2009-07-13 18:09 - 2009-07-13 18:09 - 0000602 _____ () C:\ComboFix\asp.str
2010-04-15 17:11 - 2010-04-15 17:11 - 0004144 _____ () C:\ComboFix\Assoc.cmd
2017-03-25 18:41 - 2009-07-14 04:14 - 0016384 ____R (Microsoft Corporation) C:\ComboFix\ATTRIB.3XE
2011-07-19 23:38 - 2011-07-19 23:38 - 0005194 _____ () C:\ComboFix\Auto-RC.cmd
2012-06-07 13:56 - 2012-06-07 13:56 - 0004638 _____ () C:\ComboFix\av.cmd
2010-12-15 18:02 - 2010-12-15 18:02 - 0002933 _____ () C:\ComboFix\av.vbs
2011-06-26 18:16 - 2011-06-26 18:16 - 0000666 _____ () C:\ComboFix\AWF.cmd
2017-03-21 05:28 - 2017-03-21 05:28 - 1256830 _____ () C:\ComboFix\badclsid.c
2012-01-03 12:27 - 2012-01-03 12:27 - 0040960 _____ () C:\ComboFix\BFE.dat
2013-06-27 21:07 - 2013-06-27 21:07 - 0008564 _____ () C:\ComboFix\Boot.bat
2010-07-27 11:55 - 2010-07-27 11:55 - 0000875 _____ () C:\ComboFix\BootDrv.vbs
2012-09-11 17:47 - 2012-09-11 17:47 - 0005343 _____ () C:\ComboFix\Boot-Rk.cmd
2015-03-01 05:53 - 2015-03-01 05:53 - 0065746 _____ () C:\ComboFix\c.bat
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 _____ () C:\ComboFix\c.mrk
2009-04-17 12:37 - 2009-04-17 12:37 - 0147456 ____R () C:\ComboFix\catchme.3XE
2010-10-21 11:45 - 2010-10-21 11:45 - 0001080 _____ () C:\ComboFix\Catch-sub.cmd
2017-03-25 18:42 - 2017-03-25 18:42 - 0000094 _____ () C:\ComboFix\CCS.bat
2017-03-25 18:42 - 2017-03-25 18:41 - 0302592 ____R (Microsoft Corporation) C:\ComboFix\CF8837.3XE
2012-10-13 21:00 - 2012-10-13 21:00 - 0031271 _____ () C:\ComboFix\CF-Script.cmd
2017-03-25 18:41 - 2017-03-25 18:41 - 0000019 _____ () C:\ComboFix\CHCP.bat
2017-03-21 05:28 - 2017-03-21 05:28 - 0275547 _____ () C:\ComboFix\clsid.c
2011-10-30 14:38 - 2011-10-30 14:38 - 0008216 _____ () C:\ComboFix\Combobatch.bat
2010-08-19 18:16 - 2010-08-19 18:16 - 0001024 _____ () C:\ComboFix\Combo-Fix.sys
2000-08-31 03:00 - 2000-08-31 03:00 - 0236032 ____R () C:\ComboFix\ComboFix-Download.3XE
2011-07-12 16:19 - 2011-07-12 16:19 - 0019312 _____ () C:\ComboFix\Create.cmd
2015-08-02 21:30 - 2015-08-02 21:30 - 0628594 _____ () C:\ComboFix\Creg.dat
2014-07-18 22:13 - 2014-07-18 22:13 - 0004628 _____ () C:\ComboFix\CregC.cmd
2010-04-17 12:21 - 2010-04-17 12:21 - 0000472 _____ () C:\ComboFix\CregC.dat
2017-03-25 18:41 - 2009-07-14 04:14 - 0126976 ____R (Microsoft Corporation) C:\ComboFix\CSCRIPT.3XE
2011-06-06 12:52 - 2011-06-06 12:52 - 0101376 ____R () C:\ComboFix\dd.3XE
2009-05-25 04:59 - 2009-05-25 04:59 - 0007983 _____ () C:\ComboFix\ddsDo.sed
2013-09-10 19:17 - 2013-09-10 19:17 - 0001996 _____ () C:\ComboFix\DelClsid.bat
2013-09-10 19:17 - 2013-09-10 19:17 - 0002005 _____ () C:\ComboFix\DelClsid64.bat
2017-03-25 18:40 - 2017-03-25 18:42 - 0000113 _____ () C:\ComboFix\desktop.ini
2014-08-28 13:14 - 2014-08-28 13:14 - 0021919 _____ () C:\ComboFix\DesktopFile.cfx
2017-03-25 18:41 - 2017-03-25 18:41 - 0000006 _____ () C:\ComboFix\DisclaimED.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0000746 _____ () C:\ComboFix\DPF.str
2010-04-18 21:44 - 2010-04-18 21:44 - 0000650 _____ () C:\ComboFix\DrvRun.vbs
2000-08-31 03:00 - 2000-08-31 03:00 - 0051200 ____R () C:\ComboFix\dumphive.3XE
2000-08-31 03:00 - 2000-08-31 03:00 - 0000303 _____ () C:\ComboFix\embedded.sed
2005-10-20 15:02 - 2005-10-20 15:02 - 0163328 _____ () C:\ComboFix\ERDNT.e_e
2000-08-31 03:00 - 2000-08-31 03:00 - 0002815 _____ () C:\ComboFix\ERDNTDOS.LOC
2000-08-31 03:00 - 2000-08-31 03:00 - 0003275 _____ () C:\ComboFix\ERDNTWIN.LOC
2005-10-20 15:00 - 2005-10-20 15:00 - 0394752 ____R () C:\ComboFix\ERUNT.3XE
2017-03-25 18:42 - 2017-03-25 18:42 - 0000010 _____ () C:\ComboFix\erunt.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0004090 _____ () C:\ComboFix\ERUNT.LOC
2014-07-18 22:03 - 2014-07-18 22:03 - 0018262 _____ () C:\ComboFix\Exe.reg
2000-08-31 03:00 - 2000-08-31 03:00 - 0052736 ____R () C:\ComboFix\extract.3XE
2010-09-05 11:52 - 2010-09-05 11:52 - 0000020 _____ () C:\ComboFix\FavoriteFolder.cfx
2014-01-21 20:13 - 2014-01-21 20:13 - 0013797 _____ () C:\ComboFix\FavoritesFile.cfx
2012-11-02 14:12 - 2012-11-02 14:12 - 0011766 _____ () C:\ComboFix\FD-SV.cmd
2010-08-29 23:45 - 2010-08-29 23:45 - 0038901 _____ () C:\ComboFix\ffdefstr.dll
2012-10-14 01:36 - 2012-10-14 01:36 - 0000480 _____ () C:\ComboFix\ffext.pif
2000-08-31 03:00 - 2000-08-31 03:00 - 0145920 ____R () C:\ComboFix\FileKill.3XE
2017-03-21 05:28 - 2017-03-21 05:28 - 0003490 _____ () C:\ComboFix\files.pif
2010-08-09 23:32 - 2010-08-09 23:32 - 0000677 _____ () C:\ComboFix\Fin.dat
2014-07-20 21:12 - 2014-07-20 21:12 - 0036477 _____ () C:\ComboFix\FIND3M.bat
2013-10-03 12:05 - 2013-10-03 12:05 - 0079579 _____ () C:\ComboFix\FIXLSP.bat
2013-10-03 14:05 - 2013-10-03 14:05 - 0066239 _____ () C:\ComboFix\FIXLSP64.cmd
2011-07-19 23:38 - 2011-07-19 23:38 - 0001115 _____ () C:\ComboFix\FKMGen.cmd
2013-06-06 14:20 - 2013-06-06 14:20 - 0006103 _____ () C:\ComboFix\GetHive.cmd
2000-08-31 03:00 - 2000-08-31 03:00 - 0080412 ____R () C:\ComboFix\grep.3XE
2000-08-31 03:00 - 2000-08-31 03:00 - 0015360 ____R () C:\ComboFix\gsar.3XE
2008-11-18 08:15 - 2008-11-18 08:15 - 0417136 ____R (Sysinternals) C:\ComboFix\handle.3XE
2005-08-15 20:54 - 2005-08-15 20:54 - 0001536 ____R () C:\ComboFix\hidec.3XE
2009-10-20 12:25 - 2009-10-20 12:25 - 0000954 _____ () C:\ComboFix\history.bat
2010-07-14 19:44 - 2010-07-14 19:44 - 0074529 _____ () C:\ComboFix\hwid.pif
2009-04-20 07:56 - 2009-04-20 07:56 - 0060416 _____ (NirSoft) C:\ComboFix\iexplore.exe
2000-08-31 03:00 - 2000-08-31 03:00 - 0001057 _____ () C:\ComboFix\image001.gif
2010-09-05 02:07 - 2010-09-05 02:07 - 0000224 _____ () C:\ComboFix\Imefile.dat
2011-07-14 12:30 - 2011-07-14 12:30 - 0008096 _____ () C:\ComboFix\Install-RC.cmd
2012-09-12 18:28 - 2012-09-12 18:28 - 0001667 _____ () C:\ComboFix\iphlpsvc.vista.dat
2012-09-12 18:30 - 2012-09-12 18:30 - 0001735 _____ () C:\ComboFix\iphlpsvc.w7.dat
2012-11-02 15:52 - 2012-11-02 15:52 - 0002363 _____ () C:\ComboFix\iphlpsvc.w8.dat
2011-03-09 04:49 - 2011-03-09 04:49 - 0001374 _____ () C:\ComboFix\katch.cmd
2011-07-14 12:29 - 2011-07-14 12:29 - 0001395 _____ () C:\ComboFix\Kill-All.cmd
2017-03-25 18:42 - 2017-03-25 18:42 - 0000012 _____ () C:\ComboFix\kmd.dat
2012-09-03 17:04 - 2012-09-03 17:04 - 0000322 _____ () C:\ComboFix\KNetSvcs.vbs
2012-06-25 03:55 - 2012-06-25 03:55 - 0254294 _____ () C:\ComboFix\Lang.bat
2016-12-01 21:44 - 2016-12-01 21:44 - 3304360 _____ () C:\ComboFix\List.bat
2015-03-14 15:05 - 2015-03-14 15:05 - 0033825 _____ () C:\ComboFix\List-B.bat
2014-11-10 18:26 - 2014-11-10 18:26 - 0292529 _____ () C:\ComboFix\List-C.bat
2015-02-13 10:25 - 2015-02-13 10:25 - 0121899 _____ () C:\ComboFix\List-D.bat
2013-06-13 01:25 - 2013-06-13 01:25 - 0002556 _____ () C:\ComboFix\lnkread.vbs
2015-06-30 19:30 - 2015-06-30 19:30 - 0035156 _____ () C:\ComboFix\LocalAppDataFile.cfx
2015-06-30 20:01 - 2015-06-30 20:01 - 0010609 _____ () C:\ComboFix\LocalAppDataFolder.cfx
2000-08-31 03:00 - 2000-08-31 03:00 - 0000225 _____ () C:\ComboFix\LocalService.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0000091 _____ () C:\ComboFix\LocalServiceNetworkRestricted.dat
2015-03-14 15:07 - 2015-03-14 15:07 - 0004567 _____ () C:\ComboFix\LocalSettingsFile.cfx
2015-01-03 23:44 - 2015-01-03 23:44 - 0000096 _____ () C:\ComboFix\LocalSettingsFolder.cfx
2000-08-31 03:00 - 2000-08-31 03:00 - 0000198 _____ () C:\ComboFix\LocalSystemNetworkRestricted.dat
2009-10-25 01:11 - 2009-10-25 01:11 - 0184320 ____R () C:\ComboFix\mbr.3XE
2010-08-29 06:30 - 2010-08-29 06:30 - 0002141 _____ () C:\ComboFix\mbr.chk
2017-03-21 05:28 - 2017-03-21 05:28 - 0007344 _____ () C:\ComboFix\md5sum.pif
2012-07-25 23:26 - 2012-07-25 23:26 - 0279004 _____ () C:\ComboFix\MDWht.dat
2011-07-28 22:06 - 2011-07-28 22:06 - 0002862 _____ () C:\ComboFix\MoveIt.bat
2012-02-11 07:48 - 2012-02-11 07:48 - 0008192 _____ () C:\ComboFix\MpsSvc.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0011264 ____R () C:\ComboFix\mtee.3XE
2017-03-25 18:41 - 2017-03-25 18:41 - 0000014 _____ () C:\ComboFix\MUI
2000-08-31 03:00 - 2000-08-31 03:00 - 0000000 _____ () C:\ComboFix\mynul.dat
2013-01-31 21:43 - 2013-01-31 21:43 - 0000033 _____ () C:\ComboFix\MZChanged.dat
2011-08-26 15:38 - 2011-08-26 15:38 - 0008543 _____ () C:\ComboFix\ncmd.com
2012-10-30 18:56 - 2012-10-30 18:56 - 0067554 _____ () C:\ComboFix\ND_.bat
2012-10-30 18:57 - 2012-10-30 18:57 - 0018996 _____ () C:\ComboFix\ND_64.bat
2009-12-24 11:12 - 2009-12-24 11:12 - 0000283 _____ () C:\ComboFix\ndis_combofix.dat
2010-04-14 13:21 - 2010-04-14 13:21 - 0000520 _____ () C:\ComboFix\netsvc.bad.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0000159 _____ () C:\ComboFix\netsvc.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0000481 _____ () C:\ComboFix\netsvc.vista.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0000525 _____ () C:\ComboFix\netsvc.xp.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0000088 _____ () C:\ComboFix\NetworkService.dat
2009-04-20 07:56 - 2009-04-20 07:56 - 0060416 ____R (NirSoft) C:\ComboFix\NirCmd.3XE
2017-03-25 18:41 - 2009-04-20 07:56 - 0060416 _____ (NirSoft) C:\ComboFix\NircmdB.exe
2009-04-20 07:56 - 2009-04-20 07:56 - 0058880 ____R (NirSoft) C:\ComboFix\NirCmdC.3XE
2009-04-20 07:56 - 2009-04-20 07:56 - 0060416 ____R (NirSoft) C:\ComboFix\NIRKMD.3XE
2017-03-25 18:41 - 2017-03-25 18:41 - 0000006 _____ () C:\ComboFix\NlsLanguageDefault
2013-07-07 19:43 - 2013-07-07 19:43 - 0049591 _____ () C:\ComboFix\NT-OS.cmd
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 _____ () C:\ComboFix\NULL
2000-08-31 03:00 - 2000-08-31 03:00 - 0000977 _____ () C:\ComboFix\OSid.vbs
2002-09-29 08:01 - 2002-09-29 08:01 - 0180224 ____R () C:\ComboFix\pausep.3XE
2015-07-05 21:45 - 2015-07-05 21:45 - 0020790 _____ () C:\ComboFix\PersonalFile.cfx
2015-03-14 15:07 - 2015-03-14 15:07 - 0000652 _____ () C:\ComboFix\PersonalFolder.cfx
2011-06-26 09:45 - 2011-06-26 09:45 - 0256000 ____R () C:\ComboFix\pev.3XE
2017-03-25 18:41 - 2011-06-26 09:45 - 0256000 _____ () C:\ComboFix\PEV.exe
2011-01-28 04:28 - 2011-01-28 04:28 - 0102400 ____R () C:\ComboFix\pevb.3XE
2017-03-25 18:41 - 2009-07-14 04:14 - 0015360 ____R (Microsoft Corporation) C:\ComboFix\PING.3XE
2009-07-05 22:51 - 2009-07-05 22:51 - 0002992 _____ () C:\ComboFix\Policies.dat
2010-05-13 11:57 - 2010-05-13 11:57 - 0000064 _____ () C:\ComboFix\powp.dat
2013-08-16 19:55 - 2013-08-16 19:55 - 0002896 _____ () C:\ComboFix\Prep.inf
2015-08-02 21:34 - 2015-08-02 21:34 - 0039878 _____ () C:\ComboFix\ProfilesFile.cfx
2014-10-26 19:16 - 2014-10-26 19:16 - 0002051 _____ () C:\ComboFix\ProfilesFolder.cfx
2014-10-26 19:13 - 2014-10-26 19:13 - 0012690 _____ () C:\ComboFix\ProgramsFile.cfx
2014-12-10 17:47 - 2014-12-10 17:47 - 0018313 _____ () C:\ComboFix\ProgramsFolder.cfx
2000-08-31 03:00 - 2000-08-31 03:00 - 0000404 _____ () C:\ComboFix\Purity.dat
2006-03-03 00:42 - 2006-03-03 00:42 - 0073728 ____R () C:\ComboFix\PV.3XE
2006-03-02 18:42 - 2006-03-02 18:42 - 0073728 _____ () C:\ComboFix\pv.com
2017-03-25 18:40 - 2017-03-25 18:40 - 0000106 _____ () C:\ComboFix\rar_sfx.cmd
2000-08-31 03:00 - 2000-08-31 03:00 - 0007478 _____ () C:\ComboFix\RCLink.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0003558 _____ () C:\ComboFix\REGDACL.sed
2000-08-31 03:00 - 2000-08-31 03:00 - 0009203 _____ () C:\ComboFix\RegDo.sed
2010-09-16 23:03 - 2010-09-16 23:03 - 0001153 _____ () C:\ComboFix\region.dat
2013-08-01 20:07 - 2013-08-01 20:07 - 0057411 _____ () C:\ComboFix\RegScan.cmd
2012-11-02 15:55 - 2012-11-02 15:55 - 0022204 _____ () C:\ComboFix\RegScan64.cmd
2017-03-25 18:41 - 2017-03-25 18:41 - 0000230 _____ () C:\ComboFix\Resident.txt
2009-05-01 17:26 - 2009-05-01 17:26 - 0000587 _____ () C:\ComboFix\restore_pt.vbs
2009-11-15 00:35 - 2009-11-15 00:35 - 0000442 _____ () C:\ComboFix\Rkey.cmd
2010-11-07 20:20 - 2010-11-07 20:20 - 0208896 ____R () C:\ComboFix\rmbr.3XE
2012-08-31 00:19 - 2012-08-31 00:19 - 0819857 ____R () C:\ComboFix\RNullFix64.3XE
2012-10-30 20:43 - 2012-10-30 20:43 - 0000810 _____ () C:\ComboFix\rogues.dat
2017-03-25 18:41 - 2009-07-14 04:14 - 0017920 ____R (Microsoft Corporation) C:\ComboFix\ROUTE.3XE
2000-08-31 03:00 - 2000-08-31 03:00 - 0000287 _____ () C:\ComboFix\run2.sed
2009-06-10 06:38 - 2009-06-10 06:38 - 0000030 _____ () C:\ComboFix\Rust.str
1999-11-10 19:00 - 1999-11-10 19:00 - 0038400 ____R () C:\ComboFix\s0rt.3XE
2000-08-31 03:00 - 2000-08-31 03:00 - 0000329 _____ () C:\ComboFix\safeboot.dat
2009-06-09 21:25 - 2009-06-09 21:25 - 0001464 _____ () C:\ComboFix\safeboot.def.dat
2010-11-26 21:53 - 2010-11-26 21:53 - 0000482 _____ () C:\ComboFix\safeboot.def.vista.dat
2012-11-02 09:25 - 2012-11-02 09:25 - 0000610 _____ () C:\ComboFix\Safeboot.def.w7.dat
2012-11-02 09:48 - 2012-11-02 09:48 - 0000914 _____ () C:\ComboFix\Safeboot.def.w8.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0098816 ____R () C:\ComboFix\sed.3XE
2014-07-12 07:42 - 2014-07-12 07:42 - 0017606 _____ () C:\ComboFix\SetEnvmt.bat
2000-08-31 03:00 - 2000-08-31 03:00 - 0066172 ____R () C:\ComboFix\setpath.3XE
2017-03-25 18:41 - 2017-03-25 18:41 - 0002423 _____ () C:\ComboFix\setpath_N.cmd
2006-06-10 15:42 - 2006-06-10 15:42 - 0049152 _____ (Inv Softworks LLC) C:\ComboFix\SF.exe
2017-03-25 18:41 - 2017-03-25 18:41 - 0000014 _____ () C:\ComboFix\sfx.cmd
2012-05-23 19:10 - 2012-05-23 19:10 - 0376832 _____ () C:\ComboFix\ShAccess.dat
2011-06-23 21:52 - 2011-06-23 21:52 - 0004634 _____ () C:\ComboFix\SnapShot.cmd
2009-05-25 03:52 - 2009-05-25 03:52 - 0520621 ____R () C:\ComboFix\sqlite3.3XE
2012-05-20 09:53 - 2012-05-20 09:53 - 0002147 _____ () C:\ComboFix\SRestore.cmd
2015-10-07 11:03 - 2015-10-07 11:03 - 0404614 _____ () C:\ComboFix\srizbi.md5
2017-03-25 18:42 - 2017-03-25 18:42 - 0000002 _____ () C:\ComboFix\Start_dat
2014-10-26 19:14 - 2014-10-26 19:14 - 0009377 _____ () C:\ComboFix\StartMenuFile.cfx
2014-10-26 19:14 - 2014-10-26 19:14 - 0000651 _____ () C:\ComboFix\StartMenuFolder.cfx
2015-06-22 20:10 - 2015-06-22 20:10 - 0053868 _____ () C:\ComboFix\StartUpFile.cfx
2012-11-12 11:48 - 2012-11-12 11:48 - 0021075 _____ () C:\ComboFix\SuppScan.cmd
2009-11-29 01:42 - 2009-11-29 01:42 - 0011987 _____ () C:\ComboFix\svc_wht.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0002176 _____ () C:\ComboFix\SvcDrv.vbs
2012-06-20 16:03 - 2012-06-20 16:03 - 0000582 _____ () C:\ComboFix\svchost.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0000668 _____ () C:\ComboFix\svchost.vista.dat
2010-11-27 08:12 - 2010-11-27 08:12 - 0000749 _____ () C:\ComboFix\svchost.vista.x64.dat
2013-06-03 20:06 - 2013-06-03 20:06 - 0001117 _____ () C:\ComboFix\svchost.w7.dat
2013-06-03 20:06 - 2013-06-03 20:06 - 0001467 _____ () C:\ComboFix\svchost.w7.x64.dat
2013-07-07 19:57 - 2013-07-07 19:57 - 0001348 _____ () C:\ComboFix\svchost.w8.dat
2012-11-02 10:03 - 2012-11-02 10:03 - 0001268 _____ () C:\ComboFix\svchost.w8.x64.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0518144 ____R (SteelWerX) C:\ComboFix\swreg.3XE
2000-08-31 03:00 - 2000-08-31 03:00 - 0406528 ____R (SteelWerX) C:\ComboFix\swsc.3XE
2000-08-31 03:00 - 2000-08-31 03:00 - 0212480 ____R (SteelWerX) C:\ComboFix\swxcacls.3XE
2000-08-31 03:00 - 2000-08-31 03:00 - 0000276 _____ () C:\ComboFix\system_ini.dat
1999-11-10 03:00 - 1999-11-10 03:00 - 0035328 ____R () C:\ComboFix\tail.3XE
2015-06-22 20:11 - 2015-06-22 20:11 - 0009596 _____ () C:\ComboFix\TemplatesFile.cfx
2015-03-14 13:37 - 2015-03-14 13:37 - 0000188 _____ () C:\ComboFix\TemplatesFolder.cfx
2009-10-30 08:26 - 2009-10-30 08:26 - 0000633 _____ () C:\ComboFix\toolbar.sed
2012-01-10 04:47 - 2012-01-10 04:47 - 0003987 _____ () C:\ComboFix\Update-CF.cmd
2012-02-18 22:06 - 2012-02-18 22:06 - 0009098 _____ () C:\ComboFix\VBR.pif
2017-03-25 18:41 - 2017-03-25 18:42 - 0000571 _____ () C:\ComboFix\VerCF.bat
2011-06-22 11:40 - 2011-06-22 11:40 - 0003819 _____ () C:\ComboFix\VInfo
2015-04-14 19:30 - 2015-04-14 19:30 - 0023322 _____ () C:\ComboFix\VInfo2
2011-06-22 11:40 - 2011-06-22 11:40 - 0000557 _____ () C:\ComboFix\VINFO3
2010-05-10 18:30 - 2010-05-10 18:30 - 0000308 _____ () C:\ComboFix\Vipev.dat
2017-03-25 18:40 - 2017-03-25 18:42 - 0000004 _____ () C:\ComboFix\Vista.krl
2010-07-26 22:17 - 2010-07-26 22:17 - 0000440 _____ () C:\ComboFix\vistaMcode.dat
2015-06-22 20:02 - 2015-06-22 20:02 - 0028841 _____ () C:\ComboFix\vistareg.dat
2010-06-20 23:05 - 2010-06-20 23:05 - 0007584 _____ () C:\ComboFix\vun.dat
2010-07-31 12:05 - 2010-07-31 12:05 - 0000244 _____ () C:\ComboFix\VwinTemp.dacl
2017-03-25 18:40 - 2017-03-25 18:40 - 0000006 _____ () C:\ComboFix\W7.mac
2010-07-23 23:20 - 2010-07-23 23:20 - 0000440 _____ () C:\ComboFix\w7Mcode.dat
2015-06-22 19:11 - 2015-06-22 19:11 - 0029323 _____ () C:\ComboFix\w7reg.dat
2015-06-22 19:15 - 2015-06-22 19:15 - 0032607 _____ () C:\ComboFix\w8reg.dat
2010-12-11 22:38 - 2010-12-11 22:38 - 0001127 _____ () C:\ComboFix\Wmi_rem.vbs
2010-07-22 17:14 - 2010-07-22 17:14 - 0000440 _____ () C:\ComboFix\xpmcode.dat
2013-09-04 21:33 - 2013-09-04 21:33 - 0068035 _____ () C:\ComboFix\xpreg.dat
2010-02-02 13:41 - 2010-02-02 13:41 - 0013090 _____ () C:\ComboFix\XPSBoot.reg
2000-08-31 03:00 - 2000-08-31 03:00 - 0023773 _____ () C:\ComboFix\zDomain.dat
2016-12-01 21:35 - 2016-12-01 21:35 - 0134321 _____ () C:\ComboFix\zhsvc.dat
2000-08-31 03:00 - 2000-08-31 03:00 - 0068096 ____R () C:\ComboFix\zip.3XE
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 ____D () C:\ComboFix\el-GR
2017-03-25 18:42 - 2010-11-21 05:26 - 0002048 _____ (Microsoft Corporation) C:\ComboFix\el-GR\ATTRIB.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0157696 _____ (Microsoft Corporation) C:\ComboFix\el-GR\CF8837.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0157696 _____ (Microsoft Corporation) C:\ComboFix\el-GR\cmd.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0014336 _____ (Microsoft Corporation) C:\ComboFix\el-GR\CSCRIPT.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0012800 _____ (Microsoft Corporation) C:\ComboFix\el-GR\PING.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0054784 _____ (Microsoft Corporation) C:\ComboFix\el-GR\REGT.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0013824 _____ (Microsoft Corporation) C:\ComboFix\el-GR\ROUTE.3XE.mui
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 ____D () C:\ComboFix\en-US
2017-03-25 18:42 - 2010-11-21 05:26 - 0131072 _____ (Microsoft Corporation) C:\ComboFix\en-US\ATTRIB.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0131072 _____ (Microsoft Corporation) C:\ComboFix\en-US\CF8837.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0131072 _____ (Microsoft Corporation) C:\ComboFix\en-US\cmd.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0131072 _____ (Microsoft Corporation) C:\ComboFix\en-US\CSCRIPT.3XE.mui
2017-03-25 18:42 - 2005-08-15 20:54 - 0001536 _____ () C:\ComboFix\en-US\iexplore.exe
2017-03-25 18:42 - 2010-11-21 05:26 - 0009728 _____ (Microsoft Corporation) C:\ComboFix\en-US\PING.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0131072 _____ (Microsoft Corporation) C:\ComboFix\en-US\REGT.3XE.mui
2017-03-25 18:42 - 2010-11-21 05:26 - 0012288 _____ (Microsoft Corporation) C:\ComboFix\en-US\ROUTE.3XE.mui
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 ____D () C:\ComboFix\N_
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 _____ () C:\ComboFix\N_\10041
2017-03-25 18:42 - 2017-03-25 18:42 - 0001786 _____ () C:\ComboFix\N_\11468
2017-03-25 18:42 - 2017-03-25 18:42 - 0000041 _____ () C:\ComboFix\N_\17504
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 _____ () C:\ComboFix\N_\25383
2017-03-25 18:42 - 2017-03-25 18:42 - 0000028 _____ () C:\ComboFix\N_\2678
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 _____ () C:\ComboFix\N_\29464
2017-03-25 18:42 - 2017-03-25 18:42 - 0000032 _____ () C:\ComboFix\N_\3942

====== End of Folder: ======


========================= Folder: C:\Qoobox ========================

2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 ____D () C:\Qoobox\BackEnv
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 ____D () C:\Qoobox\LastRun
2017-03-25 18:41 - 2017-03-25 18:42 - 0000000 ____D () C:\Qoobox\Quarantine
2017-03-25 18:42 - 2017-03-25 18:42 - 0000051 _____ () C:\Qoobox\Quarantine\catchme.log
2017-03-25 18:41 - 2017-03-25 18:41 - 0000000 ____D () C:\Qoobox\Quarantine\Registry_backups
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 ____D () C:\Qoobox\Test
2017-03-25 18:42 - 2017-03-25 18:42 - 0000000 ____D () C:\Qoobox\TestC

====== End of Folder: ======

WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION => removed successfully.
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\Users\Public\Desktop\Mozilla Firefox.lnk => Shortcut argument removed successfully..


The system needed a reboot.

==== End of Fixlog 22:25:14 ====
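
The one line in that fixlog that explains why the redirect kept coming back is WMI_ActiveScriptEventConsumer_ASEC: FRST removed a permanent WMI event subscription. Subscriptions in the root\subscription namespace survive reboots, appear in neither Startup nor Services, and can run a script every time some event fires, which is how a hijacker can rewrite browser shortcuts after each cleanup. As an added example that is not part of this thread or of FRST, the PowerShell below lists every filter, consumer and binding in that namespace so you can see what triggers and what it runs. It uses Get-WmiObject so it works on the PowerShell 2.0 that ships with Windows 7; the name ASEC in the removal section is taken from the FRST line above and is assumed to be the consumer's and filter's actual Name.

```powershell
# Added example, not part of the thread or of FRST: enumerate permanent WMI
# event subscriptions, the persistence mechanism FRST reported removing above
# ("WMI_ActiveScriptEventConsumer_ASEC"). They live in root\subscription,
# survive reboots, and show up in neither Startup nor Services.
# Uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with Windows 7.
# Run from an elevated PowerShell prompt.

$ns = 'root\subscription'

function Get-WmiPersistence {
    # Returns one object per filter/consumer/binding so the caller can
    # inspect or export them; a stock Windows 7 box normally has none.
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($f in $filters) {
        New-Object PSObject -Property @{
            Kind   = 'Filter'
            Name   = $f.Name
            Detail = $f.Query            # the WQL event query that triggers it
        }
    }
    foreach ($c in $consumers) {
        # ActiveScriptEventConsumer carries inline VBScript/JScript in ScriptText
        # (or a path in ScriptFileName); CommandLineEventConsumer carries a
        # command line in CommandLineTemplate. Other consumer classes are shown
        # by class name only.
        $payload = '(n/a)'
        if ($c.ScriptText)              { $payload = $c.ScriptText }
        elseif ($c.ScriptFileName)      { $payload = $c.ScriptFileName }
        elseif ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        New-Object PSObject -Property @{
            Kind   = 'Consumer (' + $c.__CLASS + ')'
            Name   = $c.Name
            Detail = $payload
        }
    }
    foreach ($b in $bindings) {
        New-Object PSObject -Property @{
            Kind   = 'Binding'
            Name   = $b.Filter           # reference string naming the filter
            Detail = $b.Consumer         # reference string naming the consumer
        }
    }
}

$entries = @(Get-WmiPersistence)
if ($entries.Count -eq 0) {
    Write-Host "No permanent WMI event subscriptions found in $ns."
} else {
    $entries | Format-List Kind, Name, Detail
}

# Removal, only after you have confirmed an entry is malicious: delete the
# binding first, then the consumer and the filter, so nothing fires in
# between. 'ASEC' is the name taken from the FRST fixlog line above and is
# assumed here to be the consumer's and filter's actual Name.
$suspectName = 'ASEC'
$doRemove    = $false   # set to $true to actually delete
if ($doRemove) {
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Consumer -match "Name=`"$suspectName`"" } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer |
        Where-Object { $_.Name -eq $suspectName } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter |
        Where-Object { $_.Name -eq $suspectName } | Remove-WmiObject
}
```

Read the Detail column of any ActiveScriptEventConsumer before deleting it: the script text is the payload, and in a shortcut hijack of this kind it is typically what writes the URL back into the .lnk files, so it tells you which other artifacts to check.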



#5 garioch7 (RCMP Veteran, Malware Response Instructor)

Posted 27 March 2017 - 11:25 AM

SoFiA11:

 

Thank you for posting the contents of your "fixlog.txt" file.  Are you still being redirected to qtipr.com?

 

Next, we want to uninstall ComboFix from your computer.

 

Please open an elevated (Administrative) command prompt.  Please type the following command:

ComboFix /uninstall

and then press the <Enter> key.  Please note that there is a space between "ComboFix" and "/uninstall".

 

Please reboot your computer when the uninstall finishes and post back to let me know how it went.

 

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#6 SoFiA11 (Topic Starter)

Posted 27 March 2017 - 01:57 PM

Hi,

1.Unfortunately I'm still being redirected to qtipr.com.

2. For ComboFix: I did what you told me but I don't know if I managed to uninstall it because there's something wrong with the letters of the command prompt. They're weird (I mean they're like "ίϊάή"). How am I going to find out if I did it?


Edited by SoFiA11, 27 March 2017 - 02:03 PM.


#7 garioch7 (RCMP Veteran, Malware Response Instructor)

Posted 28 March 2017 - 08:14 AM

SoFiA11:
 
Thank you for your post.  It sounds like you have "enabled" a foreign language keyboard, perhaps by accident.  Short-cut keys can do that.
 
To determine if ComboFix is gone, please launch Windows File Explorer and see if you can find the following files/folders:

  • C:\ComboFix.exe
  • C:\ComboFix
  • C:\Qoobox

If those files or folders are present, then ComboFix was not uninstalled.

Step 1: Please download SystemLook from one of the links below and save it to your Desktop.
For 32-bit versions of Windows: SystemLook.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

:regfind
qtipr.com

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please copy and paste the contents of this log into your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt


Step 2: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!


Step 3: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.



Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#8 SoFiA11 (Topic Starter)

Posted 28 March 2017 - 10:31 AM

Hello,

 

1. I found BOTH C:\ComboFix AND C:\Qoobox. So I couldn't uninstall it, I don't know why though.

2.Here's my SystemLook log:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 16:40 on 28/03/2017 by user
Administrator - Elevation successful

========== regfind ==========

Searching for "qtipr.com"
No data found.

-= EOF =-

 

3.Here's my ESET text:

 

C:\Program Files\NCH Software\VideoPad\videopad.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    cleaned by deleting
C:\Program Files\NCH Software\VideoPad\videopadsetup_v3.89.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted
C:\Users\user\Desktop\NCH VideoPad Video Editor Professional 3.89 Final Incl. Keys [ATOM]\vppsetup.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted
 

4. As for Malwarebytes, I did everything you told me and it found one threat. There was no "Remove selected" option so I quarantined it and then I deleted it. It didn't say anything about rebooting, plus I couldn't find a "History" button.

I selected "View report" and it opened a window where it named the Trojan and said "Removal failed" so I selected "Export" of this report and here it is:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/28/17
Scan Time: 5:57 PM
Logfile: Malwarebytes Scan report.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1614
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: user-PC\user

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 266650
Time Elapsed: 16 min, 44 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.WMIHijacker.ClnShrt, C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3W5KE06O.DEFAULT-1490448279200\SESSIONSTORE-BACKUPS\RECOVERY.JS, Removal Failed, [2577], [358768],1.0.1614

Physical Sector: 0
(No malicious items detected)


(end)



#9 garioch7 (RCMP Veteran, Malware Response Instructor)

Posted 28 March 2017 - 12:45 PM

SoFiA11:

Thank you for your post.

Step 1: I have attached a batch file, called "cfu.bat", to the bottom of this post, which will hopefully uninstall ComboFix from your computer. Please click on it to download it and save it to your Desktop. Double-click the batch file and it should run. It might take a few minutes. Once the batch file has completed, a file called "cf_uninstall.txt" should appear on your Desktop. Please open that file in Notepad and then copy and paste the contents into your next reply.

If the ComboFix.exe file is not present on your computer, then we will have to go at this another way because the batch file will be unable to locate the ComboFix.exe file and the batch file will fail and therefore it will not uninstall the ComboFix program components.

Step 2: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Step 3: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.



Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#10 SoFiA11 (Topic Starter)

Posted 29 March 2017 - 12:00 PM

Hi!

 

1. ComboFix.exe not present (I tried to use cfu.bat but the window opened briefly and an empty notepad file appeared)

2. My Adwcleaner log:

 

# AdwCleaner v6.045 - Logfile created 29/03/2017 at 19:43:07
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-29.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X86)
# Username : user - USER-PC
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support


***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

Shortcut infected: C:\Users\Public\Desktop\Mozilla Firefox.lnk ( hxxp://qtipr.com/ )
Shortcut infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk ( hxxp://qtipr.com/ )
Shortcut infected: C:\users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk ( hxxp://qtipr.com/ )


***** [ Scheduled tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [4910 Bytes] - [25/03/2017 09:41:27]
C:\AdwCleaner\AdwCleaner[C2].txt - [1470 Bytes] - [25/03/2017 19:38:14]
C:\AdwCleaner\AdwCleaner[C3].txt - [1618 Bytes] - [25/03/2017 19:55:52]
C:\AdwCleaner\AdwCleaner[S0].txt - [4613 Bytes] - [25/03/2017 09:38:52]
C:\AdwCleaner\AdwCleaner[S1].txt - [1703 Bytes] - [25/03/2017 19:37:40]
C:\AdwCleaner\AdwCleaner[S2].txt - [1851 Bytes] - [25/03/2017 19:55:16]
C:\AdwCleaner\AdwCleaner[S3].txt - [1999 Bytes] - [25/03/2017 20:10:47]
C:\AdwCleaner\AdwCleaner[S4].txt - [1878 Bytes] - [29/03/2017 19:43:07]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1952 Bytes] ##########
 

 

3. My JRT log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 7 Home Premium x86
Ran by user (Administrator) on Wed 29/03/2017 at 19:50:57,12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 8

Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDOTD2C0 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4SOXNSE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OR528NXJ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X25TKQBV (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDOTD2C0 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4SOXNSE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OR528NXJ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X25TKQBV (Temporary Internet Files Folder)



Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchUrl\\Default (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 29/03/2017 at 19:55:41,42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
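
The AdwCleaner scan log in the post above shows where the redirect actually lived: not in the registry (the SystemLook :regfind for qtipr.com returned nothing) and not in the Firefox profile, but in the Arguments field of three Firefox shortcuts, so every launch from the Desktop, Start Menu or taskbar handed hxxp://qtipr.com/ to firefox.exe as a page to open. Note also that the FRST fixlog earlier in the thread had already cleared the argument on the same three .lnk files; four days later they carried the URL again, which is the signature of a re-writer (such as the WMI subscription FRST removed) rather than a one-off change. As an added example, not code from the thread or from AdwCleaner, the PowerShell below enumerates .lnk files in the locations the log names plus the user's own Desktop (that last root, the browser executable list and the URL pattern are assumptions), flags any browser shortcut whose command line carries a URL, and optionally clears the argument the way the AdwCleaner Clean run and the FRST fix did. Run it elevated: the Public Desktop and ProgramData shortcuts are not writable by a standard user.

```powershell
# Added example, not code from the thread or from AdwCleaner: find browser
# shortcuts whose command line carries a URL, which is where this thread's
# qtipr.com redirect lived, and optionally clear that argument.
# Runs on the PowerShell 2.0 that ships with Windows 7; run it elevated,
# because the Public Desktop and ProgramData shortcuts are not writable by
# a standard user.

# Search roots: the three locations AdwCleaner flagged plus the current
# user's Desktop (the last one is an assumption, not from the log).
$searchRoots = @(
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:USERPROFILE\Desktop"
)

# Indicator (assumed, matching what AdwCleaner reported): the shortcut target
# is a browser and its Arguments field contains an http(s) URL. A clean
# browser shortcut normally has an empty Arguments field.
$browserExe = 'firefox\.exe|chrome\.exe|iexplore\.exe|opera\.exe'
$urlPattern = 'https?://'

$shell = New-Object -ComObject WScript.Shell

function Get-HijackedShortcut {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                if ($lnk.TargetPath -match $browserExe -and $lnk.Arguments -match $urlPattern) {
                    New-Object PSObject -Property @{
                        Path      = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

function Repair-Shortcut {
    # Clears the Arguments field and saves the .lnk, which is what the
    # "Shortcut argument removed" / "Shortcut disinfected" lines in the
    # FRST and AdwCleaner logs describe.
    param([string]$Path)
    $lnk = $shell.CreateShortcut($Path)
    $lnk.Arguments = ''
    $lnk.Save()
}

$clean = $false   # set to $true to disinfect instead of only reporting

$hits = @(Get-HijackedShortcut -Roots $searchRoots)
if ($hits.Count -eq 0) {
    Write-Host "No browser shortcuts with a URL argument found."
} else {
    $hits | Format-Table Path, Arguments -AutoSize -Wrap
    if ($clean) {
        foreach ($h in $hits) {
            Repair-Shortcut -Path $h.Path
            Write-Host "Cleaned: $($h.Path)"
        }
    }
}
```

Run it once in report mode, remove whatever re-writes the shortcuts first, then run it with $clean set to $true and run it again the next day: if the Arguments field is empty on the second pass, the persistence is really gone. A hijacked shortcut does not change the browser's own homepage setting, so this check is separate from, and in this thread more important than, looking at Firefox's start page preference.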
 



#11 garioch7 (RCMP Veteran, Malware Response Instructor)

Posted 29 March 2017 - 01:32 PM

SoFiA11:
 
Thank you for your AdwCleaner and JRT scan logs.  The good news is that AdwCleaner found the culprits so now we must instruct AdwCleaner to clean them out (delete them).
 
Step 1: Double click on AdwCleaner.exe to run the tool again. Vista/Windows 7/8/10 users right-click and select Run As Administrator

  • The tool will start to update the database, please wait for the update to complete.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • Uncheck any PUP and adware applications that you want to keep.  In your case, you can skip this step - what it found, you don't want! :)
  • Then this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.



Please let me know after the reboot if you are still being redirected to qtipr.com.

 

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#12 SoFiA11 (Topic Starter)

Posted 29 March 2017 - 03:10 PM

Yay we did it!!

 

# AdwCleaner v6.045 - Logfile created 29/03/2017 at 23:01:40
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-29.1 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (X86)
# Username : user - USER-PC
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support


***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****

[-] Shortcut disinfected: C:\Users\Public\Desktop\Mozilla Firefox.lnk
[-] Shortcut disinfected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[-] Shortcut disinfected: C:\users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk


***** [ Scheduled Tasks ] *****


***** [ Registry ] *****


***** [ Browsers ] *****


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [4910 Bytes] - [25/03/2017 09:41:27]
C:\AdwCleaner\AdwCleaner[C2].txt - [1470 Bytes] - [25/03/2017 19:38:14]
C:\AdwCleaner\AdwCleaner[C3].txt - [1618 Bytes] - [25/03/2017 19:55:52]
C:\AdwCleaner\AdwCleaner[C4].txt - [1314 Bytes] - [29/03/2017 23:01:40]
C:\AdwCleaner\AdwCleaner[S0].txt - [4613 Bytes] - [25/03/2017 09:38:52]
C:\AdwCleaner\AdwCleaner[S1].txt - [1703 Bytes] - [25/03/2017 19:37:40]
C:\AdwCleaner\AdwCleaner[S2].txt - [1851 Bytes] - [25/03/2017 19:55:16]
C:\AdwCleaner\AdwCleaner[S3].txt - [1999 Bytes] - [25/03/2017 20:10:47]
C:\AdwCleaner\AdwCleaner[S4].txt - [2032 Bytes] - [29/03/2017 19:43:07]
C:\AdwCleaner\AdwCleaner[S5].txt - [2105 Bytes] - [29/03/2017 23:01:25]

########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [1832 Bytes] ##########
 

Thank you very much!!!!

 

Now:

1. What do we do about ComboFix?
2. Can I delete all the logs I've saved on my desktop?
3. Can I remove all those programs we used?

 

Thanks again!
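The three "Shortcut disinfected" lines in the log above are the interesting part of this thread, because they explain why the homepage kept coming back after the browser itself had been cleaned. A Windows shortcut carries its own command line, and a hijacker that appends a URL to the Firefox shortcut's arguments makes the browser open that URL on every launch regardless of the homepage setting, so a browser reset or profile cleanup does not remove it. The following is an added example, not code from the thread or from AdwCleaner: a Python parser that reads the Shell Link (.lnk) header and StringData section far enough to extract the Arguments string and flag a URL in it. The sample shortcuts are constructed inline (the qtipr.com argument is illustrative, not the actual argument recovered from this machine), and `parse_lnk`, `find_url_argument`, `scan_shortcuts` and `build_lnk` are names chosen here.

```python
"""Flag browser shortcuts (.lnk) whose command line carries a URL, using a
minimal parser of the Windows Shell Link binary format (MS-SHLLINK)."""
import os
import re
import struct

# LinkFlags bits from the Shell Link header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian GUID) order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and StringData strings of a .lnk file.

    LinkTargetIDList and LinkInfo are skipped using their own size fields;
    only the header and the StringData section are interpreted.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file (bad HeaderSize)")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file (bad LinkCLSID)")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        result[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return result


def find_url_argument(data: bytes):
    """Return the first URL in the shortcut's Arguments string, or None."""
    match = URL_RE.search(parse_lnk(data).get("arguments", ""))
    return match.group(0) if match else None


def scan_shortcuts(root: str):
    """Yield (path, url) for every .lnk under root whose arguments contain a URL."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    url = find_url_argument(fh.read())
            except (OSError, ValueError):
                continue
            if url:
                yield path, url


def build_lnk(arguments: str = "", working_dir: str = "", id_list: bytes = b"") -> bytes:
    """Hypothetical helper that builds a minimal Unicode .lnk for sample input only."""
    flags = IS_UNICODE
    strings = []
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
    if working_dir:
        flags |= HAS_WORKING_DIR
        strings.append(working_dir)
    if arguments:
        flags |= HAS_ARGUMENTS
        strings.append(arguments)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3.
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    body += b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


# Constructed samples, not shortcuts captured from the machine in this thread.
FIREFOX_DIR = "C:\\Program Files\\Mozilla Firefox"
CLEAN_LNK = build_lnk(working_dir=FIREFOX_DIR, id_list=b"\x00\x00")
HIJACKED_LNK = build_lnk(arguments='"http://qtipr.com/"', working_dir=FIREFOX_DIR,
                         id_list=b"\x00\x00")
```

On a real machine, run `scan_shortcuts` over the folders named in the log (the Public Desktop, the Start Menu Programs folder and the Quick Launch User Pinned TaskBar folder). Any flagged shortcut is best deleted and recreated from the installed browser executable rather than edited in place, since a tampered shortcut can also point at a different target than the one its icon suggests.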



#13 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,623 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:02:38 AM

Posted 30 March 2017 - 12:55 PM

SoFiA11:
 
Thank you for your post.  I am really happy that AdwCleaner was able to stop those redirects. :thumbsup:
 
I am going to assist you in getting rid of ComboFix and all of the tools and logs that we used.
 
.
 
 
:step1: Please click on this link and a program will download, called CF_UNINST.EXE. Locate that file, right click it, and select "Run as Administrator". Wait for the tool to finish running, and then reboot your computer, if it does reboot itself.
 
.
 
 
:step2: Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. Please copy and paste the contents of the log into your next reply.

.

Your computer appears clean!

Are you having any computer problems now? If so, please let me know. Otherwise, ENJOY your repaired computer :thumbsup:
 

.
 

:step3: . . . Some Final Advice . . .

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows Vista or later is fine) and leaving it on, and using and keeping up-to-date an antivirus solution such as Bitdefender. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:

  • Avira (shows nag screen to purchase full product when updating, home use only)
  • Bitdefender Free (home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

If you want more information on methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

.

It has been a pleasure assisting you and I hope that you will avoid any further infections in the future. Your most important protection step is to ALWAYS HAVE MORE THAN ONE RECENT BACKUP OF YOUR ENTIRE SYSTEM on an external drive that is only connected to your computer long enough to backup or restore. I do system images weekly. With the free backup software out there (Easeus ToDo Backup Home, Macrium Reflect, etc.), and the very reasonable prices for external USB hard drives, there is no reason to not have a backup.

Please copy and paste the contents of the Delfix log into your reply. If that looks good, then we can conclude your topic.

On behalf of the Bleeping Computer Community, thank you for choosing BC to assist you with your computer issues, stay safe out there in cyberspace, and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#14 SoFiA11

SoFiA11
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 31 March 2017 - 02:21 AM

Hi Phil,

 

thanks for the advice, I'll keep it in mind.

I did everything and I got rid of ComboFix and the logs and all the programs we used.

 

# DelFix v1.013 - Logfile created 31/03/2017 at 10:13:55
# Updated 17/04/2016 by Xplode
# Username : user - USER-PC
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\Combofix
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\TDSSKiller.3.1.0.12_25.03.2017_17.35.56_log.txt
Deleted : C:\Users\user\Desktop\Additional FRST scan.txt
Deleted : C:\Users\user\Desktop\AdwCleaner.exe
Deleted : C:\Users\user\Desktop\AdwCleaner[S4].txt
Deleted : C:\Users\user\Desktop\Defogger.exe
Deleted : C:\Users\user\Desktop\defogger_disable.log
Deleted : C:\Users\user\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Users\user\Desktop\FRST scan.txt
Deleted : C:\Users\user\Desktop\JRT.exe
Deleted : C:\Users\user\Desktop\JRT.txt
Deleted : C:\Users\user\Desktop\SystemLook.exe
Deleted : C:\Users\user\Desktop\SystemLook.txt
Deleted : C:\Users\user\Downloads\Addition.txt
Deleted : C:\Users\user\Downloads\Fixlog.txt
Deleted : C:\Users\user\Downloads\FRST.txt
Deleted : C:\Users\user\Downloads\FRSTEnglish.exe
Deleted : HKLM\SOFTWARE\Swearware

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #127 [Checkpoint by HitmanPro | 03/25/2017 09:58:53]
Deleted : RP #128 [JRT Pre-Junkware Removal | 03/25/2017 17:00:37]
Deleted : RP #129 [Installed XML Notepad 2007 | 03/25/2017 17:06:10]
Deleted : RP #130 [Removed XML Notepad 2007 | 03/25/2017 17:08:19]
Deleted : RP #132 [Restore Point Created by FRST | 03/26/2017 19:24:35]
Deleted : RP #133 [JRT Pre-Junkware Removal | 03/29/2017 16:50:58]

New restore point created !

Thanks for everything! :)



#15 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,623 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:02:38 AM

Posted 31 March 2017 - 07:11 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Member of the Unified Network of Instructors and Trusted Eliminators




