Need help removing NetSupport client completely



#1 sarangbi


Posted 12 November 2017 - 01:26 AM

I've only just recently found out I had this malware when it apparently infected my computer almost a month ago... Nothing seemed suspicious until I was ordering stuff on Amazon and someone had made a purchase of a PlayStation Gift Card using my Amazon Gift Card balance. ): Anyways, I tried opening the file location of the malware and deleted its folder found in C:\Users\kimbe\AppData\Roaming\Bestr\client32.exe, but I'm not so sure if it's completely removed.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-11-2017
Ran by kimbe (administrator) on KIMBERLY (11-11-2017 21:48:51)
Running from C:\Users\kimbe\Downloads
Loaded Profiles: kimbe (Available Profiles: kimbe)
Platform: Windows 10 Home Version 1607 14393.1770 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\winwfpmonitor.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(SafeNet, Inc.) C:\Windows\System32\hasplms.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.6\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.6\GoogleCrashHandler64.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
(Microsoft Corporation) C:\Windows\System32\InputMethod\CHS\ChsIME.exe
(Hewlett-Packard ) C:\Program Files\IDT\WDM\Beats64.exe
() C:\Program Files (x86)\puush\puush.exe
(FreeDownloadManager.org) C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Skillbrains) C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Discord Inc.) C:\Users\kimbe\AppData\Local\Discord\app-0.0.298\Discord.exe
(Discord Inc.) C:\Users\kimbe\AppData\Local\Discord\app-0.0.298\Discord.exe
(Discord Inc.) C:\Users\kimbe\AppData\Local\Discord\app-0.0.298\Discord.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\browsernativehost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Budy Setiawan Kusumah) C:\Users\kimbe\AppData\Local\Temp\Rar$EXa0.643\Double Driver\dd.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [BeatsOSDApp] => C:\Program Files\IDT\WDM\beats64.exe [41664 2013-11-20] (Hewlett-Packard )
HKLM\...\Run: [COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10}] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1490624 2017-10-30] (COMODO)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-08-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [225944 2017-04-11] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [Discord] => C:\Users\kimbe\AppData\Local\Discord\app-0.0.298\Discord.exe [57477112 2017-08-08] (Discord Inc.)
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [puush] => C:\Program Files (x86)\puush\puush.exe [568904 2016-09-11] ()
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [Battle.net] => C:\Program Files (x86)\Battle.net\Battle.net Launcher.exe [3865576 2017-10-20] (Blizzard Entertainment)
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [Free Download Manager] => C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe [9286656 2016-07-22] (FreeDownloadManager.org)
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3062560 2017-07-17] (Valve Corporation)
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [Bestr] => C:\Users\kimbe\AppData\Roaming\Bestr\client32.exe
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\RunOnce: [Uninstall C:\Users\kimbe\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\kimbe\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64"
Startup: C:\Users\kimbe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-10-20]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{1b74868b-f5b8-4c18-8566-8945a83d1e0d}: [NameServer] 156.154.70.22,156.154.71.22
Tcpip\..\Interfaces\{1b74868b-f5b8-4c18-8566-8945a83d1e0d}: [DhcpNameServer] 192.168.43.1
Tcpip\..\Interfaces\{1cc3cf7a-0b7a-43e0-9820-ad8b4dee123d}: [NameServer] 156.154.70.22,156.154.71.22
Tcpip\..\Interfaces\{1cc3cf7a-0b7a-43e0-9820-ad8b4dee123d}: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
Internet Explorer:
==================
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-11-06] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-11-06] (Microsoft Corporation)
BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2017-10-18] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-10-21] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-11-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-10-21] (Oracle Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-06] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-06] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-06] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-06] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: 0ly2rnuk.default
FF ProfilePath: C:\Users\kimbe\AppData\Roaming\Mozilla\Firefox\Profiles\0ly2rnuk.default [2017-09-02]
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-10-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-10-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-10-18] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-18] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [2017-02-06] (Nexon)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.6\npGoogleUpdate3.dll [2017-11-08] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.6\npGoogleUpdate3.dll [2017-11-08] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-10] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3123083050-2831490917-1663241075-1001: iloen.com/MelOnWebLinker -> C:\Windows\System32\npMelOnWebLinker.dll [No File]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3329707&octid=EB_ORIGINAL_CTID&ISID=M06D6FC72-2A8C-47B4-86A8-12195A3130AE&SearchSource=55&CUI=&UM=8&UP=SPF7CE6EE9-F9C2-4ABE-B9BE-62B18441A710&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3329707&octid=EB_ORIGINAL_CTID&ISID=M06D6FC72-2A8C-47B4-86A8-12195A3130AE&SearchSource=55&CUI=&UM=8&UP=SPF7CE6EE9-F9C2-4ABE-B9BE-62B18441A710&SSPV=","hxxp://search.yahoo.com/?type=198484&fr=spigot-yhp-ch","hxxp://www.mystartsearch.com/?type=hp&ts=1438984467&z=3482aed005cf4cf63ac8514gez0c1b4t2bdz2c2t7o&from=cmi&uid=HitachiXHTS543225L9SA00_081028FB2F00LLCJZTLAX","hxxp://www.google.com","hxxp://www.google.com/","hxxps://www.google.com/"
CHR NewTab: Default ->  Active:"chrome-extension://jpfpebmajhhopeonhlcgidhclcccjcik/newtab.html"
CHR Profile: C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default [2017-11-11]
CHR Extension: (Slides) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-12]
CHR Extension: (Free Download Manager Chrome extension) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmpjcflkgiildlgicmcieglgoilbfdp [2017-03-04]
CHR Extension: (Docs) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-12]
CHR Extension: (Google Drive) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-29]
CHR Extension: (YouTube) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-07-29]
CHR Extension: (uBlock Origin) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-11-06]
CHR Extension: (Adobe Acrobat) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-03-04]
CHR Extension: (Sheets) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-12]
CHR Extension: (Google Docs Offline) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-07-29]
CHR Extension: (Speed Dial 2) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfpebmajhhopeonhlcgidhclcccjcik [2017-06-13]
CHR Extension: (StayFocusd) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\laankejkbhbdhmipfmgcngdelahlfoji [2017-09-17]
CHR Extension: (Google Mail Checker) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff [2016-07-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-28]
CHR Extension: (Gmail) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-07-29]
CHR Extension: (Chrome Media Router) - C:\Users\kimbe\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-11-08]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [8063656 2017-10-31] (Microsoft Corporation)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [10872400 2017-10-30] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2876096 2017-10-30] (COMODO)
S3 ESRV_SVC_WILLAMETTE; C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe [416408 2016-06-08] ()
R2 hasplms; C:\WINDOWS\system32\hasplms.exe [4574520 2017-02-14] (SafeNet, Inc.)
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2960672 2016-05-30] (IObit)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 SystemUsageReportSvc_WILLAMETTE; C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe [117400 2016-06-08] ()
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10883824 2017-03-17] (TeamViewer GmbH)
S3 USER_ESRV_SVC_WILLAMETTE; C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe [416408 2016-06-08] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-04-27] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2017-08-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 amdkmafd; C:\WINDOWS\System32\drivers\amdkmafd.sys [31992 2015-06-03] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-07-21] (Advanced Micro Devices)
R1 cmderd; C:\WINDOWS\System32\DRIVERS\cmderd.sys [44088 2017-10-21] (COMODO)
R1 cmdGuard; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [833096 2017-10-21] (COMODO)
R1 cmdhlp; C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [50808 2017-10-21] (COMODO)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77432 2017-11-01] ()
R2 gzflt; C:\WINDOWS\System32\DRIVERS\gzflt.sys [155912 2014-10-22] (BitDefender LLC)
R2 hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [1287496 2017-02-14] (SafeNet, Inc.)
R1 inspect; C:\WINDOWS\system32\DRIVERS\inspect.sys [132896 2017-10-21] (COMODO)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [193464 2017-11-07] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [110016 2017-11-10] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [46008 2017-11-10] (Malwarebytes)
R0 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253880 2017-11-07] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [94144 2017-11-11] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 netr28x; C:\WINDOWS\system32\DRIVERS\netr28x.sys [2554528 2015-06-12] (MediaTek Inc.)
R3 rtbth; C:\WINDOWS\System32\drivers\rtbth.sys [1219200 2015-06-03] (Ralink Technology, Corp.)
S3 semav6msr64; C:\Windows\system32\drivers\semav6msr64.sys [21984 2015-06-04] ()
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S2 vcs; C:\Program Files (x86)\Common Files\Avnex\vcs64.sys [4096 2017-10-11] () [File not signed]
R3 VCSVADHWSer; C:\WINDOWS\system32\DRIVERS\vcsvad.sys [29320 2015-10-01] (AVSOFT Corp.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R3 XtuAcpiDriver; C:\WINDOWS\System32\drivers\XtuAcpiDriver.sys [63840 2015-06-06] (Intel Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-11-11 21:48 - 2017-11-11 21:49 - 000019026 _____ C:\Users\kimbe\Downloads\FRST.txt
2017-11-11 21:44 - 2017-11-11 21:44 - 000000000 ____D C:\Users\kimbe\Documents\Double Driver Backup
2017-11-11 21:41 - 2017-11-11 21:41 - 002165485 _____ C:\Users\kimbe\Downloads\double_driver_4.1.0_portable.zip
2017-11-11 21:13 - 2017-11-11 21:13 - 000094144 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-11-11 19:17 - 2017-11-11 21:48 - 000000000 ____D C:\FRST
2017-11-11 19:16 - 2017-11-11 19:16 - 002392576 _____ (Farbar) C:\Users\kimbe\Downloads\FRST64.exe
2017-11-10 20:53 - 2017-11-10 20:53 - 000110016 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-11-10 20:53 - 2017-11-10 20:53 - 000046008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-11-10 20:47 - 2017-11-10 20:47 - 000000676 _____ C:\Users\kimbe\Desktop\z.txt
2017-11-10 20:25 - 2017-11-10 20:25 - 000001256 _____ C:\Users\Public\Desktop\COMODO Internet Security Premium.lnk
2017-11-10 20:25 - 2017-11-10 20:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
2017-11-10 20:24 - 2017-11-11 21:40 - 001474832 _____ C:\WINDOWS\system32\Drivers\sfi.dat
2017-11-10 20:24 - 2017-11-10 20:24 - 000000000 ____D C:\WINDOWS\System32\Tasks\COMODO
2017-11-10 20:24 - 2017-11-10 20:24 - 000000000 ____D C:\ProgramData\Comodo Downloader
2017-11-10 20:24 - 2017-11-10 20:24 - 000000000 ____D C:\Program Files\COMODO
2017-11-10 20:23 - 2017-11-10 20:23 - 000000000 ____D C:\ProgramData\Shared Space
2017-11-10 20:23 - 2017-11-10 20:23 - 000000000 ____D C:\ProgramData\Comodo
2017-11-10 20:22 - 2017-11-10 20:23 - 075511704 _____ (COMODO) C:\Users\kimbe\Downloads\cispremium_only_installer.exe
2017-11-07 10:17 - 2017-11-07 10:17 - 000193464 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2017-11-07 10:16 - 2017-11-07 10:16 - 000253880 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-11-07 10:16 - 2017-11-07 10:16 - 000001920 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-11-07 10:16 - 2017-11-07 10:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-11-07 10:16 - 2017-11-07 10:16 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-11-07 10:16 - 2017-11-07 10:16 - 000000000 ____D C:\Program Files\Malwarebytes
2017-11-07 10:16 - 2017-11-01 08:54 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-11-07 10:15 - 2017-11-07 10:15 - 078346672 _____ (Malwarebytes ) C:\Users\kimbe\Downloads\mb3-setup-consumer-3.3.1.2183.exe
2017-11-06 19:34 - 2017-11-06 19:34 - 000003364 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3123083050-2831490917-1663241075-1001
2017-11-06 19:34 - 2017-11-06 19:34 - 000002367 _____ C:\Users\kimbe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-11-06 01:01 - 2017-11-06 01:11 - 000747208 _____ C:\Users\kimbe\Documents\lowarousaltohigharousalofficialusethis.mp3.sfk
2017-11-03 21:20 - 2017-11-03 21:21 - 000747528 _____ C:\Users\kimbe\Documents\higharousaltolowarousal.mp3.sfk
2017-11-03 20:54 - 2017-11-03 21:09 - 000000000 ____D C:\Users\kimbe\AppData\Roaming\VEGAS
2017-11-03 20:54 - 2017-11-03 20:54 - 000000000 ____D C:\Users\kimbe\AppData\Roaming\VEGAS Pro
2017-11-03 20:54 - 2017-11-03 20:54 - 000000000 ____D C:\Users\kimbe\AppData\Roaming\Publish Providers
2017-11-03 20:54 - 2017-11-03 20:54 - 000000000 ____D C:\Users\kimbe\AppData\Local\VEGAS Pro
2017-11-03 20:54 - 2017-11-03 20:54 - 000000000 ____D C:\Users\kimbe\AppData\Local\Sony
2017-11-03 20:54 - 2017-11-03 20:54 - 000000000 ____D C:\Users\kimbe\AppData\Local\MAGIX
2017-11-03 20:54 - 2017-11-03 20:54 - 000000000 ____D C:\ProgramData\VEGAS Pro
2017-11-03 20:52 - 2017-11-03 20:52 - 000000000 ____D C:\ProgramData\simplitec
2017-11-03 20:52 - 2017-11-03 20:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VEGAS
2017-11-03 20:52 - 2017-11-03 20:52 - 000000000 ____D C:\ProgramData\Magix
2017-11-03 20:52 - 2017-11-03 20:52 - 000000000 ____D C:\Program Files (x86)\MAGIX
2017-11-03 20:51 - 2017-11-03 20:51 - 000000000 ____D C:\Users\kimbe\AppData\Local\VEGAS
2017-11-03 20:51 - 2017-11-03 20:51 - 000000000 ____D C:\ProgramData\VEGAS
2017-11-03 20:51 - 2017-11-03 20:51 - 000000000 ____D C:\Program Files\VEGAS
2017-11-03 20:51 - 2017-11-03 20:51 - 000000000 ____D C:\Program Files (x86)\VEGAS
2017-11-03 20:50 - 2017-11-03 20:51 - 000000000 ____D C:\Users\kimbe\AppData\Roaming\Sony
2017-11-03 20:47 - 2017-11-03 20:54 - 000000000 ____D C:\Users\kimbe\AppData\Roaming\MAGIX
2017-11-03 20:47 - 2017-11-03 20:47 - 000000000 ____D C:\Users\kimbe\Documents\MAGIX Downloads
2017-11-03 20:41 - 2017-11-03 20:41 - 000001461 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2017-11-03 20:41 - 2017-11-03 20:41 - 000001388 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2017-11-03 20:41 - 2017-11-03 20:41 - 000001004 _____ C:\Users\Public\Desktop\Video Win Movie Maker.lnk
2017-11-03 20:41 - 2017-11-03 20:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Win Movie Maker
2017-11-03 20:41 - 2017-11-03 20:41 - 000000000 ____D C:\Program Files (x86)\Windows Live
2017-11-03 20:41 - 2017-11-03 20:41 - 000000000 ____D C:\Program Files (x86)\Video Win Movie Maker
2017-11-03 19:27 - 2017-11-03 19:27 - 000000000 ____D C:\Users\kimbe\AppData\Roaming\Tera_Awesomium
2017-11-03 17:09 - 2017-11-03 17:09 - 000785920 _____ C:\ProgramData\build_startup21.exe
2017-11-02 18:43 - 2017-11-02 18:43 - 000005318 _____ C:\Users\kimbe\Desktop\UCR Agreement Biology.pdf
2017-11-02 18:41 - 2017-11-02 18:41 - 000005725 _____ C:\Users\kimbe\Desktop\UCR Agreement Biochem.pdf
2017-11-01 18:00 - 2017-10-25 10:13 - 000835568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-11-01 18:00 - 2017-10-25 10:13 - 000177648 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-10-30 18:07 - 2017-10-30 18:07 - 000702888 _____ (COMODO) C:\WINDOWS\SysWOW64\guard32.dll
2017-10-30 18:07 - 2017-10-30 18:07 - 000051808 _____ (COMODO) C:\WINDOWS\system32\cmdcsr.dll
2017-10-30 18:06 - 2017-10-30 18:06 - 000913816 _____ (COMODO) C:\WINDOWS\system32\guard64.dll
2017-10-30 18:04 - 2017-10-30 18:04 - 000467136 _____ (COMODO) C:\WINDOWS\system32\cmdvrt64.dll
2017-10-30 18:02 - 2017-10-30 18:02 - 000371392 _____ (COMODO) C:\WINDOWS\SysWOW64\cmdvrt32.dll
2017-10-24 23:07 - 2017-10-24 23:07 - 002537632 _____ C:\Users\kimbe\Desktop\Assignment 8-3 KEY.pdf
2017-10-24 23:07 - 2017-10-24 23:07 - 000290378 _____ C:\Users\kimbe\Desktop\Assignment 8-2-Alkenes addition reactions-Key.pdf
2017-10-24 23:07 - 2017-10-24 23:07 - 000249148 _____ C:\Users\kimbe\Desktop\Assignment 8-1-Alkenes carbocation rearrangement-Key.pdf
2017-10-21 19:09 - 2017-10-21 19:09 - 000088799 _____ C:\Users\kimbe\Downloads\Aristotle-Outline.pdf
2017-10-21 18:16 - 2017-10-21 18:15 - 000097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-10-21 15:19 - 2017-10-21 15:19 - 000132896 _____ (COMODO) C:\WINDOWS\system32\Drivers\inspect.sys
2017-10-21 15:18 - 2017-10-21 15:18 - 000833096 _____ (COMODO) C:\WINDOWS\system32\Drivers\cmdguard.sys
2017-10-21 15:18 - 2017-10-21 15:18 - 000050808 _____ (COMODO) C:\WINDOWS\system32\Drivers\cmdhlp.sys
2017-10-21 15:18 - 2017-10-21 15:18 - 000044088 _____ (COMODO) C:\WINDOWS\system32\Drivers\cmderd.sys
2017-10-15 23:51 - 2017-10-15 23:51 - 000345528 _____ C:\Users\kimbe\Desktop\Assignment 7-2-Key.pdf
2017-10-15 23:36 - 2017-10-15 23:36 - 000130297 _____ C:\Users\kimbe\Desktop\Assignment 7-1-Key.pdf
2017-10-13 22:40 - 2017-10-13 22:40 - 049979212 _____ C:\Users\kimbe\Desktop\Klein - Organic Chemistry Solution Manual 2nd Edition.pdf
2017-10-13 22:39 - 2017-10-13 22:40 - 148888310 _____ C:\Users\kimbe\Desktop\Klein - Organic Chemistry 2nd Edition.pdf
2017-10-13 18:18 - 2017-10-13 18:18 - 000000000 ____D C:\Users\kimbe\Documents\Sound recordings
2017-10-13 11:40 - 2017-10-13 11:40 - 000003288 _____ C:\WINDOWS\System32\Tasks\Alcores
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-11-11 21:41 - 2016-07-30 00:20 - 000000000 ____D C:\Users\kimbe\AppData\Local\Free Download Manager
2017-11-11 21:39 - 2016-07-16 03:47 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-11-11 21:35 - 2016-08-05 09:33 - 000000000 ____D C:\Users\kimbe\Documents\Text Documents
2017-11-11 21:17 - 2016-08-05 09:32 - 000000000 ____D C:\Users\kimbe\Documents\Important Files
2017-11-11 20:50 - 2016-07-29 23:04 - 003714956 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-11-11 20:14 - 2016-09-27 03:23 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-11-11 19:11 - 2016-12-17 00:32 - 000004154 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{09521263-C666-4DBB-A796-67785A10358F}
2017-11-10 20:52 - 2016-09-27 03:39 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-11-10 20:52 - 2016-07-15 22:04 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2017-11-10 20:24 - 2016-07-16 03:45 - 000000000 ____D C:\WINDOWS\INF
2017-11-10 19:58 - 2016-10-20 19:19 - 000000000 ____D C:\ProgramData\TEMP
2017-11-10 19:48 - 2016-07-16 03:47 - 000000000 ___HD C:\Program Files\WindowsApps
2017-11-08 18:22 - 2016-09-27 03:39 - 000003416 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-11-08 18:22 - 2016-09-27 03:39 - 000003292 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-11-08 18:22 - 2016-09-11 19:53 - 000000000 ____D C:\ProgramData\ProductData
2017-11-08 03:39 - 2016-09-27 03:28 - 000000000 ____D C:\Users\kimbe
2017-11-08 01:44 - 2016-07-29 23:29 - 000002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-11-08 01:44 - 2016-07-29 23:29 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-11-07 20:49 - 2016-08-04 21:56 - 000000000 ____D C:\Users\kimbe\AppData\Roaming\discord
2017-11-07 10:40 - 2016-07-16 03:47 - 000000000 ____D C:\WINDOWS\system32\NDF
2017-11-06 19:34 - 2016-07-29 23:07 - 000000000 ___RD C:\Users\kimbe\OneDrive
2017-11-06 19:29 - 2016-07-16 03:47 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-11-06 19:27 - 2016-08-30 20:49 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2017-11-02 19:20 - 2017-09-28 20:52 - 000000000 ____D C:\Program Files\rempl
2017-11-01 18:00 - 2016-07-16 03:36 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-10-28 23:23 - 2016-08-04 22:09 - 000000000 ____D C:\Users\kimbe\AppData\Local\Battle.net
2017-10-28 19:57 - 2016-11-07 18:26 - 000000000 ____D C:\Program Files (x86)\Overwatch Test
2017-10-28 19:54 - 2016-08-04 22:11 - 000000000 ____D C:\Program Files (x86)\Overwatch
2017-10-28 19:52 - 2016-08-04 22:01 - 000000000 ____D C:\Program Files (x86)\Battle.net
2017-10-26 18:59 - 2017-04-03 15:21 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2017-10-23 16:07 - 2016-12-13 00:42 - 000000000 ____D C:\ProgramData\boost_interprocess
2017-10-21 18:16 - 2016-12-17 00:31 - 000000000 ____D C:\ProgramData\Oracle
2017-10-21 18:16 - 2016-12-17 00:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-10-21 18:16 - 2016-12-17 00:31 - 000000000 ____D C:\Program Files (x86)\Java
2017-10-19 09:01 - 2016-08-05 09:33 - 000000000 ____D C:\Users\kimbe\Documents\School Work
2017-10-13 18:19 - 2016-10-21 20:48 - 000000000 ____D C:\Users\kimbe\AppData\Local\ElevatedDiagnostics
2017-10-12 18:54 - 2016-07-16 03:47 - 000000000 ____D C:\WINDOWS\rescache
2017-10-12 10:00 - 2017-10-11 19:46 - 000000000 ____D C:\Program Files (x86)\AV Voice Changer 9.5 Diamond
2017-10-12 10:00 - 2017-10-11 19:36 - 000000239 _____ C:\Users\kimbe\Documents\ClownfishVoiceChanger.ini
 
==================== Files in the root of some directories =======
 
2017-07-07 22:53 - 2017-07-07 22:53 - 000000003 _____ () C:\Users\kimbe\AppData\Local\updater.log
2017-07-07 22:53 - 2017-07-07 22:53 - 000000425 _____ () C:\Users\kimbe\AppData\Local\UserProducts.xml
2017-11-03 17:09 - 2017-11-03 17:09 - 000785920 _____ () C:\ProgramData\build_startup21.exe
2017-05-27 12:07 - 2017-05-27 12:07 - 000000016 _____ () C:\ProgramData\mntemp
 
Files to move or delete:
====================
C:\ProgramData\build_startup21.exe
 
 
Some files in TEMP:
====================
2017-10-11 19:43 - 2017-07-05 14:59 - 001814016 _____ () C:\Users\kimbe\AppData\Local\Temp\GLF787A.tmp.dll
2017-01-21 11:13 - 2017-01-21 11:13 - 000739904 _____ (Oracle Corporation) C:\Users\kimbe\AppData\Local\Temp\jre-8u121-windows-au.exe
2017-04-27 17:44 - 2017-04-27 17:44 - 000739904 _____ (Oracle Corporation) C:\Users\kimbe\AppData\Local\Temp\jre-8u131-windows-au.exe
2017-07-20 23:43 - 2017-07-20 23:43 - 000739904 _____ (Oracle Corporation) C:\Users\kimbe\AppData\Local\Temp\jre-8u141-windows-au.exe
2017-10-21 18:15 - 2017-10-21 18:15 - 001856576 _____ (Oracle Corporation) C:\Users\kimbe\AppData\Local\Temp\jre-8u151-windows-au.exe
2017-09-25 16:41 - 2017-09-25 00:25 - 068408664 _____ (Malwarebytes                                                ) C:\Users\kimbe\AppData\Local\Temp\mb3-setup-consumer-3.2.2.2029-1.0.188-1.0.2785.exe
2017-03-01 01:57 - 2017-03-01 01:57 - 018304280 _____ (LOEN Entertainment) C:\Users\kimbe\AppData\Local\Temp\Melon4Setup.exe
2017-02-06 19:28 - 2017-02-06 19:28 - 000765952 _____ (Nexon) C:\Users\kimbe\AppData\Local\Temp\NGMDll.dll
2017-02-06 19:28 - 2017-02-06 19:28 - 000421888 _____ (Nexon) C:\Users\kimbe\AppData\Local\Temp\NGMResource.dll
2017-02-06 19:28 - 2017-02-06 19:28 - 003371008 _____ (Nexon) C:\Users\kimbe\AppData\Local\Temp\NGMSetup.exe
2017-02-06 19:28 - 2017-02-06 19:28 - 000258352 _____ (Microsoft Corporation) C:\Users\kimbe\AppData\Local\Temp\unicows.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-11-01 17:56
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-11-2017
Ran by kimbe (11-11-2017 21:49:51)
Running from C:\Users\kimbe\Downloads
Windows 10 Home Version 1607 14393.1770 (X64) (2016-09-27 11:41:38)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3123083050-2831490917-1663241075-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3123083050-2831490917-1663241075-503 - Limited - Disabled)
Guest (S-1-5-21-3123083050-2831490917-1663241075-501 - Limited - Disabled)
kimbe (S-1-5-21-3123083050-2831490917-1663241075-1001 - Administrator - Enabled) => C:\Users\kimbe
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: COMODO Antivirus (Enabled - Up to date) {0C515E80-E355-69BD-3445-A511E5C186FD}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: COMODO Advanced Protection (Enabled - Up to date) {B730BF64-C56F-6633-0EF5-9E639E46CC40}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall (Enabled) {346ADFA5-A93A-68E5-1F1A-0C241B12C186}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
劲舞团V12.7.3 (HKLM-x32\...\{1E9B9AA3-8FAF-407C-94E3-B7345788A121}_is1) (Version:  - 9you)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Amazon Kindle (HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Amazon Kindle) (Version: 1.20.1.47037 - Amazon)
AMD Catalyst Install Manager (HKLM\...\{66AFB595-BC05-2913-7696-6D58F9B733E1}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Blizzard App (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Clownfish Voice Changer (HKLM\...\ClownfishVoiceChanger) (Version:  - )
COMODO Internet Security Premium (HKLM\...\{01182FCE-8E8E-419F-8745-24236D28F2F9}) (Version: 10.0.2.6396 - COMODO Security Solutions Inc.) Hidden
COMODO Internet Security Premium (HKLM\...\COMODO Internet Security) (Version: 10.0.2.6396 - COMODO Security Solutions Inc.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Discord (HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Discord) (Version: 0.0.298 - Discord Inc.)
Extended Asian Language font pack for Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-2530-0000-AC0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Free Download Manager (HKLM\...\{43781dff-e0df-49ce-a6d2-47da96a485e7}}_is1) (Version: 5.1.15.4296 - FreeDownloadManager.ORG)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 62.0.3202.89 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Intel® Driver Update Utility 2.6 (HKLM-x32\...\{2B710CA5-99F0-4D29-962C-29A7CFF7A989}) (Version: 2.6.0.32 - Intel) Hidden
Intel® Driver Update Utility (HKLM-x32\...\{3e714701-b89c-4cf2-bf3b-41b2c105ffdc}) (Version: 2.6.0.32 - Intel)
Java 8 Update 151 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
League client alpha (HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\League client alpha 1.0) (Version: 1.0 - Riot Games, Inc)
League of Legends (HKLM-x32\...\{E80C09B5-A296-47E9-BD4B-BCCF2FDCA13E}) (Version: 4.1.2 - Riot Games) Hidden
League of Legends (HKLM-x32\...\League of Legends 4.1.2) (Version: 4.1.2 - Riot Games)
Lightshot-5.4.0.10 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.4.0.10 - Skillbrains)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
MapleStory (HKLM-x32\...\MapleStory) (Version:  - )
Melon Player4 (HKLM-x32\...\Melon40) (Version: 5.16.1004.18 - LOEN Entertainment)
MelOnNtfy2 (HKLM-x32\...\MelOnNtfy2) (Version: 5.16.928.11 - LOEN Entertainment)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.8625.2121 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\OneDriveSetup.exe) (Version: 17.3.7076.1026 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212 (HKLM-x32\...\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}) (Version: 14.0.24212.0 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 55.0.3 (x64 en-US) (HKLM\...\Mozilla Firefox 55.0.3 (x64 en-US)) (Version: 55.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 55.0.3 - Mozilla)
Nexon Launcher (HKLM-x32\...\Nexon Nexon Launcher) (Version: 2.0.0 - Nexon)
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 7.5.1 - Notepad++ Team)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8326.2107 - Microsoft Corporation) Hidden
osu! (HKLM-x32\...\{897d7aaf-b05c-4653-8c21-aa6fcacb3874}) (Version: latest - ppy Pty Ltd)
Overwatch (HKLM-x32\...\Overwatch) (Version:  - Blizzard Entertainment)
Overwatch Test (HKLM-x32\...\Overwatch Test) (Version:  - Blizzard Entertainment)
puush (HKLM-x32\...\{C3592426-531E-4110-911D-BFECE2CE284B}) (Version: 1.0.0.0 - Dean Herbert)
Sentinel Runtime (HKLM-x32\...\{2C536B88-EA6B-4C24-A241-FD21981A99B0}) (Version: 7.54.1.67019 - Gemalto)
Spybot Anti-Beacon (HKLM-x32\...\{419A7FCF-93E1-474D-BFE9-987CF3F90C88}_is1) (Version: 1.5 - Safer-Networking Ltd.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.75813 - TeamViewer)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{17515373-7495-4995-9089-B7D6DF455C38}) (Version: 2.6.0.0 - Microsoft Corporation)
VEGAS Pro 14.0 (64-bit) (HKLM\...\{8BA11E80-4FB0-11E7-9B6D-A9EF5249FCEF}) (Version: 14.0.270 - VEGAS)
Video Win Movie Maker 2016 (HKLM-x32\...\{3CC29C1A-B5FE-457B-8F22-32A2videowin}}_is1) (Version:  - videowinsoft.com)
VitalSource Bookshelf (HKLM-x32\...\{5662bb17-987f-4669-a168-ae4001d70a23}) (Version: 7.6.0004 - Ingram Content Group)
VitalSource Converter PRO version 1.17 (HKLM-x32\...\{4142FCBC-3D39-4F39-9F7A-700ED32EE0C5}_is1) (Version: 1.17 - eBook Converter Team)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
Your Uninstaller! 7 (HKLM-x32\...\YU2010_is1) (Version: 7.5.2014.3 - URSoft, Inc.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll [2017-08-28] ()
ContextMenuHandlers1: [Comodo Antivirus] -> {4255A182-CAD9-4214-A19B-7BA7FB633BBD} => C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll [2017-10-30] (COMODO)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-14] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-14] (Alexander Roshal)
ContextMenuHandlers2: [Comodo Antivirus] -> {4255A182-CAD9-4214-A19B-7BA7FB633BBD} => C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll [2017-10-30] (COMODO)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\atiacm64.dll [2015-08-04] (Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [Comodo Antivirus] -> {4255A182-CAD9-4214-A19B-7BA7FB633BBD} => C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll [2017-10-30] (COMODO)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-14] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-14] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {063ECB45-1FFE-4CF2-8300-6D14245D2C2B} - System32\Tasks\Intel\Intel Telemetry 2 => C:\Program Files\Intel\Telemetry 2.0\lrio.exe [2016-03-17] (Intel Corporation)
Task: {0FB4E2BB-72E3-40A3-8E8B-96E02BDBBA0B} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2017-10-30] (COMODO)
Task: {2578CDA0-49DE-4EA3-B2B1-FDFEE934DB3E} - System32\Tasks\update-S-1-5-21-3123083050-2831490917-1663241075-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {2662B1B2-9778-44A9-84E6-9E8E29A56644} - System32\Tasks\Alcores => C:\Users\kimbe\AppData\Roaming\Bestr\client32.exe
Task: {300E4E59-2220-47AD-BBD6-893653854AF9} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-11-06] (Microsoft Corporation)
Task: {34EA205D-29CB-4DF2-94F0-EBBB7860D343} - System32\Tasks\COMODO\COMODO Telemetry {18AD3DFA-30C0-4B5F-84F7-F1870B1A4921} => C:\Program Files\COMODO\COMODO Internet Security\cis.exe [2017-10-30] (COMODO)
Task: {3589F078-94C1-4AD4-A44D-449FCEBEE87B} - System32\Tasks\FreeDownloadManagerNetworkMonitor => C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\winwfpmonitor.exe [2016-07-22] ()
Task: {413949FC-9EA8-4A46-8DBE-9F2931922701} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-29] (Google Inc.)
Task: {48CB103F-3F36-4602-9867-087382B97CBE} - System32\Tasks\COMODO\COMODO Maintenance {947247B5-026A-4437-9371-770782BE839D} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2017-10-30] (COMODO)
Task: {522B10F5-C176-4079-BC71-11EE2170BEBB} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2017-10-30] (COMODO)
Task: {6EFC55CA-C3C9-4654-9D20-1E04ACCCF0A2} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-22] ()
Task: {7B4E4B66-0D18-49F7-BD7B-050F8B97ADB5} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2017-11-06] (Microsoft Corporation)
Task: {7BC9DDA4-553F-47B2-92E4-751A28AEB3B8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-29] (Google Inc.)
Task: {7F09DB30-6D91-4233-9F3B-F12D2D0B4418} - System32\Tasks\USER_ESRV_SVC_WILLAMETTE => "C:\Windows\System32\Wscript.exe" //B //NoLogo "C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\task.vbs"
Task: {88DE5DDC-6D3C-4B9A-9DFB-965140F7A20D} - System32\Tasks\COMODO\COMODO CMC {06A09C0F-DD9C-4191-A670-71115CD78627} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2017-10-30] (COMODO)
Task: {B0C1A088-D9A1-4EBC-BCAA-4D63C411D7A6} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {CFDF2CDA-A0CF-4A1D-A83E-B212FC01C6CB} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {D0DE8EA0-E03C-4931-91DC-A84C6AE80C3C} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2017-10-30] (COMODO)
Task: {D31C6A6C-4F91-4BE8-96B1-6F8CF9E384E9} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-31] (Microsoft Corporation)
Task: {D81F970D-43F1-4035-8846-70A3AFACE141} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-11-06] (Microsoft Corporation)
Task: {DDA8063F-780B-40F3-8A2C-D9915C32F366} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2017-10-30] (COMODO)
Task: {DDF94603-F6A2-4F1E-9015-896BD838E18F} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-31] (Microsoft Corporation)
Task: {E9E9ABDE-11D8-4F52-BABF-B2105C72718A} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-22] ()
Task: {F019C487-94FB-455C-ABF7-016CEA13C1CE} - System32\Tasks\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization => C:\Program Files (x86)\Spybot Anti-Beacon\SDAntiBeacon.exe [2015-10-19] (Safer-Networking Ltd.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\update-S-1-5-21-3123083050-2831490917-1663241075-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\WINDOWS\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-30 00:20 - 2016-07-22 19:21 - 000796672 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\winwfpmonitor.exe
2016-07-30 00:20 - 2016-07-22 19:19 - 000029696 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\WinDivert.dll
2017-10-30 18:04 - 2017-10-30 18:04 - 000156864 _____ () C:\Program Files\COMODO\COMODO Internet Security\cmdwrhlp.dll
2017-10-30 18:03 - 2017-10-30 18:03 - 000106688 _____ () C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll
2017-10-30 18:03 - 2017-10-30 18:03 - 000241856 _____ () C:\Program Files\COMODO\COMODO Internet Security\cmdcomps.dll
2017-11-07 10:16 - 2017-11-01 08:55 - 002299344 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-11-07 10:16 - 2017-11-01 08:54 - 002358736 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2016-07-16 03:42 - 2016-07-16 03:42 - 000231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2017-09-12 19:09 - 2017-09-06 22:01 - 002681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2017-11-06 19:27 - 2017-11-06 19:27 - 008931496 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2017-08-28 16:43 - 2017-08-28 16:43 - 000230064 _____ () C:\Program Files\Notepad++\NppShell_06.dll
2016-09-27 04:19 - 2016-09-27 04:19 - 000134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-03-14 19:06 - 2017-03-03 22:31 - 000474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2012-01-10 13:41 - 2016-09-11 19:44 - 000568904 _____ () C:\Program Files (x86)\puush\puush.exe
2016-07-30 00:20 - 2016-06-28 18:14 - 002160128 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\avformat-57.dll
2016-07-30 00:20 - 2016-06-28 18:14 - 000484352 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\avutil-55.dll
2016-07-30 00:20 - 2016-06-28 18:14 - 012621312 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\avcodec-57.dll
2016-07-30 00:20 - 2016-06-28 18:14 - 002111488 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\avfilter-6.dll
2016-07-30 00:20 - 2016-06-28 18:14 - 000663040 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\swscale-4.dll
2016-07-30 00:20 - 2016-06-28 18:14 - 000139264 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\swresample-2.dll
2016-07-30 00:20 - 2016-06-28 18:14 - 000071168 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\postproc-54.dll
2016-07-30 00:20 - 2016-07-22 19:20 - 000099328 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\winunivappfeatures.dll
2016-07-30 00:20 - 2016-06-28 17:32 - 065771520 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\libcef.dll
2016-07-30 00:20 - 2016-06-28 17:32 - 002129920 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\libglesv2.dll
2016-07-30 00:20 - 2016-06-28 17:32 - 000087040 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\libegl.dll
2017-03-14 19:06 - 2017-03-03 22:12 - 009760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-03-14 19:06 - 2017-03-03 22:05 - 001401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-03-14 19:06 - 2017-03-03 22:05 - 000757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-10-10 16:55 - 2017-09-17 18:14 - 002424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-10-10 16:55 - 2017-09-17 18:16 - 004853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-11-08 01:44 - 2017-11-05 01:12 - 004135768 _____ () C:\Program Files (x86)\Google\Chrome\Application\62.0.3202.89\libglesv2.dll
2017-11-08 01:44 - 2017-11-05 01:12 - 000100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\62.0.3202.89\libegl.dll
2016-07-30 00:20 - 2016-07-22 19:20 - 000799232 _____ () C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\browsernativehost.exe
2017-09-07 08:39 - 2017-09-07 08:39 - 000073920 _____ () C:\Program Files\COMODO\COMODO Internet Security\scanners\smart.cav
2017-08-08 20:34 - 2017-08-08 14:13 - 001893880 _____ () C:\Users\kimbe\AppData\Local\Discord\app-0.0.298\ffmpeg.dll
2017-08-08 20:34 - 2017-08-08 20:34 - 001577976 _____ () \\?\C:\Users\kimbe\AppData\Roaming\discord\0.0.298\modules\discord_toaster\discord_toaster.node
2017-08-08 20:34 - 2017-08-08 14:13 - 001938424 _____ () C:\Users\kimbe\AppData\Local\Discord\app-0.0.298\libglesv2.dll
2017-08-08 20:34 - 2017-08-08 14:13 - 000095736 _____ () C:\Users\kimbe\AppData\Local\Discord\app-0.0.298\libegl.dll
2017-08-08 20:34 - 2017-10-05 20:53 - 009722360 _____ () \\?\C:\Users\kimbe\AppData\Roaming\discord\0.0.298\modules\discord_voice\discord_voice.node
2017-08-08 20:34 - 2017-11-07 11:55 - 001471992 _____ () \\?\C:\Users\kimbe\AppData\Roaming\discord\0.0.298\modules\discord_utils\discord_utils.node
2017-11-11 19:36 - 2017-11-11 19:36 - 000148992 _____ () \\?\C:\Users\kimbe\AppData\Local\Temp\2D3E.tmp.node
2017-08-08 20:34 - 2017-08-08 20:34 - 002658296 _____ () \\?\C:\Users\kimbe\AppData\Roaming\discord\0.0.298\modules\discord_rpc\discord_rpc.node
2017-08-08 21:34 - 2017-08-08 21:34 - 002673656 _____ () \\?\C:\Users\kimbe\AppData\Roaming\discord\0.0.298\modules\discord_contact_import\discord_contact_import.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [154]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\inicsis.com -> hxxps://stdpay.inicsis.com
IE trusted site: HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\melon.com -> melon.com
IE trusted site: HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\sharepoint.com -> hxxps://mailpasadena-files.sharepoint.com
 
There are 4788 more sites.
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-29 23:24 - 2017-11-10 20:57 - 000005016 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1                   idb.iobit.com
127.0.0.1                   asc55.iobit.com
127.0.0.1                   is360.iobit.com
127.0.0.1                   asc.iobit.com
127.0.0.1                   pf.iobit.com
127.0.0.1                   98.129.229.186
 
There are 84 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\kimbe\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\desktop-_stunning_wallpaper_-hd-_cute.jpg
DNS Servers: 156.154.70.22 - 156.154.71.22
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run: => "WindowsDefender"
HKLM\...\StartupApproved\Run32: => "PlaysTV"
HKLM\...\StartupApproved\Run32: => "Raptr"
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\StartupApproved\Run: => "Discord"
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\StartupApproved\Run: => "Battle.net"
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\StartupApproved\Run: => "Steam"
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\StartupApproved\Run: => "Bestr"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{9DCFB2E1-A874-472C-A089-5CD4C3DF443D}] => (Allow) C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoUpdate.exe
FirewallRules: [{DA9C29D1-5ECF-4419-92A5-1AF15F5DED04}] => (Allow) C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoUpdate.exe
FirewallRules: [UDP Query User{979FA359-CFDD-4105-86AF-98A859F6A42D}C:\program files (x86)\overwatch\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\overwatch.exe
FirewallRules: [TCP Query User{F38B7831-8E54-4AFA-A0AA-7986FFF5E1E9}C:\program files (x86)\overwatch\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\overwatch.exe
FirewallRules: [{AA93A5EE-672B-4AD9-ACBA-92A306D02166}] => (Allow) C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe
FirewallRules: [{E707BDA8-DD82-4122-99C4-EB803180537E}] => (Allow) C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe
FirewallRules: [{782EF869-C1EA-4A30-ABCD-E2393F74CD12}] => (Allow) C:\Program Files (x86)\VitalSource Bookshelf\Bookshelf.exe
FirewallRules: [{141DE41D-E9BF-4FB6-8528-9FED13F8A15B}] => (Allow) C:\Program Files (x86)\VitalSource Bookshelf\Bookshelf.exe
FirewallRules: [{C27B2E2A-B9CE-4134-8FF9-C0C36C370FBF}] => (Allow) C:\Program Files (x86)\VitalSource Bookshelf\Bookshelf.exe
FirewallRules: [{F483B6E6-879C-45F8-A5A5-7DD5631A7D45}] => (Allow) C:\Program Files (x86)\VitalSource Bookshelf\Bookshelf.exe
FirewallRules: [TCP Query User{91CE5057-F832-4640-B183-F43AF6DE5ED7}C:\program files (x86)\overwatch test\overwatch.exe] => (Allow) C:\program files (x86)\overwatch test\overwatch.exe
FirewallRules: [UDP Query User{2E9D82D0-C64A-45A8-BB80-4C14578210F0}C:\program files (x86)\overwatch test\overwatch.exe] => (Allow) C:\program files (x86)\overwatch test\overwatch.exe
FirewallRules: [{713478F8-05D4-41F7-AF0A-D21CAC40D26A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C9D13A82-CD33-44D6-ABCD-CF376FB9D43F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{FEA65D5C-52BD-45AD-A04E-7BCAB7CA26B7}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{EF68CDBC-8A39-4960-AFC9-54DEF1302BA5}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{B575C264-A941-49EA-B399-3A1F1919987B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\TERA\TERA-Launcher.exe
FirewallRules: [{6EA8DCBF-966D-4365-886F-E39F25740CAB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\TERA\TERA-Launcher.exe
FirewallRules: [{E388FF41-61B3-44A2-AA2D-FB9603165636}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{F7BE388E-FCF8-4809-80B1-6AEC6F4B3081}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{3290AC82-0B02-4F2B-9624-3A1E06D71CDD}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{4BADB1F4-BF0F-447B-8B20-2D622C862888}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{308B0EB0-6220-46A1-B239-E206D7D3F595}] => (Allow) C:\ProgramData\NexonUS\NGM\NGM.exe
FirewallRules: [{54768A02-3550-4B82-AB77-E87D6D432E55}] => (Allow) C:\ProgramData\NexonUS\NGM\NGM.exe
FirewallRules: [TCP Query User{78C6EF1D-90B9-4252-BE76-7E90547E4D13}C:\windows\syswow64\melonntfy2.exe] => (Allow) C:\windows\syswow64\melonntfy2.exe
FirewallRules: [UDP Query User{DB0DF049-8DF0-412B-BDCF-3A3AA9D8422E}C:\windows\syswow64\melonntfy2.exe] => (Allow) C:\windows\syswow64\melonntfy2.exe
FirewallRules: [{ED7DE8EE-561B-463B-97A7-04CEC83B18DF}] => (Allow) C:\Program Files (x86)\Melon Player4\system32\p3melonasvr2.exe
FirewallRules: [{C958D389-7777-4B9D-969A-8E60FCFB022A}] => (Allow) C:\Program Files (x86)\Melon Player4\Playback\pino-melon.exe
FirewallRules: [{687C08AB-DA87-4A3A-A64E-E33022B66123}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{3A632143-8411-4E35-A7A0-E8CBAABFC255}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{B4775C6F-C638-43FA-9752-5246866ED5A0}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{55C9BCED-A78B-4A1B-9A62-F394A3B3299C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [TCP Query User{DE8067F5-E189-4967-89B2-5D278683E0BA}C:\program files (x86)\melon player4\melonntfy2.exe] => (Allow) C:\program files (x86)\melon player4\melonntfy2.exe
FirewallRules: [UDP Query User{5E5D8B3E-21E8-4931-B67C-A2CE11F874EB}C:\program files (x86)\melon player4\melonntfy2.exe] => (Allow) C:\program files (x86)\melon player4\melonntfy2.exe
FirewallRules: [TCP Query User{DCE96AC7-F52D-4940-AEC3-20BB41492F94}C:\nexon\library\maplestory\appdata\fluffyms client.exe] => (Allow) C:\nexon\library\maplestory\appdata\fluffyms client.exe
FirewallRules: [UDP Query User{6B81D3B9-9E45-4335-BEC7-BCF40B0838AE}C:\nexon\library\maplestory\appdata\fluffyms client.exe] => (Allow) C:\nexon\library\maplestory\appdata\fluffyms client.exe
FirewallRules: [TCP Query User{20965B17-9B96-4E77-AF85-96274B776F82}C:\users\kimbe\desktop\appdata\fluffyms client.exe] => (Allow) C:\users\kimbe\desktop\appdata\fluffyms client.exe
FirewallRules: [UDP Query User{46A7BF5B-9CD1-4A7D-8682-F1009238F3C7}C:\users\kimbe\desktop\appdata\fluffyms client.exe] => (Allow) C:\users\kimbe\desktop\appdata\fluffyms client.exe
FirewallRules: [TCP Query User{5D56E89E-89D2-4722-93CB-3B0D1C73BFE2}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{D50AB9C9-EF59-4DCB-BFE1-C1503EE8D7F4}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [{D3A51F3D-8362-4702-924C-7B008B8C3A30}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{77D5DADD-EB8F-4ED8-AA89-59FD8AA41DAD}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{E72A0250-8891-48AE-B624-F1EB0AE98E67}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{B39CE7A2-C5BF-4814-A6A3-96A0014102AA}] => (Allow) C:\WINDOWS\system32\hasplms.exe
FirewallRules: [{B9246B8C-E049-4989-BE9B-ECF2789FC92B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
01-11-2017 18:00:04 Windows Update
03-11-2017 20:41:24 Installed DirectX
10-11-2017 20:24:24 Installing COMODO Internet Security Premium
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/11/2017 12:10:34 AM) (Source: ATIeRecord) (EventID: 16396) (User: )
Description: ATI EEU PnP start/stop failed
 
Error: (11/11/2017 12:10:31 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: KIMBERLY)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (11/11/2017 12:10:30 AM) (Source: ATIeRecord) (EventID: 16396) (User: )
Description: ATI EEU PnP start/stop failed
 
Error: (11/10/2017 08:52:47 PM) (Source: ATIeRecord) (EventID: 16396) (User: )
Description: ATI EEU PnP start/stop failed
 
Error: (11/10/2017 08:51:22 PM) (Source: ATIeRecord) (EventID: 16396) (User: )
Description: ATI EEU PnP start/stop failed
 
Error: (11/10/2017 08:24:58 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider CisWmi attempted to register query "SELECT * FROM CisFileRatingChange" whose target class "CisFileRatingChange" in //./root/cis namespace does not exist. The query will be ignored.
 
Error: (11/10/2017 08:24:58 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider CisWmi attempted to register query "SELECT * FROM CisStatusChange" whose target class "CisStatusChange" in //./root/cis namespace does not exist. The query will be ignored.
 
Error: (11/10/2017 08:24:58 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider CisWmi attempted to register query "SELECT * FROM CisNotification" whose target class "CisNotification" in //./root/cis namespace does not exist. The query will be ignored.
 
Error: (11/10/2017 08:24:58 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider CisWmi attempted to register query "SELECT * FROM FwAlert" whose target class "FwAlert" in //./root/cis namespace does not exist. The query will be ignored.
 
Error: (11/10/2017 08:24:58 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider CisWmi attempted to register query "SELECT * FROM DfAlert" whose target class "DfAlert" in //./root/cis namespace does not exist. The query will be ignored.
 
 
System errors:
=============
Error: (11/11/2017 09:24:31 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/11/2017 07:33:39 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/11/2017 07:09:32 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/11/2017 07:08:20 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/11/2017 07:08:20 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/11/2017 07:08:20 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/11/2017 12:10:31 AM) (Source: DCOM) (EventID: 10010) (User: KIMBERLY)
Description: The server Windows.Networking.BackgroundTransfer.Internal.BackgroundTransferTask.ClassId.1 did not register with DCOM within the required timeout.
 
Error: (11/11/2017 12:10:29 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/10/2017 10:20:46 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (11/10/2017 09:00:47 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
CodeIntegrity:
===================================
  Date: 2017-11-10 20:55:30.530
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-10 20:52:50.655
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-10 20:25:23.181
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-10 20:25:22.783
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-10 20:25:16.621
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-09 19:29:03.792
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-08 18:24:15.789
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-07 20:47:31.597
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-07 20:45:59.574
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-07 10:27:13.871
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-3770 CPU @ 3.40GHz
Percentage of memory in use: 53%
Total physical RAM: 8131.54 MB
Available physical RAM: 3808.29 MB
Total Virtual: 9411.54 MB
Available Virtual: 3989.36 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:909.13 GB) (Free:742.61 GB) NTFS
Drive d: (Recovery Image) (Fixed) (Total:20.47 GB) (Free:2.51 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 95A83C63)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

 



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:53 AM

Posted 13 November 2017 - 09:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

puush (HKLM-x32\...\{C3592426-531E-4110-911D-BFECE2CE284B}) (Version: 1.0.0.0 - Dean Herbert)
Read about this. If you wish to remove it, do it via the Control Panel > Programs > Programs and Features.
https://betanews.com/2015/03/30/fake-puush-update-steals-passwords-from-windows-users/
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [Bestr] => C:\Users\kimbe\AppData\Roaming\Bestr\client32.exe
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
FF Plugin HKU\S-1-5-21-3123083050-2831490917-1663241075-1001: iloen.com/MelOnWebLinker -> C:\Windows\System32\npMelOnWebLinker.dll [No File]
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3329707&octid=EB_ORIGINAL_CTID&ISID=M06D6FC72-2A8C-47B4-86A8-12195A3130AE&SearchSource=55&CUI=&UM=8&UP=SPF7CE6EE9-F9C2-4ABE-B9BE-62B18441A710&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3329707&octid=EB_ORIGINAL_CTID&ISID=M06D6FC72-2A8C-47B4-86A8-12195A3130AE&SearchSource=55&CUI=&UM=8&UP=SPF7CE6EE9-F9C2-4ABE-B9BE-62B18441A710&SSPV=","hxxp://search.yahoo.com/?type=198484&fr=spigot-yhp-ch","hxxp://www.mystartsearch.com/?type=hp&ts=1438984467&z=3482aed005cf4cf63ac8514gez0c1b4t2bdz2c2t7o&from=cmi&uid=HitachiXHTS543225L9SA00_081028FB2F00LLCJZTLAX","hxxp://www.google.com","hxxp://www.google.com/","hxxps://www.google.com/"
CHR NewTab: Default ->  Active:"chrome-extension://jpfpebmajhhopeonhlcgidhclcccjcik/newtab.html"
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [154]
IE trusted site: HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\inicsis.com -> hxxps://stdpay.inicsis.com
C:\Users\kimbe\AppData\Roaming\Bestr

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon (the 3 vertical dots located at the top right of Google Chrome).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.

===

Let me know what problem persists.

#3 sarangbi

sarangbi
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:53 AM

Posted 14 November 2017 - 03:40 PM

It seems that the client32.exe is completely removed now since I don't see it in my startup apps anymore. 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 12-11-2017 03
Ran by kimbe (13-11-2017 21:29:10) Run:1
Running from C:\Users\kimbe\Downloads
Loaded Profiles: kimbe (Available Profiles: kimbe)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\Run: [Bestr] => C:\Users\kimbe\AppData\Roaming\Bestr\client32.exe
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
FF Plugin HKU\S-1-5-21-3123083050-2831490917-1663241075-1001: iloen.com/MelOnWebLinker -> C:\Windows\System32\npMelOnWebLinker.dll [No File]
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3329707&octid=EB_ORIGINAL_CTID&ISID=M06D6FC72-2A8C-47B4-86A8-12195A3130AE&SearchSource=55&CUI=&UM=8&UP=SPF7CE6EE9-F9C2-4ABE-B9BE-62B18441A710&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3329707&octid=EB_ORIGINAL_CTID&ISID=M06D6FC72-2A8C-47B4-86A8-12195A3130AE&SearchSource=55&CUI=&UM=8&UP=SPF7CE6EE9-F9C2-4ABE-B9BE-62B18441A710&SSPV=","hxxp://search.yahoo.com/?type=198484&fr=spigot-yhp-ch","hxxp://www.mystartsearch.com/?type=hp&ts=1438984467&z=3482aed005cf4cf63ac8514gez0c1b4t2bdz2c2t7o&from=cmi&uid=HitachiXHTS543225L9SA00_081028FB2F00LLCJZTLAX","hxxp://www.google.com","hxxp://www.google.com/","hxxps://www.google.com/"
CHR NewTab: Default ->  Active:"chrome-extension://jpfpebmajhhopeonhlcgidhclcccjcik/newtab.html"
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [154]
IE trusted site: HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\...\inicsis.com -> hxxps://stdpay.inicsis.com
C:\Users\kimbe\AppData\Roaming\Bestr
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Bestr => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => key removed successfully
HKLM\Software\Classes\CLSID\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => key not found. 
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\Software\MozillaPlugins\iloen.com/MelOnWebLinker => key removed successfully
C:\Windows\System32\npMelOnWebLinker.dll => not found.
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
Chrome NewTab => removed successfully
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully.
HKU\S-1-5-21-3123083050-2831490917-1663241075-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\inicsis.com => key removed successfully
"C:\Users\kimbe\AppData\Roaming\Bestr" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 103814548 B
Java, Flash, Steam htmlcache => 135413345 B
Windows/system/drivers => 123058053 B
Edge => 61734 B
Chrome => 846320487 B
Firefox => 13117423 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 26674 B
LocalService => 25606 B
NetworkService => 1903254 B
kimbe => 4155525465 B
 
RecycleBin => 0 B
EmptyTemp: => 5 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 21:35:15 ====
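The Fixlog above reports the Bestr Run value and folder as removed, and the poster judges the client gone because it no longer shows in the startup apps. The check below is an added example (not part of the thread, and not FRST's or NetSupport's code) that re-examines, from a fresh session, every persistence point the fixlist in post #2 targeted for the NetSupport client: the HKCU Run value, the StartupApproved state entry listed in Addition.txt, the staging folder, any other client32.exe under the roaming profile, and a still-running process. It assumes it runs as the affected user and uses the value name and paths from the logs; the folder name is the one in this thread and must be adjusted if the client was staged elsewhere.

```powershell
# Added example, not from the thread: verify that the persistence points the FRST
# fixlist removed are really gone. Run as the affected user (HKCU is that user's hive).
# Value name and paths are taken from the FRST logs above; $Folder is an assumption
# based on this thread and should be changed if the client was staged elsewhere.

$Folder    = Join-Path $env:APPDATA 'Bestr'   # C:\Users\<user>\AppData\Roaming\Bestr in the log
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ApprKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
$ValueName = 'Bestr'

$findings = @()

# 1. The Run value the fixlist removed. Also flag any other value whose data points at
#    client32.exe or into the staging folder, in case the name was changed.
if (Test-Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        $data = [string]$p.Value
        if ($p.Name -eq $ValueName -or $data -match 'client32\.exe' -or $data -like "$Folder*") {
            $findings += "Run value still present: $($p.Name) => $data"
        }
    }
}

# 2. The StartupApproved entry Addition.txt listed under "MSCONFIG/TASK MANAGER disabled items".
#    It only records the Task Manager enabled/disabled state for the item and the fix did not
#    touch it; a leftover entry is inert once the Run value is gone, but it is worth knowing about.
if (Test-Path $ApprKey) {
    $appr = Get-ItemProperty -Path $ApprKey
    if ($appr.PSObject.Properties.Name -contains $ValueName) {
        $findings += "StartupApproved entry still present: $ValueName"
    }
}

# 3. The staging folder, plus any other client32.exe under the user's roaming profile.
#    A legitimate NetSupport Manager install lives under Program Files, not in the user
#    profile, so this search is deliberately limited to %APPDATA%.
if (Test-Path $Folder) {
    $findings += "Folder still present: $Folder"
}
Get-ChildItem -Path $env:APPDATA -Recurse -Filter 'client32.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "client32.exe found: $($_.FullName)" }

# 4. A running instance survives deletion of its folder until the reboot the Fixlog asked for.
Get-Process -Name 'client32' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process still running: PID $($_.Id) $($_.Path)" }

if ($findings.Count -eq 0) {
    Write-Output 'No trace of the Bestr/client32.exe persistence found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Any line of output other than the "No trace" message means a persistence point or a running copy survived and the item should go back into a fixlist rather than being deleted by hand.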


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:53 AM

Posted 15 November 2017 - 08:26 AM

Hi,

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



