C:\lbug.pif can't be removed, virus in temp folder, high CPU usage


  • This topic is locked
39 replies to this topic

#1 Yuvie

  • Members
  • 17 posts

Posted 28 December 2017 - 12:56 PM

I'm running 64-bit win7

For the past several weeks, C:\lbug.pif keeps reappearing after being removed. If I delete it, it comes back after a few seconds; the same happens if I scan and quarantine it with Malwarebytes. Whenever it appears, Malwarebytes detects viruses in the appdata\local\temp folder one by one; after I quarantine one, another appears after a few minutes. It also causes processes (such as Java Update and my printer's MyEpson Portal) to have unusually high CPU usage, about 40-50.

What I do to temporarily remove it is run Malwarebytes (I have Premium, if you need to know), Malwarebytes Anti-Rootkit, RogueKiller, HitmanPro, and Spybot, then restart (it doesn't seem to work if I don't use all of them). After the reboot, lbug.pif is gone and there are no detections from Malwarebytes, but after a few days to weeks it comes back. There were times it came back right after I opened BitTorrent or VLC player, and surprisingly there was a time it came back right after uninstalling BitTorrent, but maybe that's just a coincidence, since there were a few times it just came back suddenly.

For the past few days, though, it seems to be acting differently. This has happened twice: lbug.pif appeared again, but it doesn't seem to cause a virus in the temp folder, though it still causes processes to go wild on CPU. It suddenly came back after a day; I removed it, then it came back again after a day, around the same time.

I ran FRST right after removing lbug.pif (after a reboot), so it is temporarily gone again at the moment. I hope this will finally be fixed; I've been searching everywhere!

Edit: it came back 12 hours later.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-12-2017
Ran by Miguel (administrator) on WIN7ULT-PC (29-12-2017 01:10:05)
Running from C:\Users\Miguel\Desktop
Loaded Profiles: Miguel (Available Profiles: Miguel)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Garena Online ) C:\Program Files (x86)\Garena\Garena\2.0.1710.1317\gxxsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
(Seiko Epson Corporation) C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Seiko Epson Corporation) C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe
(TunnelBear) C:\Program Files (x86)\TunnelBear\TBear.Maintenance.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Windscribe Limited) C:\Program Files (x86)\Windscribe\WindscribeService.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [297272 2017-12-11] (Apple Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4174464 2017-05-23] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-19\...\Run: [TunnelBear] => C:\Program Files (x86)\TunnelBear\TunnelBear.UI.exe [1352064 2017-06-13] (TunnelBear)
HKU\S-1-5-20\...\Run: [TunnelBear] => C:\Program Files (x86)\TunnelBear\TunnelBear.UI.exe [1352064 2017-06-13] (TunnelBear)
HKU\S-1-5-21-975107635-2959990657-2744162888-1001\...\Run: [EPSON L100 Series] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGTP.EXE [224768 2010-01-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-975107635-2959990657-2744162888-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
HKU\S-1-5-21-975107635-2959990657-2744162888-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [5913720 2017-05-23] (Safer-Networking Ltd.)
HKU\S-1-5-21-975107635-2959990657-2744162888-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [TunnelBear] => C:\Program Files (x86)\TunnelBear\TunnelBear.UI.exe [1352064 2017-06-13] (TunnelBear)
AlternateShell:

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{F5219E5C-13BE-493C-9BE2-26FF70104B80}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-975107635-2959990657-2744162888-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=lvs&hsimp=yhs-awc&type=lvs__webcompa__1_0__ya__hp_WCYID10427__171222__yaie
SearchScopes: HKU\S-1-5-21-975107635-2959990657-2744162888-1001 -> {C0C3A6C6-03BC-4195-8FCB-AEA091301353} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=lvs&hsimp=yhs-awc&type=lvs__webcompa__1_0__ya__ch_WCYID10427__171222__yaie&p={searchTerms}
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: kezgewuw.default
FF ProfilePath: C:\Users\Miguel\AppData\Roaming\Mozilla\Firefox\Profiles\kezgewuw.default [2017-12-29]
FF Homepage: Mozilla\Firefox\Profiles\kezgewuw.default -> hxxps://www.google.com.ph/
FF NewTab: Mozilla\Firefox\Profiles\kezgewuw.default -> hxxps://www.google.com.ph/
FF Extension: (uBlock Origin) - C:\Users\Miguel\AppData\Roaming\Mozilla\Firefox\Profiles\kezgewuw.default\Extensions\uBlock0@raymondhill.net.xpi [2017-12-15]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_27_0_0_130.dll [2017-09-25] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_130.dll [2017-09-25] ()
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-08-22] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-08-22] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-05] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\dsengine.js [2017-12-22] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\dsengine.cfg [2017-12-22] <==== ATTENTION

Chrome:
=======
CHR Profile: C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default [2017-12-22]
CHR Extension: (Slides) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-11-26]
CHR Extension: (Docs) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-11-26]
CHR Extension: (Google Drive) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-27]
CHR Extension: (YouTube) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-27]
CHR Extension: (Sheets) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-11-26]
CHR Extension: (Google Docs Offline) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-09]
CHR Extension: (Gmail) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-27]
CHR Extension: (Chrome Media Router) - C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-11-26]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-11-27] (Apple Inc.)
R2 GarenaPlatform; C:\Program Files (x86)\Garena\Garena\2.0.1710.1317\gxxsvc.exe [313168 2017-10-13] (Garena Online )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
R2 MyEpson Portal Service; C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe [714712 2017-06-28] (Seiko Epson Corporation)
S3 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [513144 2017-08-22] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [513144 2017-08-22] (NVIDIA Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462784 2017-08-22] (NVIDIA Corporation)
R2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [450168 2017-08-22] (NVIDIA Corporation)
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1776864 2017-05-23] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2131760 2017-05-23] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [233936 2017-05-23] (Safer-Networking Ltd.)
R2 TunnelBearMaintenance; C:\Program Files (x86)\TunnelBear\TBear.Maintenance.exe [38272 2017-06-13] (TunnelBear)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WindscribeService; C:\Program Files (x86)\Windscribe\WindscribeService.exe [442472 2017-11-12] (Windscribe Limited)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77376 2017-06-27] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [188352 2017-12-29] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [101784 2017-12-29] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [45472 2017-12-29] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [253856 2017-12-29] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [84256 2017-12-29] (Malwarebytes)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30328 2017-08-22] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [48248 2017-08-22] (NVIDIA Corporation)
R3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [57976 2017-08-22] (NVIDIA Corporation)
S3 tap-tb-0901; C:\Windows\System32\DRIVERS\tap-tb-0901.sys [38656 2017-06-13] (The OpenVPN Project)
R3 tapwindscribe0901; C:\Windows\System32\DRIVERS\tapwindscribe0901.sys [45560 2017-09-13] (The OpenVPN Project)
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-29 01:10 - 2017-12-29 01:10 - 000013081 _____ C:\Users\Miguel\Desktop\FRST.txt
2017-12-29 01:09 - 2017-12-29 01:10 - 000000000 ____D C:\FRST
2017-12-29 01:07 - 2017-12-29 01:07 - 002391552 _____ (Farbar) C:\Users\Miguel\Desktop\FRST64.exe
2017-12-28 22:23 - 2017-12-28 22:23 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\365792C4.sys
2017-12-28 00:39 - 2017-12-28 00:39 - 000000000 ____D C:\Users\Miguel\Documents\ProcAlyzer Dumps
2017-12-27 23:29 - 2017-12-27 23:29 - 000001853 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-12-27 23:29 - 2017-12-27 23:29 - 000000000 ____D C:\Program Files\HitmanPro
2017-12-27 23:28 - 2017-12-27 23:28 - 011584088 _____ (SurfRight B.V.) C:\Users\Miguel\Downloads\HitmanPro_x64(3).exe
2017-12-27 23:24 - 2017-12-27 23:25 - 011584088 _____ (SurfRight B.V.) C:\Users\Miguel\Downloads\HitmanPro_x64(2).exe
2017-12-27 22:42 - 2017-12-27 22:43 - 036309224 _____ (Adlice Software ) C:\Users\Miguel\Downloads\setup(4).exe
2017-12-27 22:20 - 2017-12-27 22:20 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\123601DC.sys
2017-12-27 22:09 - 2017-12-27 22:09 - 000000000 ____D C:\Windows\system32\appmgmt
2017-12-27 11:20 - 2017-12-27 11:20 - 000001707 _____ C:\Users\Public\Desktop\iTunes.lnk
2017-12-27 11:20 - 2017-12-27 11:20 - 000000000 ____D C:\Users\Miguel\AppData\Roaming\Apple Computer
2017-12-27 11:20 - 2017-12-27 11:20 - 000000000 ____D C:\Users\Miguel\AppData\Local\Apple Computer
2017-12-27 11:20 - 2017-12-27 11:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2017-12-27 11:20 - 2017-12-27 11:20 - 000000000 ____D C:\Program Files\iPod
2017-12-27 11:19 - 2017-12-27 11:20 - 000000000 ____D C:\Program Files\iTunes
2017-12-27 11:19 - 2017-12-27 11:19 - 000000000 ____D C:\ProgramData\Apple Computer
2017-12-27 11:18 - 2017-12-27 11:18 - 000000000 ____D C:\Users\Miguel\AppData\Local\Apple
2017-12-27 11:17 - 2017-12-27 11:17 - 000002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2017-12-27 11:17 - 2017-12-27 11:17 - 000000000 ____D C:\Program Files\Bonjour
2017-12-27 11:17 - 2017-12-27 11:17 - 000000000 ____D C:\Program Files (x86)\Bonjour
2017-12-27 11:17 - 2017-12-27 11:17 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
2017-12-27 11:16 - 2017-12-27 11:17 - 000000000 ____D C:\Program Files\Common Files\Apple
2017-12-27 11:15 - 2017-12-27 11:17 - 000000000 ____D C:\ProgramData\Apple
2017-12-27 10:56 - 2017-12-27 11:10 - 264339784 _____ (Apple Inc.) C:\Users\Miguel\Downloads\iTunes64Setup.exe
2017-12-27 00:15 - 2017-12-27 00:15 - 000008478 _____ C:\Users\Miguel\AppData\Local\recently-used.xbel
2017-12-24 17:58 - 2017-12-24 17:58 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\4626C221.sys
2017-12-22 22:41 - 2017-12-22 22:41 - 000000458 _____ C:\Windows\Tasks\gxx speed launcher.job
2017-12-22 22:38 - 2017-12-22 22:44 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\7612C4F9.sys
2017-12-22 22:36 - 2017-12-22 22:36 - 000000620 _____ C:\Windows\system32\.crusader
2017-12-22 21:45 - 2017-12-22 21:49 - 036251728 _____ (Adlice Software ) C:\Users\Miguel\Downloads\setup(3).exe
2017-12-22 21:20 - 2017-12-22 21:32 - 239352488 _____ C:\Users\Miguel\Downloads\[HorribleSubs] Inuyashiki - 02 [720p].mkv
2017-12-22 21:20 - 2017-12-22 21:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2017-12-22 21:19 - 2017-12-22 21:19 - 000000874 _____ C:\Users\Miguel\Desktop\BitTorrent.lnk
2017-12-22 21:19 - 2017-12-22 21:19 - 000000854 _____ C:\Users\Miguel\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2017-12-22 21:17 - 2017-12-22 21:17 - 002870880 _____ (BitTorrent Inc.) C:\Users\Miguel\Downloads\BitTorrent(1).exe
2017-12-20 15:35 - 2017-12-20 15:36 - 004601375 _____ C:\Users\Miguel\Downloads\CGG2017•CATALOG.pdf
2017-12-17 21:26 - 2017-12-28 23:57 - 000000000 ____D C:\Users\Miguel\AppData\Roaming\vlc
2017-12-17 20:42 - 2017-12-17 20:42 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\4335F6CF.sys
2017-12-17 19:27 - 2017-12-17 19:27 - 000001066 _____ C:\Users\Public\Desktop\VLC media player.lnk
2017-12-17 19:27 - 2017-12-17 19:27 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2017-12-17 19:24 - 2017-12-17 19:25 - 030863288 _____ C:\Users\Miguel\Downloads\vlc-2.2.8-win32.exe
2017-12-17 19:14 - 2017-12-17 19:15 - 000039674 _____ C:\Users\Miguel\Documents\cc_20171217_191449.reg
2017-12-17 19:14 - 2017-12-17 19:14 - 000003872 _____ C:\Windows\System32\Tasks\CCleaner Update
2017-12-17 19:14 - 2017-12-17 19:14 - 000002796 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-12-17 19:13 - 2017-12-17 19:14 - 000000000 ____D C:\Program Files\CCleaner
2017-12-17 19:13 - 2017-12-17 19:13 - 000000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-12-17 19:13 - 2017-12-17 19:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-12-17 19:10 - 2017-12-17 19:11 - 011201632 _____ (Piriform Ltd) C:\Users\Miguel\Downloads\ccsetup538.exe
2017-12-17 18:50 - 2017-12-17 18:50 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\1661128C.sys
2017-12-16 23:58 - 2017-12-16 23:58 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\4649F536.sys
2017-12-16 18:44 - 2017-12-16 18:44 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\72539150.sys
2017-12-16 17:42 - 2017-12-27 22:44 - 000000818 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-12-16 17:42 - 2017-12-27 22:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-12-16 17:42 - 2017-12-27 22:44 - 000000000 ____D C:\Program Files\RogueKiller
2017-12-16 17:32 - 2017-12-16 17:33 - 036195904 _____ (Adlice Software ) C:\Users\Miguel\Downloads\setup(2).exe
2017-12-10 14:26 - 2017-12-19 16:43 - 000000000 ____D C:\Users\Miguel\AppData\Roaming\audacity
2017-12-10 14:26 - 2017-12-10 14:26 - 000000000 ____D C:\Users\Miguel\Documents\audacity
2017-12-10 14:26 - 2017-12-10 14:26 - 000000000 ____D C:\Users\Miguel\AppData\Local\Audacity
2017-12-09 19:10 - 2017-12-09 19:11 - 012426884 _____ C:\Users\Miguel\Downloads\SACRAMENTS.pptx
2017-12-04 22:48 - 2017-12-04 22:48 - 000078742 _____ C:\Users\Miguel\Downloads\Thesis The Voice.pdf
2017-11-29 10:35 - 2017-11-29 10:35 - 000000000 ____D C:\Users\Miguel\AppData\Local\Windscribe
2017-11-29 10:34 - 2017-11-30 08:48 - 000000000 ____D C:\Program Files (x86)\Windscribe
2017-11-29 10:34 - 2017-11-29 10:34 - 000001071 _____ C:\Users\Public\Desktop\Windscribe.lnk
2017-11-29 10:34 - 2017-11-29 10:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windscribe
2017-11-29 10:34 - 2017-09-13 21:43 - 000045560 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\tapwindscribe0901.sys
2017-11-29 10:32 - 2017-11-29 10:33 - 016518584 _____ (Windscribe Limited ) C:\Users\Miguel\Downloads\Windscribe.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-29 00:59 - 2009-07-14 12:45 - 000026576 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-12-29 00:59 - 2009-07-14 12:45 - 000026576 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-12-29 00:56 - 2009-07-14 13:13 - 000781298 _____ C:\Windows\system32\PerfStringBackup.INI
2017-12-29 00:56 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\inf
2017-12-29 00:55 - 2017-10-17 12:13 - 000000000 ____D C:\ProgramData\boost_interprocess
2017-12-29 00:52 - 2017-07-15 11:13 - 000000000 ____D C:\Users\Miguel\AppData\LocalLow\Mozilla
2017-12-29 00:51 - 2017-07-27 15:26 - 000188352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-12-29 00:51 - 2017-07-27 15:26 - 000101784 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-12-29 00:51 - 2017-07-27 15:26 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-12-29 00:51 - 2017-07-27 15:25 - 000253856 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-12-29 00:51 - 2017-07-27 15:25 - 000045472 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-12-29 00:50 - 2017-11-18 11:17 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-12-29 00:50 - 2017-09-09 16:35 - 000000000 ____D C:\ProgramData\NVIDIA
2017-12-29 00:50 - 2009-07-14 13:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-12-28 22:53 - 2017-11-17 20:33 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-12-28 22:44 - 2017-11-18 11:17 - 000000000 ____D C:\Users\Miguel\Desktop\mbar
2017-12-28 21:53 - 2017-08-19 11:44 - 000000000 ____D C:\Program Files (x86)\Steam
2017-12-28 18:19 - 2017-10-20 19:34 - 000000000 ____D C:\Users\Miguel\AppData\Local\Warframe
2017-12-28 01:43 - 2017-09-09 13:52 - 000007598 _____ C:\Users\Miguel\AppData\Local\Resmon.ResmonCfg
2017-12-27 00:39 - 2017-07-26 19:28 - 000000000 ____D C:\Users\Miguel\Documents\hw
2017-12-27 00:20 - 2017-07-27 10:07 - 000000000 ____D C:\Users\Miguel\.gimp-2.8
2017-12-27 00:15 - 2017-07-27 10:16 - 000000000 ____D C:\Users\Miguel\AppData\Local\gtk-2.0
2017-12-26 22:43 - 2017-07-26 17:20 - 000031465 _____ C:\Users\Miguel\Documents\animelist1.txt
2017-12-24 16:36 - 2017-08-19 22:57 - 000000000 ____D C:\Users\Miguel\Documents\vst plugin
2017-12-23 07:42 - 2017-07-27 15:25 - 000002020 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-22 22:43 - 2017-07-24 18:40 - 000000000 ____D C:\Users\Miguel\AppData\Roaming\BitTorrent
2017-12-22 21:21 - 2017-07-15 11:13 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-12-22 10:55 - 2017-08-19 22:57 - 000000000 ____D C:\Users\Miguel\AppData\Roaming\Tokyo Dawn Labs
2017-12-22 00:29 - 2017-07-27 12:14 - 000000000 ____D C:\Users\Miguel\Documents\guitar
2017-12-20 01:05 - 2017-11-17 18:42 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-12-17 19:26 - 2017-07-27 08:16 - 000000000 ____D C:\Program Files (x86)\VideoLAN
2017-12-17 19:18 - 2017-08-20 12:43 - 000000000 ____D C:\Users\Miguel\Documents\games
2017-12-12 17:24 - 2017-09-09 19:47 - 000000000 ____D C:\Users\Miguel\AppData\Local\CrashDumps
2017-12-12 17:11 - 2009-07-14 13:08 - 000032564 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-12-11 19:10 - 2017-07-27 10:06 - 000001116 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
2017-12-10 09:14 - 2017-07-15 11:13 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-12-09 09:19 - 2017-07-27 10:35 - 000002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-09 09:19 - 2017-07-27 10:35 - 000002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-04 22:52 - 2009-07-14 13:32 - 000000000 ____D C:\Windows\system32\FxsTmp
2017-11-30 09:02 - 2017-07-29 10:18 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk

==================== Files in the root of some directories =======

2017-12-27 00:15 - 2017-12-27 00:15 - 000008478 _____ () C:\Users\Miguel\AppData\Local\recently-used.xbel
2017-09-09 13:52 - 2017-12-28 01:43 - 000007598 _____ () C:\Users\Miguel\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
2017-12-22 23:47 - 2017-05-13 02:24 - 001732864 _____ (Microsoft Corporation) C:\Users\Miguel\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-12-20 11:58

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Miguel (29-12-2017 01:10:55)
Running from C:\Users\Miguel\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2017-07-15 02:03:56)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-975107635-2959990657-2744162888-500 - Administrator - Disabled)
Guest (S-1-5-21-975107635-2959990657-2744162888-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-975107635-2959990657-2744162888-1002 - Limited - Enabled)
Miguel (S-1-5-21-975107635-2959990657-2744162888-1001 - Administrator - Enabled) => C:\Users\Miguel

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Spybot - Search and Destroy (Disabled - Up to date) {4C1D9672-63FE-5C90-371E-8FDA591C5B75}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.130 - Adobe Systems Incorporated)
Ample Bass P Lite II version 2.3.1 (HKLM-x32\...\{26ACA0DD-7C66-40D7-B992-CC27CA024F2A}_is1) (Version: 2.3.1 - Ample Sound Technology Co., Ltd.)
Ansel (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel) (Version: 385.41 - NVIDIA Corporation) Hidden
Apple Application Support (32-bit) (HKLM-x32\...\{BC7C46A4-D7A7-48EC-A98C-32A7762B5EFA}) (Version: 6.2.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{F0C4B709-8BF4-4A72-B527-12E7BF5482F8}) (Version: 6.2.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BD6778C5-6FA5-492A-ADD6-E706339C2A7B}) (Version: 11.0.2.4 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C1BBFD2A-BCDD-45B3-8C0B-66BD434970A8}) (Version: 2.4.8.1 - Apple Inc.)
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.14 - Michael Tippach)
BitTorrent (HKU\S-1-5-21-975107635-2959990657-2744162888-1001\...\BitTorrent) (Version: 7.10.0.44091 - BitTorrent Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.38 - Piriform)
CPUID CPU-Z 1.74 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
Cubase 5 (HKLM\...\{51AC53CA-6D26-459A-9BDF-53BAEB3E11A3}) (Version: 5.1.2 - Steinberg)
EPSON L100 Series Printer Uninstall (HKLM\...\EPSON L100 Series) (Version:  - SEIKO EPSON Corporation)
FabFilter Pro-Q 2.11 (64-bit) (HKLM-x32\...\FabFilter Pro-Q 2.11 (64-bit)) (Version:  - )
Garena (remove only) (HKLM-x32\...\gxx) (Version: 2.0.1710.1317 - Garena)
GIMP 2.8.22 (HKLM\...\GIMP-2_is1) (Version: 2.8.22 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.84 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
HandBrake 1.0.7 (HKLM-x32\...\HandBrake) (Version: 1.0.7 - )
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.20.286 - SurfRight B.V.)
Inkscape 0.92.2 (HKU\S-1-5-21-975107635-2959990657-2744162888-1001\...\Inkscape) (Version: 0.92.2 - Inkscape Project)
iTunes (HKLM\...\{D7D4465C-B3B6-4BC1-B336-2803FB57BFAF}) (Version: 12.7.2.60 - Apple Inc.)
Malwarebytes version 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Mozilla Firefox 57.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.2 (x64 en-US)) (Version: 57.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 54.0.1 - Mozilla)
MyEpson Portal (HKLM-x32\...\{3361D415-BA35-4143-B301-661991BA6219}) (Version: 1.0.0.7 - SEIKO EPSON CORPORATION) Hidden
MyEpson Portal (HKLM-x32\...\MyEpson Portal) (Version:  - SEIKO EPSON Corporation)
NVIDIA 3D Vision Controller Driver 369.04 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 369.04 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 385.41 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 385.41 - NVIDIA Corporation)
NVIDIA GeForce Experience 3.9.0.61 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.9.0.61 - NVIDIA Corporation)
NVIDIA Graphics Driver 385.41 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 385.41 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.27 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.27 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.17.0524 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0524 - NVIDIA Corporation)
PreSonus Studio One 3 x64 (HKLM\...\PreSonus Studio One 3) (Version: 3.3.4.41933 - PreSonus Audio Electronics)
ReaPlugs/x64 (HKLM\...\ReaPlugs) (Version:  - )
RogueKiller version 12.11.30.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.30.0 - Adlice Software)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.6.46 - Safer-Networking Ltd.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TunnelBear (HKLM-x32\...\{cccb8171-b60b-4da8-8a0a-00e21ff41860}) (Version: 3.0.36.9 - TunnelBear)
TunnelBear (HKLM-x32\...\{DDEA404F-1524-4CA1-B740-A3A0AD6DAFB0}) (Version: 3.0.36.9 - TunnelBear) Hidden
Vegas Pro 13.0 (64-bit) (HKLM\...\{1EEE0BEE-0BC8-11E5-A19E-F04DA23A5C58}) (Version: 13.0.453 - Sony)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.8 - VideoLAN)
Vulkan Run Time Libraries 1.0.51.0 (HKLM\...\VulkanRT1.0.51.0) (Version: 1.0.51.0 - LunarG, Inc.)
Windscribe (HKLM-x32\...\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1) (Version: 1.80 Build 33 - Windscribe Limited)
WinRAR 5.50 beta 5 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.5 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)
ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-07-23] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-07-23] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2017-08-22] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)
ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-07-23] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-07-23] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {190B3A1B-868C-4620-B208-A1F2DB428521} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {22052A8E-C2DA-4441-8EA8-1EC08835F59F} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [2017-08-22] (NVIDIA Corporation)
Task: {52F5A6EC-9445-439B-BA0E-DE3AB3ADBD66} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-12-14] (Piriform Ltd)
Task: {60B32233-5DC9-466A-8956-30266645973A} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2017-05-23] (Safer-Networking Ltd.)
Task: {60DA0DB2-5935-42DF-B218-4EABF1F0132F} - System32\Tasks\gxx speed launcher => C:\Program Files (x86)\Garena\Garena\Garena.exe [2017-10-13] (Garena Online )
Task: {69C8F2A1-37CC-425B-AB76-66CA110757CB} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe [2017-08-22] (NVIDIA Corporation)
Task: {7BE638C3-315D-458B-9D27-3B1B91152E25} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2017-08-22] (NVIDIA Corporation)
Task: {7F1DE345-E9CB-402B-94D2-DBF09286F572} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-12-14] (Piriform Ltd)
Task: {856338A6-CC91-4B6B-9332-EA4285037441} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-07-27] (Google Inc.)
Task: {8AF3627B-CF64-43A5-9DF0-0B97D8DB25B4} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2017-05-23] (Safer-Networking Ltd.)
Task: {8FB4728F-FF4A-4E67-9EB1-6F641A6F983E} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2017-08-22] (NVIDIA Corporation)
Task: {A1B15321-FA0C-435B-8B9C-48E4A39AF8D7} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2017-05-23] (Safer-Networking Ltd.)
Task: {C2B3F191-7866-4F1E-84CC-6CA98EA93B15} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [2017-08-22] (NVIDIA Corporation)
Task: {CF97B785-C428-4B44-8522-08710F6EA7F5} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [2017-08-22] (NVIDIA Corporation)
Task: {DCCAA5D5-0ABD-4869-B2C6-1450A299A08D} - System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2017-08-22] (NVIDIA Corporation)
Task: {EA7A7DD5-0C47-4A62-B581-918D7D3DA215} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-07-27] (Google Inc.)
Task: {F05F9A3B-89C6-4BDA-BC1C-2A32F6440994} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2017-08-22] (NVIDIA Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\gxx speed launcher.job => C:\Program Files (x86)\Garena\Garena\Garena.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-12-08 01:48 - 2017-12-08 01:48 - 001356088 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-12-08 01:48 - 2017-12-08 01:48 - 000088888 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-12-11 11:05 - 2017-12-11 11:05 - 001356088 _____ () C:\Program Files\iTunes\libxml2.dll
2017-12-11 11:05 - 2017-12-11 11:05 - 000088888 _____ () C:\Program Files\iTunes\zlib1.dll
2017-07-27 15:25 - 2017-06-27 12:06 - 002260432 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-10-13 14:46 - 2017-10-13 14:46 - 000266424 _____ () C:\Program Files (x86)\Garena\Garena\2.0.1710.1317\libprotobuf-lite.dll
2017-10-13 17:36 - 2017-10-13 17:36 - 001423192 _____ () C:\Program Files (x86)\Garena\Garena\2.0.1710.1317\libs\gxx_pipe_engine.dll
2017-10-13 17:35 - 2017-10-13 17:35 - 002189648 _____ () C:\Program Files (x86)\Garena\Garena\2.0.1710.1317\libs\FSFileSytem.dll
2017-11-17 18:42 - 2016-09-13 14:00 - 000109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2017-11-17 18:42 - 2016-09-13 14:00 - 000416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2017-11-17 18:42 - 2016-09-13 14:00 - 000167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-975107635-2959990657-2744162888-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-975107635-2959990657-2744162888-1001\...\webcompanion.com -> hxxp://webcompanion.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 10:34 - 2009-06-11 05:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-975107635-2959990657-2744162888-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Miguel\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{1FE03A07-9636-41B8-9156-8384498684B0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{94737619-32DB-4DF5-AAF1-4EE510A0478F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3BC3D605-2FA6-4ED5-A162-EE214D26EA2C}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C506B147-06BC-4D0C-88EA-6221EFD4F946}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{4D7353F5-9D89-4C0A-B837-4B5080E6F82E}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{B875A143-2610-42E0-A0B6-046E38451167}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{C1C14C73-0006-46F4-AC0F-E51E5C9AC957}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{C31D8F4A-4325-4F0E-A10C-C75BAF8F0C08}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{B6E99091-1AD0-4384-B2C1-AEFBB74FFBBC}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{B7ADAC7F-E017-45BF-A22D-815F9E51D1C7}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{F86B2171-87FA-46E4-BE65-4FBCF131AE2B}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [TCP Query User{B56AD8E3-A976-4216-A0DE-5DEA901ACCF7}C:\program files (x86)\java\jre1.8.0_144\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_144\bin\javaw.exe
FirewallRules: [UDP Query User{E4542AC9-339F-4681-A386-06372FABBF11}C:\program files (x86)\java\jre1.8.0_144\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_144\bin\javaw.exe
FirewallRules: [{1ACD2979-3092-4149-83FC-C7CF983C1114}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{AFB7C9E6-4EBC-413E-9CEE-C15C404E6BF4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{2DFDEB15-8B2F-4B34-B1E9-3904BB108DAC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{BC2BF696-C7F7-485A-B837-B1C37089D275}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{E50020DB-F195-4B6E-8D44-58F58E0CBFBA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{1F4A3F1C-71B5-4C93-B8D6-85FD8482F8AA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Tools\RemoteCrashSender.exe
FirewallRules: [{C472EB4F-9664-4738-8B31-92A816950C21}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{19F3F80A-C81A-49A1-B271-E34226591881}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{8FF8FFFD-8411-4163-B414-F5FA65B651B3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{D842B797-2420-459E-8EED-20317FACA783}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{57227414-44E3-4D43-9F15-04A4450ECF86}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{567DC106-AC04-4427-AF93-95D0F64C815D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Tools\RemoteCrashSender.exe
FirewallRules: [{D4DA7FB9-A243-40EE-BA00-E18F193089E6}] => (Allow) C:\Program Files\PreSonus\Studio One 3\Studio One.exe
FirewallRules: [TCP Query User{28E2B9FA-CA9C-4C61-9F0C-83852D6F705D}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{C34D2B82-5653-4BEE-A567-9F0F9C77C791}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [TCP Query User{B27EB646-CC67-4DCE-9124-722672FF40F4}C:\program files (x86)\epson\myepson portal\mep.exe] => (Block) C:\program files (x86)\epson\myepson portal\mep.exe
FirewallRules: [UDP Query User{23734A8A-45B1-45F2-B93A-137B5A62C99D}C:\program files (x86)\epson\myepson portal\mep.exe] => (Block) C:\program files (x86)\epson\myepson portal\mep.exe
FirewallRules: [TCP Query User{6B4FF96F-9B02-44FF-9EFB-CD73F475ADCB}C:\program files (x86)\common files\java\java update\jucheck.exe] => (Allow) C:\program files (x86)\common files\java\java update\jucheck.exe
FirewallRules: [UDP Query User{8FFA143F-20EC-4D3D-ADB7-86457A9D56E3}C:\program files (x86)\common files\java\java update\jucheck.exe] => (Allow) C:\program files (x86)\common files\java\java update\jucheck.exe
FirewallRules: [TCP Query User{A243FF88-93B1-45AB-9058-3A9EE15603E7}C:\program files (x86)\tunnelbear\tunnelbear.ui.exe] => (Block) C:\program files (x86)\tunnelbear\tunnelbear.ui.exe
FirewallRules: [UDP Query User{3F78FA4C-17F8-449E-9B1B-34591A8BDC29}C:\program files (x86)\tunnelbear\tunnelbear.ui.exe] => (Block) C:\program files (x86)\tunnelbear\tunnelbear.ui.exe
FirewallRules: [TCP Query User{698F4482-EEA2-4848-8F1D-F28BEB245904}C:\program files (x86)\common files\java\java update\jusched.exe] => (Block) C:\program files (x86)\common files\java\java update\jusched.exe
FirewallRules: [UDP Query User{8A598E15-BA27-4DF8-96B2-71CB1EE8B979}C:\program files (x86)\common files\java\java update\jusched.exe] => (Block) C:\program files (x86)\common files\java\java update\jusched.exe
FirewallRules: [{FB8BF3CC-5E32-460B-B6A4-2239B298D398}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{36C2B814-4A4C-4CE5-9A07-106E5ACA37BF}] => (Allow) C:\Users\Miguel\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{9E796AB5-A743-491F-AD5E-AE7F709F1016}] => (Allow) C:\Users\Miguel\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{C6B33329-A97E-4FD0-B883-D7CE271832AF}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{C6245673-76EF-4548-ABB5-EA74D2B5AA36}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{0B3AF4C4-9301-43C7-8331-5A9B3AEA3584}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{FF9C45F9-D574-4C08-9992-48FAF348DF9A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{80FE06A9-4390-455C-BE0F-768DE414B613}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{1F7A3FE3-3277-4B9B-86D5-7A38DBF4E862}] => (Allow) C:\Program Files\iTunes\iTunes.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\TunnelBear\v2\OpenSSL\vpn.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Users\Miguel\AppData\Roaming\BitTorrent\BitTorrent.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Windows Media Player\wmplayer.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\VideoLAN\VLC\vlc.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Steam\Steam.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\VideoLAN\VLC\uninstall.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Users\Miguel\AppData\Local\Temp\~nsuA.tmp\Au_.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Users\Miguel\AppData\Local\Temp\winssjht.exe] => Enabled:ipsec

==================== Restore Points =========================

22-12-2017 22:35:48 Checkpoint by HitmanPro
22-12-2017 23:01:17 Malwarebytes Anti-Rootkit Restore Point
27-12-2017 11:18:05 Installed iTunes
27-12-2017 22:07:52 Removed Java 8 Update 144
27-12-2017 23:37:04 Checkpoint by HitmanPro
27-12-2017 23:38:33 Checkpoint by HitmanPro
27-12-2017 23:41:23 Checkpoint by HitmanPro

==================== Faulty Device Manager Devices =============

Name: TunnelBear Adapter V9
Description: TunnelBear Adapter V9
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TunnelBear Provider V9
Service: tap-tb-0901
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/29/2017 12:52:26 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/28/2017 10:15:06 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDTasks.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDTasks.dll" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDResources.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDResources.dll" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDLists.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDLists.dll" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDLicense.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDLicense.dll" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDImmunizeLibrary.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDImmunizeLibrary.dll" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDFileScanLibrary.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDFileScanLibrary.dll" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDFileScanHelper.exe".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDFileScanHelper.exe" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDEvents.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDEvents.dll" on line 2.
The manifest file root element must be assembly.

Error: (12/28/2017 10:15:05 AM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "c:\program files (x86)\spybot - search & destroy 2\SDECon32.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy 2\SDECon32.dll" on line 17.
The element compatibility appears as a child of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by this version of Windows.


System errors:
=============
Error: (12/27/2017 11:21:44 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 70. The internal error state is 105.

Error: (12/27/2017 11:21:00 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 70. The internal error state is 105.

Error: (12/27/2017 12:40:40 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Diagnostics Tracking Service service did not shut down properly after receiving a preshutdown control.

Error: (12/26/2017 09:36:50 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:35:36 PM on ‎12/‎26/‎2017 was unexpected.

Error: (12/24/2017 09:04:09 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (12/24/2017 09:04:08 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (12/24/2017 09:03:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (12/24/2017 09:03:35 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (12/24/2017 09:37:22 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (12/24/2017 09:37:22 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.


==================== Memory info ===========================

Processor: Pentium® Dual-Core CPU E5200 @ 2.50GHz
Percentage of memory in use: 30%
Total physical RAM: 4095.18 MB
Available physical RAM: 2862.53 MB
Total Virtual: 8188.54 MB
Available Virtual: 6692.45 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:196.95 GB) (Free:36.24 GB) NTFS
Drive d: () (Fixed) (Total:39.06 GB) (Free:0.85 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: () (Fixed) (Total:229.75 GB) (Free:10.44 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 73FD73FD)
Partition 1: (Active) - (Size=39.1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=426.7 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================


Edited by Yuvie, 29 December 2017 - 12:40 AM.



#2 Oh My!

Malware Response Instructor

Posted 29 December 2017 - 01:23 PM

Greetings Yuvie and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me just a bit of time to review what you have posted.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!


Posted 29 December 2017 - 02:36 PM

Greetings again and thank you for your patience.

Due to the number of errors detailed in your logs related to Spybot I would like to remove that program.

Please do these things.

===================================================

Uninstalling Programs Using Revo Uninstaller Free

--------------------

I recommend uninstalling the below listed program(s) from your computer.

Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.

Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of a previous uninstall. If that is the case simply stop and let me know.
  • Please download and install Revo Uninstaller Free
  • Double click the Revo Uninstaller icon
  • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
Spybot - Search & Destroy
  • If presented with the program uninstall option click Uninstall
  • If asked to reboot select Reboot later
  • Under Scanning Modes select Advanced then select Scan
  • On the Found leftover Registry items click Select All, Delete, then confirm the deletion
  • When prompted click on Next
  • On the Found leftover files and folders click Select All, Delete, then confirm the deletion
  • Reboot your computer
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
CreateRestorePoint:
CloseProcesses:
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\dsengine.cfg [2017-12-22] <==== ATTENTION
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Miguel\AppData\Local\Temp\~nsuA.tmp
StandardProfile\AuthorizedApplications: [C:\Users\Miguel\AppData\Local\Temp\~nsuA.tmp\Au_.exe] => Enabled:ipsec
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
emptytemp:
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Malwarebytes AdwCleaner

-------------------
  • Please download AdwCleaner and save it on your desktop.
  • Close all open programs and browsers
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed if there are threats found you will see Found 3 threats or something similar above the progress bar
  • Click each tab under Results and uncheck any items you want to keep
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Click OK twice to finish the removal process by automatically rebooting your computer
  • Once completed an AdwCleaner document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Did Spybot uninstall?
  • Fixlog
  • AdwCleaner log
  • Update on computer performance

Gary
 

#4 Yuvie


Posted 29 December 2017 - 09:53 PM

Hi! You can call me Miguel, thanks for the help thus far.

 

Before doing any of the instructions you gave me, my computer didn't seem to have any process with unusually high CPU when I turned it on today, but I'm still worried that lbug.pif can't be removed by Malwarebytes.

 

Spybot was uninstalled successfully

 

After I used FRST though, Mozilla Firefox is unable to run after reboot. When I open it, it says "failed to read configuration file. Please contact your system administrator". Hmmmm, I did the instructions correctly: run as admin, Ctrl + C (I guess it doesn't need to be pasted?) then Fix.

 

Again my computer seems to be running normally, lbug.pif is still there though.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Miguel (30-12-2017 10:22:38) Run:1
Running from C:\Users\Miguel\Desktop
Loaded Profiles: Miguel (Available Profiles: Miguel)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\dsengine.cfg [2017-12-22] <==== ATTENTION
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Miguel\AppData\Local\Temp\~nsuA.tmp
StandardProfile\AuthorizedApplications: [C:\Users\Miguel\AppData\Local\Temp\~nsuA.tmp\Au_.exe] => Enabled:ipsec
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
emptytemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\mozilla firefox\dsengine.cfg => moved successfully
"HKLM\System\CurrentControlSet\Services\VGPU" => removed successfully
VGPU => service removed successfully
"C:\Users\Miguel\AppData\Local\Temp\~nsuA.tmp" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Users\Miguel\AppData\Local\Temp\~nsuA.tmp\Au_.exe" => removed successfully
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
{72AC0B10-7FE3-49F4-929B-23D23BC3A432} canceled.
1 out of 1 jobs canceled.
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-21-975107635-2959990657-2744162888-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => removed successfully
"HKU\S-1-5-21-975107635-2959990657-2744162888-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-975107635-2959990657-2744162888-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 29557457 B
Java, Flash, Steam htmlcache => 198329038 B
Windows/system/drivers => 529408 B
Edge => 0 B
Chrome => 48822555 B
Firefox => 457945899 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 60221424 B
systemprofile32 => 69310 B
LocalService => 66228 B
NetworkService => 153536 B
Miguel => 419038234 B
 
RecycleBin => 164943335 B
EmptyTemp: => 1.3 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:24:35 ====
 
# AdwCleaner 7.0.6.0 - Logfile created on Sat Dec 30 02:37:19 2017
# Updated on 2017/21/12 by Malwarebytes 
# Running on Windows 7 Ultimate (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion
 
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKLM\SOFTWARE\Lavasoft\Web Companion
Deleted: [Key] - HKU\S-1-5-21-975107635-2959990657-2744162888-1001\Software\Lavasoft\Web Companion
Deleted: [Key] - HKCU\Software\Lavasoft\Web Companion
Deleted: [Value] - HKU\S-1-5-21-975107635-2959990657-2744162888-1001\Software\Microsoft\Windows\CurrentVersion\Run|Web Companion
Deleted: [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Web Companion
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [948 B] - [2017/11/17 11:55:46]
C:/AdwCleaner/AdwCleaner[S1].txt - [1673 B] - [2017/12/30 2:34:42]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
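
The pattern Miguel describes (the file gone after the tools run, back a few seconds after deletion, and unrelated programs such as the Java updater or the printer portal spiking in CPU when it returns) is the kind of thing a helper wants timestamped evidence for rather than a recollection. The PowerShell script below is an added example written for this thread; it is not part of the thread and not code from FRST, Malwarebytes or AdwCleaner. It polls for the file, and each time it goes from absent to present it logs the time, the file's SHA-256 and size, and the five processes with the most accumulated CPU time at that moment, so a reappearance can be lined up with whatever was busy. Only the target path C:\lbug.pif comes from the thread; the log location and poll interval are arbitrary choices, and it assumes an elevated PowerShell 2.0 or later session on the affected machine. It reads and writes a log file only and changes nothing else on disk.

```powershell
# Added example, not from the thread or from any of the tools used in it.
# Watches for a file that keeps coming back (C:\lbug.pif in this thread) and, each
# time it reappears, records a timestamp, its SHA-256 and size, and the five
# processes with the most accumulated CPU time, for correlation by the helper.
# Assumptions: elevated PowerShell 2.0+; $Targets taken from the thread; $LogPath
# and $PollSec are arbitrary choices for this example.
param(
    [string[]]$Targets = @('C:\lbug.pif'),
    [string]  $LogPath = "$env:USERPROFILE\Desktop\reappear-log.txt",
    [int]     $PollSec = 1
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing so this also works on the stock PowerShell 2.0 of Windows 7,
    # which has no Get-FileHash cmdlet. FileShare.ReadWrite avoids failing if the
    # writer still holds the file open.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-TopCpuSummary {
    param([int]$Count = 5)
    # Processes with the most CPU time consumed so far; the thread reports unrelated
    # programs (Java updater, printer portal) spiking when the file returns.
    (Get-Process | Where-Object { $_.CPU -ne $null } | Sort-Object CPU -Descending |
        Select-Object -First $Count |
        ForEach-Object { '{0}[{1}]={2}s' -f $_.ProcessName, $_.Id, [math]::Round($_.CPU, 1) }) -join ', '
}

function Write-TriageRecord {
    param([string]$Path, [string]$LogPath)
    try {
        $hash = Get-Sha256Hex -Path $Path
        $size = (Get-Item -LiteralPath $Path).Length
    } catch {
        # The file may vanish or be locked between the existence check and the read.
        $hash = 'unreadable: ' + $_.Exception.Message
        $size = -1
    }
    $line = '{0} | {1} | size={2} | sha256={3} | topcpu={4}' -f `
        (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Path, $size, $hash, (Get-TopCpuSummary)
    Add-Content -LiteralPath $LogPath -Value $line
    Write-Host $line
}

# Remember presence per target so only the absent -> present transition is logged,
# not every poll while the file sits there.
$present = @{}
foreach ($t in $Targets) { $present[$t] = Test-Path -LiteralPath $t }
Write-Host "Watching $($Targets -join ', ') every $PollSec s; log: $LogPath (Ctrl+C to stop)"

while ($true) {
    foreach ($t in $Targets) {
        $now = Test-Path -LiteralPath $t
        if ($now -and -not $present[$t]) {
            Write-TriageRecord -Path $t -LogPath $LogPath
        }
        if ((-not $now) -and $present[$t]) {
            # Also note removals, so the log shows how quickly the file returns after deletion.
            Add-Content -LiteralPath $LogPath -Value ('{0} | {1} | removed' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $t)
        }
        $present[$t] = $now
    }
    Start-Sleep -Seconds $PollSec
}
```

Run it in an elevated console, then delete the file the way you normally would and leave the console open; the log shows the removal line, the reappearance line with its hash, and which processes were busiest at that instant. A hash that is identical on every reappearance tells the helper it is the same sample being dropped again, while a changing hash points at something rewriting it; the CPU snapshot is a hint for which process to look at, not proof by itself.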


#5 Oh My!


Posted 29 December 2017 - 10:46 PM

Greetings Miguel.

You didn't do anything wrong. We will correct that Firefox error.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
RestoreQuarantine: C:\FRST\Quarantine\C:\Program Files (x86)\mozilla firefox\dsengine.cfg
cmd: type "C:\Program Files (x86)\mozilla firefox\dsengine.cfg"
cmd: type "C:\FRST\Quarantine\C:\Program Files (x86)\mozilla firefox\dsengine.cfg"
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Copy/paste the following in the Search: box
SearchAll: lbug.pif
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document in your reply
  • Search log
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Search log

Gary
 

#6 Yuvie


Posted 30 December 2017 - 04:22 AM

Firefox still doesn't work and lbug.pif wasn't found.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Miguel (30-12-2017 11:54:02) Run:2
Running from C:\Users\Miguel\Desktop
Loaded Profiles: Miguel (Available Profiles: Miguel)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
RestoreQuarantine: C:\FRST\Quarantine\C:\Program Files (x86)\mozilla firefox\dsengine.cfg
cmd: type "C:\Program Files (x86)\mozilla firefox\dsengine.cfg"
cmd: type "C:\FRST\Quarantine\C:\Program Files (x86)\mozilla firefox\dsengine.cfg"
 
*****************
 
"C:\FRST\Quarantine\C:\Program Files (x86)\mozilla firefox\dsengine.cfg"=> path not found.
 
========= type "C:\Program Files (x86)\mozilla firefox\dsengine.cfg" =========
 
The system cannot find the file specified.
 
========= End of CMD: =========
 
 
========= type "C:\FRST\Quarantine\C:\Program Files (x86)\mozilla firefox\dsengine.cfg" =========
 
The filename, directory name, or volume label syntax is incorrect.
 
========= End of CMD: =========
 
 
==== End of Fixlog 11:54:02 ====
 
Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Miguel (30-12-2017 11:55:56)
Running from C:\Users\Miguel\Desktop
Boot Mode: Normal
 
================== Search Files: "SearchAll: lbug.pif" =============
 
File:
========
 
folder:
========
 
Registry:
========
 
 
====== End of Search ======


#7 Oh My!


Posted 30 December 2017 - 03:23 PM

Please do this.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Launch FRST
  • Copy/paste the following in the Search: box
dsengine.cfg
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Search.txt

Gary
 

#8 Yuvie


Posted 30 December 2017 - 07:55 PM

By the way, my printer's myEpson portal got high CPU usage again yesterday for a moment until I stopped the process, and lbug.pif is still there.
Oh, and since Firefox is like this, is it a good idea to just reinstall Firefox?
 
Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Miguel (31-12-2017 08:42:55)
Running from C:\Users\Miguel\Desktop
Boot Mode: Normal
 
================== Search Files: "dsengine.cfg" =============
 
 
====== End of Search ======


#9 Oh My!


Posted 30 December 2017 - 09:08 PM

Hold off on reinstalling Firefox and let's try this instead.

===================================================

Selecting Previous System Restore Point in Windows 7

--------------------
  • Click Start, Control Panel, then System
  • Click on System Protection in the left-hand task list
  • Click on the System Restore button
  • Click Next
  • Select the restore point dated 30-12-2017 10:22:38 (or thereabouts)
  • Click Next, then Finish
  • Upon reboot test Firefox
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
zip: C:\lbug.pif
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • The tool will also create a zip file on your Desktop with today's date and time, example 05.12.2016_13.04.06.zip. Please attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • System Restore successful
  • Firefox?
  • Attached zip file

Gary
 

#10 Yuvie


Posted 30 December 2017 - 10:24 PM

Thanks for the help!

System restore was successful and Firefox is back and running.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Miguel (31-12-2017 11:10:19) Run:3
Running from C:\Users\Miguel\Desktop
Loaded Profiles: Miguel (Available Profiles: Miguel)
Boot Mode: Normal
==============================================

fixlist content:
*****************
zip: C:\lbug.pif

*****************

================== Zip: ===================
C:\lbug.pif -> copied successfully to C:\Users\Miguel\Desktop\31.12.2017_11.10.19.zip
=========== Zip: End ===========

==== End of Fixlog 11:10:19 ====


#11 Oh My!


Posted 30 December 2017 - 11:13 PM

Unfortunately the file was not included. Can you use Windows Explorer to navigate to the file and upload the file here.
Gary
 

#12 Yuvie


Posted 30 December 2017 - 11:57 PM

File sent :)



#13 Oh My!


Posted 31 December 2017 - 10:41 AM

Greetings.

I'm afraid I have very bad news.

===================================================

BACKDOOR WARNING! - Sality Virus

--------------------

Your system is infected with Win32/Sality. I would suggest you review the information in the link I provided. This determination is based on the analysis of the file you uploaded to me as well as other evidence in your logs. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. All of these accounts should be monitored from this point forward.

This particular infection allows hackers to remotely control your computer, steal critical system information and download and execute files. The Sality Virus is so severe the only recommendation I can make is to completely reformat your hard drive and reinstall your operating system and programs. Absent this you should always consider your computer compromised with the very real possibility for theft of your personal information and all that might flow from that. It could never be considered clean.

Please let me know your thoughts.
Gary
 

#14 Yuvie


Posted 31 December 2017 - 09:50 PM

... I didn't think it would be like this, sigh

I think I would just reformat my hard drive. I'm wondering though, is there harm in copying my files to a flash drive? Is it possible for the flash drive to be infected too?



#15 Oh My!


Posted 31 December 2017 - 10:42 PM

Yes, it is unfortunate.

We can run an antivirus scan of your flash drive once your data files have been copied to it. I can leave the topic open and assist you when you are ready if you'd like.
Gary
 