Possible rootkit infection detected by AswMbr. What to do?


This topic is locked.
32 replies to this topic

#1 Dell_User7
  • Members
  • 30 posts

Posted 25 January 2018 - 11:41 AM

Hello, I have a Dell computer with Windows 7 Pro on it and I've recently been a little suspicious that I might have had an MBR or rootkit virus on my computer, because of accessing a flash drive on my Windows 7 Pro computer from an older HP Windows XP SP2 computer that was compromised already.

I scanned (only) with MBRCheck and aswMBR. MBRCheck said I was clean. However, aswMBR found several locked entries that point to a Kaspersky rootkit infection.

However, I do not believe that I was infected any time recently by any rootkit virus or MBR virus. Certainly not from accessing a flash drive that I had connected to my Windows XP computer a week ago, then inserted for a moment back into my main computer, but rather from installing and running Kaspersky several years ago. I suspect I had been infected then, because several of the system drivers that aswMBR reports as a rootkit infection are Kaspersky system driver files.

I haven't had Kaspersky on my main computer for several years, but I have noticed that whenever I install any new anti-virus software, it usually detects Kaspersky as another active entry of currently installed anti-viruses. I get a general warning that I must uninstall any other currently installed anti-virus software before installing new anti-virus software. However, any attempt I ever made at truly uninstalling and removing Kaspersky has failed. And I would usually get a message like "we have failed to remove Kaspersky from your computer, the program seems to be locked or in use by another program." Or it would say "Kaspersky was not found to remove on your computer".

Anyway, I've never seen a big increase in my system resources since I've uninstalled (or so I thought) Kaspersky, nor have I ever had any major, suspicious virus activity. But I've always sort of suspected that Kaspersky had put some kind of secret, hidden rootkit or spyware on my computer after removing the software.

Now with aswMBR finding several possible rootkit infections on my computer, all of which seem to link back to a Kaspersky system driver of some kind, I nearly have my earlier suspicions confirmed.

However, before I try to click on that "Fix" button in aswMBR, I want someone here to carefully look over the log that I saved from doing a partial scan with aswMBR, to help guide me on whether or not I should back up my files or even attempt a fix to remove the rootkits, or if you think the found infections are even important enough to treat in the first place.

I was only able to do a partial scan, because the first time I ran aswMBR, it froze and had to close shortly after it detected a good handful of possible Kaspersky rootkit infections. So at this time, I only want to focus on these reported infections, along with my operating system specifications, and on what I should do about these possible infections. Please feel free to ask me any questions if I haven't yet provided all of the necessary details on the issue. I will be following this topic closely. Thank you.

--

I can't figure out how to add an attachment, so I will just copy and paste the aswMBR log here, I hope that is okay.

I also apologize if I'm leaving out some other necessary details, but this is my first time posting to a tech help forum so I'm a little rough around the edges.

--

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2018-01-25 10:12:17
-----------------------------
10:12:17.930    OS Version: Windows x64 6.1.7601 Service Pack 1
10:12:17.930    Number of processors: 4 586 0x3A09
10:12:17.930    ComputerName: ZAR-UNITYV4-PC  UserName: Zar-Unityv4
10:12:18.914    Initialize success
10:12:18.929    VM: initialized successfully
10:12:18.929    VM: Intel CPU supported 
10:12:24.541    VM: not used
10:12:32.898    AVAST engine defs: 18012502
10:13:02.944    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:13:02.959    Disk 0 Vendor: ST1000DM CC47 Size: 953869MB BusType: 3
10:13:03.164    Disk 0 MBR read successfully
10:13:03.164    Disk 0 MBR scan
10:13:03.164    Disk 0 Windows VISTA default MBR code
10:13:04.697    Disk 0 Partition 1 00     DE   Dell Utility DELL 4.1       39 MB offset 63
10:13:04.713    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS        22186 MB offset 81920
10:13:04.728    Disk 0 Boot: NTFS     code=1
10:13:04.728    Disk 0 Partition 3 00     07      HPFS/NTFS NTFS       931642 MB offset 45518848
10:13:04.791    Disk 0 scanning C:\Windows\system32\drivers
10:13:21.241    Service scanning
 
INFECTIONS SEEN HERE IN RED TEXT:
10:13:24.632    Service cm_km C:\Windows\system32\DRIVERS\cm_km.sys **LOCKED** 5
10:13:28.540    Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
10:13:28.556    Service klbackupdisk C:\Windows\system32\DRIVERS\klbackupdisk.sys **LOCKED** 5
10:13:28.604    Service kldisk C:\Windows\system32\DRIVERS\kldisk.sys **LOCKED** 5
10:13:28.635    Service klflt C:\Windows\system32\DRIVERS\klflt.sys **LOCKED** 5
10:13:28.682    Service klhk C:\Windows\system32\DRIVERS\klhk.sys **LOCKED** 5
10:13:28.729    Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 5
10:13:28.791    Service klkbdflt C:\Windows\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
10:13:28.853    Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 5
10:13:28.901    Service kltdi C:\Windows\system32\DRIVERS\kltdi.sys **LOCKED** 5
10:13:28.932    Service Klwtp C:\Windows\system32\DRIVERS\klwtp.sys **LOCKED** 5
10:13:28.964    Service kneps C:\Windows\system32\DRIVERS\kneps.sys **LOCKED** 5
 
10:13:38.217    Modules scanning
10:13:38.217    Disk 0 trace - called modules:
10:13:38.232    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys 
10:13:38.248    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009abf060]
10:13:38.248    3 CLASSPNP.SYS[fffff88001d2243f] -> nt!IofCallDriver -> [0xfffffa80070c6400]
10:13:38.248    5 ACPI.sys[fffff880017767a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007106050]
10:13:38.951    AVAST engine scan C:\Windows
10:13:43.419    AVAST engine scan C:\Windows\system32
10:15:53.557    AVAST engine scan C:\Windows\system32\drivers
10:16:07.706    AVAST engine scan C:\Users\Zar-Unityv4
10:17:13.282    Disk 0 MBR has been saved successfully to "C:\Users\Zar-Unityv4\Documents\__The useful box__\3) Software Usage & Info\MBR.dat"
10:17:13.282    The log file has been saved successfully to "C:\Users\Zar-Unityv4\Documents\__The useful box__\3) Software Usage & Info\aswMBR_log.txt"

Edited by hamluis, 25 January 2018 - 12:22 PM.
Moved from AII to MRL - Hamluis.
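What aswMBR actually asserts in the log above is narrower than "rootkit". **LOCKED** on a service line means the tool could not open that driver file to read it, which is typically what an anti-virus product's self-protection driver does for its own components, and the "Windows VISTA default MBR code" line says the boot sector carries stock Windows code. The parser below is an added example, not part of the original thread and not AVAST's code: it reads a log in this format and separates the items that need a human (a non-stock boot sector, the drivers on the storage stack, locked drivers grouped by name family) from the entries that merely look alarming. The sample log is an abridged copy of the one pasted above; the assumption that every stock boot sector is reported with the words "default MBR code" is mine, based only on the VISTA wording visible here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: an abridged copy of the log pasted above.
SAMPLE_LOG = r"""
aswMBR version 1.0.1.2290 Copyright (c) 2014 AVAST Software
Run date: 2018-01-25 10:12:17
10:13:02.944    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:13:03.164    Disk 0 Windows VISTA default MBR code
10:13:04.697    Disk 0 Partition 1 00     DE   Dell Utility DELL 4.1       39 MB offset 63
10:13:04.713    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS        22186 MB offset 81920
10:13:04.728    Disk 0 Partition 3 00     07      HPFS/NTFS NTFS       931642 MB offset 45518848
10:13:21.241    Service scanning
10:13:24.632    Service cm_km C:\Windows\system32\DRIVERS\cm_km.sys **LOCKED** 5
10:13:28.540    Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
10:13:28.682    Service klhk C:\Windows\system32\DRIVERS\klhk.sys **LOCKED** 5
10:13:38.217    Disk 0 trace - called modules:
10:13:38.232    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
# "Service <name> <path>.sys [**LOCKED** <n>]"; LOCKED means aswMBR could not open the file
SERVICE_RE = re.compile(r"^Service (\S+) (.+?\.sys)(?:\s+\*\*LOCKED\*\*(?:\s+\d+)?)?$")
# "Disk <d> Partition <i> <boot> [(A)] <type> <description> <size> MB offset <sectors>"
PARTITION_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?([0-9A-Fa-f]{2})\s+"
    r"(.*?)\s+(\d+) MB offset (\d+)$")
MBR_CODE_RE = re.compile(r"^Disk (\d+) (.+ MBR code)$")

@dataclass
class Partition:
    disk: int
    index: int
    boot_flag: str   # "80" = active (bootable) partition, "00" = not bootable
    type_id: str     # partition type byte: 07 = NTFS, DE = Dell Utility
    description: str
    size_mb: int
    offset_sectors: int

@dataclass
class ServiceEntry:
    name: str
    path: str
    locked: bool     # an access failure during the scan, not a malware verdict

@dataclass
class AswMbrReport:
    mbr_code: dict[int, str] = field(default_factory=dict)
    partitions: list[Partition] = field(default_factory=list)
    services: list[ServiceEntry] = field(default_factory=list)
    trace_modules: list[str] = field(default_factory=list)

def parse_aswmbr_log(text: str) -> AswMbrReport:
    report = AswMbrReport()
    expect_trace = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner and run-date lines carry no timestamp
        msg = m.group(2).strip()
        if expect_trace:
            # the line after "trace - called modules:" names every driver on the path
            # to the disk; a hooked storage stack would show an unexpected name here
            report.trace_modules = msg.split()
            expect_trace = False
        elif sm := SERVICE_RE.match(msg):
            report.services.append(ServiceEntry(sm.group(1), sm.group(2), "**LOCKED**" in msg))
        elif pm := PARTITION_RE.match(msg):
            d, i, boot, ptype, desc, size, off = pm.groups()
            report.partitions.append(Partition(int(d), int(i), boot, ptype, desc, int(size), int(off)))
        elif cm := MBR_CODE_RE.match(msg):
            report.mbr_code[int(cm.group(1))] = cm.group(2)
        elif msg.endswith("trace - called modules:"):
            expect_trace = True
    return report

def triage(report: AswMbrReport) -> dict:
    """Queue non-stock boot sectors for review; group locked drivers by name prefix.

    Assumption: aswMBR describes every stock Windows boot sector with the words
    "default MBR code" (only the VISTA wording is visible in the thread).  A dozen
    locked drivers sharing a prefix are usually one product's self-protected driver
    set, to be verified once by signature rather than counted as a dozen findings.
    """
    out: dict = {"mbr_review": [], "locked_by_family": {}}
    for disk, desc in sorted(report.mbr_code.items()):
        if "default MBR code" not in desc:
            out["mbr_review"].append(f"Disk {disk}: {desc}")
    for svc in report.services:
        if svc.locked:
            out["locked_by_family"].setdefault(svc.name.lower()[:2], []).append(svc.name)
    return out

if __name__ == "__main__":
    for key, value in triage(parse_aswmbr_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the live machine the next step for each locked driver is to check the file's Authenticode signature and the service's Start value (for example with Get-AuthenticodeSignature and sc qc on Windows) rather than pressing Fix: a locked, validly signed driver from a known vendor is usually a leftover from an incomplete uninstall, and the vendor's own removal tool is the right fix for that.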




#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 January 2018 - 12:11 PM

Hello, in order to clean this please post a new topic. Include this info and the FRST log in the guide.
Do steps 6 & 7

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well..
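When the FRST log boopme asks for comes back, a helper skims it for a handful of line shapes before anything else: the `<==== ATTENTION` marker FRST appends to entries it considers worth a look (the Windows Defender policy restriction in this thread is one; such a policy is often set by a third-party anti-virus installer, but that has to be confirmed, not assumed), autostart entries and services whose version information carries no company name (FRST prints an empty `()`), resolvers set statically rather than by DHCP, and entries that point at files which no longer exist. The parser below is an added example, not FRST's own code and not from the thread; its sample is an abridged copy of the FRST.txt posted later in this thread plus one invented autostart, UpdaterSvc, so the publisher check has something to catch. The decoding of FRST's service prefix (state letter, then the Start value digit) is my assumption about FRST's output convention.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FRST.txt posted later in this thread, abridged,
# plus ONE invented autostart ("UpdaterSvc") so the publisher check has something to catch.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-05-09] (Apple Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie_5.20 (64)\SbieCtrl.exe [799880 2017-10-30] (Sandboxie Holdings, LLC)
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Run: [UpdaterSvc] => C:\Users\Public\upd.exe [51200 2018-01-20] ()

==================== Internet (Whitelisted) ====================
Tcpip\..\Interfaces\{842EEBF7-5F77-4BA2-B7D1-7636C4167F86}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{93D7F91C-E7C8-4A14-A0D6-BF481CD4E433}: [NameServer] 84.200.69.80,84.200.70.40
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found

==================== Services (Whitelisted) ====================
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# "<hive>\...\Run: [<name>] => <path> [<size> <date>] (<publisher>)"; "()" = no publisher
RUN_RE = re.compile(r"^(\S+?)\\\.\.\.\\Run: \[(.+?)\] => (.+?) \[(\d+) (\d{4}-\d\d-\d\d)\] \((.*)\)$")
# "<R|S|U><start> <name>; <path> [<size> <date>] (<publisher>)"
SERVICE_RE = re.compile(r"^([RSU])(\d) (.+?); (.+?) \[(\d+) (\d{4}-\d\d-\d\d)\] \((.*)\)$")
DNS_RE = re.compile(r"^Tcpip\\\.\.\\Interfaces\\(\{[0-9A-Fa-f-]+\}): \[(DhcpNameServer|NameServer)\] (\S+)$")
ATTENTION = "<==== ATTENTION"
# Assumed decoding of FRST's service prefix: state letter, then the service Start value.
STATES = {"R": "running", "S": "stopped", "U": "unknown"}
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

@dataclass
class Autostart:
    section: str
    hive: str
    name: str
    path: str
    size: int
    date: str
    publisher: str   # "" when FRST printed an empty "()"

@dataclass
class Service:
    state: str
    start_type: str
    name: str
    path: str
    publisher: str

@dataclass
class FrstReport:
    attention: list[str] = field(default_factory=list)
    autostarts: list[Autostart] = field(default_factory=list)
    services: list[Service] = field(default_factory=list)
    dns: dict[str, dict[str, list[str]]] = field(default_factory=dict)
    orphans: list[str] = field(default_factory=list)   # entries whose target file is gone

def parse_frst(text: str) -> FrstReport:
    report, section = FrstReport(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if sec := SECTION_RE.match(line):
            section = sec.group(1)
        elif line.endswith(ATTENTION):
            report.attention.append(line[: -len(ATTENTION)].rstrip())
        elif m := RUN_RE.match(line):
            hive, name, path, size, date, pub = m.groups()
            report.autostarts.append(Autostart(section, hive, name, path, int(size), date, pub))
        elif m := SERVICE_RE.match(line):
            st, start, name, path, _size, _date, pub = m.groups()
            report.services.append(
                Service(STATES.get(st, st), START_TYPES.get(start, start), name, path, pub))
        elif m := DNS_RE.match(line):
            iface, kind, servers = m.groups()
            report.dns.setdefault(iface, {})[kind] = servers.split(",")
        elif line.endswith("No File") or line.endswith("=> not found"):
            report.orphans.append(line)
    return report

def triage(report: FrstReport) -> dict:
    """What a helper reads first: ATTENTION markers, entries with no publisher,
    resolvers set by hand rather than by DHCP, and references to missing files."""
    return {
        "attention": list(report.attention),
        "no_publisher_autostarts": [a.name for a in report.autostarts if not a.publisher],
        "no_publisher_services": [s.name for s in report.services if not s.publisher],
        "static_dns": {i: v["NameServer"] for i, v in report.dns.items() if "NameServer" in v},
        "orphans": len(report.orphans),
    }

if __name__ == "__main__":
    for key, value in triage(parse_frst(SAMPLE_FRST)).items():
        print(f"{key}: {value}")
```

A missing publisher is a prompt to look at the file, not a verdict: plenty of legitimate binaries ship without version information, and malware can carry a copied company name. The statically configured resolvers are listed so the owner can confirm they set them deliberately.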

#3 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,734 posts
  • Gender:Male
  • Location:California

Posted 27 January 2018 - 03:41 PM

Greetings Dell_User7 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this. If necessary, download the below program onto a USB device from a clean computer and transfer it over to the infected computer.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32-bit or 64-bit systems and save it to your Desktop. <<< Important
  • Right click on the icon and select Run as administrator
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of each report in separate reply windows
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

#4 Dell_User7
  • Topic Starter
  • Members
  • 30 posts

Posted 28 January 2018 - 10:32 PM

Hello, sorry about the delay, here are my logs.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.01.2018
Ran by Zar-Unityv4 (administrator) on ZAR-UNITYV4-PC (26-01-2018 12:05:08)
Running from C:\Users\Zar-Unityv4\Documents\__The useful box__
Loaded Profiles: Zar-Unityv4 (Available Profiles: Zar-Unityv4)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SbieSvc.exe
(AVAST Software) C:\Program Files\AVAST_Internet_Security\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(VoodooSoft, LLC ) C:\Program Files\VoodooShield\VoodooShieldService.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(VoodooSoft, LLC ) C:\Program Files\VoodooShield\VoodooShield.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SbieCtrl.exe
(AVAST Software) C:\Program Files\AVAST_Internet_Security\Avast\AvastUI.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GlassWire.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(AVAST Software) C:\Program Files\AVAST_Internet_Security\Avast\afwServ.exe
(AVAST Software) C:\Program Files\AVAST_Internet_Security\Avast\x64\aswidsagenta.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SbieSvc.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SandboxieRpcSs.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SandboxieDcomLaunch.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SandboxieCrypto.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SbieSvc.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SandboxieBITS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Zar-Unityv4\Documents\__The useful box__\FarBar_RST64.exe
(Piotr Pawlowski) C:\Program Files (x86)\foobar2000\foobar2000.exe
(Last.fm) C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-05-09] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST_Internet_Security\Avast\AvLaunch.exe [246120 2018-01-24] (AVAST Software)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [133400 2011-12-16] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie_5.20 (64)\SbieCtrl.exe [799880 2017-10-30] (Sandboxie Holdings, LLC)
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [5805520 2017-07-25] (SecureMix LLC)
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7964576 2017-10-17] (SUPERAntiSpyware)
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9803992 2017-06-13] (Piriform Ltd)
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{842EEBF7-5F77-4BA2-B7D1-7636C4167F86}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{93D7F91C-E7C8-4A14-A0D6-BF481CD4E433}: [NameServer] 84.200.69.80,84.200.70.40
 
Internet Explorer:
==================
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.duckduckgo.com/
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000 -> DefaultScope {30C483B9-17D5-4680-A41F-59A2F4459F52} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000 -> {30C483B9-17D5-4680-A41F-59A2F4459F52} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000 -> {B689767B-A433-421B-A274-EA7DA2D126DB} URL = 
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2017-03-28] (IObit)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2016-07-26] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST_Internet_Security\Avast\aswWebRepIE64.dll [2018-01-24] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2016-07-26] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST_Internet_Security\Avast\aswWebRepIE.dll [2018-01-24] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Toolbar: HKLM-x32 - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Handler: vipresg - No CLSID Value
 
FireFox:
========
FF DefaultProfile: bmyd2o81.default
FF DefaultProfile: wozuvf7m.default
FF ProfilePath: C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\SeaMonkey\Profiles\bmyd2o81.default [2018-01-14]
FF Homepage: Mozilla\SeaMonkey\Profiles\bmyd2o81.default -> hxxp://www.instagc.com
FF Extension: (Bluhell Firewall) - C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\SeaMonkey\Profiles\bmyd2o81.default\Extensions\{6BB5760D-F97E-421B-AF5B-8457A90C3CED}.xpi [2017-07-23] [Legacy]
FF ProfilePath: C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250 [2018-01-25]
FF Homepage: Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250 -> www.duckduckgo.com/
FF Session Restore: Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250 -> is enabled.
FF Extension: (Windscribe VPN) - C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250\Extensions\@windscribeff.xpi [2017-12-25]
FF Extension: (AdGuard AdBlocker) - C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250\Extensions\adguardadblocker@adguard.com.xpi [2018-01-20]
FF Extension: (S3.Translator) - C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250\Extensions\s3google@translator.xpi [2017-12-25]
FF Extension: (Avast SafePrice) - C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250\Extensions\sp@avast.com.xpi [2018-01-24]
FF Extension: (Avast Online Security) - C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250\Extensions\wrc@avast.com.xpi [2018-01-24]
FF Extension: (Bluhell Firewall) - C:\Users\Zar-Unityv4\AppData\Roaming\Mozilla\Firefox\Profiles\8vx3qnh5.default-1480343040250\Extensions\{6BB5760D-F97E-421B-AF5B-8457A90C3CED}.xpi [2017-08-14] [Legacy]
FF ProfilePath: C:\Users\Zar-Unityv4\AppData\Roaming\8pecxstudios\Cyberfox\Profiles\wozuvf7m.default [2018-01-24]
FF Homepage: 8pecxstudios\Cyberfox\Profiles\wozuvf7m.default -> hxxp:/www.Duckduckgo.com
FF Extension: (Disconnect) - C:\Users\Zar-Unityv4\AppData\Roaming\8pecxstudios\Cyberfox\Profiles\wozuvf7m.default\Extensions\2.0@disconnect.me.xpi [2016-04-28] [Legacy]
FF Extension: (AdBlocker Ultimate) - C:\Users\Zar-Unityv4\AppData\Roaming\8pecxstudios\Cyberfox\Profiles\wozuvf7m.default\Extensions\adblockultimate@adblockultimate.net.xpi [2016-04-26] [Legacy]
FF Extension: (Ghostery) - C:\Users\Zar-Unityv4\AppData\Roaming\8pecxstudios\Cyberfox\Profiles\wozuvf7m.default\Extensions\firefox@ghostery.com.xpi [2016-05-10] [Legacy]
FF Extension: (Google Disconnect) - C:\Users\Zar-Unityv4\AppData\Roaming\8pecxstudios\Cyberfox\Profiles\wozuvf7m.default\Extensions\google@disconnect.me.xpi [2016-04-28] [Legacy]
FF Extension: (Bluhell Firewall) - C:\Users\Zar-Unityv4\AppData\Roaming\8pecxstudios\Cyberfox\Profiles\wozuvf7m.default\Extensions\{6BB5760D-F97E-421B-AF5B-8457A90C3CED}.xpi [2016-03-21] [Legacy]
FF Extension: (All Aboard) - C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\@all-aboard-v1-5 [2017-07-29] [Legacy]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-15] ()
FF Plugin: @java.com/DTPlugin,version=10.80.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2016-07-26] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.80.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2016-07-26] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-15] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2017-05-09]
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.duckduckgo.com/
CHR DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> duckdg
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default [2018-01-26]
CHR Extension: (Docs) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-19]
CHR Extension: (Google Drive) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-10]
CHR Extension: (YouTube) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-10]
CHR Extension: (Adblock for Youtube™) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2017-08-10]
CHR Extension: (Spotify - Music for every moment) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnkjkdjlofllcpbemipjbcpfnglbgieh [2017-08-10]
CHR Extension: (Blue Bird) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\elhjijmekiobeohmhenmnccklpjakino [2018-01-16]
CHR Extension: (Avast SafePrice) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2018-01-25]
CHR Extension: (Google Docs Offline) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-08-25]
CHR Extension: (Avast Online Security) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2018-01-25]
CHR Extension: (Windscribe - Free VPN and Ad Blocker) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcnanddlhb [2017-12-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-25]
CHR Extension: (Ads Killer Adblocker Plus) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgbllmbdjgcalkoimdfcpknbjgnhjclg [2017-12-15]
CHR Extension: (Gmail) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-10]
CHR Extension: (Chrome Media Router) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-01-14]
CHR Profile: C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-11-14]
CHR Extension: (Google Docs) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2017-08-10]
CHR Extension: (Google Drive) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-10]
CHR Extension: (YouTube) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-10]
CHR Extension: (Adblock Plus) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-10-02]
CHR Extension: (Adblock for Youtube™) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2017-08-10]
CHR Extension: (Google Docs Offline) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-10-02]
CHR Extension: (Disconnect) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jeoacafpbcihiomhlakheieifhpjdfeo [2017-08-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-02]
CHR Extension: (Gmail) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-10]
CHR Extension: (Chrome Media Router) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-02]
CHR Profile: C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2 [2018-01-16]
CHR Extension: (Google Drive) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-16]
CHR Extension: (YouTube) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-16]
CHR Extension: (Google Docs Offline) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-09-24]
CHR Extension: (ZenMate Web Firewall (Free, Plus Ad Blocker)) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\hphffohcfcaeoekbkfibilcmmoakhmfc [2017-08-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-24]
CHR Extension: (Gmail) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-16]
CHR Extension: (Chrome Media Router) - C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-09-24]
CHR Profile: C:\Users\Zar-Unityv4\AppData\Local\Google\Chrome\User Data\System Profile [2017-08-25]
CHR HKLM\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
R3 aswbIDSAgent; C:\Program Files\AVAST_Internet_Security\Avast\x64\aswidsagenta.exe [7538536 2018-01-24] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST_Internet_Security\Avast\AvastSvc.exe [301168 2018-01-24] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST_Internet_Security\Avast\afwServ.exe [351552 2018-01-24] (AVAST Software)
S3 AVP16.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe [194000 2015-12-05] (Kaspersky Lab ZAO)
S3 CGVPNCliService; C:\Program Files\CyberGhost 5\Service.exe [65128 2016-08-08] (CyberGhost S.R.L)
S3 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2573520 2015-05-22] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [4354000 2017-07-25] (SecureMix LLC)
S2 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [360736 2017-03-28] (IObit)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 SbieSvc; C:\Program Files\Sandboxie_5.20 (64)\SbieSvc.exe [198792 2017-10-30] (Sandboxie Holdings, LLC)
S3 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-04-22] (Dell Inc.)
R2 VoodooShieldService; C:\Program Files\VoodooShield\VoodooShieldService.exe [132944 2017-12-25] (VoodooSoft, LLC )
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-12-02] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [73728 2012-02-08] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [185096 2018-01-24] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [321512 2018-01-24] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199448 2018-01-24] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343768 2018-01-24] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57696 2018-01-24] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46976 2018-01-24] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [146648 2018-01-24] (AVAST Software)
R3 aswNetNd6; C:\Windows\System32\DRIVERS\aswNetNd6.sys [38152 2018-01-24] (AVAST Software)
R1 aswNetSec; C:\Windows\System32\drivers\aswNetSec.sys [580480 2018-01-24] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110336 2018-01-24] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84384 2018-01-24] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1025176 2018-01-24] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [457896 2018-01-24] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [204456 2018-01-24] (AVAST Software)
S3 aswTap; C:\Windows\System32\DRIVERS\aswTap.sys [44640 2014-07-01] (The OpenVPN Project)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [358672 2018-01-24] (AVAST Software)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [389816 2015-07-05] (Kaspersky Lab ZAO)
S3 DDDriver; C:\Windows\System32\drivers\DDDriver64Dcsa.sys [23760 2015-02-26] (Dell Computer Corporation)
S3 DellProf; C:\Windows\System32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [40584 2015-08-27] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [32400 2016-03-04] (ThreatTrack Security)
R1 gwdrv; C:\Windows\System32\DRIVERS\gwdrv.sys [33248 2015-05-28] (SecureMix LLC)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2016-01-25] (REALiX™)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [478392 2015-06-22] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [53432 2015-06-06] (Kaspersky Lab ZAO)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [70000 2015-06-27] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [77728 2016-05-10] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [181640 2015-12-05] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [237480 2016-05-24] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [943536 2016-05-24] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [49240 2016-05-24] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [41144 2015-06-06] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [41648 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [41352 2015-12-05] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [65208 2015-06-11] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [103096 2015-06-16] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [187056 2015-06-23] (Kaspersky Lab ZAO)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2018-01-15] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [46008 2018-01-24] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-16] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2015-07-28] (Intel Corporation)
S3 Neo_VPN-Zar; C:\Windows\System32\DRIVERS\Neo_0013.sys [28768 2014-12-11] (SoftEther VPN Project at University of Tsukuba, Japan.)
S3 RTSUER; C:\Windows\System32\Drivers\RtsUer.sys [404184 2016-01-21] (Realsil Semiconductor Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SbieDrv; C:\Program Files\Sandboxie_5.20 (64)\SbieDrv.sys [209544 2017-10-30] (Sandboxie Holdings, LLC)
R1 SBRE; C:\Windows\system32\drivers\SBREdrv.sys [55384 2011-08-29] (Sunbelt Software)
S3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [95608 2015-09-29] (ThreatTrack Security)
S3 tapwindscribe0901; C:\Windows\System32\DRIVERS\tapwindscribe0901.sys [40240 2015-12-26] (The OpenVPN Project)
R3 VSScanner; C:\Windows\System32\DRIVERS\vsscanner.sys [21064 2016-08-19] (VoodooSoft, LLC)
R2 WebExaminer; C:\Windows\system32\Drivers\WebExaminer64.sys [34408 2015-10-16] (ThreatTrack Security Inc.)
U1 aswbdisk; no ImagePath
S3 cpuz137; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
S3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [X]
U2 TMAgent; no ImagePath
S3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
U3 aswMBR; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\aswMBR.sys [X] <==== ATTENTION
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-26 12:00 - 2018-01-26 12:05 - 000000000 ____D C:\FRST
2018-01-25 10:07 - 2018-01-25 10:12 - 000457274 _____ C:\TDSSKiller.3.1.0.16_25.01.2018_10.07.52_log.txt
2018-01-25 10:04 - 2018-01-25 10:04 - 000000366 _____ C:\TDSSKiller.3.1.0.15_25.01.2018_10.04.19_log.txt
2018-01-24 20:28 - 2018-01-24 20:28 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-01-24 20:13 - 2018-01-24 20:13 - 000000000 ____D C:\ProgramData\SWCUTemp
2018-01-24 19:43 - 2018-01-24 19:43 - 000457896 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-01-24 19:43 - 2018-01-24 19:43 - 000146648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-01-24 19:43 - 2018-01-24 19:43 - 000003932 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-01-24 19:43 - 2018-01-24 19:43 - 000001979 _____ C:\Users\Public\Desktop\Avast Internet Security.lnk
2018-01-24 19:43 - 2018-01-24 19:43 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\AVAST Software
2018-01-24 19:43 - 2018-01-24 19:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2018-01-24 19:43 - 2018-01-24 19:42 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000580480 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetSec.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-01-24 19:43 - 2018-01-24 19:42 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-01-24 19:42 - 2018-01-24 19:42 - 000365680 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-01-24 19:42 - 2018-01-24 19:42 - 000038152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetNd6.sys
2018-01-24 19:41 - 2018-01-24 19:41 - 000000000 ____D C:\Program Files\AVAST_Internet_Security
2018-01-23 02:46 - 2018-01-23 02:46 - 000001159 _____ C:\Users\Zar-Unityv4\Desktop\BootDisk2BootStick.lnk
2018-01-23 02:46 - 2018-01-23 02:46 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BootDisk2BootStick
2018-01-23 02:46 - 2018-01-23 02:46 - 000000000 ____D C:\Program Files (x86)\BootDisk2BootStick
2018-01-16 04:35 - 2018-01-16 04:35 - 000001102 _____ C:\Users\Zar-Unityv4\Desktop\VSDC Free Screen Recorder.lnk
2018-01-16 04:35 - 2018-01-16 04:35 - 000001090 _____ C:\Users\Zar-Unityv4\Desktop\VSDC Free Video Capture.lnk
2018-01-16 04:35 - 2018-01-16 04:35 - 000000977 _____ C:\Users\Zar-Unityv4\Desktop\VSDC Free Video Editor.lnk
2018-01-16 04:35 - 2018-01-16 04:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlashIntegro (VSDC Video editor)
2018-01-16 04:35 - 2018-01-16 04:35 - 000000000 ____D C:\Program Files\FlashIntegro
2018-01-16 03:34 - 2018-01-16 03:34 - 000000000 ____D C:\Program Files\Lightworks
2018-01-16 00:56 - 2018-01-16 00:56 - 000000000 ____D C:\Users\Zar-Unityv4\Documents\FlashIntegro
2018-01-16 00:56 - 2018-01-16 00:56 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\FlashIntegro
2018-01-16 00:56 - 2018-01-16 00:56 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\CrashRpt
2018-01-16 00:54 - 2018-01-16 00:54 - 000000000 ____D C:\Program Files\Common Files\FlashIntegro
2018-01-16 00:54 - 2018-01-09 17:58 - 000076472 _____ (Flash-Integro LLC) C:\Windows\system32\mslvddsfilter4.ax
2018-01-16 00:54 - 2011-12-07 18:32 - 000216064 _____ ( ) C:\Windows\system32\Lagarith.dll
2018-01-16 00:54 - 2005-08-01 18:43 - 000245760 _____ () C:\Windows\system32\lame.ax
2018-01-16 00:54 - 2004-12-10 09:03 - 000438272 _____ (On2.com) C:\Windows\system32\vp6vfw.dll
2018-01-16 00:54 - 2004-09-06 15:06 - 000053248 _____ C:\Windows\system32\xvid.ax
2018-01-16 00:54 - 2004-07-03 20:08 - 000139264 _____ C:\Windows\system32\xvidvfw.dll
2018-01-16 00:54 - 2004-07-03 19:59 - 000524288 _____ C:\Windows\system32\xvidcore.dll
2018-01-16 00:54 - 2004-02-04 20:11 - 000081920 _____ (fccHandler) C:\Windows\system32\AC3ACM.acm
2018-01-16 00:54 - 2003-05-22 11:26 - 000638976 _____ (DivXNetworks, Inc.) C:\Windows\system32\divx.dll
2018-01-16 00:54 - 2003-05-22 11:26 - 000221215 _____ (DivXNetworks, Inc.) C:\Windows\system32\divxdec.ax
2018-01-16 00:54 - 2003-05-21 22:50 - 001700352 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2018-01-16 00:54 - 2003-05-21 22:50 - 000261632 _____ (MainConcept) C:\Windows\system32\mcdvd_32.dll
2018-01-16 00:54 - 2003-05-21 22:50 - 000156910 _____ C:\Windows\WMSysPr8.prx
2018-01-16 00:54 - 2003-05-21 22:50 - 000082944 _____ (Voxware, Inc.) C:\Windows\system32\vct3216.acm
2018-01-16 00:54 - 2003-05-21 22:50 - 000038912 _____ (NCT Company) C:\Windows\system32\alf2cd.acm
2018-01-16 00:54 - 2003-05-21 22:50 - 000024576 _____ (Microsoft Corporation) C:\Windows\system32\msxml3a.dll
2018-01-16 00:54 - 2003-03-25 04:49 - 000098304 _____ (Fraunhofer Institut Integrierte Schaltungen IIS) C:\Windows\system32\L3CODECX.AX
2018-01-16 00:54 - 2002-08-19 23:41 - 000413760 _____ (Microsoft Corporation) C:\Windows\system32\mpg4c32.dll
2018-01-16 00:54 - 2000-03-14 19:55 - 000013239 _____ (SHARP Corporation) C:\Windows\system32\Scg726.acm
2018-01-15 23:03 - 2018-01-23 08:21 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-01-15 23:01 - 2018-01-15 23:47 - 000000000 ____D C:\ProgramData\RogueKiller
2018-01-15 23:00 - 2018-01-15 23:00 - 000000826 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2018-01-15 23:00 - 2018-01-15 23:00 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2018-01-15 23:00 - 2018-01-15 23:00 - 000000000 ____D C:\Program Files\RogueKiller
2018-01-15 03:35 - 2018-01-15 03:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sandboxie
2018-01-15 00:33 - 2018-01-15 00:33 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-01-15 00:31 - 2018-01-16 03:45 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-01-15 00:31 - 2018-01-15 00:31 - 000001837 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-15 00:31 - 2018-01-15 00:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-15 00:31 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-26 12:05 - 2016-02-08 22:19 - 000000000 ____D C:\Users\Zar-Unityv4\Documents\__The useful box__
2018-01-26 12:02 - 2017-08-28 21:09 - 000000000 ____D C:\ProgramData\VoodooShield
2018-01-26 12:01 - 2014-01-24 01:07 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\foobar2000
2018-01-25 10:49 - 2014-01-22 02:08 - 000023613 _____ C:\Users\Zar-Unityv4\Documents\-All New Passwords-.txt
2018-01-25 10:05 - 2016-11-28 06:36 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\LocalLow\Mozilla
2018-01-25 09:29 - 2014-07-15 14:55 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\CrashDumps
2018-01-24 20:19 - 2009-07-13 23:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-24 20:19 - 2009-07-13 23:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-24 20:12 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-24 20:07 - 2016-07-20 09:24 - 000000000 ___RD C:\Program Files (x86)\Skype
2018-01-24 20:07 - 2016-07-20 09:24 - 000000000 ____D C:\ProgramData\Skype
2018-01-24 19:43 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2018-01-24 19:36 - 2017-11-19 12:31 - 000000000 ____D C:\ProgramData\AVAST Software
2018-01-24 07:23 - 2016-12-21 08:48 - 000000000 ____D C:\ProgramData\ProductData
2018-01-24 07:19 - 2015-07-25 15:59 - 000020014 _____ C:\Users\Zar-Unityv4\Documents\Music links and special info.txt
2018-01-24 06:04 - 2017-11-24 14:35 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\qBittorrent
2018-01-23 18:08 - 2014-09-25 19:06 - 000007598 _____ C:\Users\Zar-Unityv4\AppData\Local\Resmon.ResmonCfg
2018-01-23 02:24 - 2009-07-14 00:13 - 000896288 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-22 02:07 - 2014-12-24 16:03 - 000007621 _____ C:\Users\Zar-Unityv4\Documents\Alternative passwords (for porn).txt
2018-01-22 01:00 - 2017-07-18 03:53 - 000003728 _____ C:\Windows\Sandboxie.ini
2018-01-21 02:09 - 2014-01-24 01:11 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\Last.fm
2018-01-16 03:44 - 2016-01-25 19:57 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\IObit
2018-01-16 03:44 - 2014-01-17 00:46 - 000000000 ____D C:\ProgramData\Package Cache
2018-01-16 03:44 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\registration
2018-01-16 00:23 - 2017-08-10 09:30 - 000002375 _____ C:\Users\Zar-Unityv4\Desktop\Zar - Chrome.lnk
2018-01-15 23:55 - 2014-10-14 00:27 - 000000000 ____D C:\AdwCleaner
2018-01-15 19:22 - 2017-04-19 20:23 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-01-15 19:22 - 2016-11-28 07:36 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-15 19:21 - 2014-07-15 22:00 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\Adobe
2018-01-15 19:20 - 2013-12-02 20:13 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-01-15 19:20 - 2013-12-02 20:13 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-01-15 19:20 - 2013-12-02 20:13 - 000004314 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-01-15 19:19 - 2013-12-02 20:13 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-01-15 19:19 - 2013-12-02 20:13 - 000000000 ____D C:\Windows\system32\Macromed
2018-01-15 00:31 - 2017-06-12 23:55 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-15 00:31 - 2014-10-14 23:31 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-15 00:27 - 2016-12-21 04:33 - 000009877 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-01-15 00:24 - 2016-12-21 04:33 - 000010251 _____ C:\Windows\ZAM.krnl.trace
2018-01-15 00:15 - 2017-07-29 17:33 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-01-14 23:12 - 2015-12-03 17:04 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2018-01-14 22:26 - 2017-08-28 21:09 - 000000830 _____ C:\Users\Public\Desktop\Voodoo Shield.lnk
2018-01-14 22:26 - 2017-08-28 21:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VoodooShield
2018-01-14 22:26 - 2017-08-28 21:09 - 000000000 ____D C:\Program Files\VoodooShield
2018-01-08 20:21 - 2017-08-10 06:06 - 000002199 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-08 20:21 - 2017-08-10 06:06 - 000002187 _____ C:\Users\Public\Desktop\Google Chrome.lnk
 
==================== Files in the root of some directories =======
 
2017-08-11 09:25 - 2017-08-11 09:25 - 000001099 _____ () C:\Program Files\installer_prefs.json
2017-08-11 09:25 - 2017-08-11 09:25 - 000001208 _____ () C:\Program Files\server_tracking_data
2016-01-15 20:34 - 2016-01-15 20:34 - 000012908 _____ () C:\Program Files (x86)\installation_status.xml
2016-01-15 20:34 - 2016-01-20 20:34 - 000000687 _____ () C:\Program Files (x86)\installer_prefs.json
2016-01-15 20:34 - 2015-10-23 05:01 - 000000317 _____ () C:\Program Files (x86)\launcher.visualelementsmanifest.xml
2016-01-15 20:34 - 2015-10-09 17:04 - 000003072 _____ () C:\Program Files (x86)\Resources.pri
2016-01-15 20:34 - 2016-01-15 20:33 - 000000849 _____ () C:\Program Files (x86)\server_tracking_data
2016-10-20 08:55 - 2016-11-28 06:34 - 000000100 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\Camdata.ini
2016-10-20 08:55 - 2016-11-28 06:34 - 000000408 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\CamLayout.ini
2016-10-20 08:55 - 2016-11-28 06:34 - 000000408 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\CamShapes.ini
2016-10-20 08:55 - 2017-02-25 01:14 - 000004536 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\CamStudio.cfg
2016-10-20 09:34 - 2016-10-20 09:57 - 000000098 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\CamStudio.Producer.command
2016-10-20 09:34 - 2016-10-20 09:58 - 000000000 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\CamStudio.Producer.Data.ini
2016-10-20 09:34 - 2016-10-20 09:58 - 000001206 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\CamStudio.Producer.ini
2016-10-20 08:29 - 2017-02-25 01:05 - 000000096 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\version2.xml
2017-11-07 02:54 - 2017-11-07 02:54 - 000000063 _____ () C:\Users\Zar-Unityv4\AppData\Local\emaildefaults
2017-11-07 02:54 - 2017-11-08 04:47 - 000000508 _____ () C:\Users\Zar-Unityv4\AppData\Local\karboncalligraphyrc
2017-11-13 10:18 - 2017-11-13 10:18 - 000000109 _____ () C:\Users\Zar-Unityv4\AppData\Local\kritadisplayrc
2017-11-07 02:49 - 2017-11-13 10:18 - 000021486 _____ () C:\Users\Zar-Unityv4\AppData\Local\kritarc
2017-11-10 07:21 - 2017-11-10 07:31 - 000000094 _____ () C:\Users\Zar-Unityv4\AppData\Local\kritashortcutsrc
2017-10-15 12:12 - 2017-10-15 12:12 - 000001613 _____ () C:\Users\Zar-Unityv4\AppData\Local\recently-used.xbel
2014-09-25 19:06 - 2018-01-23 18:08 - 000007598 _____ () C:\Users\Zar-Unityv4\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
ATTENTION: ==> Could not access BCD. 
 
LastRegBack: 2018-01-18 17:08
 
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018

Ran by Zar-Unityv4 (26-01-2018 12:06:55)
Running from C:\Users\Zar-Unityv4\Documents\__The useful box__
Windows 7 Professional Service Pack 1 (X64) (2014-01-14 09:11:57)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-4291765073-3835710626-4147568939-500 - Administrator - Disabled)
Guest (S-1-5-21-4291765073-3835710626-4147568939-501 - Limited - Disabled)
Zar-Unityv4 (S-1-5-21-4291765073-3835710626-4147568939-1000 - Administrator - Enabled) => C:\Users\Zar-Unityv4
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Kaspersky Internet Security (Disabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Kaspersky Internet Security (Disabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
FW: Avast Antivirus (Enabled) {B693136B-F6EE-DD1C-A0EF-229B8B0B29C4}
FW: Kaspersky Internet Security (Disabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Accidental Damage Services Agreement (HKLM-x32\...\{EF85FEF4-EB92-4075-A6D2-5F519BB30A2C}) (Version: 2.0.0 - Dell Inc.)
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{C23EE7CE-C1A3-4F94-A8F0-9E0AC9C6DE6E}) (Version: 1.1 - Eyeo GmbH)
Adblock Plus for IE (HKLM-x32\...\{fd97d1e2-368a-4cd9-af63-8eeff938044a}) (Version: 1.1 - )
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Flash Player 26 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 26.0.0.131 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.137 - Adobe Systems Incorporated)
ALSee 6.22 (HKLM-x32\...\ALSee_is1) (Version: v6.22 - ESTsoft Corp.)
ALShow 2.01 (HKLM-x32\...\ALShow_is1) (Version: v2.01 - ESTsoft Corp.)
ALZip 8.51 (HKLM-x32\...\ALZip_is1) (Version: v8.51 - ESTsoft Corp.)
Amazon Music (HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Amazon Amazon Music) (Version: 6.0.1.1166 - Amazon Services LLC)
Apple Application Support (32-bit) (HKLM-x32\...\{E92BB800-BCC5-4C25-8102-AC2C3B7C7C1E}) (Version: 5.5 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9C912B1E-06DD-43EF-BB2B-45CB2C88BAAE}) (Version: 5.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
Avast Internet Security (HKLM-x32\...\Avast Antivirus) (Version: 17.9.2322 - AVAST Software)
Avid License Control (HKLM-x32\...\{89A9B9EE-839E-4820-9450-2912C82F46AF}) (Version: 6.0.0 - Avid Technology, Inc.)
Avidemux 2.6 - 64bits (HKLM-x32\...\Avidemux 2.6 - 64bits (64-bit)) (Version: 2.6.7.8981 - )
Banctec Service Agreement (HKLM-x32\...\{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}) (Version: 2.0.0 - Dell Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
BootDisk2BootStick 0.12 (HKLM-x32\...\BootDisk2BootStick) (Version: 0.12 - BooDaaLABs)
CamStudio 2.7.4 (HKLM\...\{04B83666-3A62-452B-85D3-70F8117F2329}_is1) (Version: 2.7.4 - CamStudio Open Source)
CCleaner (HKLM\...\CCleaner) (Version: 5.31 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Complete Care Business Service Agreement (HKLM-x32\...\{0ECFCB07-9BFE-4970-ACA1-D568D982760B}) (Version: 2.0.0 - Dell Inc.)
Conexant SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.50.8.0 - Conexant)
Consumer In-Home Service Agreement (HKLM-x32\...\{F47C37A4-7189-430A-B81D-739FF8A7A554}) (Version: 2.0.0 - Dell Inc.)
CoolSoft VirtualMIDISynth 1.9.0 (HKLM-x32\...\CoolSoft VirtualMIDISynth) (Version: 1.9.0.0 - CoolSoft)
CyberGhost 6 (HKLM\...\CyberGhost 6_is1) (Version:  - CyberGhost S.R.L.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.6.2.4 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.6.2.4 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.3.4.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{693A23FB-F28B-4F7A-A720-4C1263F97F43}) (Version: 3.1.1002.0 - Dell Products, LP)
Dell Home Systems Service Agreement (HKLM-x32\...\{AB2FDE4F-6BED-4E9E-B676-3DCCEBB1FBFE}) (Version: 2.0.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.1.6664.93 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{3ED468C2-2235-4747-90AD-A7A34F0FE70A}) (Version: 1.2.2.8 - Dell)
Dell Update (HKLM-x32\...\{90437913-9D4D-4D9D-B438-B8664DF851E9}) (Version: 1.7.1007.0 - Dell Inc.)
Dell Wireless Driver Installation (HKLM-x32\...\{451517F1-7E41-400B-AA36-FB7E2563526D}) (Version: 9.0 - Dell)
foobar2000 v1.2.9 (HKLM-x32\...\foobar2000) (Version: 1.2.9 - Peter Pawlowski)
Free Video Editor 7.3.0 (HKLM-x32\...\{c23a3d87-c9c5-49cd-9632-42d7491c17a2}_is1) (Version: 7.3.0 - ThunderSoft International LLC.)
FreeFixer (HKLM-x32\...\FreeFixer1.13) (Version: 1.13 - Kephyr)
GIMP 2.8.22 (HKLM\...\GIMP-2_is1) (Version: 2.8.22 - The GIMP Team)
GlassWire 1.2 (remove only) (HKLM-x32\...\GlassWire 1.2) (Version: 1.2.1110 - SecureMix LLC)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1351 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.220 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{6199B534-A1B6-46ED-873B-97B0ECF8F81E}) (Version: 1.23.216.0 - Intel Corporation)
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 6.4.0.2119 - IObit)
iTunes (HKLM\...\{F0C7385A-9D20-45F3-8101-05D383885180}) (Version: 12.6.1.25 - Apple Inc.)
Java 7 Update 80 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417080FF}) (Version: 7.0.800 - Oracle)
Junk Mail filter update (HKLM-x32\...\{0BE9E708-5DC0-4963-9CFD-0AA519090E79}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Krita (x64) 3.3.2.1 (HKLM\...\Krita_x64) (Version: 3.3.2.1 - Krita Foundation)
Machete Lite 4.0 (HKLM-x32\...\{F95D23BF-7872-4B84-9BFC-DD2BF6A6F226}) (Version: 4.0.33 - MacheteSoft)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 4.6 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft Expression Encoder 4 (HKLM-x32\...\Encoder_4.0.1651.0) (Version: 4.0.1651.0 - Microsoft Corporation)
Microsoft Expression Encoder 4 Screen Capture Codec (HKLM-x32\...\{952DCCD8-4039-46C8-BC8B-5C1EB6C8E130}) (Version: 4.0.1651.0 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 57.0.4 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.4 (x64 en-US)) (Version: 57.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 53.0.3 - Mozilla)
Notation Composer 2.6.3 Trial (HKLM-x32\...\{9C20F41F-CD00-4EA9-BCC9-5D0855EF30C2}) (Version: 2.6.3 - Notation Software)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Premium Service Agreement (HKLM-x32\...\{C33AA6D6-F5EC-48F3-AFDC-8141345D473A}) (Version: 2.0.0 - Dell Inc.)
PrivaZer (HKLM-x32\...\PrivaZer) (Version: 2.32.0.0 - Goversoft LLC)
qBittorrent 4.0.1 (HKLM-x32\...\qBittorrent) (Version: 4.0.1 - The qBittorrent project)
QualxServ Service Agreement (HKLM-x32\...\{903679E8-44C8-4C07-9600-05C92654FC50}) (Version: 2.0.0 - Dell Inc.)
QuickTime 7 (HKLM-x32\...\{80CEEB1E-0A6C-45B9-A312-37A1D25FDEBC}) (Version: 7.78.80.95 - Apple Inc.)
RogueKiller version 12.12.0.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.12.0.0 - Adlice Software)
Sandboxie 5.22 (64-bit) (HKLM\...\Sandboxie) (Version: 5.22 - Sandboxie Holdings, LLC)
sfArk (HKLM-x32\...\sfArk) (Version:  - )
SFPack (HKLM-x32\...\Megota Software SFPack Uninstall) (Version:  - )
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Sibelius 7 OpenType Fonts (HKLM-x32\...\{7325A8DF-C8C3-4425-B0CA-8CAEE5E6464B}) (Version: 7.0.1 - Avid)
Skype™ 7.40 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.40.151 - Skype Technologies S.A.)
Smart Defrag 5 (HKLM-x32\...\Smart Defrag_is1) (Version: 5.2.0 - IObit)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.6 - Sophos Limited)
SoulseekQt (HKLM-x32\...\SoulseekQt) (Version:  - )
SoulseekQt version 2016.4.24 (HKLM-x32\...\{8A4E1646-488C-4E5B-AC31-F784400E8D2D}_is1) (Version: 2016.4.24 - Soulseek LLC)
Spotify (HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\Spotify) (Version: 0.9.15.27.g87efe634 - Spotify AB)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1250 - SUPERAntiSpyware.com)
SynthFont (HKLM-x32\...\SynthFont) (Version:  - )
System Requirements Lab Detection (HKLM-x32\...\{8112D57B-D1CD-4FC5-98DD-D40429782392}) (Version: 6.1.5.0 - Husdawg, LLC)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
ThunderSoft Video to GIF Converter (1.5.1.0) (HKLM-x32\...\ThunderSoft Video to GIF Converter_is1) (Version: 1.5.1.0 - ThunderSoft)
VideoPad Video Editor (HKLM-x32\...\VideoPad) (Version: 3.36 - NCH Software)
VoodooShield version 4.15 (HKLM\...\{A8644328-A66F-490E-B8FA-901FF649189D}_is1) (Version: 4.15 - VoodooSoft, LLC)
VSDC Free Video Editor version 5.8.5.803 (HKLM\...\VSDC Free Video Editor_is1) (Version: 5.8.5.803 - Flash-Integro LLC)
WavePad Sound Editor (HKLM-x32\...\WavePad) (Version: 5.68 - NCH Software)
Wavpack4Wavelab6 (HKLM-x32\...\{AB5668B8-1428-460F-AE02-999A598D6883}) (Version: 1.0.1 - RIL)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST_Internet_Security\Avast\ashShA64.dll [2018-01-24] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST_Internet_Security\Avast\ashShA64.dll [2018-01-24] (AVAST Software)
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST_Internet_Security\Avast\ashShA64.dll [2018-01-24] (AVAST Software)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ContextMenuHandlers1: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers1: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST_Internet_Security\Avast\ashShA64.dll [2018-01-24] (AVAST Software)
ContextMenuHandlers1: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} =>  -> No File
ContextMenuHandlers1: [IObit Malware Fighter] -> {0BB81440-5F42-4480-A5F7-770A6F439FC8} =>  -> No File
ContextMenuHandlers1: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2017-03-28] (IObit)
ContextMenuHandlers1: [Kaspersky Anti-Virus 16.0.0] -> {C845F70F-050A-4052-81DE-587D90C20FE8} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x64\shellex.dll [2016-05-10] (Kaspersky Lab ZAO)
ContextMenuHandlers1: [PhotoStreamsExt] -> {89D984B3-813B-406A-8298-118AFA3A22AE} => C:\Program Files\Common Files\Apple\Internet Services\ShellStreams64.dll [2015-04-26] (Apple Inc.)
ContextMenuHandlers1: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => C:\Windows\System32\IObitSmartDefragExtension.dll [2016-03-25] (IObit)
ContextMenuHandlers2: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers2: [Kaspersky Anti-Virus 16.0.0] -> {C845F70F-050A-4052-81DE-587D90C20FE8} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x64\shellex.dll [2016-05-10] (Kaspersky Lab ZAO)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST_Internet_Security\Avast\ashShA64.dll [2018-01-24] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers4: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers4: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2017-03-28] (IObit)
ContextMenuHandlers4: [Kaspersky Anti-Virus 16.0.0] -> {C845F70F-050A-4052-81DE-587D90C20FE8} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x64\shellex.dll [2016-05-10] (Kaspersky Lab ZAO)
ContextMenuHandlers5: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers5: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2015-07-28] (Intel Corporation)
ContextMenuHandlers6: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers6: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST_Internet_Security\Avast\ashShA64.dll [2018-01-24] (AVAST Software)
ContextMenuHandlers6: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2017-03-28] (IObit)
ContextMenuHandlers6: [Kaspersky Anti-Virus 16.0.0] -> {C845F70F-050A-4052-81DE-587D90C20FE8} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x64\shellex.dll [2016-05-10] (Kaspersky Lab ZAO)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => C:\Windows\System32\IObitSmartDefragExtension.dll [2016-03-25] (IObit)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {03A715ED-774A-4483-B2CA-61FC5B581AF4} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-06-13] (Piriform Ltd)
Task: {137FBA79-C59A-41B1-89A6-09531966981C} - System32\Tasks\{15727590-95BD-4CC1-9D7F-6A48E182B5E1} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\ESTsoft\ALPass\unins000.exe"
Task: {157390A4-5878-4321-AD55-2F38017A83E3} - \Norton Identity Safe\Norton Error Processor -> No File <==== ATTENTION
Task: {183DC3A7-8432-4A67-9F96-06D58D2502CA} - System32\Tasks\Uninstaller_SkipUac_Zar-Unityv4 => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe [2017-05-26] (IObit)
Task: {1F0E2DE3-2545-409A-961A-BE7E276A16CC} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-02-14] (Apple Inc.)
Task: {5DA96001-30F9-46AD-BBF6-507FE209085D} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {7B99C03B-E530-4A08-8C01-B4A61FCBC107} - System32\Tasks\SmartDefrag_Update => C:\Program Files (x86)\IObit\Smart Defrag\AutoUpdate.exe [2016-07-22] (IObit)
Task: {82C35C2E-B941-431C-99A7-0FC60A649F46} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-08-10] (Google Inc.)
Task: {A6DFF720-7D27-4F57-9E82-6AF45F4C16E6} - System32\Tasks\SmartDefrag_AutoAnalyze => C:\Program Files (x86)\IObit\Smart Defrag\AutoDefrag.exe [2016-06-06] (IObit)
Task: {A7F69A40-BA25-4916-9B33-9DA3F777C161} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-01-15] (Adobe Systems Incorporated)
Task: {AAA34808-E932-4A68-9936-EC57F9767A37} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION
Task: {B5DF3968-E9C7-4CC3-8397-5B23CDB88EDE} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2016-04-22] (Dell Inc.)
Task: {D789AFBC-069E-47CE-95BE-B8B872ABBA04} - \Norton Identity Safe\Norton Error Analyzer -> No File <==== ATTENTION
Task: {DFBA82AA-0DD7-403A-AE60-AA726F917989} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-08-10] (Google Inc.)
Task: {ECDCDBB2-3336-47B3-BF71-A8CD17B159B3} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST_Internet_Security\Avast\AvEmUpdate.exe [2018-01-24] (AVAST Software)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Users\Zar-Unityv4\Downloads\ВИА Гра - Shortcut.lnk -> C:\Users\Zar-Unityv4\Music\My music (last updated 1-22-14)\ВИА Гра () <==== Cyrillic
 
ShortcutWithArgument: C:\Users\Zar-Unityv4\Desktop\Chucklepower7 - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 1"
ShortcutWithArgument: C:\Users\Zar-Unityv4\Desktop\InstaGC - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 2"
ShortcutWithArgument: C:\Users\Zar-Unityv4\Desktop\Zar - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Default"
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-05-08 23:44 - 2017-05-08 23:44 - 001354040 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-05-08 23:44 - 2017-05-08 23:44 - 000092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2018-01-15 00:31 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-01-14 22:26 - 2017-12-25 09:52 - 000053584 _____ () C:\Program Files\VoodooShield\VoodooShield.API.dll
2017-08-28 21:09 - 2017-12-25 09:52 - 000327504 _____ () C:\Program Files\VoodooShield\Features.dll
2017-05-09 02:05 - 2017-05-09 02:05 - 001354040 _____ () C:\Program Files\iTunes\libxml2.dll
2017-05-09 02:05 - 2017-05-09 02:05 - 000092472 _____ () C:\Program Files\iTunes\zlib1.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000067920 _____ () c:\Program Files\AVAST_Internet_Security\Avast\x64\module_lifetime.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000067984 _____ () C:\Program Files\AVAST_Internet_Security\Avast\x64\dll_loader.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000236840 _____ () c:\Program Files\AVAST_Internet_Security\Avast\x64\vaarclient.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000902824 _____ () C:\Program Files\AVAST_Internet_Security\Avast\x64\ffl2.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000349568 _____ () c:\Program Files\AVAST_Internet_Security\Avast\x64\StreamBack.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000337096 _____ () C:\Program Files\AVAST_Internet_Security\Avast\x64\tasks_core.dll
2018-01-08 20:21 - 2018-01-03 04:20 - 004063064 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libglesv2.dll
2018-01-08 20:21 - 2018-01-03 04:20 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libegl.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000058016 _____ () C:\Program Files\AVAST_Internet_Security\Avast\module_lifetime.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000057504 _____ () C:\Program Files\AVAST_Internet_Security\Avast\dll_loader.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000206152 _____ () C:\Program Files\AVAST_Internet_Security\Avast\JsonRpcServer.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000289272 _____ () C:\Program Files\AVAST_Internet_Security\Avast\tasks_core.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000196248 _____ () C:\Program Files\AVAST_Internet_Security\Avast\network_notifications.dll
2018-01-24 19:44 - 2018-01-24 19:44 - 005779600 _____ () C:\Program Files\AVAST_Internet_Security\Avast\defs\18012404\algo.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000745408 _____ () C:\Program Files\AVAST_Internet_Security\Avast\ffl2.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000148936 _____ () C:\Program Files\AVAST_Internet_Security\Avast\hns_tools.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 000293944 _____ () C:\Program Files\AVAST_Internet_Security\Avast\streamback.dll
2018-01-25 07:19 - 2018-01-25 07:19 - 005779600 _____ () C:\Program Files\AVAST_Internet_Security\Avast\defs\18012502\algo.dll
2018-01-26 11:54 - 2018-01-26 11:54 - 005779088 _____ () C:\Program Files\AVAST_Internet_Security\Avast\defs\18012604\algo.dll
2017-07-25 08:13 - 2017-07-25 08:13 - 000178128 _____ () C:\Program Files (x86)\GlassWire\EasyHook32.dll
2018-01-24 19:42 - 2018-01-24 19:42 - 067109376 _____ () C:\Program Files\AVAST_Internet_Security\Avast\libcef.dll
2017-10-02 20:43 - 2017-10-02 20:43 - 000172032 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\af090eae04eb9e9104769a5c03783afc\IsdiInterop.ni.dll
2013-12-02 20:18 - 2012-02-01 17:25 - 000059904 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2013-12-02 20:17 - 2011-12-16 13:39 - 001198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2016-04-14 19:48 - 2017-03-28 16:08 - 000442144 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madExcept_.bpl
2016-04-14 19:48 - 2017-03-28 16:08 - 000210720 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madBasic_.bpl
2016-04-14 19:48 - 2017-03-28 16:08 - 000059680 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madDisAsm_.bpl
2016-01-25 19:57 - 2017-03-28 16:09 - 000899872 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\webres.dll
2016-01-25 19:57 - 2017-05-10 12:19 - 000631584 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\ProductStatistics.dll
2013-05-04 06:57 - 2013-05-04 06:57 - 000095712 _____ () C:\Program Files (x86)\foobar2000\zlib1.dll
2013-07-10 07:45 - 2013-07-10 07:45 - 000156112 _____ () C:\Program Files (x86)\foobar2000\shared.dll
2013-07-10 07:45 - 2013-07-10 07:45 - 001492456 _____ () C:\Program Files (x86)\foobar2000\components\foo_input_std.dll
2013-07-10 07:45 - 2013-07-10 07:45 - 001598944 _____ () C:\Program Files (x86)\foobar2000\avcodec-fb2k-54.dll
2013-07-10 07:45 - 2013-07-10 07:45 - 000198112 _____ () C:\Program Files (x86)\foobar2000\avutil-fb2k-52.dll
2013-02-11 06:27 - 2013-02-11 06:27 - 000298496 _____ () C:\Program Files (x86)\foobar2000\components\foo_freedb2.dll
2013-02-11 06:28 - 2013-02-11 06:28 - 000281600 _____ () C:\Program Files (x86)\foobar2000\components\foo_fileops.dll
2013-02-11 06:28 - 2013-02-11 06:28 - 000198656 _____ () C:\Program Files (x86)\foobar2000\components\foo_dsp_eq.dll
2013-07-10 07:25 - 2013-07-10 07:25 - 000199680 _____ () C:\Program Files (x86)\foobar2000\components\foo_dsp_std.dll
2013-02-11 06:28 - 2013-02-11 06:28 - 000358912 _____ () C:\Program Files (x86)\foobar2000\components\foo_albumlist.dll
2013-07-10 07:25 - 2013-07-10 07:25 - 000291328 _____ () C:\Program Files (x86)\foobar2000\components\foo_rgscan.dll
2013-07-10 07:45 - 2013-07-10 07:45 - 000942056 _____ () C:\Program Files (x86)\foobar2000\components\foo_ui_std.dll
2013-07-10 07:25 - 2013-07-10 07:25 - 000500736 _____ () C:\Program Files (x86)\foobar2000\components\foo_converter.dll
2013-02-11 06:28 - 2013-02-11 06:28 - 000173056 _____ () C:\Program Files (x86)\foobar2000\components\foo_unpack.dll
2014-03-19 00:03 - 2014-03-19 00:03 - 000498176 _____ () C:\Users\Zar-Unityv4\AppData\Roaming\foobar2000\user-components\foo_discogs\foo_discogs.dll
2013-03-07 04:48 - 2013-03-07 04:48 - 000303104 _____ () C:\Program Files (x86)\foobar2000\components\foo_cdda.dll
2014-01-24 01:11 - 2013-09-03 14:01 - 000736768 _____ () C:\Program Files (x86)\Last.fm\unicorn.dll
2014-01-24 01:11 - 2013-09-03 14:01 - 000032768 _____ () C:\Program Files (x86)\Last.fm\logger.dll
2014-01-24 01:11 - 2013-09-03 10:54 - 000351232 _____ () C:\Program Files (x86)\Last.fm\lastfm.dll
2014-01-24 01:11 - 2013-09-03 14:01 - 000126976 _____ () C:\Program Files (x86)\Last.fm\listener.dll
2014-01-24 01:11 - 2013-01-18 12:39 - 000302592 _____ () C:\Program Files (x86)\Last.fm\phonon.dll
2014-01-24 01:11 - 2013-01-18 12:49 - 000182784 _____ () C:\Program Files (x86)\Last.fm\plugins\phonon_backend\phonon_vlc.dll
2014-01-24 01:11 - 2012-12-13 01:12 - 000111104 _____ () C:\Program Files (x86)\Last.fm\libvlc.dll
2014-01-24 01:11 - 2012-12-13 01:13 - 002286592 _____ () C:\Program Files (x86)\Last.fm\libvlccore.dll
2014-01-24 01:11 - 2012-12-13 01:13 - 000049664 _____ () C:\Program Files (x86)\Last.fm\plugins\audio_output\libaout_directx_plugin.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\autoexec.bat:$CmdTcID [64]
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [129]
AlternateDataStreams: C:\Users\Zar-Unityv4\Documents\MicrosoftFixit50267.msi:$CmdZnID [26]
AlternateDataStreams: C:\Users\Zar-Unityv4\Documents\Zone Alarm_SetupWeb_141_057_000.exe:$CmdTcID [64]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VipreEdgeProtection => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WebExaminer => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WebProxy => ""="service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\dell.com -> dell.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\101lottery.com -> 101lottery.com
IE restricted site: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\...\123expressview.com -> 123expressview.com
 
 
There are 3515 more sites.
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-07-20 14:19 - 2017-07-17 21:12 - 000001054 ____R C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Zar-Unityv4\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 84.200.69.80 - 84.200.70.40
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Amazon Music => "C:\Users\Zar-Unityv4\AppData\Local\Amazon Music\Amazon Music Helper.exe"
MSCONFIG\startupreg: Amazon Music Helper => "C:\Users\Zar-Unityv4\AppData\Local\Amazon Music\Amazon Music Helper.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: CyberGhost => "c:\program files\cyberghost 5\cyberghost.exe" /autostart /min
MSCONFIG\startupreg: iCloudDrive => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
MSCONFIG\startupreg: iCloudServices => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{E817676F-A5FA-4933-88BA-668BE555FA37}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{19569012-5B94-42D2-957D-671864486078}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{E5AAA507-021B-413A-AAF8-FFB99C4B44C5}C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{0D63D775-DF96-490E-A816-E413E79E3269}C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe
FirewallRules: [{7DB1F8B7-6704-4EAF-9CCE-A74064C24635}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{A3A6EC04-3730-4997-ABAE-D6F9EFCED1B3}] => (Allow) LPort=2869
FirewallRules: [{EA61DA85-0F2C-44C6-8A60-35FAB012CAA8}] => (Allow) LPort=1900
FirewallRules: [TCP Query User{35748454-D888-4896-8448-749627A612E7}C:\program files (x86)\soulseekqt\soulseekqt.exe] => (Allow) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [UDP Query User{C94CDD04-525D-44A0-917E-62D865753CF7}C:\program files (x86)\soulseekqt\soulseekqt.exe] => (Allow) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [{46B1A288-FC0F-42DE-B6B4-F8C484A35DB6}] => (Block) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [{308E5EA2-B698-4D06-A85F-6801DED6D9FF}] => (Block) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [{04A0FA2E-2E81-49F8-BA59-12517A949F20}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{4ACE9F6B-9A2B-4CB4-83A9-B247D7D34CDC}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{80C20388-1FBE-4ADB-9CE8-EC4E79D7B551}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C91577E7-F19D-49F0-BADC-F0CB8A2EE503}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{E1388766-52DF-406C-835F-747F5EE10EA8}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{0F256AC4-65A7-445A-928A-B66E24F07E2B}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{DEEDBD6F-AC34-4634-99FF-9AAA62436C76}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{87A74092-CFB5-4D7A-9430-450F3453D49F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{2C4450FF-64A1-4C26-8E4B-5CFBFFAD8EC0}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [TCP Query User{C7C267CD-8BE1-4E0D-8C2B-43FA7013FF1E}C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe] => (Allow) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [UDP Query User{2D80DF12-4782-4560-ACD7-401797AB5945}C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe] => (Allow) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [{DB66EB3F-7062-4BBF-9FD2-79543AF4A75C}] => (Block) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [{E83653EF-BFB0-4174-AE8A-1E49847E8FD6}] => (Block) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [{A533BDCD-F008-4382-8A63-49ABF3F36D50}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{38F0BC92-D2EB-47DA-BEF8-09AC19FB85B7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6E2D5171-4E74-45AC-AFF7-BB80C884E828}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{9FD6A4E3-D9E9-416A-BDB1-0B1933568083}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{194DE3FB-ED06-4ECC-B843-014EE4261BC1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\sobek.exe
FirewallRules: [{95A6ED5E-4EBB-45AF-98F0-C2CCC01483B2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\sobek.exe
FirewallRules: [{365D8AF0-1940-414D-A92D-FB03E90026E1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\editor.exe
FirewallRules: [{E9CCA826-17C2-49A3-A670-B47CC9EA3BF3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\editor.exe
FirewallRules: [{0CDCE3D2-5FBE-415F-AE3D-FEA7E4D3E732}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{98707CB5-F911-4903-8064-0F76D418AB7A}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{53136A10-22AE-46FC-88DF-CAF8728FC8D9}] => (Block) LPort=445
FirewallRules: [{3006F7E0-801F-4A54-B5F8-5C0B9995B849}] => (Block) LPort=445
FirewallRules: [{178F256C-F509-48D8-A09A-8C77CD8CEC08}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{D47F7A0C-7B8E-4D98-ABC6-8E57875A50B4}] => (Block) %ProgramFiles%\CCleaner\CCleaner64.exe
FirewallRules: [{8C0EAF4A-5BDA-4E14-9F66-822FD7FB29F2}] => (Block) %ProgramFiles%\CCleaner\CCleaner64.exe
FirewallRules: [{C2FE8B80-2B8B-4281-937C-17A047F68E34}] => (Block) %ProgramFiles%\Malwarebytes\Anti-Malware\mbam.exe
FirewallRules: [{1CAD712D-D77F-4A9E-9B98-2D813B3CC246}] => (Block) %ProgramFiles%\Malwarebytes\Anti-Malware\MBAMWsc.exe
FirewallRules: [{C73C820C-6F78-429D-9ED2-65CF7BE539AD}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe
FirewallRules: [{213CE0E4-2197-4C2C-BC87-79095E6D1B94}] => (Block) %SystemDrive%\Sandbox\Zar-Unityv4\InstaGC2\drive\C\Program Files (x86)\DearMob\5KPlayer\5KPlayer.exe
FirewallRules: [{0875A179-F93A-4266-BA80-31678CD87785}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{D967BC58-7878-45A7-9EBA-401F441F98C7}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{76F09763-8394-44CA-9B74-58148928F2C0}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{2A9C58F6-C245-4E84-B297-025B32EB276C}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{C948C27F-689F-4CEF-B4F9-A1CFC0A1D71C}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{C06165B3-B1BF-4F37-9D80-426E427A1486}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [{D219844D-EB5B-43DF-9163-1A18B0D0E5C0}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Updater.exe
 
==================== Restore Points =========================
 
16-01-2018 00:55:05 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
16-01-2018 03:43:03 Restore Operation
16-01-2018 04:35:40 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
 
==================== Faulty Device Manager Devices =============
 
Name: VPN Client Adapter - VPN-Zar
Description: VPN Client Adapter - VPN-Zar
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: SoftEther VPN Project
Service: Neo_VPN-Zar
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ZAM
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ZAM_Guard
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/25/2018 09:38:11 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program wminmi75 (Gmer rootkit finder).exe version 2.2.19882.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1d54
 
Start Time: 01d395e9e3628172
 
Termination Time: 16
 
Application Path: C:\Users\Zar-Unityv4\Documents\__The useful box__\wminmi75 (Gmer rootkit finder).exe
 
Report Id: 5adad3a9-01dd-11e8-a416-c81f66248005
 
Error: (01/25/2018 09:29:44 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: aswmbr (MBR scan).exe, version: 1.0.1.2290, time stamp: 0x54b4df14
Faulting module name: ntdll.dll, version: 6.1.7601.23889, time stamp: 0x598d4c81
Exception code: 0xc0000005
Fault offset: 0x0002e49b
Faulting process id: 0x1028
Faulting application start time: 0x01d395e616886152
Faulting application path: C:\Users\Zar-Unityv4\Documents\__The useful box__\aswmbr (MBR scan).exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 2f8cffb0-01dc-11e8-a416-c81f66248005
 
Error: (01/24/2018 08:14:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (01/24/2018 07:23:08 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (01/23/2018 03:54:08 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1045
 
Error: (01/23/2018 03:54:08 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1045
 
Error: (01/23/2018 03:54:08 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (01/20/2018 03:11:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8986
 
Error: (01/20/2018 03:11:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8986
 
Error: (01/20/2018 03:11:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
 
System errors:
=============
Error: (01/23/2018 03:47:55 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (01/23/2018 03:47:54 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (01/20/2018 02:09:24 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (01/17/2018 08:50:14 AM) (Source: HTTP) (EventID: 15005) (User: )
Description: Unable to bind to the underlying transport for [::]:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.
 
Error: (01/17/2018 08:50:05 AM) (Source: HTTP) (EventID: 15005) (User: )
Description: Unable to bind to the underlying transport for [::]:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.
 
Error: (01/17/2018 08:49:56 AM) (Source: HTTP) (EventID: 15005) (User: )
Description: Unable to bind to the underlying transport for [::]:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.
 
Error: (01/17/2018 03:50:13 AM) (Source: HTTP) (EventID: 15005) (User: )
Description: Unable to bind to the underlying transport for [::]:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.
 
Error: (01/17/2018 03:50:04 AM) (Source: HTTP) (EventID: 15005) (User: )
Description: Unable to bind to the underlying transport for [::]:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.
 
Error: (01/17/2018 03:49:55 AM) (Source: HTTP) (EventID: 15005) (User: )
Description: Unable to bind to the underlying transport for [::]:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.
 
Error: (01/16/2018 03:37:04 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.
 
 
CodeIntegrity:
===================================
  Date: 2014-04-26 00:31:52.150
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.149
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.147
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.132
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.129
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.128
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.111
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.109
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-26 00:31:52.106
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-23 05:30:47.852
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3340 CPU @ 3.10GHz
Percentage of memory in use: 44%
Total physical RAM: 8066 MB
Available physical RAM: 4443.18 MB
Total Virtual: 16130.18 MB
Available Virtual: 11272.65 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:909.81 GB) (Free:178.36 GB) NTFS
Drive e: (My Bkup Drive (700 gb)) (Fixed) (Total:698.64 GB) (Free:407.06 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: C422731E)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=21.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=909.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 698.6 GB) (Disk ID: 60371C84)
Partition 1: (Not Active) - (Size=698.6 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#5 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,734 posts
  • Location:California

Posted 28 January 2018 - 10:45 PM

Greetings and welcome.

I will be ending for the evening soon but wanted to let you know I am aware of your reply and will be posting something for you tomorrow, probably in the morning.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,734 posts
  • Location:California

Posted 29 January 2018 - 11:11 AM

Greetings.

The aswMBR report is normal and is not indicative of a rootkit. Kaspersky is protecting itself, as it is designed to do.

-----

Do you know what this is?

ВИА Гра

-----
Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have Peer 2 Peer (torrent) program(s) installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall Peer 2 Peer programs; however, that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about CryptoLocker Ransomware, a type of Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Multiple Antivirus Programs

-------------------

I do not recommend that you have more than one antivirus product installed on your computer at a time for the below reasons.
  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove all but one of the Antivirus programs currently on your computer, even if only one is running. You can uninstall the program(s) via Add/Remove Programs, or Programs and Features in the Control Panel.

Avast Antivirus
Kaspersky Internet Security

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000 -> {B689767B-A433-421B-A274-EA7DA2D126DB} URL = 
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Toolbar: HKLM-x32 - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Handler: vipresg - No CLSID Value
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
S3 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
S3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [X]
U2 TMAgent; no ImagePath
S3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
U1 aswbdisk; no ImagePath
Task: {157390A4-5878-4321-AD55-2F38017A83E3} - \Norton Identity Safe\Norton Error Processor
Task: {AAA34808-E932-4A68-9936-EC57F9767A37} - \AVAST Software\Avast settings backup
Task: {D789AFBC-069E-47CE-95BE-B8B872ABBA04} - \Norton Identity Safe\Norton Error Analyzer
AlternateDataStreams: C:\autoexec.bat:$CmdTcID [64]
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [129]
AlternateDataStreams: C:\Users\Zar-Unityv4\Documents\MicrosoftFixit50267.msi:$CmdZnID [26]
AlternateDataStreams: C:\Users\Zar-Unityv4\Documents\Zone Alarm_SetupWeb_141_057_000.exe:$CmdTcID [64]
emptytemp:
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • AV uninstalled?
  • Fixlog
  • How is your computer running?

Gary

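As an added example, not from this thread and not part of Farbar's FRST or any other tool named here: a read-only PowerShell audit of the two kinds of leftovers the fixlist in the post above targets, orphaned service and driver registry entries (the "[X]" and "no ImagePath" lines) and NTFS alternate data streams (the "AlternateDataStreams:" lines). The function names are my own, the script assumes Windows PowerShell 3.0 or later on an NTFS volume, and it should be run from an elevated prompt so the Services hive is fully readable. It lists and classifies and removes nothing: the Fixlog later in the thread shows what FRST removed, this shows how to see such entries yourself before any cleanup.

```powershell
# Added example (not from this thread, not part of Farbar's FRST): a read-only audit of
# the two kinds of leftovers the fixlist above targets, so they can be reviewed before
# anything is removed. Assumes Windows PowerShell 3.0+ on NTFS, run from an elevated
# prompt so HKLM\SYSTEM\CurrentControlSet\Services is fully readable.

function Resolve-ServiceImagePath {
    # Turn a raw ImagePath registry value into a plain file path that Test-Path can check.
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''                      # kernel-driver prefix  \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\system32\...
    if ($p.StartsWith('"')) {                               # "C:\Program Files\x.exe" -args
        $p = $p.Split('"')[1]
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') {   # system32\svchost.exe -k netsvcs
        $p = $Matches[1]
    }
    if (-not [System.IO.Path]::IsPathRooted($p)) {        # system32\drivers\foo.sys
        $p = Join-Path -Path $env:SystemRoot -ChildPath $p
    }
    return $p
}

function Get-OrphanedService {
    # Services and drivers whose binary is gone or whose ImagePath is empty: the entries
    # FRST prints with "[X]" or "no ImagePath" (the IObit, ZAM and aswbdisk lines above).
    # Start 0/1 = boot/system start driver, 2 = automatic, 3 = manual, 4 = disabled.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Type) { continue }   # not a service entry
        $image = [string]$props.ImagePath
        if ([string]::IsNullOrWhiteSpace($image)) {
            [pscustomobject]@{ Name = $key.PSChildName; Start = $props.Start; ImagePath = ''; Reason = 'no ImagePath' }
            continue
        }
        $file = Resolve-ServiceImagePath -ImagePath $image
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Name = $key.PSChildName; Start = $props.Start; ImagePath = $file; Reason = 'file missing' }
        }
    }
}

function Get-AlternateDataStream {
    # Every NTFS alternate data stream on the files and folders under -Path, minus the
    # primary ::$DATA stream. Zone.Identifier is the ordinary "downloaded from the Internet"
    # mark; any other stream name (the fixlist removed :$CmdTcID, :$CmdZnID and :792D4CF1)
    # deserves a look, because Explorer shows neither the stream nor its size.
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Benign = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

# Usage: look first, decide afterwards. Nothing below deletes anything.
Get-OrphanedService | Format-Table -AutoSize
Get-AlternateDataStream -Path "$env:USERPROFILE\Documents" -Recurse |
    Where-Object { -not $_.Benign } | Format-Table -AutoSize
# To read what a Zone.Identifier mark actually says (ZoneId=3 is the Internet zone):
#   Get-Content -LiteralPath 'C:\path\to\file.exe' -Stream Zone.Identifier
```

The Benign filter hides the routine Zone.Identifier marks that browsers and mail clients attach to downloads, so what remains is the short list of unusual stream names to review by hand, like the $CmdTcID and $CmdZnID entries in the fixlist above. Orphaned driver entries with Start 0 or 1 are the typical remains of an incomplete security-product uninstall: the registry still names a boot-start driver whose .sys file has been deleted, which is exactly the "[X]" condition FRST reports.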
#7 Dell_User7
  • Topic Starter
  • Members
  • 30 posts

Posted 31 January 2018 - 12:12 PM

Sorry for the late reply, I've been very busy with other matters.

Oh good! I'm now pretty relieved about the aswMBR report on the Kaspersky system drivers.

I guess I never fully uninstalled Kaspersky. I will look into what I can do to fully uninstall Kaspersky without any traces of the program coming back.

ВИА Гра is a Ukrainian pop band. Just one of my artist folders in my music folder. Nothing to be alarmed about.

Thank you very much for the P2P warning! I feel pretty safe using the torrent client that I've been using, and I don't download anything illegal with it, only legit, safe downloads from official servers (like an author's software download site), so I want to keep using qBittorrent. uTorrent has built-in spyware and possibly some malware as well, so I started avoiding that one a while ago. But as far as I know, qBittorrent is a reliable and safe torrent client to use, with nothing nasty like that in the software.

I will still read about the scary ransomware threats on P2P sharing, thank you for the link!

I have a problem: Kaspersky is not on the Windows Add/Remove list, nor on IObit's uninstaller list, but there is a folder in my 32-bit programs folder named "Kaspersky Lab", which looks like it includes lots of system files for the software. How do I properly remove Kaspersky?

Kaspersky does not have a folder in my 64-bit programs folder.

After starting Farbar, I had an issue.

What is erunt.exe? It tried to execute itself when I started Farbar. VoodooShield blocked it as an extreme threat. Is this just a false positive?

Also, I do not have an FRST icon on my desktop, or in the folder where I downloaded Farbar to.

I opened Farbar, and I see no such option to paste any code, only a search bar and some other program options. I have attached an image so you can help direct me on what to do next.

Otherwise, my computer has been running normally, no major issues to report. Thank you!

#8 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,734 posts
  • Location:California

Posted 31 January 2018 - 01:51 PM

Greetings.
 

What is erunt.exe?

This is a legitimate program used by FRST to back up your registry as a safety measure before manipulating your system. It is a false positive.

Once you highlight the listed entries and hit Ctrl + C the information is copied to the clipboard which is hidden. When you open FRST and click Fix the tool knows to pull the information from the clipboard and run the program. There is no pasting of the information required.

Please do this to see if we can clean up leftover Kaspersky entries.

===================================================

Kaspersky Lab Products Removal Tool

--------------------
  • Visit this site and follow the steps to run the Kaspersky Antivirus Removal Tool
  • If not done automatically reboot your computer
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Kaspersky removed?

Gary

#9 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,734 posts
  • Location:California

Posted 03 February 2018 - 10:12 AM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary

#10 Dell_User7
  • Topic Starter
  • Members
  • 30 posts

Posted 04 February 2018 - 08:28 PM

Hello, I have run the Farbar tool and copied and pasted like you said. Here is my FRST log.

Sorry again for the late reply, I got swamped the last few days, but now I'm free.

The Farbar process seemed to help clear some stuff up on my computer, but it looks like there were some errors in the cleaning process.

Should I also still go ahead and run the Kaspersky removal tool as well?


===================

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Zar-Unityv4 (03-02-2018 14:38:33) Run:1
Running from C:\Users\Zar-Unityv4\Documents\__The useful box__
Loaded Profiles: Zar-Unityv4 (Available Profiles: Zar-Unityv4)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKU\S-1-5-21-4291765073-3835710626-4147568939-1000 -> {B689767B-A433-421B-A274-EA7DA2D126DB} URL = 
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Toolbar: HKLM-x32 - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Handler: vipresg - No CLSID Value
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
S3 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
S3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [X]
U2 TMAgent; no ImagePath
S3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
U1 aswbdisk; no ImagePath
Task: {157390A4-5878-4321-AD55-2F38017A83E3} - \Norton Identity Safe\Norton Error Processor
Task: {AAA34808-E932-4A68-9936-EC57F9767A37} - \AVAST Software\Avast settings backup
Task: {D789AFBC-069E-47CE-95BE-B8B872ABBA04} - \Norton Identity Safe\Norton Error Analyzer
AlternateDataStreams: C:\autoexec.bat:$CmdTcID [64]
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [129]
AlternateDataStreams: C:\Users\Zar-Unityv4\Documents\MicrosoftFixit50267.msi:$CmdZnID [26]
AlternateDataStreams: C:\Users\Zar-Unityv4\Documents\Zone Alarm_SetupWeb_141_057_000.exe:$CmdTcID [64]
emptytemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-4291765073-3835710626-4147568939-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B689767B-A433-421B-A274-EA7DA2D126DB}" => removed successfully
HKLM\Software\Classes\CLSID\{B689767B-A433-421B-A274-EA7DA2D126DB} => key not found
"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => removed successfully
HKLM\Software\Classes\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found
"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A924C17A-5E94-4E02-BED5-49720BA6F7FA}" => removed successfully
HKLM\Software\Classes\CLSID\{A924C17A-5E94-4E02-BED5-49720BA6F7FA} => key not found
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{A924C17A-5E94-4E02-BED5-49720BA6F7FA}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A924C17A-5E94-4E02-BED5-49720BA6F7FA} => key not found
"HKLM\Software\Classes\PROTOCOLS\Handler\vipresg" => removed successfully
"HKLM\Software\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com" => removed successfully
"HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com" => removed successfully
"HKLM\System\CurrentControlSet\Services\FileMonitor" => removed successfully
FileMonitor => service removed successfully
"HKLM\System\CurrentControlSet\Services\Partizan" => removed successfully
Partizan => service removed successfully
"HKLM\System\CurrentControlSet\Services\RegFilter" => removed successfully
RegFilter => service removed successfully
"HKLM\System\CurrentControlSet\Services\TMAgent" => removed successfully
TMAgent => service removed successfully
"HKLM\System\CurrentControlSet\Services\UrlFilter" => removed successfully
UrlFilter => service removed successfully
"HKLM\System\CurrentControlSet\Services\ZAM" => removed successfully
ZAM => service removed successfully
"HKLM\System\CurrentControlSet\Services\ZAM_Guard" => removed successfully
ZAM_Guard => service removed successfully
HKLM\System\CurrentControlSet\Services\aswbdisk => key could not remove, key could be protected
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{157390A4-5878-4321-AD55-2F38017A83E3} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{157390A4-5878-4321-AD55-2F38017A83E3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{AAA34808-E932-4A68-9936-EC57F9767A37}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AAA34808-E932-4A68-9936-EC57F9767A37}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D789AFBC-069E-47CE-95BE-B8B872ABBA04}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D789AFBC-069E-47CE-95BE-B8B872ABBA04}" => removed successfully
C:\autoexec.bat => ":$CmdTcID" ADS removed successfully
C:\ProgramData\TEMP => ":792D4CF1" ADS removed successfully
C:\Users\Zar-Unityv4\Documents\MicrosoftFixit50267.msi => ":$CmdZnID" ADS removed successfully
C:\Users\Zar-Unityv4\Documents\Zone Alarm_SetupWeb_141_057_000.exe => ":$CmdTcID" ADS removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 20813194 B
Java, Flash, Steam htmlcache => 195456254 B
Windows/system/drivers => 405854340 B
Edge => 0 B
Chrome => 416669641 B
Firefox => 17962603 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 16802 B
systemprofile32 => 314811 B
LocalService => 53578 B
NetworkService => 36136 B
Zar-Unityv4 => 14763383 B
 
RecycleBin => 7347788 B
EmptyTemp: => 1 GB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 03-02-2018 14:42:21)
 
 
Result of scheduled keys to remove after reboot:
 
HKLM\System\CurrentControlSet\Services\aswbdisk => key could not remove, key could be protected
 
==== End of Fixlog 14:42:21 ====


#11 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,734 posts
  • Gender:Male
  • Location:California

Posted 04 February 2018 - 08:44 PM

Thank you for the information.

Some of those "errors" are not errors. There are 2 entries I would like to try to delete.

Yes, please run the Kaspersky Tool and do this.

===================================================

Farbar's MiniRegTool

--------------------
  • Please download MiniRegTool64.zip and save it to your desktop
  • Unzip the folder and double click the icon
  • Copy and paste the following into the white box:

HKLM\System\CurrentControlSet\Services\aswbdisk
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{157390A4-5878-4321-AD55-2F38017A83E3}

  • Check the Delete Keys/Values including Locked/Null embedded radio button.
  • Press the Go button and post the result.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • MiniRegTool report
  • Kaspersky tool?
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Dell_User7
  • Topic Starter
  • Members
  • 30 posts

Posted 05 February 2018 - 07:18 PM

Hello, I did what you said with the MiniReg tool, but it looks like only one of the two registry entries could be deleted. Isn't the "aswbdisk" part of the Avast rootkit scanner tool that I used recently? (aswMBR.exe)

My report:


MiniRegTool64 by Farbar Version:21-07-2014
Ran by Zar-Unityv4 (administrator) on 2018-02-05 19:11:22
 
====================================
"HKLM\System\CurrentControlSet\Services\aswbdisk" could not be deleted.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{157390A4-5878-4321-AD55-2F38017A83E3}" deleted successfully.
 
========
 
Next, I will be running the Kaspersky tool and then I will tell you
how my computer is looking afterwards. Later tonight or tomorrow, 
since a reboot will be required.
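As an added example (not from the thread, and not code from Farbar's or Avast's tools) of how to look at a leftover driver service key such as aswbdisk before deleting it: this PowerShell reads the key's type, start value and ImagePath, checks whether the driver file is still on disk and who signed it, and asks Windows whether the driver is currently loaded. The key name comes from the Fixlog above; the script, its output labels and the $ServiceName parameter are my own assumptions.

```powershell
# Added example, not from the thread or the Farbar/Avast tools. Inspects a leftover
# driver service key to tell an orphaned scanner remnant from a live driver.
# 'aswbdisk' comes from the Fixlog in this thread; everything else is assumed.
param([string]$ServiceName = 'aswbdisk')

$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path $keyPath)) {
    Write-Output "$ServiceName : no service key present"
    return
}

$svc = Get-ItemProperty -Path $keyPath
$imagePath = [string]$svc.ImagePath

# Driver ImagePath values come in several spellings: '\??\C:\...', '\SystemRoot\...'
# or a path relative to the Windows directory. Normalise before testing the file.
$resolved = $imagePath -replace '^\\\?\?\\', ''
$resolved = $resolved -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
if ($resolved -and -not [IO.Path]::IsPathRooted($resolved)) {
    $resolved = Join-Path $env:SystemRoot $resolved
}

Write-Output ("Service   : {0}" -f $ServiceName)
Write-Output ("Type      : 0x{0:X} (1 = kernel driver)" -f [int]$svc.Type)
Write-Output ("Start     : {0} ({1})" -f $svc.Start, $startTypes[[int]$svc.Start])
Write-Output ("ImagePath : {0}" -f $imagePath)

if ($resolved -and (Test-Path $resolved)) {
    # A validly signed file from a known vendor is the normal case for a scanner's helper driver.
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    Write-Output ("File      : present, signature {0}" -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Output ("Signer    : {0}" -f $sig.SignerCertificate.Subject)
    }
} else {
    # Key present but binary gone: an orphaned service entry. Windows cannot load it,
    # which is why cleanup tools flag it and why the key alone is not a sign of active malware.
    Write-Output "File      : missing (orphaned service key)"
}

# Is the driver actually loaded right now? Orphaned keys never show up here.
$loaded = Get-WmiObject Win32_SystemDriver -Filter "Name='$ServiceName'"
if ($loaded) {
    Write-Output ("Running   : State={0} Started={1}" -f $loaded.State, $loaded.Started)
} else {
    Write-Output "Running   : not loaded"
}
```

Run it from an elevated PowerShell prompt; a key whose file is missing and which is not loaded is the orphan case, while a signed, loaded driver from the scanner's vendor is simply the tool's own component.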


#13 Dell_User7
  • Topic Starter
  • Members
  • 30 posts

Posted 07 February 2018 - 02:45 AM

Hello, I'm on the Kaspersky removal tool now, ready to reboot after removal, but I am unable to identify which Kaspersky product I have in order to start the removal process.

I know that I have some version of Kaspersky Internet Security in my x86 Program Files folder, within a Kaspersky Lab folder, but I don't know which version of Kaspersky Internet Security it is. All I can find is the version number 16.0.0. From a search, this might indicate the 2016 version of Kaspersky Internet Security, but it is not on the list to choose from.




#14 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,734 posts
  • Gender:Male
  • Location:California

Posted 07 February 2018 - 10:36 AM

Select Kaspersky Anti-Virus/Internet Security 2014.


Gary

#15 Dell_User7
  • Topic Starter
  • Members
  • 30 posts

Posted 07 February 2018 - 06:14 PM

Hello, I selected the one you mentioned and ran the tool. A whole bunch of DLL files relating to Kaspersky initiated command lines, all of which I let through.

Then towards the end of the removal process, two suspicious files were allowed to run; one of them was "unkis.vbs".

I had to restart my computer myself; it was not automatic.

Everything appears to be normal, except for a file "msi250.tmp" trying to run after startup, which was blocked.

I checked the Kaspersky Lab folder and it's still there, including all or most of the files. Looks like it didn't remove it. What do I do now?





