
KMSpico error at startup


  • This topic is locked
25 replies to this topic

#1 dukethacore

  • Members
  • 13 posts
  • OFFLINE
  • Local time: 10:54 AM

Posted 04 August 2017 - 09:01 AM

Hi, I need to check my computer.

 

FARBAR scan - FRST

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-07-2017
Ran by manpreet (administrator) on MY-LAPTOP (04-08-2017 21:43:10)
Running from C:\Users\manpreet\Downloads
Loaded Profiles: manpreet (Available Profiles: manpreet)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McTkSchedulerService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
() C:\Program Files\Gramblr\gramblr.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
() C:\Windows\Temp\gECB4.tmp.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-07-01] (Adobe Systems Incorporated)
HKLM\...\Run: [WindowsDefender] => "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2383040 2016-08-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Windows] => C:\KMSpico\KMSpico_Setup.exe [77960 2014-05-27] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe, "C:\KMSpico\KMSpico_Setup.exe"
HKLM-x32\...\Winlogon: [Shell] explorer.exe, "C:\KMSpico\KMSpico_Setup.exe" [ ] () <=== ATTENTION
HKLM\...\Policies\Explorer\Run: [Windows] => C:\KMSpico\KMSpico_Setup.exe [77960 2014-05-27] (Microsoft Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [uTorrent] => C:\Users\manpreet\AppData\Roaming\uTorrent\uTorrent.exe [2146496 2017-07-02] (BitTorrent Inc.)
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [Yahoo Messenger Updater] => C:\Users\manpreet\AppData\Roaming\Yahoo Messenger\YMUpdater\YMUpdater.exe [115656 2016-09-29] (Yahoo!, Inc.)
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [Chromium] => c:\users\manpreet\appdata\local\chromium\application\chrome.exe [1068544 2016-03-19] (The Chromium Authors)
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [Google Update] => C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.5\GoogleUpdateCore.exe [601168 2017-05-01] (Google Inc.)
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27784672 2017-06-27] (Skype Technologies S.A.)
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [Windows] => C:\KMSpico\KMSpico_Setup.exe [77960 2014-05-27] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\RunOnce: [DSdeGlr6TY] => C:\DSdeGlr6TYDSdeGlr6TY\DSdeGlr6TY.vbs [190 2017-08-04] ()
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter "C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter"
Startup: C:\Users\manpreet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-04-26]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3952633B-2B9E-4BA1-9DCA-2C0A266665AE}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{3952633B-2B9E-4BA1-9DCA-2C0A266665AE}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001 -> DefaultScope {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = 
BHO: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie64.dll [2017-06-26] (Intel Security)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2017-07-08] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-07-27] (Microsoft Corporation)
BHO-x32: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2017-06-26] (Intel Security)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2017-06-17] (Microsoft Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL [2017-07-27] (Microsoft Corporation)
Toolbar: HKLM - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie64.dll [2017-06-26] (Intel Security)
Toolbar: HKLM-x32 - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2017-06-26] (Intel Security)
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2016-01-04] (Belarc, Inc.)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-07-08] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF DefaultProfile: umii3wwl.default
FF ProfilePath: C:\Users\manpreet\AppData\Roaming\Mozilla\Firefox\Profiles\umii3wwl.default [2017-01-18]
FF NewTab: Mozilla\Firefox\Profiles\umii3wwl.default -> about:newtab
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered
FF Homepage: Mozilla\Firefox\Profiles\umii3wwl.default -> hxxps://malaysia.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_fremkfs_16_40&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dmy%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0A0D0FyEzy0FyDzyyD0DyEtN0D0Tzu0StCyBtAzztN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StBtD0B0F0C0A0F0CtGyEtA0DyBtGtA0C0ByDtGyB0AyB0CtGyDzztA0AtC0B0CyEtByDtByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtDtAyByBtDtD0AtG0FyDyByDtGyE0B0EtDtG0BtCtB0CtGtA0CyDzyzyyCzz0AtB0Azzzz2QtN0A0LzuyE%26cr%3D1805758380%26a%3Dwcg_fremkfs_16_40%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro
FF Keyword.URL: Mozilla\Firefox\Profiles\umii3wwl.default -> user_pref("keyword.URL", true);
FF SearchPlugin: C:\Users\manpreet\AppData\Roaming\Mozilla\Firefox\Profiles\umii3wwl.default\searchplugins\yahoo! powered.xml [2016-10-05]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-06-17] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2016-08-24] (Adobe Systems)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-05-26] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2017-05-26] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2016-08-24] (Adobe Systems)
FF Plugin HKU\S-1-5-21-2225106580-1076773051-1491251937-1001: @tools.google.com/Google Update;version=3 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin HKU\S-1-5-21-2225106580-1076773051-1491251937-1001: @tools.google.com/Google Update;version=9 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
StartMenuInternet: FIREFOX.EXE - firefox.exe
 
Chrome: 
=======
CHR NewTab: Default ->  Not-active:"chrome-extension://elmkjjfkkchohaaoljobaffjeedcoocj/ntab.html"
CHR Profile: C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default [2017-08-04]
CHR Extension: (Flash Video Downloader) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2017-02-26]
CHR Extension: (Google Docs) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-26]
CHR Extension: (Google Drive) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-26]
CHR Extension: (YouTube) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-26]
CHR Extension: (Adobe Acrobat) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-03-04]
CHR Extension: (Google Calendar) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2017-01-10]
CHR Extension: (hTab) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj [2017-04-16]
CHR Extension: (HTML Revealer and Password Revealer) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgeopcldenngppapceagonnenonklpbn [2017-04-04]
CHR Extension: (Google Docs Offline) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-26]
CHR Extension: (Kindle Cloud Reader) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2016-09-27]
CHR Extension: (Grammarly for Chrome) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen [2017-07-28]
CHR Extension: (Tag Assistant (by Google)) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\kejbdjndbnbjgmefkgdddjlbokphdefk [2017-05-18]
CHR Extension: (Open Plugins) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmafpcnknacbcgigikdfmjfnmimhpkkg [2017-08-04]
CHR Extension: (Take Webpage Screenshots Entirely - FireShot) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2017-05-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Print Friendly & PDF) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohlencieiipommannpdfcmfdpjjmeolj [2017-02-04]
CHR Extension: (Simple EPUB Reader) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojhbgcchcbdjdenibfmjofobklkkhofc [2016-08-27]
CHR Extension: (Adult Blocker) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\onjjgbgnpbedmhbdoikhknhflbfkecjm [2017-04-04]
CHR Extension: (Gmail) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-26]
CHR Extension: (Chrome Media Router) - C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-14]
CHR HKLM\...\Chrome\Extension: [elmkjjfkkchohaaoljobaffjeedcoocj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [elmkjjfkkchohaaoljobaffjeedcoocj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [elmkjjfkkchohaaoljobaffjeedcoocj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [744640 2016-08-24] (Adobe Systems Incorporated)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2246256 2017-05-18] (Adobe Systems, Incorporated)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [4412104 2017-07-18] (Microsoft Corporation)
R2 gramblrclient; C:\Program Files\Gramblr\gramblr.exe [11411536 2017-08-04] () [File not signed]
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319080 2015-06-04] (Intel Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.376\McCHSvc.exe [327944 2016-07-19] (McAfee, Inc.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [1001920 2017-06-26] (McAfee, Inc.)
R2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [16928 2017-06-26] (McAfee, Inc.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [87760 2017-06-26] (McAfee, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-13] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-13] (Microsoft Corporation)
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
U0 lfpb; C:\Windows\System32\drivers\kmcafhvd.sys [79064 2017-08-04] (Malwarebytes)
R1 MpKsl13b0a379; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CF741CAD-A639-42C8-AFF5-3298D129D037}\MpKsl13b0a379.sys [44928 2017-08-01] (Microsoft Corporation)
R1 MpKsl234e2d75; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BFA1D7DA-0AF2-4E2B-867C-79FE15D50866}\MpKsl234e2d75.sys [44928 2017-08-04] (Microsoft Corporation)
R3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [425216 2016-05-25] (Realsil Semiconductor Corporation)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [274776 2017-01-13] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-04 21:43 - 2017-08-04 21:43 - 000021397 _____ C:\Users\manpreet\Downloads\FRST.txt
2017-08-04 21:41 - 2017-08-04 21:43 - 000000000 ____D C:\FRST
2017-08-04 21:40 - 2017-08-04 21:41 - 002381312 _____ (Farbar) C:\Users\manpreet\Downloads\FRST64.exe
2017-08-04 21:36 - 2017-08-04 21:36 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\remcos
2017-08-04 21:32 - 2017-08-04 21:32 - 000079064 _____ (Malwarebytes) C:\Windows\system32\Drivers\kmcafhvd.sys
2017-08-04 21:12 - 2017-08-04 21:12 - 000001050 _____ C:\Users\Public\Desktop\Revo Uninstaller.lnk
2017-08-04 21:12 - 2017-08-04 21:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
2017-08-04 21:10 - 2017-08-04 21:11 - 007178424 _____ (VS Revo Group ) C:\Users\manpreet\Downloads\revosetup.exe
2017-08-04 18:37 - 2017-08-04 19:42 - 000000000 ____D C:\Program Files\KMSpico
2017-08-04 18:37 - 2017-08-04 18:37 - 000004608 _____ C:\Windows\SECOH-QAD.exe
2017-08-04 18:37 - 2017-08-04 18:37 - 000003584 _____ C:\Windows\SECOH-QAD.dll
2017-08-04 18:36 - 2017-08-04 21:34 - 000000000 _RSHD C:\KMSpico
2017-08-04 18:36 - 2017-08-04 21:32 - 000000000 ____D C:\Users\manpreet\DSdeGlr6TY
2017-08-04 18:36 - 2017-08-04 18:36 - 000016744 _____ C:\Windows\System32\Tasks\1211q11562B41351H93574
2017-08-04 18:36 - 2017-08-04 18:36 - 000003472 _____ C:\Windows\System32\Tasks\DSdeGlr6TY
2017-08-04 18:36 - 2017-08-04 18:36 - 000000000 __SHD C:\DSdeGlr6TYDSdeGlr6TY
2017-08-04 18:36 - 2017-08-04 18:36 - 000000000 ___HD C:\ProgramData\1211q11562B41351H93574
2017-08-04 18:31 - 2017-08-04 18:31 - 004874302 _____ C:\Users\manpreet\Downloads\KMSpico Install.rar
2017-08-04 18:06 - 2017-08-04 18:06 - 000496156 _____ ( ) C:\Users\manpreet\Downloads\KMSpico_v10.2.0_All_in_One_Activator_for_Windows_and_Office_-_Cleaned_Version.exe
2017-08-04 08:28 - 2017-08-04 08:28 - 000000000 ____D C:\Users\manpreet\Desktop\copywriting
2017-08-04 07:01 - 2017-08-04 08:30 - 000000000 ____D C:\Users\manpreet\Desktop\project
2017-08-04 04:40 - 2017-08-04 21:40 - 000000302 _____ C:\Windows\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}.job
2017-08-04 04:40 - 2017-08-04 04:40 - 000002640 _____ C:\Windows\System32\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}
2017-08-03 22:01 - 2017-08-03 22:21 - 000000000 ____D C:\Users\manpreet\Desktop\stamina
2017-08-03 21:34 - 2017-08-03 21:43 - 000000000 ____D C:\Users\manpreet\Desktop\jason-julius
2017-08-03 20:49 - 2017-08-03 21:25 - 000000000 ____D C:\Users\manpreet\Desktop\clientacquisition-frank
2017-08-03 20:01 - 2017-08-03 20:50 - 000000000 ____D C:\Users\manpreet\Desktop\innercircle
2017-08-03 19:18 - 2017-08-03 19:58 - 000000000 ____D C:\Users\manpreet\Desktop\tendollarbomb
2017-08-03 17:09 - 2017-08-03 17:19 - 000000334 _____ C:\Users\manpreet\Desktop\landing page.txt
2017-08-03 11:29 - 2017-08-03 12:03 - 000000000 ____D C:\Users\manpreet\Desktop\tailopez-lifestyle
2017-08-03 05:52 - 2017-08-03 05:52 - 000000000 ____D C:\Users\manpreet\Downloads\Chris Record - 3 Zero Club & Inner Circle
2017-08-03 05:12 - 2017-08-03 05:12 - 000022517 _____ C:\Users\manpreet\Downloads\MEGA Links2.txt
2017-08-03 05:12 - 2017-08-03 05:12 - 000002084 _____ C:\Users\manpreet\Downloads\MEGA Links.txt
2017-08-03 03:24 - 2017-08-03 04:04 - 000000000 ____D C:\Users\manpreet\Desktop\lazy
2017-08-02 21:27 - 2017-08-02 21:28 - 000089788 _____ C:\Windows\unins000.dat
2017-08-02 21:27 - 2017-08-02 21:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ezvid
2017-08-02 21:27 - 2017-08-02 21:27 - 000001045 _____ C:\Users\Public\Desktop\ezvid.lnk
2017-08-02 21:27 - 2017-08-02 21:27 - 000000000 ____D C:\Program Files (x86)\ezvid
2017-08-02 21:27 - 2017-08-02 20:35 - 000761531 _____ C:\Windows\unins000.exe
2017-08-02 21:27 - 2015-03-10 20:29 - 000462584 _____ (Bytescout) C:\Windows\SysWOW64\BytescoutScreenCapturing.dll
2017-08-02 21:27 - 2015-03-10 20:29 - 000360184 _____ (Bytescout) C:\Windows\SysWOW64\BytescoutScreenCapturingFilter.dll
2017-08-02 21:27 - 2015-03-10 20:29 - 000196344 _____ (Bytescout) C:\Windows\SysWOW64\BytescoutVideoMixerFilter.dll
2017-08-02 21:27 - 2013-04-07 18:09 - 000216064 _____ ( ) C:\Windows\SysWOW64\Lagarith.dll
2017-08-02 21:27 - 2013-04-07 18:09 - 000148992 _____ ( ) C:\Windows\system32\Lagarith.dll
2017-08-02 21:11 - 2017-08-02 21:46 - 000000000 ____D C:\Users\manpreet\Downloads\OBS-Studio-19 0 3-Full-Installer
2017-08-02 20:57 - 2017-08-02 21:48 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\obs-studio
2017-08-02 20:49 - 2017-08-03 19:18 - 000000133 _____ C:\Users\manpreet\Desktop\module 1.txt
2017-08-02 19:37 - 2017-08-02 19:37 - 280755603 _____ C:\Users\manpreet\Desktop\Module 1.zip
2017-08-02 18:48 - 2017-08-02 20:18 - 000000000 ____D C:\Users\manpreet\Downloads\OBS-Studio-19 0 3-Full
2017-08-02 16:20 - 2017-08-04 08:11 - 000000249 _____ C:\Users\manpreet\Desktop\new account.txt
2017-08-02 16:11 - 2017-08-02 16:11 - 000000029 _____ C:\Users\manpreet\Desktop\pass-edollarearn.com.txt
2017-08-02 15:58 - 2017-08-02 15:58 - 043141301 _____ C:\Users\manpreet\Desktop\#Business products.zip
2017-08-02 07:50 - 2017-08-02 07:52 - 001204224 _____ C:\Users\manpreet\Downloads\TinyWallInstaller.msi
2017-08-02 07:49 - 2017-08-02 08:12 - 067681000 _____ (Microsoft Corporation) C:\Users\manpreet\Downloads\NDP461-KB3102436-x86-x64-AllOS-ENU.exe
2017-08-02 07:47 - 2017-08-02 07:47 - 000000135 _____ C:\Users\manpreet\Downloads\RegInfo.ini
2017-08-02 07:43 - 2017-08-02 07:43 - 000000000 ____D C:\Users\manpreet\Downloads\Instructions
2017-08-02 07:40 - 2017-08-02 07:40 - 000000581 _____ C:\Users\manpreet\Downloads\Instructions.rar
2017-08-02 07:22 - 2017-08-02 07:23 - 005718872 _____ (Microsoft Corporation) C:\Users\manpreet\Downloads\vcredist_x64.exe
2017-08-02 06:21 - 2017-08-02 07:13 - 285457368 _____ (TechSmith Corporation) C:\Users\manpreet\Downloads\camtasia.exe
2017-08-02 04:07 - 2017-08-02 04:07 - 000000000 ____D C:\Users\manpreet\Downloads\SuccessRitualsMRR2017
2017-08-02 03:29 - 2017-08-02 03:29 - 001376858 _____ C:\Users\manpreet\Downloads\FIND-S3-BUCKET-DLS-WITHOUT-BUCKET-NAME-REPORT.PDF
2017-08-02 02:58 - 2017-08-02 06:19 - 000000000 ____D C:\Users\manpreet\Downloads\TechSmith Camtasia Studio 9 0 5 Build 2021
2017-08-02 00:54 - 2017-08-02 22:28 - 000008192 _____ C:\Users\manpreet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-08-02 00:54 - 2017-08-02 00:54 - 000000000 ____D C:\Users\manpreet\AppData\Local\ezvid,_inc
2017-08-02 00:53 - 2017-08-02 22:28 - 000000000 ____D C:\Users\manpreet\Documents\ezvid
2017-08-02 00:35 - 2017-08-02 16:47 - 000000000 ____D C:\Users\manpreet\Downloads\videomotionpro
2017-08-02 00:29 - 2017-08-02 00:29 - 001005552 _____ (Ezvid, inc. ) C:\Users\manpreet\Downloads\ezvid1.004.exe
2017-08-01 23:57 - 2017-08-01 23:59 - 000000000 ____D C:\Users\manpreet\Downloads\[Mr Charlie Houpert] Charisma On Command)
2017-08-01 23:52 - 2017-08-02 00:10 - 000000000 ____D C:\Users\manpreet\Downloads\The 9 Laws of Attractive Body Language for Men
2017-08-01 22:30 - 2017-08-01 22:30 - 000000000 ____D C:\Users\manpreet\Downloads\TSC900-II
2017-08-01 22:29 - 2017-08-01 22:29 - 000641073 _____ C:\Users\manpreet\Downloads\TSC900-II.rar
2017-08-01 21:45 - 2017-08-01 22:02 - 100271992 _____ (Microsoft Corporation) C:\Users\manpreet\Downloads\directx_Jun2010_redist.exe
2017-08-01 21:35 - 2017-08-01 21:38 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\FFsplit
2017-08-01 21:17 - 2017-08-01 21:34 - 000000000 ___HD C:\Windows\msdownld.tmp
2017-08-01 21:17 - 2017-08-01 21:17 - 000000000 ____D C:\Windows\SysWOW64\directx
2017-08-01 21:06 - 2017-08-01 21:07 - 008815708 _____ (FFsplit Team ) C:\Users\manpreet\Downloads\FFsplit-07025-Full.exe
2017-08-01 21:01 - 2017-08-01 21:01 - 000021795 _____ C:\Users\manpreet\Downloads\[limetorrents.cc]TechSmith.Camtasia.Studio.8.0.1.Build.903...Patch.-.[S3renity].torrent
2017-08-01 20:46 - 2017-08-01 20:46 - 000005158 _____ C:\Users\manpreet\Downloads\[limetorrents.cc]Techsmith.Camtasia.Studio.8.1.0.Build.1281.Repack.By.Kpojiuk.torrent
2017-08-01 08:53 - 2017-08-03 19:14 - 000000000 ____D C:\Users\manpreet\Desktop\New Project
2017-08-01 08:49 - 2017-08-01 22:23 - 000000000 ____D C:\Users\manpreet\AppData\LocalLow\uTorrent
2017-08-01 08:42 - 2017-08-01 08:42 - 000000000 ____D C:\Windows\system32\appmgmt
2017-08-01 08:35 - 2017-08-01 08:35 - 000002560 _____ C:\Windows\_MSRSTRT.EXE
2017-08-01 08:32 - 2017-08-01 08:33 - 000000000 ____D C:\Users\manpreet\Desktop\New folder (4)
2017-08-01 08:31 - 2017-08-01 08:31 - 000000000 ____D C:\Users\manpreet\Desktop\book
2017-08-01 08:30 - 2017-08-01 08:32 - 000000000 ____D C:\Users\manpreet\Desktop\New folder (2)
2017-07-30 22:50 - 2017-07-30 22:50 - 006329576 _____ C:\Users\manpreet\Downloads\Eugene M. Schwartz The Brilliance Breakthrough How to Talk and Write So That People Will Never Forget You.pdf
2017-07-30 22:49 - 2017-07-30 22:49 - 000000000 ____D C:\Users\manpreet\Downloads\breakthrough-mindmaps
2017-07-30 22:37 - 2017-07-30 22:37 - 000000000 ____D C:\Users\manpreet\Downloads\Million Dollar Mailings
2017-07-30 22:35 - 2017-07-30 22:35 - 000000000 ____D C:\Users\manpreet\Downloads\NC-Action
2017-07-30 22:34 - 2017-07-30 22:34 - 000000000 ____D C:\Users\manpreet\Downloads\Tested Advertising Methods (5th Edition) - John Caples
2017-07-30 21:09 - 2017-07-30 22:16 - 000000000 ____D C:\Users\manpreet\Downloads\Frank Kern - Join me behind the scenes as I film the Book 1481044695275446
2017-07-30 21:09 - 2017-07-30 22:03 - 000000000 ____D C:\Users\manpreet\Downloads\Frank Kern - Join me behind the scenes as I film the Book 1482387125141203
2017-07-30 21:08 - 2017-07-30 22:05 - 000000000 ____D C:\Users\manpreet\Downloads\Frank Kern - Join me behind the scenes as I film the Book 1479898742056708
2017-07-30 13:03 - 2017-04-22 05:53 - 000029376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
2017-07-30 13:03 - 2017-04-22 05:50 - 000030912 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2017-07-30 13:03 - 2017-04-22 05:50 - 000018592 _____ (Microsoft Corporation) C:\Windows\system32\msvcr100_clr0400.dll
2017-07-30 13:03 - 2017-04-12 02:27 - 000485576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp120_clr0400.dll
2017-07-30 13:03 - 2017-03-16 02:15 - 000690008 _____ (Microsoft Corporation) C:\Windows\system32\msvcp120_clr0400.dll
2017-07-30 13:02 - 2017-04-22 05:53 - 000018600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr100_clr0400.dll
2017-07-30 13:02 - 2017-04-12 02:27 - 000987840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr120_clr0400.dll
2017-07-30 13:02 - 2017-03-16 02:15 - 000993632 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll
2017-07-29 01:03 - 2017-07-29 01:03 - 000001022 _____ C:\Users\manpreet\Downloads\Instructions - SG Online Lead Signup Success (1).txt
2017-07-28 01:10 - 2017-07-28 01:10 - 000003180 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2225106580-1076773051-1491251937-1001
2017-07-27 22:25 - 2017-07-27 22:34 - 000000000 ____D C:\Users\manpreet\Desktop\AG
2017-07-27 22:14 - 2017-07-27 22:17 - 000000000 ____D C:\Users\manpreet\Downloads\Tom Hopkins - The Official Guide To Success
2017-07-27 21:59 - 2017-07-27 21:59 - 000000000 ____D C:\Users\manpreet\Downloads\new
2017-07-27 19:11 - 2017-07-27 19:11 - 000000000 ____D C:\Users\manpreet\Downloads\Brian Tracy - No Excuses The Power of Self-Discipline
2017-07-27 19:08 - 2017-07-27 19:14 - 000000000 ____D C:\Users\manpreet\Downloads\Ryan Holiday - The Obstacle Is the Way audiobook
2017-07-27 19:02 - 2017-07-27 20:50 - 000000000 ____D C:\Users\manpreet\Downloads\Be Obsessed or Be Average by Grant Cardone (Unabridged)
2017-07-27 15:20 - 2017-07-27 15:20 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2017-07-27 02:47 - 2017-08-04 18:28 - 000000000 ____D C:\Users\manpreet\Desktop\log
2017-07-27 01:37 - 2017-07-27 01:37 - 000256512 _____ C:\Users\manpreet\AppData\Roaming\Megokos.exe
2017-07-26 21:02 - 2017-07-26 21:10 - 000000000 ____D C:\Users\manpreet\Downloads\Dan Kennedy - Personality in Copy
2017-07-26 20:53 - 2017-07-26 20:59 - 000000000 ____D C:\Users\manpreet\Downloads\The Ultimate Sales Letter (4th Edition) - Dan Kennedy
2017-07-26 16:45 - 2017-07-26 16:45 - 000000000 ____D C:\Users\manpreet\Downloads\The Certifiable Salesperson
2017-07-26 13:49 - 2017-07-26 13:59 - 000000000 ____D C:\Users\manpreet\Downloads\ILoveMarketing117
2017-07-26 11:21 - 2017-07-26 11:23 - 000000000 ____D C:\Users\manpreet\Downloads\karbo
2017-07-25 22:58 - 2017-07-25 23:17 - 000000000 ____D C:\Users\manpreet\Downloads\EE-Final
2017-07-25 13:31 - 2017-07-25 13:31 - 243462820 _____ C:\Users\manpreet\Downloads\Duct Tape Marketing.zip
2017-07-25 11:16 - 2017-07-25 12:24 - 000000000 ____D C:\Users\manpreet\Downloads\GS
2017-07-25 11:14 - 2017-07-25 11:32 - 000000000 ____D C:\Users\manpreet\Downloads\webwords
2017-07-25 02:22 - 2017-07-25 02:37 - 033423920 _____ C:\Users\manpreet\Downloads\BB751A77.zip
2017-07-24 00:34 - 2017-07-24 00:34 - 398201175 _____ C:\Users\manpreet\Downloads\IAVSLV3.mp4
2017-07-23 23:53 - 2017-07-23 23:53 - 000001974 _____ C:\Users\manpreet\Downloads\Readme First.txt
2017-07-23 23:53 - 2017-07-23 23:53 - 000000043 _____ C:\Users\manpreet\Downloads\Hank Moody X Files.txt
2017-07-22 23:26 - 2017-07-22 23:26 - 000000000 ____D C:\Users\manpreet\Downloads\docs
2017-07-22 23:23 - 2017-07-22 23:23 - 001565182 _____ C:\Users\manpreet\Downloads\docs.rar
2017-07-22 03:53 - 2017-07-22 03:53 - 687822457 _____ C:\Users\manpreet\Downloads\006 - Personal Brand.zip
2017-07-20 19:45 - 2017-07-20 19:45 - 000000000 ____D C:\Users\manpreet\Downloads\kzzza
2017-07-20 07:24 - 2017-07-20 07:24 - 000000967 _____ C:\Users\manpreet\Downloads\click performance report.csv
2017-07-19 17:10 - 2017-07-19 17:14 - 000000000 ____D C:\Users\manpreet\Downloads\routerpassview
2017-07-19 16:50 - 2017-07-19 16:50 - 000032040 _____ C:\Users\manpreet\Downloads\tsyslog.rg
2017-07-19 16:33 - 2017-07-19 16:33 - 000000000 ____D C:\Users\manpreet\Downloads\SnmpWalk
2017-07-19 16:15 - 2017-07-19 16:15 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Passware
2017-07-19 16:15 - 2017-07-19 16:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Passware
2017-07-19 16:15 - 2017-07-19 16:15 - 000000000 ____D C:\Program Files (x86)\Passware
2017-07-19 16:14 - 2017-07-19 16:14 - 000463842 _____ C:\Users\manpreet\Downloads\ariskkey.exe
2017-07-19 16:09 - 2017-07-19 16:09 - 000001181 _____ C:\Users\Public\Desktop\WiFi Password Revealer.lnk
2017-07-19 16:09 - 2017-07-19 16:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WiFi Password Revealer
2017-07-19 16:08 - 2017-07-19 16:09 - 000000000 ____D C:\Program Files (x86)\WiFi Password Revealer
2017-07-19 02:07 - 2017-07-19 02:18 - 000000022 _____ C:\Users\manpreet\Downloads\attachments (2).zip
2017-07-19 01:35 - 2017-07-19 01:35 - 000716107 _____ C:\Users\manpreet\Downloads\aplos.1.2.0.zip
2017-07-18 23:05 - 2017-07-18 23:05 - 000000022 _____ C:\Users\manpreet\Downloads\attachments (1).zip
2017-07-18 23:01 - 2017-07-18 23:03 - 000000022 _____ C:\Users\manpreet\Downloads\attachments.zip
2017-07-18 21:38 - 2017-07-18 21:39 - 000000000 ____D C:\Users\manpreet\AppData\Local\MegaDownloader
2017-07-18 21:37 - 2017-07-18 21:37 - 000000896 _____ C:\Users\Public\Desktop\MegaDownloader.lnk
2017-07-18 21:37 - 2017-07-18 21:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MegaDownloader
2017-07-18 21:37 - 2017-07-18 21:37 - 000000000 ____D C:\Program Files\MegaDownloader
2017-07-18 21:35 - 2017-08-01 08:35 - 000000000 ____D C:\ProgramData\SpeedBit
2017-07-18 21:35 - 2017-08-01 08:34 - 000000000 ____D C:\ProgramData\TEMP
2017-07-18 21:35 - 2017-07-18 21:35 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\SpeedBit
2017-07-18 21:29 - 2017-07-18 21:31 - 010818216 _____ C:\Users\manpreet\Downloads\dap10_full.exe
2017-07-18 19:17 - 2017-07-18 19:17 - 000400331 _____ C:\Users\manpreet\Downloads\brittney-murphy-design_charbroil.zip
2017-07-17 16:42 - 2017-07-17 16:43 - 001409952 _____ C:\Users\manpreet\Downloads\brilliance.1.2.2.zip
2017-07-17 16:02 - 2017-07-17 16:19 - 000000000 ____D C:\Users\manpreet\Downloads\fresh-framework-1
2017-07-17 15:29 - 2017-07-17 17:48 - 000000000 ____D C:\Users\manpreet\Desktop\logo
2017-07-17 15:10 - 2017-07-17 15:11 - 000068060 _____ C:\Users\manpreet\Downloads\Corbert_Condensed_Regular_Regular.zip
2017-07-17 15:08 - 2017-07-17 15:09 - 000000000 ____D C:\Users\manpreet\Downloads\Self Hypnosis As You Read 42 Life Changing Scripts
2017-07-17 09:40 - 2017-07-17 09:41 - 000000000 ____D C:\Users\manpreet\Downloads\FREE BUSINESS
2017-07-17 08:30 - 2017-07-17 14:59 - 000000000 ____D C:\Users\manpreet\Downloads\SL- 450-Logo-Templates
2017-07-16 18:06 - 2017-07-16 18:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-07-14 08:16 - 2017-07-14 08:16 - 000000000 ____D C:\Users\manpreet\AppData\Local\Hardcoded Software
2017-07-14 07:49 - 2017-07-14 07:52 - 008893680 _____ (Auslogics Labs Pty Ltd ) C:\Users\manpreet\Downloads\duplicate-file-finder-setup.exe
2017-07-14 04:42 - 2017-07-14 04:42 - 000282475 _____ C:\Users\manpreet\Downloads\Lynda_huhu.TORRENT
2017-07-14 04:36 - 2017-07-14 04:46 - 000000000 ____D C:\Users\manpreet\Downloads\HLFU
2017-07-13 20:05 - 2017-07-13 20:05 - 122912907 _____ C:\Users\manpreet\Downloads\100 Ways to Stay Motivated.zip
2017-07-13 18:39 - 2017-05-04 07:11 - 000103600 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-07-13 18:39 - 2017-05-03 21:43 - 001555968 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-07-13 18:39 - 2017-05-03 21:43 - 001206272 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-07-13 18:39 - 2017-05-03 21:43 - 000620544 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-07-13 18:39 - 2017-05-03 21:43 - 000535552 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-07-13 18:39 - 2017-05-03 21:43 - 000325632 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-07-13 18:39 - 2017-05-03 21:43 - 000311296 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-07-13 18:39 - 2017-05-03 21:43 - 000217088 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-07-13 18:39 - 2017-05-03 21:43 - 000127488 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-07-12 16:27 - 2017-06-29 14:27 - 025734656 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-07-12 16:27 - 2017-06-29 13:44 - 005975552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-07-12 16:27 - 2017-06-29 13:23 - 020270592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-07-12 16:26 - 2017-07-06 16:52 - 000119296 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\bthpan.sys
2017-07-12 16:26 - 2017-06-29 14:02 - 000576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-07-12 16:26 - 2017-06-29 13:50 - 000817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-07-12 16:26 - 2017-06-29 13:23 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-07-12 16:26 - 2017-06-29 13:17 - 001033216 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-07-12 16:26 - 2017-06-29 13:13 - 000663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-07-12 16:26 - 2017-06-29 13:09 - 000806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-07-12 16:26 - 2017-06-29 12:58 - 015253504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-07-12 16:26 - 2017-06-29 12:53 - 003240960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-07-12 16:26 - 2017-06-29 12:52 - 004549632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-07-12 16:26 - 2017-06-29 12:51 - 000880640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-07-12 16:26 - 2017-06-29 12:47 - 000693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-07-12 16:26 - 2017-06-29 12:43 - 013663744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-07-12 16:26 - 2017-06-29 12:41 - 001545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-07-12 16:26 - 2017-06-29 12:29 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-07-12 16:26 - 2017-06-29 12:28 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-07-12 16:26 - 2017-06-29 12:24 - 001314816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-07-12 16:26 - 2017-06-29 12:23 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-07-12 16:26 - 2017-06-27 22:29 - 007796736 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2017-07-12 16:26 - 2017-06-27 22:29 - 007077376 _____ (Microsoft Corporation) C:\Windows\system32\glcndFilter.dll
2017-07-12 16:26 - 2017-06-27 22:26 - 005274112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\glcndFilter.dll
2017-07-12 16:26 - 2017-06-27 22:26 - 005268992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2017-07-12 16:26 - 2017-06-22 22:22 - 004169216 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-07-12 16:26 - 2017-06-18 00:45 - 003631616 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-07-12 16:26 - 2017-06-18 00:34 - 002749952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-07-12 16:26 - 2017-06-18 00:11 - 002551808 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-07-12 16:26 - 2017-06-18 00:05 - 001920000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssrch.dll
2017-07-12 16:26 - 2017-06-16 06:02 - 000990040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2017-07-12 16:26 - 2017-06-15 21:45 - 007440728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-07-12 16:26 - 2017-06-15 21:45 - 001674520 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2017-07-12 16:26 - 2017-06-15 21:45 - 001534064 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2017-07-12 16:26 - 2017-06-15 21:45 - 001499920 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2017-07-12 16:26 - 2017-06-15 21:45 - 001370320 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2017-07-12 16:26 - 2017-06-15 21:45 - 000086360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pdc.sys
2017-07-12 16:26 - 2017-06-12 08:06 - 000376672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\clfs.sys
2017-07-12 16:26 - 2017-06-12 06:21 - 000590848 _____ (Microsoft Corporation) C:\Windows\system32\wvc.dll
2017-07-12 16:26 - 2017-06-12 05:43 - 000371200 _____ (Microsoft Corporation) C:\Windows\system32\msinfo32.exe
2017-07-12 16:26 - 2017-06-12 05:25 - 000478720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wvc.dll
2017-07-12 16:26 - 2017-06-12 05:15 - 001436672 _____ (Microsoft Corporation) C:\Windows\system32\wdc.dll
2017-07-12 16:26 - 2017-06-12 05:08 - 000358912 _____ (Microsoft Corporation) C:\Windows\system32\Wldap32.dll
2017-07-12 16:26 - 2017-06-12 05:07 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sysmon.ocx
2017-07-12 16:26 - 2017-06-12 05:00 - 000962560 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-07-12 16:26 - 2017-06-12 04:58 - 000334336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msinfo32.exe
2017-07-12 16:26 - 2017-06-12 04:40 - 001323008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdc.dll
2017-07-12 16:26 - 2017-06-12 04:35 - 000325120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Wldap32.dll
2017-07-12 16:26 - 2017-06-12 04:31 - 000781312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-07-12 16:26 - 2017-06-11 23:15 - 002013528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2017-07-12 16:26 - 2017-06-07 04:52 - 003120640 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2017-07-12 16:26 - 2017-06-07 04:42 - 000925696 _____ (Microsoft Corporation) C:\Windows\system32\autoconv.exe
2017-07-12 16:26 - 2017-06-07 04:38 - 000039424 _____ (Microsoft Corporation) C:\Windows\system32\cnvfat.dll
2017-07-12 16:26 - 2017-06-07 04:36 - 000168448 _____ (Microsoft Corporation) C:\Windows\system32\uudf.dll
2017-07-12 16:26 - 2017-06-07 04:36 - 000020992 _____ (Microsoft Corporation) C:\Windows\system32\convert.exe
2017-07-12 16:26 - 2017-06-07 04:35 - 000517120 _____ (Microsoft Corporation) C:\Windows\system32\uReFS.dll
2017-07-12 16:26 - 2017-06-07 03:13 - 000177664 _____ (Microsoft Corporation) C:\Windows\system32\ulib.dll
2017-07-12 16:26 - 2017-06-07 03:11 - 000557568 _____ (Microsoft Corporation) C:\Windows\system32\untfs.dll
2017-07-12 16:26 - 2017-06-07 03:11 - 000220672 _____ (Microsoft Corporation) C:\Windows\system32\ifsutil.dll
2017-07-12 16:26 - 2017-06-07 03:11 - 000131072 _____ (Microsoft Corporation) C:\Windows\system32\ufat.dll
2017-07-12 16:26 - 2017-06-07 03:11 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\uexfat.dll
2017-07-12 16:26 - 2017-06-07 03:08 - 002712576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2017-07-12 16:26 - 2017-06-07 03:03 - 000837632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\autoconv.exe
2017-07-12 16:26 - 2017-06-07 02:59 - 000034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cnvfat.dll
2017-07-12 16:26 - 2017-06-07 02:57 - 000141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uudf.dll
2017-07-12 16:26 - 2017-06-07 02:56 - 000375296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uReFS.dll
2017-07-12 16:26 - 2017-06-07 02:03 - 000143360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ulib.dll
2017-07-12 16:26 - 2017-06-07 02:02 - 000513536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\untfs.dll
2017-07-12 16:26 - 2017-06-07 02:02 - 000197120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ifsutil.dll
2017-07-12 16:26 - 2017-06-07 02:02 - 000106496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ufat.dll
2017-07-12 16:26 - 2017-06-07 02:02 - 000074240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uexfat.dll
2017-07-12 16:26 - 2017-06-04 00:27 - 002346496 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2017-07-12 16:26 - 2017-06-04 00:03 - 001549312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2017-07-12 16:26 - 2017-06-01 05:20 - 000470360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-07-12 16:26 - 2017-05-16 06:09 - 000057688 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\stornvme.sys
2017-07-12 16:26 - 2017-05-16 04:03 - 000379744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2017-07-12 16:26 - 2017-05-09 22:37 - 000658432 _____ (Microsoft Corporation) C:\Windows\system32\WSDApi.dll
2017-07-12 16:26 - 2017-05-09 22:35 - 000555520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSDApi.dll
2017-07-12 16:26 - 2017-05-09 22:29 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wsdchngr.dll
2017-07-12 16:26 - 2017-05-09 22:29 - 000014848 _____ (Microsoft Corporation) C:\Windows\system32\snmptrap.exe
2017-07-12 16:26 - 2017-05-09 22:28 - 000193024 _____ (Microsoft Corporation) C:\Windows\system32\DAFWSD.dll
2017-07-12 16:26 - 2017-05-09 22:28 - 000030208 _____ (Microsoft Corporation) C:\Windows\system32\wsdchngr.dll
2017-07-12 16:26 - 2017-05-09 22:12 - 000448576 _____ C:\Windows\system32\ApnDatabase.xml
2017-07-12 16:26 - 2017-05-07 00:45 - 001114624 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2017-07-12 16:26 - 2017-05-07 00:41 - 000056832 _____ (Microsoft Corporation) C:\Windows\system32\rdsdwmdr.dll
2017-07-12 16:26 - 2017-05-03 04:09 - 000686592 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-07-12 16:26 - 2017-05-03 04:08 - 000415744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-07-12 16:26 - 2017-05-03 04:08 - 000243200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-07-12 16:26 - 2017-05-03 02:41 - 000044032 _____ (Microsoft Corporation) C:\Windows\system32\sscore.dll
2017-07-12 16:26 - 2017-05-03 02:31 - 000329216 _____ (Microsoft Corporation) C:\Windows\system32\srvsvc.dll
2017-07-12 16:26 - 2017-05-03 02:31 - 000207360 _____ (Microsoft Corporation) C:\Windows\system32\smbwmiv2.dll
2017-07-12 16:26 - 2017-05-03 01:35 - 000031744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sscore.dll
2017-07-12 16:26 - 2017-05-01 00:48 - 000080078 _____ C:\Windows\system32\normidna.nls
2017-07-12 16:26 - 2017-04-28 09:13 - 001292288 _____ (Microsoft Corporation) C:\Windows\system32\certutil.exe
2017-07-12 16:26 - 2017-04-28 09:11 - 001060352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2017-07-12 06:44 - 2017-07-12 06:48 - 000000000 ____D C:\Users\manpreet\Downloads\JR -TS 2016-G P@FB
2017-07-12 04:11 - 2017-07-12 04:19 - 000000022 _____ C:\Users\manpreet\Downloads\Archive-f18f.zip
2017-07-11 01:56 - 2017-07-11 01:56 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AdWords Editor
2017-07-10 15:04 - 2017-07-10 15:06 - 005203840 _____ C:\Users\manpreet\Downloads\affirmations.zip
2017-07-08 00:59 - 2017-07-08 01:01 - 000000000 ____D C:\Users\manpreet\Downloads\The Manual A True Bad Boy Explains
2017-07-07 22:59 - 2017-07-07 23:05 - 000000000 ____D C:\Users\manpreet\Downloads\D1A
2017-07-07 22:47 - 2017-07-07 22:47 - 000000000 ____D C:\Users\manpreet\Downloads\Testosterone Boost Masculinity for Sex Drive Confidence Muscle Mass Fat Loss Energy Avoiding Hair Loss
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-04 21:43 - 2016-10-24 16:57 - 000000000 ____D C:\ProgramData\Gramblr
2017-08-04 21:38 - 2016-08-26 13:26 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2225106580-1076773051-1491251937-1001
2017-08-04 21:36 - 2016-10-15 06:05 - 000000304 _____ C:\Windows\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF}.job
2017-08-04 21:33 - 2016-08-27 16:44 - 000000000 __SHD C:\Users\manpreet\IntelGraphicsProfiles
2017-08-04 21:32 - 2016-08-27 04:06 - 000000000 ____D C:\Windows\Panther
2017-08-04 21:18 - 2016-10-05 08:18 - 000000306 _____ C:\Windows\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E}.job
2017-08-04 21:16 - 2016-11-18 20:50 - 000192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-08-04 21:12 - 2016-08-31 14:35 - 000000000 ____D C:\Program Files\VS Revo Group
2017-08-04 20:34 - 2016-09-06 04:34 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\Skype
2017-08-04 20:17 - 2016-09-14 11:01 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-08-04 18:36 - 2016-08-26 13:20 - 000000000 ____D C:\Users\manpreet
2017-08-04 18:08 - 2016-10-05 08:17 - 000000702 __RSH C:\ProgramData\ntuser.pol
2017-08-04 18:00 - 2016-08-26 13:23 - 000003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{FA0B958D-923A-4C69-9756-13004FAF1C5B}
2017-08-04 07:48 - 2016-08-26 13:20 - 000000000 ____D C:\Users\manpreet\AppData\Local\Packages
2017-08-04 06:40 - 2016-08-31 03:15 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\vlc
2017-08-04 04:36 - 2016-10-15 06:05 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\{B5E0835B-90B2-EE2D-FB84-C9FF275634C1}
2017-08-04 04:36 - 2016-10-06 00:20 - 000000298 _____ C:\Users\manpreet\AppData\Roaming\WB.CFG
2017-08-04 03:54 - 2016-10-24 16:57 - 000000000 ____D C:\Program Files\Gramblr
2017-08-03 17:12 - 2014-11-21 16:43 - 000865068 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-03 17:12 - 2013-08-22 21:36 - 000000000 ____D C:\Windows\Inf
2017-08-03 07:36 - 2013-08-22 23:36 - 000000000 ____D C:\Windows\rescache
2017-08-03 05:54 - 2016-08-27 01:50 - 000000000 ____D C:\Users\manpreet\AppData\Local\JDownloader v2.0
2017-08-02 18:34 - 2013-08-22 23:36 - 000000000 ____D C:\Windows\system32\NDF
2017-08-02 08:28 - 2016-08-27 05:59 - 000000000 ____D C:\ProgramData\Package Cache
2017-08-02 08:22 - 2013-08-22 22:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-02 08:21 - 2013-08-22 23:36 - 000000000 ___SD C:\Windows\Downloaded Program Files
2017-08-01 22:23 - 2017-03-27 11:02 - 000000000 ____D C:\Users\manpreet\Documents\Custom Office Templates
2017-08-01 22:23 - 2016-08-27 03:41 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\uTorrent
2017-08-01 20:28 - 2017-06-01 05:02 - 000000000 ____D C:\Users\manpreet\Downloads\OPEN LINK DOWNLOAD HERE
2017-08-01 09:03 - 2016-09-29 05:05 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\Yahoo Messenger
2017-08-01 08:36 - 2013-08-22 21:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2017-08-01 03:56 - 2017-04-11 23:18 - 000000000 ____D C:\Users\manpreet\Downloads\WHAT GIRLS WANT MEN TO WEAR
2017-07-30 20:22 - 2013-08-22 22:44 - 005125832 _____ C:\Windows\system32\FNTCACHE.DAT
2017-07-30 13:11 - 2013-08-22 23:20 - 000000000 ____D C:\Windows\CbsTemp
2017-07-29 01:38 - 2016-09-29 07:03 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\FileZilla
2017-07-28 01:10 - 2016-11-15 20:37 - 000002350 _____ C:\Users\manpreet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2017-07-28 01:10 - 2016-11-14 23:20 - 000003188 _____ C:\Windows\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-2225106580-1076773051-1491251937-1001
2017-07-27 15:21 - 2013-08-22 23:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-07-27 15:20 - 2013-08-22 23:36 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2017-07-27 15:17 - 2016-09-05 09:44 - 000000000 ____D C:\Program Files\Microsoft Office
2017-07-21 10:26 - 2016-08-26 16:02 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-07-21 10:26 - 2016-08-26 16:02 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-07-20 23:11 - 2017-03-22 16:18 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\Google
2017-07-20 21:15 - 2016-09-16 21:30 - 000001456 _____ C:\Users\manpreet\AppData\Local\Adobe Save for Web 13.0 Prefs
2017-07-20 18:38 - 2013-08-22 23:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-07-20 18:38 - 2013-08-22 23:36 - 000000000 ____D C:\Windows\AppReadiness
2017-07-19 07:48 - 2016-11-14 23:18 - 000000000 ____D C:\Users\manpreet\AppData\Local\Windows Live
2017-07-17 17:37 - 2016-09-29 07:03 - 000000000 ____D C:\Program Files\FileZilla FTP Client
2017-07-17 17:36 - 2016-09-29 07:03 - 000000000 ____D C:\Users\manpreet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2017-07-16 18:06 - 2016-09-06 04:34 - 000000000 ___RD C:\Program Files (x86)\Skype
2017-07-16 18:06 - 2016-09-06 04:33 - 000000000 ____D C:\ProgramData\Skype
2017-07-14 00:15 - 2016-09-21 22:33 - 000000000 ____D C:\Users\manpreet\Downloads\Product Launch Formula 4.0 [Complete+Bonus]
2017-07-13 20:25 - 2016-09-04 04:42 - 000000000 ____D C:\Windows\system32\MRT
2017-07-13 20:25 - 2016-08-28 19:59 - 000000000 ____D C:\Windows\system32\appraiser
2017-07-13 20:23 - 2016-09-04 04:42 - 135225752 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-07-12 16:44 - 2016-09-06 07:22 - 000000000 ____D C:\Program Files (x86)\McAfee
2017-07-12 16:44 - 2016-09-05 21:11 - 000000000 ____D C:\Program Files\TrueKey
2017-07-12 16:39 - 2016-09-14 11:01 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-07-08 01:36 - 2016-11-21 19:03 - 000000000 ____D C:\Users\manpreet\Desktop\New folder
2017-07-05 16:55 - 2016-09-06 07:23 - 000001185 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\True Key.lnk
2017-07-05 16:55 - 2016-09-06 07:23 - 000001171 _____ C:\Users\Public\Desktop\True Key.lnk
 
==================== Files in the root of some directories =======
 
2017-07-27 01:37 - 2017-07-27 01:37 - 000256512 _____ () C:\Users\manpreet\AppData\Roaming\Megokos.exe
2016-10-15 06:05 - 2016-10-15 06:05 - 003187734 _____ () C:\Users\manpreet\AppData\Roaming\sb578.dat
2016-10-15 06:04 - 2016-10-15 06:04 - 000415744 _____ () C:\Users\manpreet\AppData\Roaming\Setup21974.exe
2016-10-06 00:20 - 2017-08-04 04:36 - 000000298 _____ () C:\Users\manpreet\AppData\Roaming\WB.CFG
2016-09-16 21:30 - 2017-07-20 21:15 - 000001456 _____ () C:\Users\manpreet\AppData\Local\Adobe Save for Web 13.0 Prefs
2017-08-02 00:54 - 2017-08-02 22:28 - 000008192 _____ () C:\Users\manpreet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-09-29 07:13 - 2016-09-29 19:14 - 000000600 _____ () C:\Users\manpreet\AppData\Local\PUTTY.RND
 
Files to move or delete:
====================
C:\KMSpico\KMSpico_Setup.exe
C:\Windows\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}.job
C:\Windows\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E}.job
C:\Windows\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF}.job
 
 
Some files in TEMP:
====================
2017-08-04 21:34 - 2017-03-12 19:50 - 000427520 _____ () C:\Users\manpreet\AppData\Local\Temp\5gjp.dll
2017-07-18 21:32 - 2014-07-20 13:24 - 000105064 _____ () C:\Users\manpreet\AppData\Local\Temp\cabex.dll
2017-08-01 08:34 - 2017-07-18 21:32 - 000137896 _____ (Speedbit Ltd.) C:\Users\manpreet\AppData\Local\Temp\DAPREMOVE.EXE
2017-07-23 22:01 - 2017-07-23 22:01 - 000040448 _____ () C:\Users\manpreet\AppData\Local\Temp\proxy_vole6734976626289795480.dll
2017-07-26 01:48 - 2017-07-26 01:48 - 000040448 _____ () C:\Users\manpreet\AppData\Local\Temp\proxy_vole7437453209373642802.dll
2017-07-20 19:20 - 2017-07-20 19:20 - 000040448 ____N () C:\Users\manpreet\AppData\Local\Temp\proxy_vole8371999163550308905.dll
2017-07-30 22:57 - 2017-07-30 22:57 - 000040448 _____ () C:\Users\manpreet\AppData\Local\Temp\proxy_vole8645342612861067655.dll
2017-07-18 21:34 - 2014-07-21 10:23 - 000130712 _____ () C:\Users\manpreet\AppData\Local\Temp\RunWizards.exe
2017-07-18 21:32 - 2013-06-03 08:36 - 000041984 _____ () C:\Users\manpreet\AppData\Local\Temp\SetupUtils6.dll
2017-07-16 17:50 - 2017-07-16 18:01 - 058740704 _____ (Skype Technologies S.A.) C:\Users\manpreet\AppData\Local\Temp\SkypeSetup.exe
2017-07-18 21:33 - 2010-06-09 14:43 - 001821192 _____ (Microsoft Corporation) C:\Users\manpreet\AppData\Local\Temp\vcredist_x86.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-08-04 10:01
 
==================== End of FRST.txt ============================

FARBAR scan - Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by manpreet (04-08-2017 21:44:05)
Running from C:\Users\manpreet\Downloads
Windows 8.1 Pro (Update) (X64) (2016-08-26 05:20:01)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2225106580-1076773051-1491251937-500 - Administrator - Disabled)
Guest (S-1-5-21-2225106580-1076773051-1491251937-501 - Limited - Disabled)
manpreet (S-1-5-21-2225106580-1076773051-1491251937-1001 - Administrator - Enabled) => C:\Users\manpreet
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\uTorrent) (Version: 3.5.0.43916 - BitTorrent Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20058 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.8.0.310 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
AdWords Editor (HKLM-x32\...\{F5CB9470-6351-11E7-B35B-480FCF5D6515}) (Version: 12.0.4.0 - Google)
Ashampoo Burning Studio FREE v.1.14.5 (HKLM-x32\...\{91B33C97-91F8-FFB3-581B-BC952C901685}_is1) (Version: 1.14.5 - Ashampoo GmbH & Co. KG)
Asterisk Key 10.0 (HKLM-x32\...\asterisk key) (Version:  - )
Belarc Advisor 8.5c (HKLM-x32\...\Belarc Advisor) (Version: 8.5.3.0 - Belarc Inc.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Desktop-Reminder 2 (HKLM-x32\...\{288487BA-D8C5-4C81-BD89-C7E49DD48E18}) (Version: 2.105 - Polenter - Software Solutions) Hidden
Desktop-Reminder 2 (HKLM-x32\...\Desktop-Reminder 2) (Version: 2.105 - Polenter - Software Solutions)
EssentialPIM (HKLM-x32\...\EssentialPIM) (Version: 7.13 - Astonsoft Ltd)
Ezvid (HKLM-x32\...\{F96D619D-99D6-4C9C-A393-0CD22DE1CA66}_is1) (Version: 1.004 - Ezvid, inc.)
FileZilla Client 3.26.2 (HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\FileZilla Client) (Version: 3.26.2 - Tim Kosse)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 59.0.3071.115 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Gramblr (HKLM\...\Gramblr) (Version: 2.9.53 - Gramblr Team)
Intel Security True Key (HKLM\...\TrueKey) (Version: 4.19.108.1 - Intel Security)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4226 - Intel Corporation)
JDownloader 2 (HKLM\...\jdownloader2) (Version: 2.0 - AppWork GmbH)
Junk Mail filter update (HKLM-x32\...\{0BE9E708-5DC0-4963-9CFD-0AA519090E79}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.376.2 - McAfee, Inc.)
MegaDownloader 1.7 (HKLM\...\{C12C2297-65A4-4E64-9AE1-29F0D947FDA0}}_is1) (Version: 1.7 - AppsForMega.info)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.8229.2103 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\OneDriveSetup.exe) (Version: 17.3.6943.0625 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 (HKLM-x32\...\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 (HKLM-x32\...\{2e085fd2-a3e4-4b39-8e10-6b8d35f55244}) (Version: 14.0.23918.0 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 49.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 49.0.1 (x86 en-US)) (Version: 49.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.4.0 - Mozilla)
Mozilla Thunderbird 45.4.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.4.0 (x86 en-US)) (Version: 45.4.0 - Mozilla)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.9.1 - Notepad++ Team)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.8229.2103 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.8229.2103 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.8201.2075 - Microsoft Corporation) Hidden
OpenOffice 4.1.2 (HKLM-x32\...\{E6AD67BB-1C33-4AB3-A387-E0D48137AB70}) (Version: 4.12.9782 - Apache Software Foundation)
PDF Settings CS6 (HKLM-x32\...\{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}) (Version: 11.0 - Adobe Systems Incorporated) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10586.31225 - Realtek Semiconduct Corp.)
Revo Uninstaller 2.0.3 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.3 - VS Revo Group, Ltd.)
Revo Uninstaller Pro 3.1.6 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.6 - VS Revo Group, Ltd.)
Skype™ 7.38 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.38.101 - Skype Technologies S.A.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
VueMinder Ultimate (HKLM-x32\...\{A1B6FDC5-9D38-4215-A6EC-6D2B83A6960B}) (Version: 12.10.0410 - VueSoft)
WiFi Password Revealer (HKLM-x32\...\WiFi Password Revealer_is1) (Version: 1.0.0.7 - Magical Jelly Bean)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinHTTrack Website Copier 3.48-22 (x64) (HKLM\...\WinHTTrack Website Copier_is1) (Version: 3.48.22 - HTTrack)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
XAMPP (HKLM-x32\...\xampp) (Version: 7.0.8-0 - Bitnami)
Yahoo Messenger (HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\yahoomessenger) (Version: 0.8.288 - Yahoo! Inc)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Microsoft\OneDrive\17.3.6943.0625\amd64\FileCoAuthLib64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll (Google Inc.)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2016-03-29] ()
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [2016-03-10] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2015-06-04] (Intel Corporation)
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [2016-03-10] (Malwarebytes)
ContextMenuHandlers6: [RUShellExt] -> {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} => C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [2012-12-29] (VS Revo Group)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {034BC9E8-3CEA-485B-A8B8-296CC6A0847D} - System32\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E} => C:\Users\manpreet\AppData\Roaming\{CB23F~1\synctask.exe <==== ATTENTION
Task: {256CD172-19EE-4101-BC02-06F64BB654C7} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-07-08] ()
Task: {2900EC99-6F73-4B7E-8822-A107B731E5B3} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-07-08] ()
Task: {370F0139-F4D1-4AB4-B177-664486B7EF84} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-07-18] (Microsoft Corporation)
Task: {3D8DF46E-593B-410E-B59A-979CB1595F65} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2225106580-1076773051-1491251937-1001Core => C:\Users\manpreet\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-22] (Google Inc.)
Task: {5129A2C7-B833-4B56-90FE-2D9EFF30029D} - System32\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF} => C:\Users\manpreet\AppData\Roaming\{B5E08~1\Updater.exe [2013-04-23] () <==== ATTENTION
Task: {604461A0-B4C7-44A8-9583-EF8A969EA6FE} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {63E6CBF7-0DDB-4791-831C-FCDB999FF59E} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-07-18] (Microsoft Corporation)
Task: {678440B8-71D4-4364-BD26-822E4A2905A0} - System32\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77} => C:\Users\manpreet\AppData\Local\099F2B~1\SYNCVE~1.EXE <==== ATTENTION
Task: {6DA57061-2AB8-4160-9FD8-4C82249DC58A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-08-26] (Google Inc.)
Task: {91005E81-B89C-4629-ACF5-6C7AE018A096} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2016-12-15] (McAfee, Inc.)
Task: {965BF249-80F3-46A5-B24F-4EE3935AD41B} - System32\Tasks\1211q11562B41351H93574 => C:\Windows\system32\rundll32.exe "C:\ProgramData\1211q11562B41351H93574\1211q11562B41351H93574.dll",qBHfXzOyBS <==== ATTENTION
Task: {9924668A-DF2B-43DA-AD85-945590A2C74A} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2225106580-1076773051-1491251937-1001UA => C:\Users\manpreet\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-22] (Google Inc.)
Task: {9A118EB3-0B7C-4AED-B8B9-4170B5AB3DC1} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2017-07-27] (Microsoft Corporation)
Task: {BC5D80C3-FD6C-42CB-AC86-22A877F85321} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-08-26] (Google Inc.)
Task: {BDB52666-85C9-4A8D-88DB-3561DEA979CF} - System32\Tasks\DSdeGlr6TY => C:\DSdeGlr6TYDSdeGlr6TY\DSdeGlr6TY.vbs [2017-08-04] () <==== ATTENTION
Task: {F3C3764F-EC5A-4AA6-B031-2C36D30A89E3} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2017-07-27] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}.job => C:\Users\manpreet\AppData\Local\099F2B~1\SYNCVE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E}.job => C:\Users\manpreet\AppData\Roaming\{CB23F~1\synctask.exe <==== ATTENTION
Task: C:\Windows\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF}.job => C:\Users\manpreet\AppData\Roaming\{B5E08~1\Updater.exe <==== ATTENTION
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Users\manpreet\AppData\Local\Microsoft\Windows\ConnectedSearch\History\site_1919035336_en-us.lnk -> hxxp://paint.ne
 
ShortcutWithArgument: C:\Users\manpreet\Desktop\Simple EPUB Reader.lnk -> C:\Users\manpreet\AppData\Local\chromium\Application\chrome.exe (The Chromium Authors) ->  --profile-directory=Default --app-id=ojhbgcchcbdjdenibfmjofobklkkhofc
ShortcutWithArgument: C:\Users\manpreet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium Apps\Simple EPUB Reader.lnk -> C:\Users\manpreet\AppData\Local\chromium\Application\chrome.exe (The Chromium Authors) ->  --profile-directory=Default --app-id=ojhbgcchcbdjdenibfmjofobklkkhofc
ShortcutWithArgument: C:\Users\manpreet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Simple EPUB Reader.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=ojhbgcchcbdjdenibfmjofobklkkhofc
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-10-24 16:57 - 2017-08-04 03:54 - 011411536 _____ () C:\Program Files\Gramblr\gramblr.exe
2017-08-04 18:36 - 2014-03-22 14:50 - 003104768 ____N () C:\ProgramData\1211q11562B41351H93574\1211q11562B41351H93574.dll
2017-08-04 20:01 - 2017-08-04 20:01 - 000481792 _____ () C:\Windows\TEMP\gECB4.tmp.exe
2016-05-22 19:33 - 2016-05-22 19:33 - 000491184 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
2017-03-06 13:23 - 2017-07-08 01:30 - 008932040 _____ () C:\Program Files\Microsoft Office\root\Office16\1033\GrooveIntlResource.dll
2017-06-28 21:44 - 2017-06-23 11:21 - 003807064 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libglesv2.dll
2017-06-28 21:44 - 2017-06-23 11:21 - 000100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libegl.dll
2017-08-04 21:34 - 2017-03-12 19:50 - 000427520 _____ () C:\Users\manpreet\AppData\Local\Temp\5gjp.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [135]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 21:25 - 2017-08-04 20:01 - 000013501 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
There are 333 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\manpreet\AppData\Roaming\Microsoft\Windows Photo Viewer\Windows Photo Viewer Wallpaper.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "AdobeCS6ServiceManager"
HKLM\...\StartupApproved\Run32: => "SwitchBoard"
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\StartupApproved\Run: => "uTorrent"
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\StartupApproved\Run: => "Skype"
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\StartupApproved\Run: => "Chromium"
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\StartupApproved\Run: => "Yahoo Messenger Updater"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{B66604A9-BF2A-481B-A268-48E1EF6BC2F2}] => (Allow) C:\Users\manpreet\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{9E32E7EE-53FE-4089-8E2D-6D8210C1A441}] => (Allow) C:\Users\manpreet\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{281F7A45-FDE1-488C-8CD4-77530142AC13}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [UDP Query User{EB2E36D2-4255-4554-B732-0295097530F3}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [TCP Query User{9E9A5ABA-00F1-41C1-AC07-81EB20FD62F0}C:\xampp\mysql\bin\mysqld.exe] => (Allow) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [UDP Query User{61F72EE7-DEC9-4013-97AD-3ADB3FA9209D}C:\xampp\mysql\bin\mysqld.exe] => (Allow) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [{670F0942-6CDC-4A8B-99CC-12C055B71809}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7CF9DB14-D2B0-43C6-AF3F-5715C1D65ABB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{E2F6D475-564B-4504-BAC2-A0FA328095B2}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{607DE1C4-E2E7-4506-9CFC-0889D08F8D8E}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{BAC2E9B4-B326-48C0-BA00-26ACD418FBFB}] => (Allow) C:\Program Files (x86)\VueSoft\VueMinder\VueMinder.exe
FirewallRules: [{2325112C-52C9-467A-8C06-0CF8F994B5CB}] => (Allow) C:\Users\manpreet\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [{0BA01A1D-7342-4EE8-9AAA-F9FEFB8B5E79}] => (Allow) C:\Users\manpreet\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{87556692-46B7-4EEE-9E0D-CD0E1F7EB641}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{87B22584-2202-4038-A623-0C11BC72ECFC}] => (Allow) LPort=2869
FirewallRules: [{5F1DAD10-8C45-4B31-8FB5-570186F5B753}] => (Allow) LPort=1900
FirewallRules: [{D94471C4-4163-4FC5-A07B-9E5B91B2C981}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{F5446AD2-DE77-4BD5-AFE9-9FABD403B2E9}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{A4A37CCA-A41A-4FDC-9544-8C9E643CF87F}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{C04ED66F-A537-48EC-B8BB-5EB4F87AF8DE}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{3F6FC87E-4454-422A-AD21-D490E589AA90}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [TCP Query User{FE27B812-ADF7-4441-8486-0D4F646A6F7E}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{017D6741-309E-4556-8416-F817A8ADAD83}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{36075939-6B6A-4F44-B7D9-52C55FF1122A}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{4FB6AC5B-A1B5-4514-8269-3EA627C2E7D7}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{2F598B2E-7480-4420-9E53-F588D4A7A7EA}C:\program files\megadownloader\megadownloader.exe] => (Allow) C:\program files\megadownloader\megadownloader.exe
FirewallRules: [UDP Query User{CFCFBB7C-7957-44CD-82CD-91217145A615}C:\program files\megadownloader\megadownloader.exe] => (Allow) C:\program files\megadownloader\megadownloader.exe
FirewallRules: [{12E38056-47D4-46C9-89D4-70D2105B4B2D}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{B979CE4E-9798-4DD1-AF09-9A2E55437FB8}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{2DAB3603-5D4D-4218-8A7F-A6DDF1B96DE5}] => (Allow) C:\Windows\System32\rundll32.exe
 
==================== Restore Points =========================
 
23-07-2017 13:08:00 Scheduled Checkpoint
30-07-2017 12:59:38 Windows Update
01-08-2017 08:40:45 Removed dupeGuru
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/04/2017 09:39:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: KMSpico_Setup.exe, version: 8.0.50727.8007, time stamp: 0x537dab39
Faulting module name: cscomp.dll, version: 6.3.9600.18696, time stamp: 0x5915ecd6
Exception code: 0xc0000135
Fault offset: 0x0009d4c2
Faulting process id: 0xdc8
Faulting application start time: 0x01d30d266b6ac94e
Faulting application path: C:\KMSpico\KMSpico_Setup.exe
Faulting module path: cscomp.dll
Report Id: 4fcb9477-791a-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (08/04/2017 09:32:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 59.0.3071.115, time stamp: 0x594c442d
Faulting module name: ntdll.dll, version: 6.3.9600.18696, time stamp: 0x59153753
Exception code: 0xc0000409
Fault offset: 0x00000000000815f8
Faulting process id: 0x9d4
Faulting application start time: 0x01d30d223aa7be73
Faulting application path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 6006f718-7919-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (08/04/2017 09:15:06 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "c:\program files (x86)\Adobe\adobe creative cloud\Utils\Creative Cloud Uninstaller.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_a9ec6aab013aafee.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8.manifest.
 
Error: (08/04/2017 09:13:32 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "c:\program files (x86)\Adobe\adobe creative cloud\Utils\Creative Cloud Uninstaller.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_a9ec6aab013aafee.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8.manifest.
 
Error: (08/04/2017 09:08:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: KMSpico_Setup.exe, version: 8.0.50727.8007, time stamp: 0x537dab39
Faulting module name: cscomp.dll, version: 6.3.9600.18696, time stamp: 0x5915ecd6
Exception code: 0xc0000135
Fault offset: 0x0009d4c2
Faulting process id: 0xc58
Faulting application start time: 0x01d30d22286b704b
Faulting application path: C:\KMSpico\KMSpico_Setup.exe
Faulting module path: cscomp.dll
Report Id: f9b86303-7915-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (08/04/2017 09:08:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: KMSpico_Setup.exe, version: 8.0.50727.8007, time stamp: 0x537dab39
Faulting module name: cscomp.dll, version: 6.3.9600.18696, time stamp: 0x5915ecd6
Exception code: 0xc0000135
Fault offset: 0x0009d4c2
Faulting process id: 0x1650
Faulting application start time: 0x01d30d2227fd5968
Faulting application path: C:\KMSpico\KMSpico_Setup.exe
Faulting module path: cscomp.dll
Report Id: f94e310c-7915-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (08/04/2017 09:08:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: KMSpico_Setup.exe, version: 8.0.50727.8007, time stamp: 0x537dab39
Faulting module name: cscomp.dll, version: 6.3.9600.18696, time stamp: 0x5915ecd6
Exception code: 0xc0000135
Fault offset: 0x0009d4c2
Faulting process id: 0xe78
Faulting application start time: 0x01d30d22278baaec
Faulting application path: C:\KMSpico\KMSpico_Setup.exe
Faulting module path: cscomp.dll
Report Id: f8b8f25a-7915-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (08/04/2017 08:34:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 59.0.3071.115, time stamp: 0x594c442d
Faulting module name: ntdll.dll, version: 6.3.9600.18696, time stamp: 0x59153753
Exception code: 0xc0000409
Fault offset: 0x00000000000815f8
Faulting process id: 0x112c
Faulting application start time: 0x01d30d167f20d96c
Faulting application path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 4a6f2776-7911-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (08/04/2017 08:22:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 6.3.9600.17415, time stamp: 0x54076885
Faulting module name: ntdll.dll, version: 6.3.9600.18696, time stamp: 0x5915ecd6
Exception code: 0xc0000018
Fault offset: 0x0009d4c2
Faulting process id: 0x94c
Faulting application start time: 0x01d30d1c5f937d6a
Faulting application path: C:\Windows\SysWOW64\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 9d62ade2-790f-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (08/04/2017 07:42:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: gramblr.exe, version: 0.0.0.0, time stamp: 0x59833dde
Faulting module name: ntdll.dll, version: 6.3.9600.18696, time stamp: 0x59153753
Exception code: 0xc0000005
Fault offset: 0x0000000000054a71
Faulting process id: 0x1714
Faulting application start time: 0x01d30cb72bd98b4c
Faulting application path: C:\Program Files\Gramblr\gramblr.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: f8d6f58c-7909-11e7-829a-9c2a7052fd1e
Faulting package full name: 
Faulting package-relative application ID:
 
 
System errors:
=============
Error: (08/04/2017 07:42:21 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Connectivity Manager for Gramblr service terminated unexpectedly.  It has done this 11 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.
 
Error: (08/04/2017 06:40:21 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Defender Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Run the configured recovery program.
 
Error: (08/04/2017 10:02:26 AM) (Source: DCOM) (EventID: 10010) (User: my-laptop)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.
 
Error: (08/04/2017 10:01:55 AM) (Source: DCOM) (EventID: 10010) (User: my-laptop)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.
 
Error: (08/04/2017 08:18:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Connectivity Manager for Gramblr service terminated unexpectedly.  It has done this 10 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.
 
Error: (08/04/2017 08:18:17 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Connectivity Manager for Gramblr service terminated with the following error: 
Incorrect function.
 
Error: (08/03/2017 08:51:38 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Connectivity Manager for Gramblr service terminated unexpectedly.  It has done this 9 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.
 
Error: (08/03/2017 08:51:38 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Connectivity Manager for Gramblr service terminated with the following error: 
Incorrect function.
 
Error: (08/03/2017 07:19:05 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (08/03/2017 07:17:55 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Connectivity Manager for Gramblr service terminated unexpectedly.  It has done this 8 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3337U CPU @ 1.80GHz
Percentage of memory in use: 54%
Total physical RAM: 3965.27 MB
Available physical RAM: 1795.46 MB
Total Virtual: 5711.37 MB
Available Virtual: 2861.48 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:243.06 GB) (Free:37.82 GB) NTFS
Drive d: (data) (Fixed) (Total:212.81 GB) (Free:79.59 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: AB416AB7)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

 




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:54 PM

Posted 04 August 2017 - 09:35 AM

Hi dukethacore :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button;
    • If it asks you to restart your computer to complete the removal, do so;
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 dukethacore

dukethacore
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 04 August 2017 - 10:07 AM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/8/2017
Scan Time: 10:48 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2017.08.04.09
Rootkit Database: v2017.08.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: manpreet
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 259831
Time Elapsed: 11 min, 10 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 4
Backdoor.Agent.E.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|Windows, "C:\KMSpico\KMSpico_Setup.exe", Quarantined, [dc7d0980e3c62115e730daa3c53b48b8]
Backdoor.Agent.E.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows, "C:\KMSpico\KMSpico_Setup.exe", Quarantined, [dc7d0980e3c62115e730daa3c53b48b8]
Backdoor.Agent.E.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|Windows, "C:\KMSpico\KMSpico_Setup.exe", Quarantined, [dc7d0980e3c62115e730daa3c53b48b8]
Backdoor.Agent.E.Generic, HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows, "C:\KMSpico\KMSpico_Setup.exe", Quarantined, [dc7d0980e3c62115e730daa3c53b48b8]
 
Registry Data: 2
Backdoor.Agent.E.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, C:\WINDOWS\system32\userinit.exe, "C:\KMSpico\KMSpico_Setup.exe", Good: (), Bad: (C:\KMSpico\KMSpico_Setup.exe),Replaced,[dc7d0980e3c62115e730daa3c53b48b8]
Backdoor.Agent.E.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, explorer.exe, "C:\KMSpico\KMSpico_Setup.exe", Good: (), Bad: (C:\KMSpico\KMSpico_Setup.exe),Replaced,[dc7d0980e3c62115e730daa3c53b48b8]
 
Folders: 1
Spyware.Remcos, C:\Users\manpreet\AppData\Roaming\remcos, Quarantined, [96c31673f5b48aacaf88e46c02fe49b7], 
 
Files: 3
Trojan.Injector, C:\Users\manpreet\AppData\Local\Temp\5gjp.dll, Quarantined, [3f1a6d1cdccdb680c7b50402b44d27d9], 
Spyware.Remcos, C:\Users\manpreet\AppData\Roaming\remcos\logs.dat, Quarantined, [96c31673f5b48aacaf88e46c02fe49b7], 
Backdoor.Agent.E.Generic, C:\KMSpico\KMSpico_Setup.exe, Quarantined, [dc7d0980e3c62115e730daa3c53b48b8], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#4 dukethacore

dukethacore
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 04 August 2017 - 10:22 AM

Hey Aura, I cannot seem to open Windows Defender, it's been disabled. Can you check? What should I do next?



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:54 PM

Posted 04 August 2017 - 10:24 AM

Good, thank you :) Now let's delete the rest.

Google Chrome - Remove Extension/App
  • In Google Chrome, enter chrome://extensions in the address bar and press on Enter;
  • In the Extensions page, uninstall these (by clicking on the little garbage can icon on their right):
    • hTab
    • Open Plugins
  • If you don't see the extension listed, it means that it's installed as an App. So enter chrome://apps in the address bar and press on Enter;
  • From the Apps page, look for the app, right-click on it and select Remove from Chrome;
Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Attached Files




#6 dukethacore

dukethacore
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 04 August 2017 - 10:37 AM

I can't remove this extension; it says "installed by enterprise policy":

  • Open Plugins


#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:54 PM

Posted 04 August 2017 - 10:42 AM

Alright, leave it be for now, we'll address it after. Move on with the FRST fix.



#8 dukethacore

dukethacore
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 04 August 2017 - 10:44 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by manpreet (04-08-2017 23:38:24) Run:1
Running from C:\Users\manpreet\Desktop
Loaded Profiles: manpreet (Available Profiles: manpreet)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
DeleteKey: HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
DeleteKey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
DeleteKey: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [Chromium] => c:\users\manpreet\appdata\local\chromium\application\chrome.exe [1068544 2016-03-19] (The Chromium Authors)
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\RunOnce: [DSdeGlr6TY] => C:\DSdeGlr6TYDSdeGlr6TY\DSdeGlr6TY.vbs [190 2017-08-04] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered
FF Homepage: Mozilla\Firefox\Profiles\umii3wwl.default -> hxxps://malaysia.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_fremkfs_16_40&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dmy%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0A0D0FyEzy0FyDzyyD0DyEtN0D0Tzu0StCyBtAzztN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StBtD0B0F0C0A0F0CtGyEtA0DyBtGtA0C0ByDtGyB0AyB0CtGyDzztA0AtC0B0CyEtByDtByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtDtAyByBtDtD0AtG0FyDyByDtGyE0B0EtDtG0BtCtB0CtGtA0CyDzyzyyCzz0AtB0Azzzz2QtN0A0LzuyE%26cr%3D1805758380%26a%3Dwcg_fremkfs_16_40%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro
FF SearchPlugin: C:\Users\manpreet\AppData\Roaming\Mozilla\Firefox\Profiles\umii3wwl.default\searchplugins\yahoo! powered.xml [2016-10-05]
 
CHR NewTab: Default ->  Not-active:"chrome-extension://elmkjjfkkchohaaoljobaffjeedcoocj/ntab.html"
 
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
 
Task: {034BC9E8-3CEA-485B-A8B8-296CC6A0847D} - System32\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E} => C:\Users\manpreet\AppData\Roaming\{CB23F~1\synctask.exe <==== ATTENTION
Task: {5129A2C7-B833-4B56-90FE-2D9EFF30029D} - System32\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF} => C:\Users\manpreet\AppData\Roaming\{B5E08~1\Updater.exe [2013-04-23] () <==== ATTENTION
Task: {678440B8-71D4-4364-BD26-822E4A2905A0} - System32\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77} => C:\Users\manpreet\AppData\Local\099F2B~1\SYNCVE~1.EXE <==== ATTENTION
Task: {965BF249-80F3-46A5-B24F-4EE3935AD41B} - System32\Tasks\1211q11562B41351H93574 => C:\Windows\system32\rundll32.exe "C:\ProgramData\1211q11562B41351H93574\1211q11562B41351H93574.dll",qBHfXzOyBS <==== ATTENTION
Task: {BDB52666-85C9-4A8D-88DB-3561DEA979CF} - System32\Tasks\DSdeGlr6TY => C:\DSdeGlr6TYDSdeGlr6TY\DSdeGlr6TY.vbs [2017-08-04] () <==== ATTENTION
Task: C:\Windows\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}.job => C:\Users\manpreet\AppData\Local\099F2B~1\SYNCVE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E}.job => C:\Users\manpreet\AppData\Roaming\{CB23F~1\synctask.exe <==== ATTENTION
Task: C:\Windows\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF}.job => C:\Users\manpreet\AppData\Roaming\{B5E08~1\Updater.exe <==== ATTENTION
 
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [135]
 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\StartupApproved\Run: => "Chromium"
 
FirewallRules: [{2325112C-52C9-467A-8C06-0CF8F994B5CB}] => (Allow) C:\Users\manpreet\AppData\Local\Chromium\Application\chrome.exe
 
C:\DSdeGlr6TYDSdeGlr6TY
C:\KMSpico
C:\Program Files\KMSpico
C:\ProgramData\1211q11562B41351H93574
C:\ProgramData\ntuser.pol
C:\Users\manpreet\DSdeGlr6TY
C:\Users\manpreet\Downloads\KMSpico Install.rar
C:\Users\manpreet\Downloads\KMSpico_v10.2.0_All_in_One_Activator_for_Windows_and_Office_-_Cleaned_Version.exe
C:\Users\manpreet\AppData\Local\099F2B~1
c:\users\manpreet\appdata\local\chromium
C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmafpcnknacbcgigikdfmjfnmimhpkkg
C:\Users\manpreet\AppData\Roaming\{CB23F~1
C:\Users\manpreet\AppData\Roaming\{B5E08~1
C:\Users\manpreet\AppData\Roaming\Megokos.exe
C:\Users\manpreet\AppData\Roaming\Setup21974.exe
C:\Users\manpreet\AppData\Roaming\sb578.dat
C:\Windows\SECOH-QAD.exe
C:\Windows\SECOH-QAD.dll
C:\Windows\Temp\gECB4.tmp.exe
C:\Windows\Temp\*.tmp.exe
 
Hosts:
EmptyTemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj => key removed successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj => key removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj => key removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Chromium => value removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\DSdeGlr6TY => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully
Firefox DefaultSearchEngine removed successfully
Firefox SelectedSearchEngine removed successfully
Firefox "homepage" removed successfully
C:\Users\manpreet\AppData\Roaming\Mozilla\Firefox\Profiles\umii3wwl.default\searchplugins\yahoo! powered.xml => moved successfully
Chrome NewTab => removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04} => key removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{034BC9E8-3CEA-485B-A8B8-296CC6A0847D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{034BC9E8-3CEA-485B-A8B8-296CC6A0847D} => key removed successfully
C:\Windows\System32\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{4B1B297A-418E-77BF-4BD3-616E4AD0508E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5129A2C7-B833-4B56-90FE-2D9EFF30029D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5129A2C7-B833-4B56-90FE-2D9EFF30029D} => key removed successfully
C:\Windows\System32\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{678440B8-71D4-4364-BD26-822E4A2905A0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{678440B8-71D4-4364-BD26-822E4A2905A0} => key removed successfully
C:\Windows\System32\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{099F2B44-8926-1316-394E-6FF3DFC20A77} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{965BF249-80F3-46A5-B24F-4EE3935AD41B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{965BF249-80F3-46A5-B24F-4EE3935AD41B} => key removed successfully
C:\Windows\System32\Tasks\1211q11562B41351H93574 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1211q11562B41351H93574 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BDB52666-85C9-4A8D-88DB-3561DEA979CF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BDB52666-85C9-4A8D-88DB-3561DEA979CF} => key removed successfully
C:\Windows\System32\Tasks\DSdeGlr6TY => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DSdeGlr6TY => key removed successfully
C:\Windows\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}.job => moved successfully
C:\Windows\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E}.job => moved successfully
C:\Windows\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF}.job => moved successfully
C:\ProgramData\TEMP => ":56E2E879" ADS removed successfully.
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Chromium => value removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Chromium => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2325112C-52C9-467A-8C06-0CF8F994B5CB} => value removed successfully
C:\DSdeGlr6TYDSdeGlr6TY => moved successfully
C:\KMSpico => moved successfully
C:\Program Files\KMSpico => moved successfully
C:\ProgramData\1211q11562B41351H93574 => moved successfully
C:\ProgramData\ntuser.pol => moved successfully
C:\Users\manpreet\DSdeGlr6TY => moved successfully
C:\Users\manpreet\Downloads\KMSpico Install.rar => moved successfully
C:\Users\manpreet\Downloads\KMSpico_v10.2.0_All_in_One_Activator_for_Windows_and_Office_-_Cleaned_Version.exe => moved successfully
"C:\Users\manpreet\AppData\Local\099F2B~1" => not found.
c:\users\manpreet\appdata\local\chromium => moved successfully
C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj => moved successfully
C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmafpcnknacbcgigikdfmjfnmimhpkkg => moved successfully
"C:\Users\manpreet\AppData\Roaming\{CB23F~1" => not found.
C:\Users\manpreet\AppData\Roaming\{B5E08~1 => moved successfully
C:\Users\manpreet\AppData\Roaming\Megokos.exe => moved successfully
C:\Users\manpreet\AppData\Roaming\Setup21974.exe => moved successfully
C:\Users\manpreet\AppData\Roaming\sb578.dat => moved successfully
C:\Windows\SECOH-QAD.exe => moved successfully
C:\Windows\SECOH-QAD.dll => moved successfully
C:\Windows\Temp\gECB4.tmp.exe => moved successfully
 
=========== "C:\Windows\Temp\*.tmp.exe" ==========
 
not found
 
========= End -> "C:\Windows\Temp\*.tmp.exe" ========
 
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11040350 B
Java, Flash, Steam htmlcache => 916 B
Windows/system/drivers => 446489682 B
Edge => 0 B
Chrome => 434535631 B
Firefox => 61289261 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 24963 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 7096330 B
manpreet => 855848921 B
 
RecycleBin => 0 B
EmptyTemp: => 1.7 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 23:41:23 ====
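The Malwarebytes log in post #3 (KMSpico_Setup.exe appended to the Winlogon Userinit and Shell values, plus Run and Policies\Explorer\Run values) and the FRST fixlog above (a Chrome policy restriction under HKLM\SOFTWARE\Policies\Google, a stray GroupPolicy folder and ntuser.pol, scheduled tasks launching from AppData and ProgramData) show the persistence locations this infection relied on. The script below is an added, read-only audit of exactly those locations; it is not part of the thread and not one of the tools Aura uses. It assumes an elevated PowerShell session on Windows 8.1 or later and the Windows default Winlogon values (userinit.exe, explorer.exe); the list of "suspicious" directories is my own heuristic, not something taken from the logs.

```powershell
# Added example, not from the thread: read-only audit of the persistence locations the
# Malwarebytes and FRST logs above show being abused. Assumes an elevated session (Win 8.1+).
function Get-PersistenceFindings {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Winlogon Userinit/Shell. The Malwarebytes log shows KMSpico_Setup.exe appended to
    #    both; a clean machine has a single userinit.exe / explorer.exe entry in each.
    $expected = @{ Userinit = 'userinit.exe'; Shell = 'explorer.exe' }
    foreach ($wl in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon')) {
        if (-not (Test-Path $wl)) { continue }
        $props = Get-ItemProperty -Path $wl
        foreach ($name in $expected.Keys) {
            $raw = $props.$name
            if ([string]::IsNullOrEmpty($raw)) { continue }
            # Split the comma-separated list, drop quotes and blanks, keep anything that is
            # not the expected default binary
            $extra = ($raw -split ',') | ForEach-Object { $_.Trim().Trim('"') } |
                     Where-Object { $_ -and ((Split-Path $_ -Leaf).ToLower() -ne $expected[$name]) }
            if ($extra) { $findings.Add("Winlogon $name in $wl has extra entries: $($extra -join '; ')") }
        }
    }

    # 2. Run / RunOnce / Policies\Explorer\Run values pointing into locations the logs show
    #    being used (user profile, ProgramData, Windows\Temp, or a folder directly under the
    #    drive root such as C:\KMSpico). The pattern list is a heuristic of mine.
    $suspiciousDirs = @('\\Users\\', '\\ProgramData\\', '\\Windows\\Temp\\',
                        '^"?[A-Za-z]:\\(?!Program Files|Windows\\)[^\\]+\\[^\\]+')
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $target = [string]$item.GetValue($valueName)
            foreach ($pattern in $suspiciousDirs) {
                if ($target -match $pattern) { $findings.Add("$key\$valueName => $target"); break }
            }
        }
    }

    # 3. "Installed by enterprise policy" Chrome extensions come from the policy hive. On a
    #    machine that is not centrally managed, any Chrome policy key deserves a look. The
    #    FRST fix also removed a stray GroupPolicy folder and ntuser.pol, so report those.
    if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') {
        $findings.Add('Chrome policy key HKLM\SOFTWARE\Policies\Google is present')
        $forceList = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
        if (Test-Path $forceList) {
            $fl = Get-Item -Path $forceList
            foreach ($n in $fl.GetValueNames()) { $findings.Add("Forced Chrome extension: $($fl.GetValue($n))") }
        }
    }
    foreach ($pol in @("$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol",
                       "$env:ProgramData\ntuser.pol")) {
        if (Test-Path $pol) { $findings.Add("Policy file present: $pol") }
    }

    # 4. Scheduled tasks whose action runs from a profile, ProgramData or temp path (the FRST
    #    log shows synctask.exe, Updater.exe and a rundll32 call into ProgramData set up this way).
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '\\Users\\|\\ProgramData\\|\\Windows\\Temp\\') {
                $findings.Add("Task $($task.TaskPath)$($task.TaskName) => $cmd")
            }
        }
    }
    return $findings
}

$results = Get-PersistenceFindings
if ($results.Count -eq 0) { 'No unexpected persistence entries found.' }
else { $results | ForEach-Object { "[!] $_" } }
```

The script changes nothing; it only lists what it finds so the entries can be compared against a known-good baseline before any removal is done with a tool like FRST. Legitimate software does occasionally run from ProgramData or a scheduled task in the user profile, so each hit is a lead to verify, not a verdict.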


#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:54 PM

Posted 04 August 2017 - 10:51 AM

Good. Can you .zip the following folder C:\FRST\Quarantine and upload it to the link below?

http://www.bleepingcomputer.com/submit-malware.php?channel=194

If it says it's too big, let me know.

Also, we'll do a sweep with AdwCleaner and JRT now.

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted JRT log;



#10 dukethacore

dukethacore
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 04 August 2017 - 11:28 AM

# AdwCleaner 7.0.1.0 - Logfile created on Fri Aug 04 16:15:26 2017
# Updated on 2017/05/08 by Malwarebytes 
# Running on Windows 8.1 Pro (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\ProgramData\Speedbit
Deleted: C:\ProgramData\Application Data\Speedbit
Deleted: C:\Users\All Users\Speedbit
Deleted: C:\Users\manpreet\AppData\Roaming\Speedbit
Deleted: C:\ProgramData\{6EDBDBF3-ED1B-4CF1-80B9-21175D532D2A}
 
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\SpeedBit
Deleted: [Key] - HKCU\Software\SpeedBit
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|windows
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|windows
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|windows
Deleted: [Value] - HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\Run|windows
Deleted: [Value] - HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|windows
Deleted: [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run|windows
Deleted: [Key] - HKLM\SOFTWARE\Auslogics
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [2321 B] - [2017/8/4 16:8:1]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 8.1 Pro x64 
Ran by manpreet (Administrator) on Sat 05/08/2017 at  0:20:47.72
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 4 
 
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{f7bb050c-e116-44da-89c2-6f2b68c54836} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{f7bb050c-e116-44da-89c2-6f2b68c54836} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 05/08/2017 at  0:25:40.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:54 PM

Posted 04 August 2017 - 11:29 AM

Were you able to do this?

Good. Can you .zip the following folder C:\FRST\Quarantine and upload it to the link below?

http://www.bleepingcomputer.com/submit-malware.php?channel=194

If it says it's too big, let me know.




#12 dukethacore

dukethacore
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 04 August 2017 - 11:36 AM

Yes, I am uploading the file. It's a big file, 363 MB, so it will take some time. What's next?



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • ONLINE
  • Gender:Male
  • Local time:10:54 PM

Posted 04 August 2017 - 11:56 AM

It's 363MB? Stop the upload, and run the following FRST fix.

Also, is the Open Plugins extension still there in Google Chrome?

Attached Files


Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 dukethacore

dukethacore
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 04 August 2017 - 12:04 PM

Open Plugin is gone now.

 

Here is the log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by manpreet (05-08-2017 01:00:29) Run:2
Running from C:\Users\manpreet\Desktop
Loaded Profiles: manpreet (Available Profiles: manpreet)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
DeleteKey: HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
DeleteKey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
DeleteKey: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\Run: [Chromium] => c:\users\manpreet\appdata\local\chromium\application\chrome.exe [1068544 2016-03-19] (The Chromium Authors)
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\RunOnce: [DSdeGlr6TY] => C:\DSdeGlr6TYDSdeGlr6TY\DSdeGlr6TY.vbs [190 2017-08-04] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered
FF Homepage: Mozilla\Firefox\Profiles\umii3wwl.default -> hxxps://malaysia.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_fremkfs_16_40&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dmy%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0A0D0FyEzy0FyDzyyD0DyEtN0D0Tzu0StCyBtAzztN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StBtD0B0F0C0A0F0CtGyEtA0DyBtGtA0C0ByDtGyB0AyB0CtGyDzztA0AtC0B0CyEtByDtByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtDtAyByBtDtD0AtG0FyDyByDtGyE0B0EtDtG0BtCtB0CtGtA0CyDzyzyyCzz0AtB0Azzzz2QtN0A0LzuyE%26cr%3D1805758380%26a%3Dwcg_fremkfs_16_40%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro
FF SearchPlugin: C:\Users\manpreet\AppData\Roaming\Mozilla\Firefox\Profiles\umii3wwl.default\searchplugins\yahoo! powered.xml [2016-10-05]
 
CHR NewTab: Default ->  Not-active:"chrome-extension://elmkjjfkkchohaaoljobaffjeedcoocj/ntab.html"
 
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\manpreet\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
 
Task: {034BC9E8-3CEA-485B-A8B8-296CC6A0847D} - System32\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E} => C:\Users\manpreet\AppData\Roaming\{CB23F~1\synctask.exe <==== ATTENTION
Task: {5129A2C7-B833-4B56-90FE-2D9EFF30029D} - System32\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF} => C:\Users\manpreet\AppData\Roaming\{B5E08~1\Updater.exe [2013-04-23] () <==== ATTENTION
Task: {678440B8-71D4-4364-BD26-822E4A2905A0} - System32\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77} => C:\Users\manpreet\AppData\Local\099F2B~1\SYNCVE~1.EXE <==== ATTENTION
Task: {965BF249-80F3-46A5-B24F-4EE3935AD41B} - System32\Tasks\1211q11562B41351H93574 => C:\Windows\system32\rundll32.exe "C:\ProgramData\1211q11562B41351H93574\1211q11562B41351H93574.dll",qBHfXzOyBS <==== ATTENTION
Task: {BDB52666-85C9-4A8D-88DB-3561DEA979CF} - System32\Tasks\DSdeGlr6TY => C:\DSdeGlr6TYDSdeGlr6TY\DSdeGlr6TY.vbs [2017-08-04] () <==== ATTENTION
Task: C:\Windows\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}.job => C:\Users\manpreet\AppData\Local\099F2B~1\SYNCVE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E}.job => C:\Users\manpreet\AppData\Roaming\{CB23F~1\synctask.exe <==== ATTENTION
Task: C:\Windows\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF}.job => C:\Users\manpreet\AppData\Roaming\{B5E08~1\Updater.exe <==== ATTENTION
 
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [135]
 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\...\StartupApproved\Run: => "Chromium"
 
FirewallRules: [{2325112C-52C9-467A-8C06-0CF8F994B5CB}] => (Allow) C:\Users\manpreet\AppData\Local\Chromium\Application\chrome.exe
 
C:\DSdeGlr6TYDSdeGlr6TY
C:\KMSpico
C:\Program Files\KMSpico
C:\ProgramData\1211q11562B41351H93574
C:\ProgramData\ntuser.pol
C:\Users\manpreet\DSdeGlr6TY
C:\Users\manpreet\Downloads\KMSpico Install.rar
C:\Users\manpreet\Downloads\KMSpico_v10.2.0_All_in_One_Activator_for_Windows_and_Office_-_Cleaned_Version.exe
C:\Users\manpreet\AppData\Local\099F2B~1
c:\users\manpreet\appdata\local\chromium
C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj
C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmafpcnknacbcgigikdfmjfnmimhpkkg
C:\Users\manpreet\AppData\Roaming\{CB23F~1
C:\Users\manpreet\AppData\Roaming\{B5E08~1
C:\Users\manpreet\AppData\Roaming\Megokos.exe
C:\Users\manpreet\AppData\Roaming\Setup21974.exe
C:\Users\manpreet\AppData\Roaming\sb578.dat
C:\Windows\SECOH-QAD.exe
C:\Windows\SECOH-QAD.dll
C:\Windows\Temp\gECB4.tmp.exe
C:\Windows\Temp\*.tmp.exe
 
Hosts:
EmptyTemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj => key not found. 
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj => key not found. 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Google\Chrome\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj => key not found. 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value not found.
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Chromium => value not found.
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\DSdeGlr6TY => value not found.
"C:\Windows\system32\GroupPolicy\Machine" => not found.
HKLM\SOFTWARE\Policies\Google => key not found. 
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered => not found
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\umii3wwl.default -> Yahoo! Powered => not found
FF Homepage: Mozilla\Firefox\Profiles\umii3wwl.default -> hxxps://malaysia.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_fremkfs_16_40&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dmy%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0A0D0FyEzy0FyDzyyD0DyEtN0D0Tzu0StCyBtAzztN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StBtD0B0F0C0A0F0CtGyEtA0DyBtGtA0C0ByDtGyB0AyB0CtGyDzztA0AtC0B0CyEtByDtByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtDtAyByBtDtD0AtG0FyDyByDtGyE0B0EtDtG0BtCtB0CtGtA0CyDzyzyyCzz0AtB0Azzzz2QtN0A0LzuyE%26cr%3D1805758380%26a%3Dwcg_fremkfs_16_40%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro => not found
"C:\Users\manpreet\AppData\Roaming\Mozilla\Firefox\Profiles\umii3wwl.default\searchplugins\yahoo! powered.xml" => not found.
Chrome NewTab => removed successfully
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04} => key not found. 
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{034BC9E8-3CEA-485B-A8B8-296CC6A0847D} => key not found. 
C:\Windows\System32\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E} => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{4B1B297A-418E-77BF-4BD3-616E4AD0508E} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5129A2C7-B833-4B56-90FE-2D9EFF30029D} => key not found. 
C:\Windows\System32\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF} => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{678440B8-71D4-4364-BD26-822E4A2905A0} => key not found. 
C:\Windows\System32\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77} => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{099F2B44-8926-1316-394E-6FF3DFC20A77} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{965BF249-80F3-46A5-B24F-4EE3935AD41B} => key not found. 
C:\Windows\System32\Tasks\1211q11562B41351H93574 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1211q11562B41351H93574 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BDB52666-85C9-4A8D-88DB-3561DEA979CF} => key not found. 
C:\Windows\System32\Tasks\DSdeGlr6TY => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DSdeGlr6TY => key not found. 
C:\Windows\Tasks\{099F2B44-8926-1316-394E-6FF3DFC20A77}.job => not found.
C:\Windows\Tasks\{4B1B297A-418E-77BF-4BD3-616E4AD0508E}.job => not found.
C:\Windows\Tasks\{7526AF81-90A0-CD02-6FC3-5F7C48AF70CF}.job => not found.
"C:\ProgramData\TEMP" => ":56E2E879" ADS not found.
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Chromium => value not found.
HKU\S-1-5-21-2225106580-1076773051-1491251937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Chromium => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2325112C-52C9-467A-8C06-0CF8F994B5CB} => value not found.
"C:\DSdeGlr6TYDSdeGlr6TY" => not found.
"C:\KMSpico" => not found.
"C:\Program Files\KMSpico" => not found.
"C:\ProgramData\1211q11562B41351H93574" => not found.
C:\ProgramData\ntuser.pol => moved successfully
"C:\Users\manpreet\DSdeGlr6TY" => not found.
"C:\Users\manpreet\Downloads\KMSpico Install.rar" => not found.
"C:\Users\manpreet\Downloads\KMSpico_v10.2.0_All_in_One_Activator_for_Windows_and_Office_-_Cleaned_Version.exe" => not found.
"C:\Users\manpreet\AppData\Local\099F2B~1" => not found.
"c:\users\manpreet\appdata\local\chromium" => not found.
"C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\elmkjjfkkchohaaoljobaffjeedcoocj" => not found.
"C:\Users\manpreet\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmafpcnknacbcgigikdfmjfnmimhpkkg" => not found.
"C:\Users\manpreet\AppData\Roaming\{CB23F~1" => not found.
"C:\Users\manpreet\AppData\Roaming\{B5E08~1" => not found.
"C:\Users\manpreet\AppData\Roaming\Megokos.exe" => not found.
"C:\Users\manpreet\AppData\Roaming\Setup21974.exe" => not found.
"C:\Users\manpreet\AppData\Roaming\sb578.dat" => not found.
"C:\Windows\SECOH-QAD.exe" => not found.
"C:\Windows\SECOH-QAD.dll" => not found.
"C:\Windows\Temp\gECB4.tmp.exe" => not found.
 
=========== "C:\Windows\Temp\*.tmp.exe" ==========
 
not found
 
========= End -> "C:\Windows\Temp\*.tmp.exe" ========
 
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7504464 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 2512261 B
Edge => 0 B
Chrome => 46917984 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
manpreet => 164795 B
 
RecycleBin => 0 B
EmptyTemp: => 62.5 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 01:01:08 ====


#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • ONLINE
  • Gender:Male
  • Local time:10:54 PM

Posted 04 August 2017 - 12:07 PM

Ah sorry, I gave you the wrong fixlist. Here, use this one. You can attach the fixlog.txt afterwards, as it might be a bit big.

Attached Files


Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.




