Laptop running Windows 8.1 infected with WinSAPSvc, Kitty.exe, SNARE, and more


  • This topic is locked
15 replies to this topic

#1 radiomusings

  • Members
  • 6 posts

Posted 23 April 2017 - 05:18 AM

The laptop that I'm using now is a hand-me-down from my mother because we can't afford to buy a new one yet. Unfortunately, my mother isn't really that tech-savvy, so I think she got fooled by those rubbish installers that actually install malicious stuff along with the software you want. As a result, this laptop right now is infected with lots of adware. I've been tracking the suspicious services/programs that pop up for about a month now, trying to do what I could (clean up with Malwarebytes, Windows Defender, HitmanPro, and stuff), but the problems just keep coming back, so I think it's time I asked for help. Here are some of the suspicious things I found in the Task Manager, the Programs list in the Control Panel, the C:\Program Files (x86) folder, and the C:\Windows\Temp folder:

  • WinSAPSvc
  • SNARE
  • Kitty.exe
  • Jzachsuiry
  • MIO.exe
  • AlphaGo
  • jumpeasy
  • AntannaDB, AlltieDB, DohatDB
  • two programs with Chinese characters I didn't get (I don't even speak Chinese, so there's no reason for them to be on the laptop)
  • a program that pretends to be Firefox (weird because I uninstalled Firefox as soon as I got the laptop)

I've been noticing a lot of weird behavior on the laptop, which I think has been caused by the things I listed above. Here are some of the weird things that have been happening:

  • Chrome crashes all the time for no reason
  • Sometimes a pop-up saying that it has crashed and has to be relaunched appears; the problem is, the pop-up doesn't have the Chrome icon (it has the icon of one of the Chinese programs I talked about earlier), and if I relaunch 'Chrome', it redirects to a new home page, with a new search engine (ourluckysites, trotux, etc.)
  • Shortcuts for Chrome and Firefox appear on my Desktop and taskbar, which is suspicious because I never put a lot of icons on my Desktop or taskbar because it looks cluttered
  • Clicking those 'shortcuts' leads to those adware home pages
  • Suspicious programs, processes, and services like the ones I listed above keep reinstalling themselves, even if I try removing them through antiviruses, or even if I uninstall them through the Programs list in the Control Panel
  • Somehow, where Chrome 'writes' its data is manipulated, so sometimes I get a notification saying, "Chrome cannot write to [something]" and when I check that folder, it has been changed to Read-only; additionally, the malware changes parts of my Chrome profile (the search engine and home page)
  • When I view the properties of the WinSAPSvc, SNARE, and Kitty processes, the location from which they originate is apparently the system32 or SysWOW64 folder
  • Malwarebytes will run, but it never gets past the first or second stage; it stops after 30 seconds

The bottom line is, I'm stumped and I do not know how to even begin cleaning up this mess. I hope you guys will be able to help me, because I'm really at my wit's end. :( 


Here are the logs from FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-04-2017
Ran by Sophia (administrator) on DONATCHORVANESS (23-04-2017 17:35:56)
Running from C:\Users\Sophia\Desktop\Cleanup
Loaded Profiles: Sophia (Available Profiles: Donnatzchovaness & Sophia & Administrator)
Platform: Windows 8.1 Single Language (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Baidu, Inc.) C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavSvc.exe
(Baidu, Inc.) C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BHipsSvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
(Dritek System INC.) C:\Windows\RfBtnSvc64.exe
(Atheros) C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Baidu, Inc.) C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\bavhm.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files (x86)\Launchy\Launchy.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Rainmeter) C:\Program Files\Rainmeter\Rainmeter.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
() C:\Program Files\Sublime Text 3\sublime_text.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
() C:\Program Files\Sublime Text 3\plugin_host.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1212048 2012-06-07] (Realtek Semiconductor)
HKLM\...\Run: [BtPreLoad] => C:\Program Files (x86)\Bluetooth Suite\BtPreLoad.exe [64640 2012-08-11] ()
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2912056 2012-08-10] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2786768 2016-11-29] (Malwarebytes)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [164152 2016-07-26] (Apple Inc.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [28344776 2017-04-17] (Dropbox, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-2125098403-3852564767-392213445-1004\...\Run: [Wox] => C:\Users\Sophia\AppData\Local\Wox\app-1.3.357\Wox.exe
HKU\S-1-5-21-2125098403-3852564767-392213445-1004\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23819304 2017-03-21] (Google)
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-03-21] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-03-21] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-03-21] (Google)
ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} => C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavShx64.dll [2017-04-11] (Baidu, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer Backup Manager Tray.lnk [2012-09-07]
ShortcutTarget: Acer Backup Manager Tray.lnk -> C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (NTI Corporation)
Startup: C:\Users\Sophia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launchy.lnk [2017-03-04]
ShortcutTarget: Launchy.lnk -> C:\Program Files (x86)\Launchy\Launchy.exe ()
Startup: C:\Users\Sophia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2017-02-26]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (Rainmeter)
Startup: C:\Users\Sophia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-03-03]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk /k:G * 
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B3160963-5D3A-4656-8EB1-5501F7363CC4}: [NameServer] 10.0.0.108
Tcpip\..\Interfaces\{DD6EC5E2-0AAE-474B-BAF8-F06D41249982}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5000BPVT-22A1YT0_WD-WXA1C12P3335P3335&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5000BPVT-22A1YT0_WD-WXA1C12P3335P3335&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5000BPVT-22A1YT0_WD-WXA1C12P3335P3335&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5000BPVT-22A1YT0_WD-WXA1C12P3335P3335&q={searchTerms}
HKU\S-1-5-21-2125098403-3852564767-392213445-1004\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\S-1-5-21-2125098403-3852564767-392213445-1004 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2017-03-06] (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-08-11] (Qualcomm Atheros Commnucations)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-03-06] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2017-03-06] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-04-09] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL [2017-03-06] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-04-09] (Oracle Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
StartMenuInternet: IEXPLORE.EXE - c:\program files\internet explorer\iexplore.exe hxxp://www.ourluckysites.com/?type=sc&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5000BPVT-22A1YT0_WD-WXA1C12P3335P3335

FireFox:
========
FF DefaultProfile: 6mi0f0v9.default
FF ProfilePath: C:\Users\Sophia\AppData\Roaming\Firefox\Firefox\Profiles\6mi0f0v9.default [2017-04-20]
FF Extension: (FF Adr) - C:\Users\Sophia\AppData\Roaming\Firefox\Firefox\Profiles\6mi0f0v9.default\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2017-04-20] [not signed]
FF SearchPlugin: C:\Users\Sophia\AppData\Roaming\Firefox\Firefox\Profiles\6mi0f0v9.default\searchplugins\startsearch.xml [2017-04-20]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
FF HKU\S-1-5-21-2125098403-3852564767-392213445-1004\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2016-11-16]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_148.dll [2017-04-12] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-03-06] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_148.dll [2017-04-12] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2014-01-07] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-04-09] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-04-09] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-03-06] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2017-03-06] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npBitCometAgent.dll [2012-01-12] (BitComet)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)

Chrome: 
=======
CHR DefaultProfile: Profile 1
CHR StartupUrls: Profile 1 -> "hxxp://global.gmarket.co.kr/home/main"
CHR Profile: C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default [2017-04-22]
CHR Extension: (Google Docs) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-03]
CHR Extension: (Google Drive) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-03]
CHR Extension: (YouTube) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-03]
CHR Extension: (uBlock Origin) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-04-18]
CHR Extension: (Hide Multireddit Bar) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcoojfjhnagenhdglfkkoiogffmikndm [2017-04-03]
CHR Extension: (Tampermonkey) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2017-04-03]
CHR Extension: (Google Docs Offline) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-02]
CHR Extension: (New XKit) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\inobiceghmpkaklcknpniboilbjmlald [2017-04-03]
CHR Extension: (Dropbox) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\ioekoebejdcmnlefjiknokhhafglcjdl [2017-04-03]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2017-04-03]
CHR Extension: (Skype) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2017-04-02]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2017-04-04]
CHR Extension: (Save to Pocket) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\niloccemoadcdkdjlinkgdfekeahmflj [2017-04-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-02]
CHR Extension: (Gmail) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-03]
CHR Extension: (Chrome Media Router) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-02]
CHR Profile: C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-04-23]
CHR Extension: (Google Slides) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-04]
CHR Extension: (Google Docs) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-04]
CHR Extension: (Google Drive) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-04]
CHR Extension: (YouTube) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-04]
CHR Extension: (Google Sheets) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-04]
CHR Extension: (Google Docs Offline) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-05]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2017-04-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-04]
CHR Extension: (Gmail) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-04]
CHR Extension: (Chrome Media Router) - C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-04]
CHR Profile: C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\System Profile [2017-04-04]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2016-12-15]
CHR HKU\S-1-5-21-2125098403-3852564767-392213445-1004\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
HKU\S-1-5-21-2125098403-3852564767-392213445-1004\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Dohat\Application\chrome.exe <==== ATTENTION

Opera: 
=======
OPR Extension: (Reddit Enhancement Suite) - C:\Users\Sophia\AppData\Roaming\Opera Software\Opera Stable\Extensions\gfdcmdcpehpkengmkhkbpifajmbhfgae [2017-04-22]
OPR Extension: (Pocket (formerly Read It Later)) - C:\Users\Sophia\AppData\Roaming\Opera Software\Opera Stable\Extensions\hedlhkdmdlcjhiblbmfggdiaeekblnoi [2017-04-23]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [211584 2012-08-11] (Qualcomm Atheros Commnucations) [File not signed]
R2 BavSvc; C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavSvc.exe [2791312 2017-04-11] (Baidu, Inc.)
S3 BdSandboxSrv; C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BdSandboxSrv64.exe [490528 2015-03-05] (Baidu, Inc.)
R2 BHipsSvc; C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BHipsSvc.exe [531232 2017-04-11] (Baidu, Inc.)
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe [2435728 2012-08-24] (Acer Incorporated)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3737792 2017-03-26] (Microsoft Corporation)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-03-25] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-03-25] (Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [48944 2017-04-17] (Dropbox, Inc.)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [468624 2012-08-23] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [658576 2012-08-23] (Acer Incorporated)
R2 GameExplorerUpdate; C:\ProgramData\Microsoft\Windows\GameExplorer\Resources.dll [113664 2017-04-19] () [File not signed]
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2017-04-12] (SurfRight B.V.)
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [319376 2014-10-02] (Intel Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-18] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [259136 2012-08-23] (NTI Corporation)
R2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [93296 2012-09-23] (Dritek System INC.)
S4 SNARE; C:\Users\Sophia\AppData\Local\SNARE\Snarer.dll [0 ] (InterSect Alliance Pty Ltd) <==== ATTENTION (zero byte File/Folder) <==== ATTENTION
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [81536 2012-08-01] (Atheros) [File not signed]
S4 AlltieSU; "C:\Users\Sophia\AppData\Local\Temp\1\bbu.exe" /i [X] <==== ATTENTION
S4 AntannaSU; "C:\WINDOWS\TEMP\hp7657.tmp\ttff.exe" /i [X]
S2 FirefoxU; "C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe" [X] <==== ATTENTION
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BdApiUtil; C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BdApiUtil64.sys [116968 2017-04-11] (Baidu, Inc.)
R3 bdark64; C:\WINDOWS\system32\drivers\bdark64.sys [78792 2015-05-28] ()
R3 BdCameraProtect; C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BdCameraProtect64.sys [25032 2017-04-11] (Baidu, Inc.)
S3 BdSandbox; C:\WINDOWS\System32\drivers\BdSandbox.sys [236920 2015-03-05] (Baidu, Inc.)
R1 Bfilter; C:\WINDOWS\System32\drivers\Bfilter.sys [61896 2017-04-11] (Baidu, Inc.)
R1 Bfmon; C:\WINDOWS\System32\drivers\Bfmon.sys [38344 2017-04-11] (Baidu, Inc.)
R0 Bhbase; C:\WINDOWS\System32\drivers\Bhbase.sys [83144 2017-04-11] (Baidu, Inc.)
R1 Bnbase; C:\WINDOWS\System32\drivers\bnbasex64.sys [62792 2017-04-11] (Baidu, Inc.)
R1 Bndef; C:\WINDOWS\System32\drivers\bndef64.sys [485672 2017-04-11] (Baidu, Inc.)
R3 Bnmon; C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.148966.0\Bnmon64.sys [82376 2017-04-11] (Baidu, Inc.)
R1 Bprotect; C:\WINDOWS\System32\drivers\Bprotect.sys [262088 2017-04-11] (Baidu, Inc.)
S3 BTATH_LWFLT; C:\WINDOWS\system32\DRIVERS\btath_lwflt.sys [76952 2012-08-11] (Qualcomm Atheros)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [250816 2017-04-22] (Malwarebytes)
R3 Ps2Kb2Hid; C:\WINDOWS\System32\drivers\aPs2Kb2Hid.sys [26736 2012-09-23] (Dritek System Inc.)
S3 QRDCIO; C:\WINDOWS\System32\drivers\QRDCIO.sys [9728 2009-10-20] (QUANTA)
S3 RimUsb; C:\WINDOWS\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
S3 RimVSerPort; C:\WINDOWS\system32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-08-10] (Synaptics Incorporated)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 Baidu PC Faster FileShredder; \??\C:\Program Files (x86)\PC Faster\5.1.0.0\FileKill_x64.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 huawei_enumerator; \SystemRoot\System32\drivers\ew_jubusenum.sys [X]
S1 sfoqbfzp; \??\C:\WINDOWS\system32\drivers\sfoqbfzp.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-23 09:53 - 2017-04-23 09:53 - 00126180 _____ C:\Users\Sophia\Downloads\application_form.zip
2017-04-22 09:12 - 2017-04-22 09:12 - 00370071 _____ C:\Users\Sophia\Downloads\combinepdf.pdf
2017-04-22 07:00 - 2017-04-22 07:00 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\WinSAPSvc
2017-04-22 07:00 - 2017-04-22 07:00 - 00000000 ____D C:\Program Files (x86)\AlphaGo
2017-04-22 07:00 - 2017-04-22 07:00 - 00000000 ____D C:\Program Files (x86)\58FA8F0D_jumpeasy
2017-04-22 07:00 - 2017-04-22 07:00 - 00000000 _____ C:\WINDOWS\SysWOW64\22
2017-04-22 07:00 - 2017-04-22 07:00 - 00000000 _____ C:\WINDOWS\SysWOW64\11
2017-04-22 05:47 - 2017-04-22 05:47 - 01201768 _____ (Adobe Systems Incorporated) C:\Users\Sophia\Downloads\flashplayer25pp_fa_install.exe
2017-04-21 04:16 - 2017-04-21 04:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-04-20 23:39 - 2017-04-20 23:39 - 00000007 _____ C:\WINDOWS\SysWOW64\FB5F.tmp
2017-04-20 23:39 - 2017-04-20 23:39 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\Firefox
2017-04-20 23:39 - 2017-04-20 23:39 - 00000000 ____D C:\Users\Sophia\AppData\Local\Firefox
2017-04-20 05:01 - 2017-04-20 23:39 - 00002170 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-20 05:01 - 2017-04-20 05:01 - 00000007 _____ C:\WINDOWS\SysWOW64\8FA2.tmp
2017-04-20 05:01 - 2017-04-20 05:01 - 00000000 ____D C:\Users\Sophia\AppData\Local\Dohat
2017-04-18 17:30 - 2017-04-18 17:30 - 00000000 ____D C:\WINDOWS\Update
2017-04-16 21:06 - 2017-04-16 21:06 - 00390456 _____ C:\Users\Sophia\Downloads\Thermo Spectronic - The basic principles of UV-VIS spectroscopy.pdf
2017-04-16 13:22 - 2017-04-16 13:22 - 01356843 _____ C:\Users\Sophia\Downloads\Group 2- The Alkaline Earth Metals (2).pdf
2017-04-16 07:49 - 2017-04-16 07:49 - 00103208 _____ C:\Users\Sophia\Downloads\2017-Undergraduate-International-AdmissionsEng-1.pdf
2017-04-15 21:12 - 2017-04-15 21:12 - 00045290 _____ C:\Users\Sophia\Downloads\000246589.xlsx
2017-04-14 15:14 - 2015-03-05 13:12 - 00421784 _____ (Baidu, Inc.) C:\WINDOWS\system32\BdSandboxDll64.dll
2017-04-14 15:14 - 2015-03-05 13:12 - 00332320 _____ (Baidu, Inc.) C:\WINDOWS\SysWOW64\BdSandboxDll32.dll
2017-04-14 15:14 - 2015-03-05 13:12 - 00236920 _____ (Baidu, Inc.) C:\WINDOWS\system32\Drivers\BdSandbox.sys
2017-04-14 15:04 - 2017-04-14 15:04 - 00000000 ____D C:\Users\Sophia\AppData\Local\Alltie
2017-04-14 14:50 - 2017-04-14 14:50 - 00000007 _____ C:\WINDOWS\SysWOW64\F555.tmp
2017-04-14 14:49 - 2017-04-14 14:49 - 00000000 ____D C:\ProgramData\Software
2017-04-14 07:22 - 2017-04-17 23:14 - 00048944 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2017-04-13 18:53 - 2017-04-13 18:53 - 00019380 _____ C:\Users\Sophia\Downloads\Philipines_thekoreph@gmail.com_1st order (1).xlsx
2017-04-13 17:20 - 2017-04-13 17:20 - 00019380 _____ C:\Users\Sophia\Downloads\Philipines_thekoreph@gmail.com_1st order.xlsx
2017-04-13 16:06 - 2017-04-13 16:06 - 00001456 _____ C:\Users\Sophia\AppData\Local\Adobe Save for Web 13.0 Prefs
2017-04-13 15:32 - 2017-04-20 23:18 - 00000000 ____D C:\Users\Sophia\AppData\Local\SNARE
2017-04-13 13:24 - 2017-04-13 13:24 - 00059128 _____ C:\Users\Sophia\Downloads\2.htm
2017-04-13 09:58 - 2017-04-13 09:58 - 00003840 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1492048681
2017-04-13 09:58 - 2017-04-13 09:58 - 00001109 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2017-04-13 09:58 - 2017-04-13 09:58 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\Opera Software
2017-04-13 09:58 - 2017-04-13 09:58 - 00000000 ____D C:\Users\Sophia\AppData\Local\Opera Software
2017-04-13 09:54 - 2017-04-13 09:59 - 00000000 ____D C:\Program Files\Opera
2017-04-13 09:53 - 2017-04-13 09:53 - 01186072 _____ (Opera Software) C:\Users\Sophia\Downloads\OperaSetup.exe
2017-04-12 07:42 - 2017-04-22 05:41 - 00000376 _____ C:\WINDOWS\system32\.crusader
2017-04-12 07:29 - 2017-04-12 07:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2017-04-12 07:29 - 2017-04-12 07:29 - 00000000 ____D C:\Program Files\HitmanPro
2017-04-12 07:28 - 2017-04-12 07:42 - 00000000 ____D C:\ProgramData\HitmanPro
2017-04-12 07:27 - 2017-04-12 07:28 - 11583584 _____ (SurfRight B.V.) C:\Users\Sophia\Downloads\hitmanpro_x64.exe
2017-04-12 01:02 - 2017-04-22 10:24 - 00250816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-04-12 01:01 - 2017-04-12 01:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-04-12 01:01 - 2016-11-29 06:27 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-04-11 23:44 - 2017-04-22 07:00 - 00003602 _____ C:\WINDOWS\System32\Tasks\Milimili
2017-04-11 23:44 - 2017-04-20 23:19 - 00003520 _____ C:\WINDOWS\System32\Tasks\Windows-PG
2017-04-11 17:35 - 2017-04-11 17:35 - 00000000 ____D C:\ProgramData\BavSvc_exe
2017-04-11 17:28 - 2017-04-11 17:28 - 00485672 _____ (Baidu, Inc.) C:\WINDOWS\system32\Drivers\bndef64.sys
2017-04-11 17:28 - 2017-04-11 17:28 - 00262088 _____ (Baidu, Inc.) C:\WINDOWS\system32\Drivers\Bprotect.sys
2017-04-11 17:28 - 2017-04-11 17:28 - 00083144 _____ (Baidu, Inc.) C:\WINDOWS\system32\Drivers\Bhbase.sys
2017-04-11 17:28 - 2017-04-11 17:28 - 00075248 _____ (Baidu, Inc.) C:\WINDOWS\system32\bdhookx64.dll
2017-04-11 17:28 - 2017-04-11 17:28 - 00062792 _____ (Baidu, Inc.) C:\WINDOWS\system32\Drivers\bnbasex64.sys
2017-04-11 17:28 - 2017-04-11 17:28 - 00061896 _____ (Baidu, Inc.) C:\WINDOWS\system32\Drivers\Bfilter.sys
2017-04-11 17:28 - 2017-04-11 17:28 - 00038344 _____ (Baidu, Inc.) C:\WINDOWS\system32\Drivers\Bfmon.sys
2017-04-11 17:28 - 2017-04-11 17:28 - 00032752 _____ (Baidu, Inc.) C:\WINDOWS\SysWOW64\bdhookx86.dll
2017-04-11 17:28 - 2017-04-11 17:28 - 00003544 _____ C:\WINDOWS\System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633
2017-04-11 17:28 - 2017-04-11 17:28 - 00003456 _____ C:\WINDOWS\System32\Tasks\Baidu Antivirus Update
2017-04-11 17:28 - 2017-04-11 17:28 - 00000000 ____D C:\Users\Sophia\AppData\LocalLow\BAVData
2017-04-11 17:28 - 2017-04-11 17:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Baidu Antivirus
2017-04-11 17:28 - 2015-05-28 19:45 - 00078792 _____ C:\WINDOWS\system32\Drivers\bdark64.sys
2017-04-11 17:22 - 2017-04-11 21:36 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\BavMini
2017-04-11 17:21 - 2017-04-11 17:21 - 02028168 _____ (Baidu, Inc.) C:\Users\Sophia\Downloads\BavPro_Setup_Mini_GL.exe
2017-04-11 17:00 - 2017-04-11 17:00 - 00000000 ____D C:\ProgramData\common
2017-04-11 16:57 - 2017-04-22 10:26 - 00000000 _____ C:\Users\Public\Documents\temp.dat
2017-04-11 16:57 - 2017-04-22 07:00 - 00000000 _____ C:\Users\Public\Documents\report.dat
2017-04-11 13:19 - 2017-04-23 17:35 - 00000000 ____D C:\FRST
2017-04-11 13:03 - 2017-04-23 17:35 - 00000000 ____D C:\Users\Sophia\Desktop\Cleanup
2017-04-11 13:03 - 2017-04-14 15:08 - 00000000 ____D C:\AdwCleaner
2017-04-11 13:02 - 2017-04-11 13:04 - 35207600 _____ (Adlice Software ) C:\Users\Sophia\Downloads\setup.exe
2017-04-11 12:58 - 2017-04-11 12:59 - 02424832 _____ (Farbar) C:\Users\Sophia\Downloads\FRST64.exe
2017-04-11 12:58 - 2017-04-11 12:58 - 04089296 _____ C:\Users\Sophia\Downloads\adwcleaner_6.045.exe
2017-04-11 12:58 - 2017-04-11 12:58 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Sophia\Downloads\rkill_2.8.4.0.exe
2017-04-11 12:55 - 2017-04-11 12:55 - 00000022 _____ C:\Users\Sophia\Downloads\ESETPoweliksCleaner.exe_20170411.125522.5892.zip
2017-04-11 12:52 - 2017-04-11 12:52 - 00549504 _____ (ESET) C:\Users\Sophia\Downloads\ESETPoweliksCleaner.exe
2017-04-10 22:15 - 2017-04-10 22:15 - 00000218 _____ C:\Users\Sophia\AppData\Local\recently-used.xbel
2017-04-09 08:39 - 2017-04-09 08:43 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\MultiDoge
2017-04-09 08:37 - 2017-04-09 08:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MultiDoge
2017-04-09 08:37 - 2017-04-09 08:37 - 00000000 ____D C:\Program Files (x86)\MultiDoge-0.1.7
2017-04-09 08:28 - 2017-04-09 08:28 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\Sun
2017-04-09 08:28 - 2017-04-09 08:28 - 00000000 ____D C:\Users\Sophia\AppData\LocalLow\Sun
2017-04-09 08:27 - 2017-04-09 08:27 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-04-09 08:27 - 2017-04-09 08:27 - 00000000 ____D C:\ProgramData\Oracle
2017-04-09 08:27 - 2017-04-09 08:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-04-09 08:27 - 2017-04-09 08:27 - 00000000 ____D C:\Program Files (x86)\Java
2017-04-09 07:51 - 2017-04-09 07:51 - 00738880 _____ (Oracle Corporation) C:\Users\Sophia\Downloads\chromeinstall-8u121.exe
2017-04-09 07:16 - 2017-04-09 07:22 - 10129920 _____ C:\Users\Sophia\Downloads\multidoge-0.1.7-windows-setup.exe
2017-04-09 06:39 - 2017-04-09 06:40 - 00000000 ____D C:\WINDOWS\LastGood
2017-04-07 18:22 - 2017-04-07 19:32 - 00000000 ____D C:\Program Files (x86)\MIO
2017-04-06 21:13 - 2017-04-06 21:13 - 00116080 _____ (Pangolin Laser Systems Inc.) C:\Users\Sophia\Downloads\PangoBright.exe
2017-04-06 04:12 - 2017-04-06 04:13 - 03693233 _____ C:\Users\Sophia\Downloads\Period 3 Elements PROPERTIES FINAL.pdf
2017-04-06 04:12 - 2017-04-06 04:13 - 01356843 _____ C:\Users\Sophia\Downloads\Group 2- The Alkaline Earth Metals (1).pdf
2017-04-06 04:12 - 2017-04-06 04:12 - 01072283 _____ C:\Users\Sophia\Downloads\Group-3-Abu-Adlawon-Camense-Grecia-Mata-Chemistry-Report-Outline.pdf
2017-04-06 04:12 - 2017-04-06 04:12 - 00797790 _____ C:\Users\Sophia\Downloads\Chem-Handout.pdf
2017-04-06 04:12 - 2017-04-06 04:12 - 00771584 _____ C:\Users\Sophia\Downloads\Group 2-compiled.ppt
2017-04-05 04:49 - 2017-04-05 04:49 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2017-04-04 19:57 - 2017-04-04 19:57 - 00001058 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-04-04 19:40 - 2017-04-23 17:28 - 00000000 ___RD C:\Users\Sophia\Google Drive
2017-04-04 19:37 - 2017-04-04 19:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2017-04-04 19:30 - 2017-04-04 19:31 - 01129376 _____ (Google Inc.) C:\Users\Sophia\Downloads\googledrivesync.exe
2017-04-04 06:11 - 2017-04-04 06:11 - 01356843 _____ C:\Users\Sophia\Downloads\Group 2- The Alkaline Earth Metals.pdf
2017-04-02 20:09 - 2017-04-02 20:09 - 00000000 ____D C:\Program Files\Malwarebytes
2017-04-02 07:29 - 2017-04-02 07:29 - 00056034 _____ C:\Users\Sophia\Downloads\Search.htm
2017-04-01 19:45 - 2017-04-01 19:46 - 00933647 _____ C:\Users\Sophia\Downloads\General-format.psd
2017-04-01 19:43 - 2017-04-01 19:44 - 00702555 _____ C:\Users\Sophia\Downloads\General-format_2.psd
2017-04-01 01:48 - 2017-04-01 01:48 - 01457640 _____ C:\Users\Sophia\Downloads\roboto.zip
2017-03-31 23:34 - 2017-03-31 23:34 - 00716374 _____ C:\Users\Sophia\Downloads\GifCam.zip
2017-03-31 21:27 - 2017-04-13 22:41 - 00003330 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-03-31 21:27 - 2017-04-13 22:41 - 00003202 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-03-31 20:44 - 2017-03-31 20:44 - 00000007 _____ C:\WINDOWS\SysWOW64\6DB.tmp
2017-03-31 05:56 - 2017-03-31 05:56 - 00000000 ____D C:\Update
2017-03-30 10:04 - 2017-03-30 10:04 - 01347914 _____ C:\Users\Sophia\Downloads\Real Estate Solutions.pdf
2017-03-30 03:59 - 2017-03-30 03:59 - 01634816 _____ C:\Users\Sophia\Downloads\GROUP_II.ppt
2017-03-29 21:28 - 2017-03-29 21:29 - 01015905 _____ C:\Users\Sophia\Downloads\arimo.zip
2017-03-26 03:42 - 2017-04-23 17:30 - 00000000 ___RD C:\Users\Sophia\Dropbox
2017-03-25 21:09 - 2017-03-25 21:09 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\Dropbox
2017-03-25 21:03 - 2017-04-23 17:27 - 00000936 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2017-03-25 21:03 - 2017-04-23 10:08 - 00000940 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2017-03-25 21:03 - 2017-04-21 04:16 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-03-25 21:03 - 2017-03-27 05:42 - 00000000 ____D C:\Users\Sophia\AppData\Local\Dropbox
2017-03-25 21:03 - 2017-03-25 21:03 - 00003912 _____ C:\WINDOWS\System32\Tasks\DropboxUpdateTaskMachineUA
2017-03-25 21:03 - 2017-03-25 21:03 - 00003676 _____ C:\WINDOWS\System32\Tasks\DropboxUpdateTaskMachineCore
2017-03-25 21:03 - 2017-03-25 21:03 - 00000000 ____D C:\ProgramData\Dropbox
2017-03-25 21:02 - 2017-03-25 21:02 - 00690080 _____ (Dropbox, Inc.) C:\Users\Sophia\Downloads\DropboxInstaller.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-23 17:32 - 2017-02-27 21:11 - 00003958 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{41EA6F3E-CFBF-4CC7-A256-B66F3A9C0FD8}
2017-04-23 17:30 - 2017-02-23 20:57 - 00000000 ___RD C:\Users\Sophia\OneDrive
2017-04-23 17:30 - 2017-02-23 20:30 - 00000000 ____D C:\Users\Sophia
2017-04-23 10:36 - 2017-02-27 00:49 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\foobar2000
2017-04-23 10:12 - 2017-02-23 20:49 - 00000000 ____D C:\Users\Sophia\AppData\Local\Packages
2017-04-23 07:38 - 2017-02-23 21:52 - 00000000 ____D C:\Users\Sophia\AppData\Local\Adobe
2017-04-22 12:37 - 2017-02-23 20:56 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2125098403-3852564767-392213445-1004
2017-04-22 10:23 - 2013-08-22 22:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-21 03:56 - 2017-03-19 17:00 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\Mp3tag
2017-04-21 03:51 - 2013-08-22 21:36 - 00000000 ____D C:\WINDOWS\Inf
2017-04-20 23:40 - 2017-02-27 20:36 - 00000000 ____D C:\Users\Sophia\AppData\LocalLow\Mozilla
2017-04-20 23:39 - 2017-02-27 20:36 - 00001904 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-04-20 23:32 - 2015-05-23 07:54 - 00005388 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-04-20 23:24 - 2013-08-22 21:25 - 01048576 ___SH C:\WINDOWS\system32\config\BBI
2017-04-20 05:13 - 2017-03-17 11:07 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\iFunbox_UserCache
2017-04-17 05:56 - 2012-07-26 15:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-04-15 18:03 - 2013-01-07 07:16 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2017-04-15 18:03 - 2013-01-07 07:16 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2017-04-15 13:08 - 2013-08-07 08:39 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-04-15 13:04 - 2015-10-15 14:05 - 148601744 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-04-15 13:03 - 2013-01-07 07:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-04-15 11:50 - 2017-02-27 00:13 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\Launchy
2017-04-14 08:45 - 2017-02-26 18:50 - 00003188 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-04-14 08:45 - 2017-02-26 18:50 - 00002305 _____ C:\Users\Sophia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2017-04-14 08:45 - 2017-02-25 07:03 - 00003196 _____ C:\WINDOWS\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-2125098403-3852564767-392213445-1004
2017-04-12 07:24 - 2013-08-22 23:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-04-12 07:24 - 2013-08-22 23:36 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-04-12 07:24 - 2013-01-07 05:11 - 00004288 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-04-12 01:01 - 2017-02-27 21:01 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-04-11 21:53 - 2017-03-01 21:11 - 00000000 _____ C:\WINDOWS\SysWOW64\1
2017-04-11 17:28 - 2013-12-15 04:18 - 00000000 ____D C:\Program Files (x86)\Baidu Security
2017-04-11 16:58 - 2017-02-27 21:33 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\Smadav
2017-04-11 13:12 - 2017-02-27 20:32 - 00000000 ____D C:\WINDOWS\system32\log
2017-04-11 12:41 - 2017-02-23 20:49 - 00001627 _____ C:\Users\Sophia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-04-10 10:11 - 2017-02-28 04:17 - 00000000 ____D C:\Users\Sophia\Downloads\Torrents
2017-04-09 15:28 - 2013-08-22 23:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-09 15:28 - 2013-08-22 23:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-04-09 10:20 - 2014-11-13 16:47 - 00000451 _____ C:\WINDOWS\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2017-04-09 07:21 - 2017-02-23 23:00 - 00000000 ____D C:\Users\Sophia\AppData\Roaming\deluge
2017-04-05 04:50 - 2013-08-22 23:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-04-05 04:49 - 2013-08-22 23:36 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-04-05 04:47 - 2017-02-25 06:52 - 00000000 ____D C:\Program Files\Microsoft Office
2017-04-04 19:57 - 2014-11-12 18:40 - 00001058 _____ C:\Users\Donnatzchovaness\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-04-04 19:37 - 2017-02-23 20:49 - 00000000 ____D C:\Users\Sophia\AppData\Local\Google
2017-04-04 19:37 - 2013-01-06 19:55 - 00000000 ____D C:\Program Files (x86)\Google
2017-04-03 05:04 - 2013-08-22 22:44 - 00626712 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-04-03 04:59 - 2017-02-27 21:01 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2017-04-01 19:25 - 2017-03-01 21:36 - 00000000 _____ C:\WINDOWS\SysWOW64\4
2017-04-01 19:25 - 2017-03-01 21:36 - 00000000 _____ C:\WINDOWS\SysWOW64\3
2017-03-31 21:03 - 2012-09-23 09:05 - 00000000 ___HD C:\Program Files (x86)\Temp
2017-03-31 20:44 - 2017-02-23 21:57 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-24 06:06 - 2014-11-12 17:58 - 00000000 ____D C:\Users\Donnatzchovaness

==================== Files in the root of some directories =======

2015-12-06 21:19 - 2015-12-06 21:19 - 6420480 _____ () C:\Program Files (x86)\GUTF761.tmp
2017-02-27 21:07 - 2017-03-02 00:23 - 0003674 _____ () C:\Program Files (x86)\metadata
2017-04-13 16:06 - 2017-04-13 16:06 - 0001456 _____ () C:\Users\Sophia\AppData\Local\Adobe Save for Web 13.0 Prefs
2017-04-10 22:15 - 2017-04-10 22:15 - 0000218 _____ () C:\Users\Sophia\AppData\Local\recently-used.xbel
2012-09-23 09:06 - 2012-09-23 09:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2017-03-02 00:13 - 2017-02-27 00:57 - 0389765 _____ () C:\Users\Sophia\AppData\Local\Temp\IDM Patch Uninstaller.exe
2017-03-02 21:06 - 2017-02-23 20:42 - 0389738 _____ () C:\Users\Sophia\AppData\Local\Temp\Patch Uninstaller.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-04-22 12:37

==================== End of FRST.txt ============================



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:06 PM

Posted 23 April 2017 - 02:02 PM

Welcome. :)

Download the attached file [attachment=193434:Fixlist.txt] and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

[screenshot: AdwCleaner console]


  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found, and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.

[screenshot: AdwCleaner reboot prompt]


  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 radiomusings

radiomusings
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:06 AM

Posted 24 April 2017 - 07:57 AM

Contents of fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version: 23-04-2017 01
Ran by Sophia (24-04-2017 07:06:30) Run:1
Running from C:\Users\Sophia\Desktop\Cleanup
Loaded Profiles: Sophia (Available Profiles: Donnatzchovaness & Sophia & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION 
HKU\S-1-5-21-2125098403-3852564767-392213445-1004\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Dohat\Application\chrome.exe <==== ATTENTION 
S4 SNARE; C:\Users\Sophia\AppData\Local\SNARE\Snarer.dll [0 ] (InterSect Alliance Pty Ltd) <==== ATTENTION (zero byte File/Folder) <==== ATTENTION 
S4 AlltieSU; "C:\Users\Sophia\AppData\Local\Temp\1\bbu.exe" /i [X] <==== ATTENTION 
S2 FirefoxU; "C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe" [X] <==== ATTENTION 
S4 AlltieSU; "C:\Users\Sophia\AppData\Local\Temp\1\bbu.exe" /i [X] <==== ATTENTION 
2017-03-31 21:03 - 2012-09-23 09:05 - 00000000 ___HD C:\Program Files (x86)\Temp 
2017-03-02 00:13 - 2017-02-27 00:57 - 0389765 _____ () C:\Users\Sophia\AppData\Local\Temp\IDM Patch Uninstaller.exe 
2017-03-02 21:06 - 2017-02-23 20:42 - 0389738 _____ () C:\Users\Sophia\AppData\Local\Temp\Patch Uninstaller.exe 
S4 AntannaSU; "C:\WINDOWS\TEMP\hp7657.tmp\ttff.exe" /i [X] 
C:\WINDOWS\TEMP\hp7657.tmp
2017-04-20 23:39 - 2017-04-20 23:39 - 00000007 _____ C:\WINDOWS\SysWOW64\FB5F.tmp 
2017-04-20 05:01 - 2017-04-20 05:01 - 00000007 _____ C:\WINDOWS\SysWOW64\8FA2.tmp 
2017-04-14 14:50 - 2017-04-14 14:50 - 00000007 _____ C:\WINDOWS\SysWOW64\F555.tmp 
2017-03-31 20:44 - 2017-03-31 20:44 - 00000007 _____ C:\WINDOWS\SysWOW64\6DB.tmp 
2015-12-06 21:19 - 2015-12-06 21:19 - 6420480 _____ () C:\Program Files (x86)\GUTF761.tmp 
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON 
CMD: ipconfig /flushdns 
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP: 
Reboot:

*****************

HKLM\SOFTWARE\Policies\Google => key removed successfully
HKU\S-1-5-21-2125098403-3852564767-392213445-1004\SOFTWARE\Clients\StartMenuInternet\ChromeHTML => key removed successfully
HKLM\System\CurrentControlSet\Services\SNARE => key removed successfully
SNARE => service removed successfully
HKLM\System\CurrentControlSet\Services\AlltieSU => key removed successfully
AlltieSU => service removed successfully
HKLM\System\CurrentControlSet\Services\FirefoxU => key removed successfully
FirefoxU => service removed successfully
AlltieSU => service not found.
C:\Program Files (x86)\Temp => moved successfully
C:\Users\Sophia\AppData\Local\Temp\IDM Patch Uninstaller.exe => moved successfully
C:\Users\Sophia\AppData\Local\Temp\Patch Uninstaller.exe => moved successfully
HKLM\System\CurrentControlSet\Services\AntannaSU => key removed successfully
AntannaSU => service removed successfully
"C:\WINDOWS\TEMP\hp7657.tmp" => not found.
C:\WINDOWS\SysWOW64\FB5F.tmp => moved successfully
C:\WINDOWS\SysWOW64\8FA2.tmp => moved successfully
C:\WINDOWS\SysWOW64\F555.tmp => moved successfully
C:\WINDOWS\SysWOW64\6DB.tmp => moved successfully
C:\Program Files (x86)\GUTF761.tmp => moved successfully

========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset C:\resettcpip.txt =========

Resetting Global, OK!
Resetting Interface, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Route, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========

Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-Windows-DxpTaskRingtone/Analytic. The system cannot find the file specified.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.

========= End of CMD: =========


========= Bitsadmin /Reset /Allusers =========


BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {941ADB53-D4CD-450C-B2D8-847D9D8FACA8}.
Unable to cancel {EC1CC695-AE9A-4F76-89F2-28F237A0B146}.
Unable to cancel {DC2D52A9-1720-4337-B9D9-EB58BC8F7A07}.
Unable to cancel {451D38B9-A380-433C-BB4B-9317D1B902C7}.
0 out of 4 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9098187 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 113597686 B
Edge => 0 B
Chrome => 702768640 B
Firefox => 0 B
Opera => 443930994 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 314304 B
systemprofile32 => 36773297 B
LocalService => 10740 B
NetworkService => 8705084 B
Donnatzchovaness => 10436422 B
Sophia => 1482595561 B
Administrator => 12137 B

RecycleBin => 870829144 B
EmptyTemp: => 3.4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 07:11:49 ====

Contents of JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 8.1 Single Language x64 
Ran by Sophia (Administrator) on Mon 04/24/2017 at 16:29:12.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0 




Registry: 0 





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 04/24/2017 at 16:32:24.23
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents of AdwCleaner[S0].txt

# AdwCleaner v6.045 - Logfile created 24/04/2017 at 19:43:03
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-22.1 [Server]
# Operating System : Windows 8.1 Single Language  (X64)
# Username : Sophia - DONATCHORVANESS
# Running from : C:\Users\Sophia\Desktop\Cleanup\adwcleaner_6.045.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\Users\Sophia\AppData\Local\Alltie
Folder Found:  C:\Users\Sophia\AppData\Local\Dohat
Folder Found:  C:\Users\Sophia\AppData\Roaming\WinSAPSvc
Folder Found:  C:\Users\Sophia\AppData\Roaming\Firefox
Folder Found:  C:\Users\Sophia\AppData\Local\Firefox
Folder Found:  C:\UPDATE\PSGO
Folder Found:  C:\Users\Sophia\AppData\Local\SNARE
Folder Found:  C:\WINDOWS\Update\psgo


***** [ Files ] *****

File Found:  C:\Users\Public\Documents\temp.dat
File Found:  C:\Users\Public\Documents\report.dat


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

Shortcut infected:  C:\Users\Sophia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk ( hxxp://www.ourluckysites.com/?type=sc&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0


***** [ Scheduled Tasks ] *****

Task Found:  Milimili
Task Found:  Windows-PG


***** [ Registry ] *****

Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARER
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARER
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARE
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARE
Key Found:  HKLM\SOFTWARE\ScreenShot
Key Found:  HKLM\SOFTWARE\ourluckysitesSoftware
Key Found:  [x64] HKLM\SOFTWARE\InterSect Alliance
Data Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD500
Data Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5000BPVT-2
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://www.ourluckysites.com/search/?type=ds&ts=1491885682&z=514234e829261b82d7c55c2g5z2t8gebab9wbm7e3q&from=che0812&uid=WDCXWD5000BPVT
Data Found:  HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command [] - "c:\program files\internet explorer\iexplore.exe" hxxp://www.ourluckysites.com/?type=sc&ts=1491885682&z=514234e829261b82d7c
Value Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
Key Found:  HKCU\SOFTWARE\Classes\ChromeHTML


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Web data] - trotux
Chrome pref Found:  [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - hxxp://www.delta-search.com/?affID=119816&babsrc=HP_ss&mntrId=f20252d10000000000006c626d32822f

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [8851 Bytes] - [11/04/2017 13:13:14]
C:\AdwCleaner\AdwCleaner[C2].txt - [3033 Bytes] - [11/04/2017 16:54:13]
C:\AdwCleaner\AdwCleaner[S0].txt - [8348 Bytes] - [11/04/2017 13:08:11]
C:\AdwCleaner\AdwCleaner[S1].txt - [8182 Bytes] - [11/04/2017 13:12:34]
C:\AdwCleaner\AdwCleaner[S2].txt - [2495 Bytes] - [11/04/2017 16:53:24]
C:\AdwCleaner\AdwCleaner[S3].txt - [4079 Bytes] - [14/04/2017 15:08:05]
C:\AdwCleaner\AdwCleaner[S4].txt - [4199 Bytes] - [24/04/2017 19:43:03]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [4272 Bytes] ##########



#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 April 2017 - 12:20 PM

Re-Scan with AdwCleaner. Once the scan is completed, click on the Clean button.
 
Please run Malwarebytes Antimalware.
 
Update the program, and under the Scan options select "Threat Scan".
 
The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.
 
 
After a scan has been executed, scan results are displayed as shown below. In this scan, three threats were detected.
 
 
Put a checkmark on all detected and click on "Quarantine Selected".
 
 
Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.
 
 
Please note that an Export button is shown at the bottom left corner of this screen. This allows you to make a copy of the log for use by other programs. You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 28 April 2017 - 06:51 PM

Are you still with us?




#6 radiomusings

  • Topic Starter
  • Members
  • 6 posts

Posted 29 April 2017 - 01:23 AM

Yep, sorry, I just had an extremely demanding week at school so I couldn't find the time to do the scans.

 

Contents of AdwCleaner[C4].txt

# AdwCleaner v6.046 - Logfile created 29/04/2017 at 14:08:41
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-29.1 [Server]
# Operating System : Windows 8.1 Single Language  (X64)
# Username : Sophia - DONATCHORVANESS
# Running from : C:\Users\Sophia\Desktop\Cleanup\adwcleaner_6.046.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: WinSAPSvc
[-] Service deleted: SNARE
[-] Service deleted: Kitty


***** [ Folders ] *****

[-] Folder deleted: C:\Users\Sophia\AppData\Roaming\WinSAPSvc
[-] Folder deleted: C:\Users\Sophia\AppData\Local\SNARE
[-] Folder deleted: C:\Users\Sophia\AppData\Local\Kitty


***** [ Files ] *****

[-] File deleted: C:\Users\Public\Documents\temp.dat


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****

[-] Task deleted: Milimili
[-] Task deleted: Windows-PG


***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARE
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARE
[-] Key deleted: HKLM\SOFTWARE\ScreenShot
[-] Key deleted: [x64] HKLM\SOFTWARE\InterSect Alliance
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [Kitty]


***** [ Web browsers ] *****

[-] [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: trotux
[-] [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Sophia\AppData\Local\Google\Chrome\User Data\Default] [homepage] Deleted: hxxp://www.delta-search.com/?affID=119816&babsrc=HP_ss&mntrId=f20252d10000000000006c626d32822f


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [8851 Bytes] - [11/04/2017 13:13:14]
C:\AdwCleaner\AdwCleaner[C2].txt - [3033 Bytes] - [11/04/2017 16:54:13]
C:\AdwCleaner\AdwCleaner[C3].txt - [3856 Bytes] - [24/04/2017 19:56:55]
C:\AdwCleaner\AdwCleaner[C4].txt - [2349 Bytes] - [29/04/2017 14:08:41]
C:\AdwCleaner\AdwCleaner[S0].txt - [8348 Bytes] - [11/04/2017 13:08:11]
C:\AdwCleaner\AdwCleaner[S1].txt - [8182 Bytes] - [11/04/2017 13:12:34]
C:\AdwCleaner\AdwCleaner[S2].txt - [2495 Bytes] - [11/04/2017 16:53:24]
C:\AdwCleaner\AdwCleaner[S3].txt - [4079 Bytes] - [14/04/2017 15:08:05]
C:\AdwCleaner\AdwCleaner[S4].txt - [4371 Bytes] - [24/04/2017 19:43:03]
C:\AdwCleaner\AdwCleaner[S5].txt - [2820 Bytes] - [29/04/2017 14:06:46]

########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [2860 Bytes] ##########

Something weird is happening to Malwarebytes. I followed the instructions you gave me, but I think something is causing the program to cancel the scan 12 seconds after starting it. This didn't use to happen before. I've tried multiple times to run the scan but it always stops. In any case, here is the exported log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/29/17
Scan Time: 2:19 PM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 
Update Package Version: 
License: Free

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: DONATCHORVANESS\Sophia

-Scan Summary-
Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 0
(No malicious items detected)
Time Elapsed: 0 min, 12 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

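Added example, not from this thread and not part of any of the tools used in it: a read-only PowerShell audit of the svchost service-group registrations that the AdwCleaner logs above report (the Svchost [WinSAPSvc] and [Kitty] values, removed in the clean log). It assumes the standard registry layout, where each value under the Svchost key names a group and lists its services and each service names its DLL in a ServiceDll parameter; the function names are mine.

```powershell
# Added example (not from the thread): read-only audit of svchost service groups.
# Windows runs shared services as "svchost.exe -k <group>". Each group is a
# REG_MULTI_SZ value under the Svchost key listing service names, and each such
# service names its DLL in a ServiceDll parameter. The AdwCleaner log above shows
# adware registering its own groups (WinSAPSvc, Kitty) with folders under the
# user's profile, so the main signal here is a ServiceDll outside %SystemRoot%.
# Run from an elevated prompt on the machine being examined; nothing is modified.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDllPath {
    # Hypothetical helper name. ServiceDll normally sits under <service>\Parameters;
    # a few services keep it on the service key itself, so check both places.
    param([string]$ServiceName)
    foreach ($key in @("$ServicesKey\$ServiceName\Parameters", "$ServicesKey\$ServiceName")) {
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $null
}

function Get-SvchostGroupAudit {
    # Hypothetical function name. Emits one object per (group, service) pair.
    $groups = Get-Item -Path $SvchostKey
    foreach ($group in $groups.GetValueNames()) {
        foreach ($svc in @($groups.GetValue($group))) {
            if (-not $svc) { continue }   # skip the empty trailing element of a REG_MULTI_SZ
            $dll = Get-ServiceDllPath -ServiceName $svc
            $inSystemRoot = [bool]($dll -and
                $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase))
            # Authenticode status is informational only: catalog-signed OS DLLs can
            # report NotSigned on older Windows, so location is the primary test.
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            } else { 'Missing' }
            [pscustomobject]@{
                Group        = $group
                Service      = $svc
                ServiceDll   = $dll
                InSystemRoot = $inSystemRoot
                Signature    = $sig
                # A DLL outside %SystemRoot%, or a registered service whose DLL is
                # gone (typical after a partial cleanup), both deserve a second look.
                Suspicious   = (-not $inSystemRoot) -or ($sig -eq 'Missing')
            }
        }
    }
}

# Show only the entries worth a second look, e.g. a group named after the service
# itself whose DLL resolves into C:\Users\<name>\AppData.
Get-SvchostGroupAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Cross-check any hit against the Services key entry and the scheduled tasks AdwCleaner lists, since the same adware family on this machine also re-created its services after removal.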

#7 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 April 2017 - 02:51 PM

Remove Malwarebytes Antimalware following the instructions here. Once done,

 

Please download Malwarebytes to your desktop.
 
Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
 
Once the program has fully updated, proceed with the Scan options and select "Threat Scan".
 
The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.
 
 
After a scan has been executed, scan results are displayed as shown below. In this scan, three threats were detected.
 
 
Put a checkmark on all detected and click on "Quarantine Selected".
 
 
Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.
 
 
Please note that an Export button is shown at the bottom left corner of this screen. This allows you to make a copy of the log for use by other programs. You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.




#8 radiomusings

  • Topic Starter
  • Members
  • 6 posts

Posted 30 April 2017 - 02:23 AM

I followed your instructions and thankfully, Malwarebytes went back to normal. :) Here are the contents of the scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/30/17
Scan Time: 2:37 PM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1838
License: Free

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: DONATCHORVANESS\Sophia

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 520760
Time Elapsed: 36 min, 11 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
Adware.Elex, C:\Program Files (x86)\Jzachsuiry\_ALLOWDEL_16d4c55a, Quarantined, [2], [375983],1.0.1838
Adware.Elex, C:\PROGRAM FILES (X86)\Jzachsuiry, Quarantined, [2], [375983],1.0.1838
Adware.Elex, C:\Program Files (x86)\MIO\loader, Quarantined, [2], [387131],1.0.1838
Adware.Elex, C:\PROGRAM FILES (X86)\MIO, Quarantined, [2], [387131],1.0.1838

File: 5
Adware.Elex.Generic, C:\PROGRAMDATA\COMMON\APPLE\APPS\AZURETOOLS.DLL, Quarantined, [1063], [388884],1.0.1838
Adware.Elex, C:\Program Files (x86)\Jzachsuiry\_ALLOWDEL_16d4c55a\11, Quarantined, [2], [375983],1.0.1838
Adware.Elex, C:\Program Files (x86)\Jzachsuiry\_ALLOWDEL_16d4c55a\22, Quarantined, [2], [375983],1.0.1838
Adware.Elex, C:\PROGRAM FILES (X86)\MIO\LOADER\wdcxwd5000bpvt-22a1yt0_wd-wxa1c12p3335p3335.dat, Quarantined, [2], [387131],1.0.1838
Adware.Elex, C:\Program Files (x86)\MIO\MIO.exe, Quarantined, [2], [387131],1.0.1838

Physical Sector: 0
(No malicious items detected)


(end)


#9 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 April 2017 - 08:58 AM

We still see some entries popup.

 

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then click Do not clean. Place a checkmark at Delete application's data on close, click Finish and close the program.

Post the ESET log.txt report.

Don't forget to re-enable previously switched-off protection software!

 




#10 radiomusings

  • Topic Starter
  • Members
  • 6 posts

Posted 30 April 2017 - 06:50 PM

Contents of ESET log.txt:

C:\AdwCleaner\quarantine\files\bcywvrblxmwgzyebjpssgmqnojiegebo.back	LNK/Agent.DR trojan	
C:\AdwCleaner\quarantine\files\afidcsbgdoumlmaclbqhwskanuqnnwqu\WinSAP.dll	a variant of Win32/Adware.ELEX.MC application	
C:\AdwCleaner\quarantine\files\cutojrrszcmnsxeggxmkoghagedxtxad\WinSAP.dll	a variant of Win32/Adware.ELEX.MC application	
C:\AdwCleaner\quarantine\files\iwnkjvnnmhyuunijccmixugemxwefcjn\Snarer.dll	a variant of Win64/Snarasite.D trojan	
C:\AdwCleaner\quarantine\files\mivmxxrxcbawbuvbhredbusjeznvsgcv\Snarer.dll	a variant of Win64/Snarasite.D trojan	
C:\AdwCleaner\quarantine\files\muzehqbjvnjrfgurvkfauncbmigqfncn\WinSAP.dll	a variant of Win32/Adware.ELEX.MC application	
C:\AdwCleaner\quarantine\files\rrytesviwqscvwtxetgexcbakwmvvkfi\Snarer.dll	a variant of Win64/Snarasite.D trojan	
C:\AdwCleaner\quarantine\files\tabukeviibzphqavrhsibkuygpjsdeql\WinSAP.dll	a variant of Win32/Adware.ELEX.MC application	
C:\AdwCleaner\quarantine\files\vfitkrjbtlqblyirxgyorxknbpbhlshq\Snarer.dll	a variant of Win64/Snarasite.D trojan	
C:\AdwCleaner\quarantine\files\wqyrvttwgobddxidpgqlntthcnutihut\Kitty.dll	Win32/Adware.ELEX.MW application	
C:\Downloads\Rock Of Ages {2012} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar_Internet Explorer.exe	a variant of Win32/Toolbar.Conduit.AU potentially unwanted application	
C:\ProgramData\InstallMate\{B99C8B87-1434-449F-A674-5C16627FA971}\Custom.dll	Win32/InstalleRex.M potentially unwanted application	
C:\ProgramData\KMSAutoS\bin\TunMirror.exe	a variant of MSIL/HackTool.TunMirror.A potentially unsafe application	
C:\ProgramData\KMSAutoS\bin\TunMirror2.exe	a variant of MSIL/HackTool.TunMirror.A potentially unsafe application	
C:\Users\All Users\InstallMate\{B99C8B87-1434-449F-A674-5C16627FA971}\Custom.dll	Win32/InstalleRex.M potentially unwanted application	
C:\Users\All Users\KMSAutoS\bin\TunMirror.exe	a variant of MSIL/HackTool.TunMirror.A potentially unsafe application	
C:\Users\All Users\KMSAutoS\bin\TunMirror2.exe	a variant of MSIL/HackTool.TunMirror.A potentially unsafe application	
C:\Users\Donnatzchovaness\Desktop\CCleaner\ccsetup521pro.exe	Win32/Bundled.Toolbar.Google.D potentially unsafe application	
C:\Users\Donnatzchovaness\Downloads\CCleaner 5.21.5700 with Patch (Professional, Business & Technician Edition).zip	Win32/Bundled.Toolbar.Google.D potentially unsafe application	
C:\Users\Donnatzchovaness\Downloads\installer_adobe_flash_player_English.exe	Win32/TrojanDropper.Addrop.B trojan	
C:\Windows\Installer\53d4b89.msi	a variant of Win32/Adware.ELEX.GJ application	
C:\Windows\Installer\MSI3794.tmp	a variant of Win32/Bundled.Toolbar.Ask.N potentially unsafe application	



#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 April 2017 - 07:17 PM

Download the attached file [attachment=193688:Fixlist.txt] and save it in the same directory FRST64 is saved.
  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.
 
 
 
How is the computer doing?



#12 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 02 May 2017 - 11:59 AM

Are you still with us?




#13 radiomusings

  • Topic Starter
  • Members
  • 6 posts

Posted 04 May 2017 - 05:58 AM

I'm still with you, sorry for the late reply, school is killing me.

 

Contents of the Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-05-2017 01
Ran by Sophia (04-05-2017 18:45:31) Run:2
Running from C:\Users\Sophia\Desktop\Cleanup
Loaded Profiles: Sophia (Available Profiles: Donnatzchovaness & Sophia & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
C:\Downloads\Rock Of Ages {2012} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar_Internet Explorer.exe
C:\ProgramData\InstallMate\{B99C8B87-1434-449F-A674-5C16627FA971}\Custom.dll
C:\ProgramData\KMSAutoS\bin\TunMirror.exe
C:\ProgramData\KMSAutoS\bin\TunMirror2.exe
C:\Users\All Users\InstallMate\{B99C8B87-1434-449F-A674-5C16627FA971}\Custom.dll
C:\Users\All Users\KMSAutoS\bin\TunMirror.exe
C:\Users\All Users\KMSAutoS\bin\TunMirror2.exe
C:\Users\Donnatzchovaness\Desktop\CCleaner\ccsetup521pro.exe
C:\Users\Donnatzchovaness\Downloads\CCleaner 5.21.5700 with Patch (Professional, Business & Technician Edition).zip
C:\Users\Donnatzchovaness\Downloads\installer_adobe_flash_player_English.exe
C:\Windows\Installer\53d4b89.msi
C:\Windows\Installer\MSI3794.tmp
*****************

C:\Downloads\Rock Of Ages {2012} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar_Internet Explorer.exe => moved successfully
C:\ProgramData\InstallMate\{B99C8B87-1434-449F-A674-5C16627FA971}\Custom.dll => moved successfully
C:\ProgramData\KMSAutoS\bin\TunMirror.exe => moved successfully
C:\ProgramData\KMSAutoS\bin\TunMirror2.exe => moved successfully
"C:\Users\All Users\InstallMate\{B99C8B87-1434-449F-A674-5C16627FA971}\Custom.dll" => not found.
"C:\Users\All Users\KMSAutoS\bin\TunMirror.exe" => not found.
"C:\Users\All Users\KMSAutoS\bin\TunMirror2.exe" => not found.
C:\Users\Donnatzchovaness\Desktop\CCleaner\ccsetup521pro.exe => moved successfully
C:\Users\Donnatzchovaness\Downloads\CCleaner 5.21.5700 with Patch (Professional, Business & Technician Edition).zip => moved successfully
C:\Users\Donnatzchovaness\Downloads\installer_adobe_flash_player_English.exe => moved successfully
C:\Windows\Installer\53d4b89.msi => moved successfully
C:\Windows\Installer\MSI3794.tmp => moved successfully

==== End of Fixlog 18:45:37 ====

As for how the computer is going, recently--as in, I was in the middle of editing my math project online five minutes ago--the browser I was currently using (Opera) crashed and then fake shortcuts for Mozilla Firefox and Chrome got added to my Desktop and Taskbar. I knew these were fake because the only shortcuts I have are for foobar2000 and Sublime Text 3. Plus, this already happened to me before. I tried to re-open Opera but it kept closing as soon as I did. I deleted the fake shortcuts immediately and checked the Task Manager. I found several suspicious processes (Kitty, WinSAPSvc, SNAREA) and stopped them. Opera opened normally once I did.



#14 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 04 May 2017 - 09:20 AM

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:


  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found, and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.


  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

 

Please download Zemana AntiMalware and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the security warning.
  • Once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your Desktop and click the Save button.
  • Please attach the saved report in your next reply.

 




#15 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 May 2017 - 11:48 AM

Are you still with us?






