UDISKMGR Infection and undeletable folders / detections


  • This topic is locked
19 replies to this topic

#1 heathconn

  • Members
  • 9 posts

Posted 30 January 2018 - 03:47 AM

I have done various scans with Malwarebytes and it keeps detecting UDISKMGR and seems unable to delete it.

I also have various unrecognizable scrambled names of folders that have denied me access to view or delete them.

 

I have included the FRST scan results with Addition results.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27.01.2018
Ran by Mick (administrator) on MICK (30-01-2018 19:26:10)
Running from C:\Users\Mick\Desktop
Loaded Profiles: Mick (Available Profiles: Mick)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\spidbkzsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
() C:\Users\Mick\AppData\Local\igfxmtc\igfxmtc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Users\Mick\AppData\Local\cshdktv\cshdktv.exe
() C:\Users\Mick\AppData\Local\cshdktv\comxazr.exe
() C:\Users\Mick\AppData\Local\cshdktv\comxazr.exe
() C:\Users\Mick\AppData\Local\cshdktv\comxazr.exe
() C:\Users\Mick\AppData\Local\cshdktv\comxazr.exe
() C:\Users\Mick\AppData\Local\cshdktv\comxazr.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8447192 2015-02-05] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161728 2015-08-09] (IvoSoft)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-12-06] (Apple Inc.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [235624 2015-01-09] (CANON INC.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10257872 2018-01-10] (Piriform Ltd)
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [143360 2006-12-23] (Nero AG)
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\MountPoints2: {7c61ee62-e159-11e7-8475-8cdcd4555fce} - "F:\Setup.exe" /s
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\MountPoints2: {96b068e5-d3c2-11e7-8474-8cdcd4555fce} - "G:\Setup.exe" /s
GroupPolicy: Restriction - Windows Defender <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{5D304D4D-ED88-489E-8F9F-D6026D83B6DB}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B12D8D3D-3CA3-4F3E-A23F-06C77CCB2D42}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131609716104882950&GUID=58169A0A-F174-7B09-8752-6152DBC09BEE
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131609716105069159&GUID=58169A0A-F174-7B09-8752-6152DBC09BEE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-01-21] (Microsoft Corporation)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2018-01-21] (Microsoft Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2015-08-09] (IvoSoft)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2018-01-21] (Microsoft Corporation)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-08-09] (IvoSoft)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-12-06] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2018-01-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-12-06] (Oracle Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2015-08-09] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-08-09] (IvoSoft)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-21] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-21] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-21] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-21] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 7r3fd6eu.default
FF ProfilePath: C:\Users\Mick\AppData\Roaming\Mozilla\Firefox\Profiles\7r3fd6eu.default [2018-01-30]
FF Homepage: Mozilla\Firefox\Profiles\7r3fd6eu.default -> hxxps://www.google.com.au/
FF NewTab: Mozilla\Firefox\Profiles\7r3fd6eu.default -> about:newtab
FF NewTabOverride: Mozilla\Firefox\Profiles\7r3fd6eu.default -> Enabled: "id":"{66E978CD-981F-47DF-AC42-E3CF417C1467
FF Extension: (New Tab Homepage) - C:\Users\Mick\AppData\Roaming\Mozilla\Firefox\Profiles\7r3fd6eu.default\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi [2017-11-18]
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-10] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-10] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2015-10-29] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-12-06] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-12-06] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-01-21] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-01-21] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-14] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-05] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKLM\SYSTEM\CurrentControlSet\Services\excmalgd <==== ATTENTION (Rootkit!)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7780528 2018-01-15] (Microsoft Corporation)
R2 igfxCUIService1.0.0.0; C:\windows\system32\igfxCUIService.exe [319376 2014-12-03] (Intel Corporation)
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-23] (Nero AG) [File not signed]
R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2014-04-30] (arvato digital services llc)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [293080 2015-02-05] (Realtek Semiconductor)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-13] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
R1 MBAMSwissArmy; C:\windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-26] (Malwarebytes)
S4 pkjrfb; C:\windows\System32\drivers\gvbybhmp.sys [79064 2018-01-17] (Malwarebytes)
R3 RTWlanE; C:\windows\system32\DRIVERS\rtwlane.sys [6393856 2016-12-29] (Realtek Semiconductor Corporation )
S4 sasgs; C:\windows\System32\drivers\weouusuw.sys [79064 2018-01-20] (Malwarebytes)
S3 ssudmdm; C:\windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2018-01-26] ()
R3 TXEIx64; C:\windows\System32\drivers\TXEIx64.sys [88592 2014-03-29] (Intel Corporation)
S4 unpariv; C:\windows\System32\drivers\dcuq.sys [79064 2018-01-20] (Malwarebytes)
S3 USBAAPL64; C:\windows\System32\Drivers\usbaapl64.sys [54784 2016-03-28] (Apple, Inc.) [File not signed]
S3 usbrndis6; C:\windows\system32\DRIVERS\usb80236.sys [20992 2015-04-25] (Microsoft Corporation)
S0 WdBoot; C:\windows\System32\drivers\WdBoot.sys [46600 2017-02-11] (Microsoft Corporation)
R0 WdFilter; C:\windows\System32\drivers\WdFilter.sys [274776 2017-01-13] (Microsoft Corporation)
S3 WdNisDrv; C:\windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-13] (Microsoft Corporation)
R3 WUDFWpdComp; C:\windows\system32\DRIVERS\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S4 ylefg; C:\windows\System32\drivers\daos.sys [79064 2018-01-20] (Malwarebytes)
S4 ymnfffx; C:\windows\System32\drivers\keuha.sys [79064 2018-01-18] (Malwarebytes)
S4 ypdl; C:\windows\System32\drivers\yaxe.sys [79064 2018-01-12] (Malwarebytes)
S3 intaud_WaveExtensible; \SystemRoot\system32\drivers\intelaud.sys [X]
S3 iwdbus; \SystemRoot\System32\drivers\iwdbus.sys [X]
U4 orwgdx; system32\drivers\dskhhloo.sys [X]
R3 udiskMgr; system32\drivers\xadhkn.sys [X] <==== ATTENTION

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-30 19:26 - 2018-01-30 19:26 - 000014105 _____ C:\Users\Mick\Desktop\FRST.txt
2018-01-30 19:04 - 2018-01-30 19:21 - 000000000 ____D C:\Users\Mick\Desktop\New folder (2)
2018-01-26 14:32 - 2018-01-26 14:32 - 000000000 ____D C:\ProgramData\LHService
2018-01-26 14:31 - 2018-01-26 14:31 - 000142160 ____N C:\windows\system32\Drivers\tirxaehk.sys
2018-01-26 14:27 - 2018-01-26 14:27 - 000000000 ____D C:\ProgramData\LockHunter
2018-01-26 14:06 - 2018-01-26 14:06 - 000000000 ____D C:\Users\Mick\AppData\Roaming\LockHunter
2018-01-26 14:06 - 2018-01-26 14:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LockHunter
2018-01-26 14:06 - 2018-01-26 14:06 - 000000000 ____D C:\Program Files\LockHunter
2018-01-26 13:48 - 2018-01-26 13:48 - 000501784 _____ C:\windows\system32\FNTCACHE.DAT
2018-01-26 13:41 - 2018-01-26 13:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2018-01-26 13:41 - 2018-01-26 13:41 - 000000000 ____D C:\Program Files (x86)\FileASSASSIN
2018-01-26 12:23 - 2018-01-26 12:23 - 000000000 ____D C:\Users\Mick\AppData\Local\igfxmtc
2018-01-26 12:22 - 2018-01-26 12:22 - 000000300 ____H C:\windows\Tasks\CCleaner Update.job
2018-01-26 12:22 - 2018-01-26 12:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-01-26 12:21 - 2018-01-30 19:24 - 000000000 ____D C:\Users\Mick\AppData\Local\msrtzdb
2018-01-26 12:18 - 2018-01-26 14:32 - 002884096 _____ (TOSHIBA CORPORATION) C:\windows\system32\spidbkzsvc.exe
2018-01-26 12:18 - 2018-01-26 12:18 - 000000000 ____D C:\windows\SysWOW64\pcixsoh
2018-01-26 12:18 - 2018-01-26 12:18 - 000000000 ____D C:\windows\system32\pcixsoh
2018-01-25 19:15 - 2018-01-25 19:19 - 000000000 ____D C:\AdwCleaner
2018-01-25 18:52 - 2018-01-25 19:07 - 000015548 _____ C:\TDSSKiller.3.1.0.15_25.01.2018_18.52.48_log.txt
2018-01-25 14:52 - 2018-01-30 19:26 - 000000000 ____D C:\FRST
2018-01-24 21:00 - 2018-01-26 12:43 - 000028272 _____ C:\windows\system32\Drivers\TrueSight.sys
2018-01-24 20:59 - 2018-01-30 19:22 - 002393088 _____ (Farbar) C:\Users\Mick\Desktop\FRST64.exe
2018-01-24 20:59 - 2018-01-24 22:12 - 000000000 ____D C:\ProgramData\RogueKiller
2018-01-24 20:59 - 2018-01-24 20:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2018-01-24 20:59 - 2018-01-24 20:59 - 000000000 ____D C:\Program Files\RogueKiller
2018-01-24 20:41 - 2018-01-24 20:41 - 000000000 ____D C:\windows\pss
2018-01-24 19:57 - 2018-01-26 12:19 - 000253880 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamswissarmy.sys
2018-01-21 18:38 - 2018-01-21 18:39 - 000000000 ____D C:\Users\Mick\Desktop\New folder
2018-01-21 12:09 - 2018-01-21 12:09 - 000000146 _____ C:\Users\Mick\Desktop\Windows Defender.lnk
2018-01-21 12:06 - 2018-01-24 05:58 - 000548000 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2018-01-21 12:02 - 2018-01-25 19:36 - 000002047 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-21 12:02 - 2018-01-21 12:02 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-21 12:02 - 2017-11-29 09:11 - 000077432 _____ C:\windows\system32\Drivers\mbae64.sys
2018-01-21 12:01 - 2018-01-21 12:01 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-21 12:01 - 2018-01-21 12:01 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-20 13:47 - 2018-01-20 13:47 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\dcuq.sys
2018-01-20 12:43 - 2018-01-20 12:43 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\daos.sys
2018-01-20 11:02 - 2018-01-20 11:02 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\weouusuw.sys
2018-01-18 18:30 - 2018-01-18 18:30 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\keuha.sys
2018-01-18 11:30 - 2017-10-04 19:21 - 000029352 _____ (Microsoft Corporation) C:\windows\SysWOW64\aspnet_counters.dll
2018-01-18 11:30 - 2017-10-04 19:21 - 000019088 _____ (Microsoft Corporation) C:\windows\SysWOW64\msvcr100_clr0400.dll
2018-01-18 11:30 - 2017-10-04 14:45 - 000030888 _____ (Microsoft Corporation) C:\windows\system32\aspnet_counters.dll
2018-01-18 11:30 - 2017-10-04 14:45 - 000019088 _____ (Microsoft Corporation) C:\windows\system32\msvcr100_clr0400.dll
2018-01-17 20:34 - 2018-01-17 20:34 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\gvbybhmp.sys
2018-01-17 20:34 - 2018-01-17 20:34 - 000002096 _____ C:\windows\system32\dswmr
2018-01-17 13:45 - 2018-01-17 13:45 - 000000000 ____D C:\Users\Mick\AppData\Roaming\17527
2018-01-17 12:15 - 2018-01-26 12:58 - 000001257 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\Users\Mick\AppData\Local\VS Revo Group
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\ProgramData\VS Revo Group
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\Program Files\VS Revo Group
2018-01-17 12:15 - 2016-12-16 08:53 - 000040984 _____ (VS Revo Group) C:\windows\system32\Drivers\revoflt.sys
2018-01-16 10:41 - 2018-01-16 10:41 - 000000000 ____D C:\Users\Mick\AppData\Roaming\26973
2018-01-14 21:16 - 2018-01-14 21:16 - 000000304 _____ C:\Users\Mick\AppData\Roaming\4e93aa11-2d46-4980-a421-0a4ac759e5bf
2018-01-14 21:16 - 2018-01-14 21:16 - 000000175 _____ C:\Users\Mick\AppData\Roaming\fc19ece2-6b3f-4f22-8758-9651ab9ca388
2018-01-14 21:16 - 2018-01-14 21:16 - 000000171 _____ C:\Users\Mick\AppData\Roaming\1eb766f2-fed1-4d33-9c39-2c8a972fd11f
2018-01-12 13:09 - 2018-01-12 13:09 - 000554656 _____ C:\Users\Mick\Documents\IMG_20180112_0004.pdf
2018-01-12 12:09 - 2018-01-12 12:09 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\yaxe.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-30 19:27 - 2017-12-22 12:10 - 000000000 ____D C:\Users\Mick\AppData\Local\cshdktv
2018-01-30 19:23 - 2015-12-12 12:08 - 000000000 ____D C:\Users\Mick\Documents\Outlook Files
2018-01-30 18:43 - 2015-09-20 17:01 - 000000000 __SHD C:\Users\Mick\IntelGraphicsProfiles
2018-01-30 14:18 - 2015-10-18 14:43 - 000000000 ____D C:\Users\Mick\AppData\Local\ClassicShell
2018-01-30 14:12 - 2013-08-23 02:20 - 000000000 ____D C:\windows\CbsTemp
2018-01-26 14:37 - 2014-03-18 20:53 - 000902088 _____ C:\windows\system32\PerfStringBackup.INI
2018-01-26 14:37 - 2013-08-23 00:36 - 000000000 ____D C:\windows\Inf
2018-01-26 14:32 - 2013-08-23 01:45 - 000000006 ____H C:\windows\Tasks\SA.DAT
2018-01-26 14:31 - 2013-08-23 00:25 - 011272192 _____ C:\windows\system32\config\HARDWARE
2018-01-26 14:23 - 2015-09-20 17:07 - 000003600 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1111182159-1481868987-2492049145-1001
2018-01-26 13:18 - 2015-12-05 19:30 - 000000998 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-01-26 12:26 - 2015-12-05 19:30 - 000000000 ____D C:\Program Files\CCleaner
2018-01-25 19:34 - 2017-12-22 12:07 - 002884096 _____ C:\windows\system32\lshoxvesvc.exe
2018-01-24 18:21 - 2015-12-30 11:21 - 000000000 ____D C:\Users\Mick\AppData\Roaming\Vso
2018-01-23 11:08 - 2013-08-23 02:36 - 000000000 ____D C:\windows\system32\FxsTmp
2018-01-23 09:39 - 2016-01-07 17:14 - 000000000 ____D C:\Users\Mick\AppData\Roaming\vlc
2018-01-22 11:48 - 2016-01-07 17:14 - 000000000 ____D C:\Users\Mick\AppData\Roaming\dvdcss
2018-01-22 11:44 - 2015-12-30 12:53 - 000001057 _____ C:\Users\Mick\AppData\Roaming\vso_ts_preview.xml
2018-01-22 11:38 - 2013-08-23 02:36 - 000000000 ____D C:\windows\rescache
2018-01-21 20:00 - 2013-08-23 00:25 - 000262144 ___SH C:\windows\system32\config\BBI
2018-01-21 18:32 - 2013-08-23 02:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-01-21 18:26 - 2015-12-08 20:11 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-01-21 12:26 - 2015-09-20 17:02 - 000001061 ____H C:\Users\Mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-21 12:14 - 2015-12-05 17:37 - 000001118 ____H C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2018-01-21 11:18 - 2015-09-20 16:59 - 000000000 ____D C:\Users\Mick
2018-01-21 11:13 - 2015-12-05 19:06 - 000000000 ____D C:\Users\Mick\Documents\Camera
2018-01-20 19:05 - 2015-12-30 10:36 - 000000000 ____D C:\Users\Mick\Documents\DVDFab9
2018-01-20 13:47 - 2013-08-23 02:36 - 000000000 ____D C:\windows\Globalization
2018-01-20 12:43 - 2013-08-23 02:36 - 000000000 ____D C:\windows\Help
2018-01-17 20:43 - 2015-09-20 17:01 - 000000000 ____D C:\Users\Mick\AppData\Local\Packages
2018-01-17 12:35 - 2017-03-08 13:35 - 000000000 ____D C:\Users\Mick\Documents\DVDFab Passkey
2018-01-17 12:35 - 2016-02-08 16:41 - 000000000 ___RD C:\Users\Mick\Documents\Scanned Documents
2018-01-17 12:35 - 2015-12-05 19:46 - 000000000 ____D C:\Users\Mick\Documents\PHOTOS
2018-01-17 12:35 - 2015-12-05 19:08 - 000000000 ____D C:\Users\Mick\Documents\LOGIES bleep
2018-01-17 12:35 - 2015-12-05 19:07 - 000000000 ____D C:\Users\Mick\Documents\emails from desktop
2018-01-15 13:50 - 2017-12-22 13:13 - 000000000 ____D C:\Program Files (x86)\Your Uninstaller! 7
2018-01-15 13:49 - 2017-01-07 13:22 - 000000000 ____D C:\Program Files (x86)\Anvsoft
2018-01-15 13:01 - 2017-12-22 15:48 - 000000000 ____D C:\windows\Minidump
2018-01-15 13:01 - 2015-03-16 13:47 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2018-01-12 15:43 - 2017-06-30 12:58 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-01-12 15:43 - 2015-12-05 17:37 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-12 12:09 - 2013-08-23 02:36 - 000000000 ___HD C:\windows\ELAMBKUP
2018-01-12 10:10 - 2017-12-22 12:17 - 000000000 ____D C:\Users\Mick\AppData\Local\cwrxoit
2018-01-10 14:30 - 2015-10-18 16:26 - 000000000 ____D C:\windows\system32\MRT
2018-01-10 14:26 - 2017-10-12 21:26 - 129365736 ____C (Microsoft Corporation) C:\windows\system32\MRT-KB890830.exe
2018-01-10 14:25 - 2015-10-18 16:26 - 129365736 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe
2018-01-10 14:09 - 2017-07-26 19:28 - 000003162 _____ C:\windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1111182159-1481868987-2492049145-1001
2018-01-10 14:01 - 2015-12-06 15:35 - 000004288 _____ C:\windows\System32\Tasks\Adobe Flash Player Updater
2018-01-10 14:01 - 2013-08-23 02:36 - 000000000 ____D C:\windows\SysWOW64\Macromed
2018-01-10 14:01 - 2013-08-23 02:36 - 000000000 ____D C:\windows\system32\Macromed

==================== Files in the root of some directories =======

2018-01-14 21:16 - 2018-01-14 21:16 - 000000171 _____ () C:\Users\Mick\AppData\Roaming\1eb766f2-fed1-4d33-9c39-2c8a972fd11f
2018-01-14 21:16 - 2018-01-14 21:16 - 000000304 _____ () C:\Users\Mick\AppData\Roaming\4e93aa11-2d46-4980-a421-0a4ac759e5bf
2018-01-14 21:16 - 2018-01-14 21:16 - 000000175 _____ () C:\Users\Mick\AppData\Roaming\fc19ece2-6b3f-4f22-8758-9651ab9ca388
2015-12-30 11:21 - 2015-12-30 12:54 - 000099384 _____ () C:\Users\Mick\AppData\Roaming\inst.exe
2015-12-30 11:21 - 2015-12-30 12:54 - 000007859 _____ () C:\Users\Mick\AppData\Roaming\pcouffin.cat
2015-12-30 11:21 - 2015-12-30 12:54 - 000001167 _____ () C:\Users\Mick\AppData\Roaming\pcouffin.inf
2015-12-30 11:21 - 2015-12-30 12:54 - 000000055 _____ () C:\Users\Mick\AppData\Roaming\pcouffin.log
2015-12-30 11:21 - 2015-12-30 12:54 - 000082816 _____ (VSO Software) C:\Users\Mick\AppData\Roaming\pcouffin.sys
2015-12-30 12:53 - 2018-01-22 11:44 - 000001057 _____ () C:\Users\Mick\AppData\Roaming\vso_ts_preview.xml
2017-12-22 12:11 - 2017-12-22 12:11 - 000140800 _____ () C:\Users\Mick\AppData\Local\installer.dat

Some files in TEMP:
====================
2018-01-26 12:28 - 2018-01-26 12:28 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\230C.tmp.exe
2018-01-26 12:18 - 2018-01-26 12:18 - 011205832 _____ (Piriform Ltd) C:\Users\Mick\AppData\Local\Temp\288.tmp.exe
2018-01-26 12:36 - 2018-01-26 12:36 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\2D2C.tmp.exe
2018-01-26 12:36 - 2018-01-26 12:36 - 000983168 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\2D2C.tmp64.exe
2018-01-25 19:26 - 2018-01-25 19:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\4AA6.tmp.exe
2018-01-26 12:21 - 2018-01-26 12:21 - 011205832 _____ (Piriform Ltd) C:\Users\Mick\AppData\Local\Temp\58E4.tmp.exe
2018-01-25 19:25 - 2018-01-25 19:25 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\6680.tmp.exe
2018-01-26 14:06 - 2018-01-26 14:06 - 003133480 _____ (Crystal Rich Ltd                                            ) C:\Users\Mick\AppData\Local\Temp\7050.tmp.exe
2018-01-30 19:21 - 2018-01-30 19:21 - 002393088 _____ (Farbar) C:\Users\Mick\AppData\Local\Temp\765F.tmp.exe
2018-01-25 19:26 - 2018-01-25 19:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\99F4.tmp.exe
2018-01-25 19:15 - 2018-01-25 19:15 - 008206624 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\9B2B.tmp.exe
2018-01-30 19:21 - 2018-01-30 19:22 - 002393088 _____ (Farbar) C:\Users\Mick\AppData\Local\Temp\D9CD.tmp.exe
2018-01-26 12:42 - 2017-09-15 06:30 - 001737600 _____ (Microsoft Corporation) C:\Users\Mick\AppData\Local\Temp\dllnt_dump.dll
2018-01-25 19:26 - 2018-01-25 19:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\E758.tmp.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\windows\system32\drivers\tirxaehk.sys -> Access Denied <======= ATTENTION

LastRegBack: 2018-01-23 09:54

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Mick (30-01-2018 19:27:33)
Running from C:\Users\Mick\Desktop
Windows 8.1 (Update) (X64) (2015-09-20 06:00:48)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1111182159-1481868987-2492049145-500 - Administrator - Disabled)
Guest (S-1-5-21-1111182159-1481868987-2492049145-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1111182159-1481868987-2492049145-1003 - Limited - Enabled)
Mick (S-1-5-21-1111182159-1481868987-2492049145-1001 - Administrator - Enabled) => C:\Users\Mick

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.137 - Adobe Systems Incorporated)
Alcor Micro USB Card Reader Driver  (HKLM-x32\...\{7F28165B-148D-4672-AA21-469D9E6E3CB6}) (Version: 20.21.3317.03861 - Alcor Micro Corp.) Hidden
Alcor Micro USB Card Reader Driver  (HKLM-x32\...\AmUStor) (Version: 20.21.3317.03861 - Alcor Micro Corp.)
Apple Application Support (32-bit) (HKLM-x32\...\{9BA1A894-B42F-4805-BC8C-349C905A3930}) (Version: 5.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{7EAC8A42-9FAC-4F6B-AABF-C08C9F2E0F13}) (Version: 5.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
BlackVue HD (HKLM-x32\...\BlackVueHD) (Version:  - )
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version: 1.5.4.4 - Canon Inc.)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.7.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.20.13 - Canon Inc.)
Canon MG7700 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG7700_series) (Version: 1.00 - Canon Inc.)
Canon MG7700 series On-screen Manual (HKLM-x32\...\Canon MG7700 series On-screen Manual) (Version: 7.8.0 - Canon Inc.)
Canon MP Navigator EX 3.0 (HKLM-x32\...\MP Navigator EX 3.0) (Version:  - )
Canon MP Navigator EX 5.1 (HKLM-x32\...\MP Navigator EX 5.1) (Version:  - )
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 3.5.1 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 3.5.0 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.39 - Piriform)
CD-LabelPrint (HKLM-x32\...\MediaNavigation.CDLabelPrint) (Version:  - )
Classic Shell (HKLM\...\{E289B7DD-6732-4333-A47A-75A145D23EE3}) (Version: 4.2.4 - IvoSoft)
ConvertXtoDVD 4.1.4.338 (HKLM-x32\...\{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1) (Version: 4.1.4.338 - )
Corel PaintShop Pro X8 (HKLM-x32\...\_{85C69B9B-F9BD-4A60-BD83-F2B7E081ED39}) (Version: 18.0.0.124 - Corel Corporation)
Corel PaintShop Pro X8 (HKLM-x32\...\{8239357B-E792-4EEB-9F8B-F2535730A315}) (Version: 18.0.0.124 - Corel Corporation) Hidden
DVD Shrink 3.2 (HKLM-x32\...\DVD Shrink_is1) (Version:  - DVD Shrink)
FileASSASSIN (HKLM-x32\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Hewlett-Packard ACLM.NET v1.2.2.3 (HKLM-x32\...\{6F340107-F9AA-47C6-B54C-C3A19F11553F}) (Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7745.4851 - Hewlett-Packard)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 13.00.0000 - Hewlett-Packard)
ICA (HKLM-x32\...\{85C69B9B-F9BD-4A60-BD83-F2B7E081ED39}) (Version: 18.0.0.124 - Corel Corporation) Hidden
iCloud (HKLM\...\{0493048C-CB1A-44B7-8BB3-8467AF7BA9E4}) (Version: 6.1.2.13 - Apple Inc.)
Intel® Chipset Device Software (HKLM-x32\...\{d370215a-d003-43ae-a3b6-1028af64d5a1}) (Version: 10.0.20 - Intel® Corporation) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3993 - Intel Corporation)
Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)
IPM_PSP_COM (HKLM-x32\...\{80A28CA4-189A-4EB2-9F76-7845A0A83D2A}) (Version: 18.0.0.124 - Corel Corporation) Hidden
iTunes (HKLM\...\{81C96689-EA5B-4B7D-A04F-16326EC51BC2}) (Version: 12.5.4.42 - Apple Inc.)
Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
LightScribe  1.4.136.1 (HKLM-x32\...\{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}) (Version: 1.4.136.1 - hxxp://www.lightscribe.com) Hidden
LockHunter 3.2, 32/64 bit (HKLM\...\LockHunter_is1) (Version:  - Crystal Rich Ltd)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.8827.2148 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 57.0.4 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.4 (x64 en-US)) (Version: 57.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 57.0.4.6577 - Mozilla)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 7 Essentials (HKLM-x32\...\{B28B351F-1232-46EA-85EF-B8EA91641033}) (Version: 7.02.5017 - Nero AG)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
OLYMPUS Master 2 (HKLM-x32\...\{3A1AB8E6-748E-4B95-AA2D-FE9952EB3106}) (Version: 1.0.13 - OLYMPUS IMAGING CORP.)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
PSPPContent (HKLM-x32\...\{89E018D8-558F-4051-BB26-64DD9B90DF68}) (Version: 18.0.0.124 - Corel Corporation) Hidden
PSPPHelp (HKLM-x32\...\{88340123-2A5C-48D4-98C1-58C18D12F09C}) (Version: 18.0.0.124 - Corel Corporation) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7443 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.0.0.37 - REALTEK Semiconductor Corp.)
Revo Uninstaller Pro 3.1.8 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.8 - VS Revo Group, Ltd.)
RogueKiller version 12.12.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.12.1.0 - Adlice Software)
Setup (HKLM-x32\...\{8BFA76B5-47DD-4C88-9C9B-7407019F0E13}) (Version: 18.0.0.124 - Corel Corporation) Hidden
TomTom MyDrive Connect 4.1.6.3253 (HKLM-x32\...\MyDriveConnect) (Version: 4.1.6.3253 - TomTom)
USB Programmable remote control (HKLM-x32\...\USB Programmable remote control) (Version:  - )
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (11/28/2013 2.0.0018.00000) (HKLM\...\724A5661585DAD3C707B84BACF43F64B5E070CE5) (Version: 11/28/2013 2.0.0018.00000 - Google, Inc.)
WinRAR 5.30 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.30.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\windows\system32\igfxEM.exe (Intel Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
ContextMenuHandlers1: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers1: [PhotoStreamsExt] -> [CC]{89D984B3-813B-406A-8298-118AFA3A22AE} =>  -> No File
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-11-18] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2015-11-18] (Alexander Roshal)
ContextMenuHandlers2: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers3-x32: [FAExt] -> {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} => C:\Program Files (x86)\FileASSASSIN\FileASSASSINExt.dll [2007-03-31] (Malwarebytes)
ContextMenuHandlers3-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\windows\system32\igfxDTCM.dll [2014-12-03] (Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [RUShellExt] -> {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} => C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [2016-12-15] (VS Revo Group)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\windows\system32\StartMenuHelper64.dll [2015-08-09] (IvoSoft)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-11-18] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2015-11-18] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {00B7CD01-1D06-476B-B3C4-B6CFB9A34498} - System32\Tasks\Intel® Iditt TR ( Appointme) => C:\windows\system32\rundll32.exe "C:\Program Files\Intel® Iditt TR ( Appointme)\Intel® Iditt TR ( Appointme).dll",mOaEUQz
Task: {06498AF1-205F-4386-AC0A-9BB794E4D503} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)
Task: {0928850D-E2BC-4923-AB3C-BCF232EC8C70} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {09E0BB3A-36A6-4789-9FA7-9B93C22B1EB0} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-01-10] (Adobe Systems Incorporated)
Task: {146A1DAE-CFE2-4690-B56D-BDCDF25039CF} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2018-01-21] (Microsoft Corporation)
Task: {1E3983A5-FE4F-455B-B5CF-8EC353C4E8DD} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2018-01-21] (Microsoft Corporation)
Task: {560E38F3-4FF6-48E5-8E69-0B2EBB464B23} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)
Task: {7CC372F9-CBFF-4D9A-8981-451E791A18BF} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-01-10] (Piriform Ltd)
Task: {7E81CB51-90E3-492E-ACBE-ED33C6A1F4BC} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-21] (Microsoft Corporation)
Task: {85E7D6FE-62F1-454D-A424-78DC6807AD97} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-01-15] (Microsoft Corporation)
Task: {8606F6E0-E3BA-49BD-95F0-6DA113CCC545} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)
Task: {97F1E15C-673F-442B-B089-B12B756A4C75} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {9B74F0A7-3662-45F5-B341-485C4BA892A5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {A6218664-F47F-45BB-849D-D268276E5846} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {B697B269-47E3-4B67-96EA-BABBB90F493D} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-21] (Microsoft Corporation)
Task: {CC18A0E6-B0B0-4B8B-9DFE-896517CC46F6} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {DE4E4C0C-386C-47A0-919F-3E148B3EB0BD} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-01-15] (Microsoft Corporation)
Task: {E7CFA66B-6214-49C5-8981-D51C63C14450} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\CCleaner Update.job => C:\Program Files\CCleaner\CCUpdate.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2016-10-05 18:17 - 2016-10-05 18:17 - 000092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-01-13 13:56 - 2017-01-13 13:56 - 001353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2018-01-21 12:02 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-07-15 12:39 - 2018-01-21 18:24 - 008934568 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:1CE11B51 [106]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


There are 7867 more sites.


There are 7867 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-23 00:25 - 2015-12-12 15:40 - 000450831 ____R C:\windows\system32\Drivers\etc\hosts


There are 15467 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\Control Panel\Desktop\\Wallpaper -> J:\Judys Folder\Photos\pets\DSC00371.JPG
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run32: => "OM2_Monitor"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\StartupApproved\Run: => "OM2_Monitor"
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\StartupApproved\Run: => "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{50D1103E-69D1-4857-95AD-8E7CA8587A5E}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{3E3D692A-F462-4950-A93A-1D26ED1CE748}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{6CF67341-45C4-403D-A24C-B209BDDE328F}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{D52B39B6-7A1B-4887-905C-BE7DE72F7245}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{59E4B02C-E3F0-44FE-BC88-3FB5C6B25BB3}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/26/2018 01:46:14 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"  /forcedfolder "C:\Users\Mick\AppData\Local\cshdktv"; Description = Revo Uninstaller Pro's restore point - cshdktv; Error = 0x8007043c).

Error: (01/26/2018 04:19:24 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\Windows Defender\MsMpEng.exe Files\Windows Defender\MsMpEng.exe"; Description = Windows Defender Checkpoint; Error = 0x8007043c).

Error: (01/25/2018 07:27:03 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Mick\AppData\Local\Temp\jrt\CreateRestorePoint.exe  "JRT Pre-Junkware Removal"; Description = JRT Pre-Junkware Removal; Error = 0x8007043c).

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "select * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'" could not be reactivated in namespace "//./root" because of error 0x80041033. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __NamespaceOperationEvent" whose target class "__NamespaceOperationEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __ClassOperationEvent" whose target class "__ClassOperationEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/cimv2 namespace does not exist. The query will be ignored.


System errors:
=============
Error: (01/30/2018 07:23:04 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:23:04 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:23:04 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:23:04 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:23:04 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:14:36 PM) (Source: volsnap) (EventID: 14) (User: )
Description: The shadow copies of volume C: were aborted because of an IO failure on volume C:.

Error: (01/30/2018 07:14:36 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:14:36 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:14:36 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/30/2018 07:14:36 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.


CodeIntegrity:
===================================
  Date: 2018-01-20 18:51:32.146
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2018-01-20 18:21:29.524
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2018-01-20 18:19:28.616
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2018-01-20 18:11:50.197
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Celeron® CPU J1800 @ 2.41GHz
Percentage of memory in use: 74%
Total physical RAM: 3976.88 MB
Available physical RAM: 1005.98 MB
Total Virtual: 4680.88 MB
Available Virtual: 1557.96 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:512.79 GB) (Free:412.07 GB) NTFS
Drive d: (Recovery Image) (Fixed) (Total:17.25 GB) (Free:2.17 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive j: (Judys Drive) (Fixed) (Total:400 GB) (Free:359.37 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 0B8AC212)

Partition: GPT.

==================== End of Addition.txt ============================




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:12 PM

Posted 30 January 2018 - 08:01 AM

Hi heathconn :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Copy/paste the following inside the text area:
    Start::
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes
    End::
    
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 heathconn

heathconn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 31 January 2018 - 02:22 AM

Thanks Aura.

I ran the fix as follows.

Results attached.

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Mick (31-01-2018 18:20:43) Run:2
Running from C:\Users\Mick\Desktop
Loaded Profiles: Mick (Available Profiles: Mick)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 18:20:45 ====



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:12 PM

Posted 31 January 2018 - 08:08 AM

For the next part, you'll need to download the FRST executable from a clean computer, and move it to your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shut down, or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to restart.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • Another computer (clean of infection)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system from a clean computer:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive
Boot in the Recovery Environment
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
  • Once in the Windows RE, plug the USB Flash Drive in the computer
Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply



#5 heathconn

heathconn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 01 February 2018 - 04:11 AM

Log attached as requested.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27.01.2018
Ran by SYSTEM on MININT-NL9N7EI (01-02-2018 20:03:31)
Running from j:\
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8447192 2015-02-04] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161728 2015-08-08] (IvoSoft)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-12-05] (Apple Inc.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [235624 2015-01-08] (CANON INC.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\Mick\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10257872 2018-01-09] (Piriform Ltd)
HKU\Mick\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [143360 2006-12-23] (Nero AG)
GroupPolicy: Restriction - Windows Defender <==== ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"HKLM\System\ControlSet001\Services\excmalgd" => removed successfully
C:\Windows\System32\drivers\tirruxbe.sys => moved successfully
"HKLM\System\ControlSet001\Services\udiskMgr" => removed successfully
C:\Users\Mick\AppData\Local\cshdktv\comxazr.exe => moved successfully
C:\Users\Mick\AppData\Local\cshdktv\cshdktv.exe => moved successfully
C:\Users\Mick\AppData\Local\igfxmtc\igfxmtc.exe => moved successfully
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-21] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7780528 2018-01-14] (Microsoft Corporation)
S2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-12-02] (Intel Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-10-31] (Malwarebytes)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-22] (Nero AG)
S2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2014-04-29] (arvato digital services llc)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [293080 2015-02-04] (Realtek Semiconductor)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
S1 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-25] (Malwarebytes)
S4 pkjrfb; C:\Windows\System32\drivers\gvbybhmp.sys [79064 2018-01-17] (Malwarebytes)
S3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [6393856 2016-12-28] (Realtek Semiconductor Corporation )
S4 sasgs; C:\Windows\System32\drivers\weouusuw.sys [79064 2018-01-19] (Malwarebytes)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2018-01-25] ()
S3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-03-29] (Intel Corporation)
S4 unpariv; C:\Windows\System32\drivers\dcuq.sys [79064 2018-01-19] (Malwarebytes)
S3 usbrndis6; C:\Windows\system32\DRIVERS\usb80236.sys [20992 2015-04-24] (Microsoft Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
S3 WUDFWpdComp; C:\Windows\system32\DRIVERS\WUDFRd.sys [226304 2014-10-28] (Microsoft Corporation)
S4 ylefg; C:\Windows\System32\drivers\daos.sys [79064 2018-01-19] (Malwarebytes)
S4 ymnfffx; C:\Windows\System32\drivers\keuha.sys [79064 2018-01-17] (Malwarebytes)
S4 ypdl; C:\Windows\System32\drivers\yaxe.sys [79064 2018-01-11] (Malwarebytes)
S3 intaud_WaveExtensible; \SystemRoot\system32\drivers\intelaud.sys [X]
S3 iwdbus; \SystemRoot\System32\drivers\iwdbus.sys [X]
S4 orwgdx; system32\drivers\dskhhloo.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-30 23:20 - 2018-01-30 23:25 - 000000759 _____ C:\Users\Mick\Desktop\Fixlog.txt
2018-01-30 17:16 - 2018-01-30 17:43 - 000000000 ____D C:\BLADE_RUNNER_2049
2018-01-30 13:56 - 2018-01-30 14:21 - 000000000 ____D C:\NOVEMBER_CRIMINALS
2018-01-30 13:04 - 2018-01-30 13:40 - 000000000 ____D C:\THE_SNOWMAN
2018-01-30 00:27 - 2018-01-30 00:30 - 000034411 _____ C:\Users\Mick\Desktop\Addition.txt
2018-01-30 00:26 - 2018-01-30 23:25 - 000010581 _____ C:\Users\Mick\Desktop\FRST.txt
2018-01-30 00:04 - 2018-01-30 23:27 - 000000000 ____D C:\Users\Mick\Desktop\New folder
2018-01-25 19:32 - 2018-01-25 19:32 - 000000000 ____D C:\ProgramData\LHService
2018-01-25 19:27 - 2018-01-25 19:27 - 000000000 ____D C:\ProgramData\LockHunter
2018-01-25 19:06 - 2018-01-25 19:06 - 000000000 ____D C:\Users\Mick\AppData\Roaming\LockHunter
2018-01-25 19:06 - 2018-01-25 19:06 - 000000000 ____D C:\Program Files\LockHunter
2018-01-25 18:48 - 2018-01-25 18:48 - 000501784 _____ C:\Windows\System32\FNTCACHE.DAT
2018-01-25 18:41 - 2018-01-25 18:41 - 000000000 ____D C:\Program Files (x86)\FileASSASSIN
2018-01-25 17:23 - 2018-02-01 20:03 - 000000000 ____D C:\Users\Mick\AppData\Local\igfxmtc
2018-01-25 17:22 - 2018-01-25 17:22 - 000000300 ____H C:\Windows\Tasks\CCleaner Update.job
2018-01-25 17:21 - 2018-02-01 00:55 - 000000000 ____D C:\Users\Mick\AppData\Local\msrtzdb
2018-01-25 17:18 - 2018-01-31 01:39 - 002884096 _____ C:\Windows\System32\spidbkzsvc.exe
2018-01-25 17:18 - 2018-01-25 17:18 - 000000000 ____D C:\Windows\SysWOW64\pcixsoh
2018-01-25 17:18 - 2018-01-25 17:18 - 000000000 ____D C:\Windows\System32\pcixsoh
2018-01-25 00:15 - 2018-01-25 00:19 - 000000000 ____D C:\AdwCleaner
2018-01-24 23:52 - 2018-01-25 00:07 - 000015548 _____ C:\TDSSKiller.3.1.0.15_25.01.2018_18.52.48_log.txt
2018-01-24 19:52 - 2018-01-30 23:25 - 000000000 ____D C:\FRST
2018-01-24 02:00 - 2018-01-25 17:43 - 000028272 _____ C:\Windows\System32\Drivers\TrueSight.sys
2018-01-24 01:59 - 2018-01-30 00:22 - 002393088 _____ (Farbar) C:\Users\Mick\Desktop\FRST64.exe
2018-01-24 01:59 - 2018-01-24 03:12 - 000000000 ____D C:\ProgramData\RogueKiller
2018-01-24 01:59 - 2018-01-24 01:59 - 000000000 ____D C:\Program Files\RogueKiller
2018-01-24 01:41 - 2018-01-24 01:41 - 000000000 ____D C:\Windows\pss
2018-01-24 00:57 - 2018-01-25 17:19 - 000253880 _____ (Malwarebytes) C:\Windows\System32\Drivers\mbamswissarmy.sys
2018-01-20 17:09 - 2018-01-20 17:09 - 000000146 _____ C:\Users\Mick\Desktop\Windows Defender.lnk
2018-01-20 17:06 - 2018-01-23 10:58 - 000548000 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2018-01-20 17:02 - 2018-01-25 00:36 - 000002047 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-20 17:02 - 2017-11-28 14:11 - 000077432 _____ C:\Windows\System32\Drivers\mbae64.sys
2018-01-20 17:01 - 2018-01-20 17:01 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-20 17:01 - 2018-01-20 17:01 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-19 18:47 - 2018-01-19 18:47 - 000079064 _____ (Malwarebytes) C:\Windows\System32\Drivers\dcuq.sys
2018-01-19 17:43 - 2018-01-19 17:43 - 000079064 _____ (Malwarebytes) C:\Windows\System32\Drivers\daos.sys
2018-01-19 16:02 - 2018-01-19 16:02 - 000079064 _____ (Malwarebytes) C:\Windows\System32\Drivers\weouusuw.sys
2018-01-17 23:30 - 2018-01-17 23:30 - 000079064 _____ (Malwarebytes) C:\Windows\System32\Drivers\keuha.sys
2018-01-17 16:30 - 2017-10-04 00:21 - 000029352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
2018-01-17 16:30 - 2017-10-04 00:21 - 000019088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr100_clr0400.dll
2018-01-17 16:30 - 2017-10-03 19:45 - 000030888 _____ (Microsoft Corporation) C:\Windows\System32\aspnet_counters.dll
2018-01-17 16:30 - 2017-10-03 19:45 - 000019088 _____ (Microsoft Corporation) C:\Windows\System32\msvcr100_clr0400.dll
2018-01-17 01:34 - 2018-01-17 01:34 - 000079064 _____ (Malwarebytes) C:\Windows\System32\Drivers\gvbybhmp.sys
2018-01-17 01:34 - 2018-01-17 01:34 - 000002096 _____ C:\Windows\System32\dswmr
2018-01-16 18:45 - 2018-01-16 18:45 - 000000000 ____D C:\Users\Mick\AppData\Roaming\17527
2018-01-16 17:15 - 2018-01-25 17:58 - 000001257 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2018-01-16 17:15 - 2018-01-16 17:15 - 000000000 ____D C:\Users\Mick\AppData\Local\VS Revo Group
2018-01-16 17:15 - 2018-01-16 17:15 - 000000000 ____D C:\ProgramData\VS Revo Group
2018-01-16 17:15 - 2018-01-16 17:15 - 000000000 ____D C:\Program Files\VS Revo Group
2018-01-16 17:15 - 2016-12-15 13:53 - 000040984 _____ (VS Revo Group) C:\Windows\System32\Drivers\revoflt.sys
2018-01-15 15:41 - 2018-01-15 15:41 - 000000000 ____D C:\Users\Mick\AppData\Roaming\26973
2018-01-14 02:16 - 2018-01-14 02:16 - 000000304 _____ C:\Users\Mick\AppData\Roaming\4e93aa11-2d46-4980-a421-0a4ac759e5bf
2018-01-14 02:16 - 2018-01-14 02:16 - 000000175 _____ C:\Users\Mick\AppData\Roaming\fc19ece2-6b3f-4f22-8758-9651ab9ca388
2018-01-14 02:16 - 2018-01-14 02:16 - 000000171 _____ C:\Users\Mick\AppData\Roaming\1eb766f2-fed1-4d33-9c39-2c8a972fd11f
2018-01-11 18:09 - 2018-01-11 18:09 - 000554656 _____ C:\Users\Mick\Documents\IMG_20180112_0004.pdf
2018-01-11 17:09 - 2018-01-11 17:09 - 000079064 _____ (Malwarebytes) C:\Windows\System32\Drivers\yaxe.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-01 20:03 - 2017-12-21 17:10 - 000000000 ____D C:\Users\Mick\AppData\Local\cshdktv
2018-02-01 00:59 - 2015-10-17 19:43 - 000000000 ____D C:\Users\Mick\AppData\Local\ClassicShell
2018-02-01 00:59 - 2013-08-22 06:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-02-01 00:59 - 2013-08-22 05:25 - 011272192 _____ C:\Windows\System32\config\HARDWARE
2018-02-01 00:59 - 2013-08-22 05:25 - 000262144 ___SH C:\Windows\System32\config\BBI
2018-02-01 00:54 - 2015-09-19 22:01 - 000000000 __SHD C:\Users\Mick\IntelGraphicsProfiles
2018-01-31 03:59 - 2013-08-22 07:36 - 000000000 ____D C:\Windows\System32\FxsTmp
2018-01-31 03:45 - 2015-09-19 22:07 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1111182159-1481868987-2492049145-1001
2018-01-31 02:10 - 2015-09-19 21:59 - 000000000 ____D C:\users\Mick
2018-01-31 02:06 - 2016-11-17 15:56 - 000000000 ____D C:\Users\Mick\AppData\LocalLow\Mozilla
2018-01-31 01:55 - 2016-02-14 19:29 - 000000000 ___HD C:\ProgramData\CanonIJScan
2018-01-31 01:51 - 2014-03-18 01:53 - 000902088 _____ C:\Windows\System32\PerfStringBackup.INI
2018-01-31 01:51 - 2013-08-22 05:36 - 000000000 ____D C:\Windows\Inf
2018-01-31 00:03 - 2013-08-22 07:20 - 000000000 ____D C:\Windows\CbsTemp
2018-01-30 23:14 - 2017-06-29 17:58 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-01-30 23:14 - 2015-12-04 22:37 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-30 17:43 - 2016-06-07 18:51 - 000000000 ____D C:\ProgramData\DVD Shrink
2018-01-30 00:23 - 2015-12-11 17:08 - 000000000 ____D C:\Users\Mick\Documents\Outlook Files
2018-01-25 18:18 - 2015-12-05 00:30 - 000000998 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-01-25 17:26 - 2015-12-05 00:30 - 000000000 ____D C:\Program Files\CCleaner
2018-01-25 00:34 - 2017-12-21 17:07 - 002884096 _____ C:\Windows\System32\lshoxvesvc.exe
2018-01-23 23:21 - 2015-12-29 16:21 - 000000000 ____D C:\Users\Mick\AppData\Roaming\Vso
2018-01-22 14:39 - 2016-01-06 22:14 - 000000000 ____D C:\Users\Mick\AppData\Roaming\vlc
2018-01-21 16:48 - 2016-01-06 22:14 - 000000000 ____D C:\Users\Mick\AppData\Roaming\dvdcss
2018-01-21 16:44 - 2015-12-29 17:53 - 000001057 _____ C:\Users\Mick\AppData\Roaming\vso_ts_preview.xml
2018-01-21 16:38 - 2013-08-22 07:36 - 000000000 ____D C:\Windows\rescache
2018-01-20 23:32 - 2013-08-22 07:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-01-20 23:26 - 2015-12-08 01:11 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-01-20 16:13 - 2015-12-05 00:06 - 000000000 ____D C:\Users\Mick\Documents\Camera
2018-01-20 00:05 - 2015-12-29 15:36 - 000000000 ____D C:\Users\Mick\Documents\DVDFab9
2018-01-19 18:47 - 2013-08-22 07:36 - 000000000 ____D C:\Windows\Globalization
2018-01-19 17:43 - 2013-08-22 07:36 - 000000000 ____D C:\Windows\Help
2018-01-17 01:43 - 2015-09-19 22:01 - 000000000 ____D C:\Users\Mick\AppData\Local\Packages
2018-01-16 17:35 - 2017-03-07 18:35 - 000000000 ____D C:\Users\Mick\Documents\DVDFab Passkey
2018-01-16 17:35 - 2016-02-07 21:41 - 000000000 ___RD C:\Users\Mick\Documents\Scanned Documents
2018-01-16 17:35 - 2015-12-05 00:46 - 000000000 ____D C:\Users\Mick\Documents\PHOTOS
2018-01-16 17:35 - 2015-12-05 00:08 - 000000000 ____D C:\Users\Mick\Documents\LOGIES bleep
2018-01-16 17:35 - 2015-12-05 00:07 - 000000000 ____D C:\Users\Mick\Documents\emails from desktop
2018-01-14 18:50 - 2017-12-21 18:13 - 000000000 ____D C:\Program Files (x86)\Your Uninstaller! 7
2018-01-14 18:49 - 2017-01-06 18:22 - 000000000 ____D C:\Program Files (x86)\Anvsoft
2018-01-14 18:01 - 2017-12-21 20:48 - 000000000 ____D C:\Windows\Minidump
2018-01-11 17:09 - 2013-08-22 07:36 - 000000000 ___HD C:\Windows\ELAMBKUP
2018-01-11 15:10 - 2017-12-21 17:17 - 000000000 ____D C:\Users\Mick\AppData\Local\cwrxoit
2018-01-09 19:30 - 2015-10-17 21:26 - 000000000 ____D C:\Windows\System32\MRT
2018-01-09 19:26 - 2017-10-12 02:26 - 129365736 ____C (Microsoft Corporation) C:\Windows\System32\MRT-KB890830.exe
2018-01-09 19:25 - 2015-10-17 21:26 - 129365736 ____C (Microsoft Corporation) C:\Windows\System32\MRT.exe
2018-01-09 19:09 - 2017-07-26 00:28 - 000003162 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1111182159-1481868987-2492049145-1001
2018-01-09 19:01 - 2015-12-05 20:35 - 000004288 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-01-09 19:01 - 2013-08-22 07:36 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-01-09 19:01 - 2013-08-22 07:36 - 000000000 ____D C:\Windows\System32\Macromed

Some files in TEMP:
====================
2018-01-25 17:28 - 2018-01-25 17:28 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\230C.tmp.exe
2018-01-25 17:18 - 2018-01-25 17:18 - 011205832 _____ (Piriform Ltd) C:\Users\Mick\AppData\Local\Temp\288.tmp.exe
2018-01-25 17:36 - 2018-01-25 17:36 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\2D2C.tmp.exe
2018-01-25 17:36 - 2018-01-25 17:36 - 000983168 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\2D2C.tmp64.exe
2018-01-25 00:26 - 2018-01-25 00:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\4AA6.tmp.exe
2018-01-25 17:21 - 2018-01-25 17:21 - 011205832 _____ (Piriform Ltd) C:\Users\Mick\AppData\Local\Temp\58E4.tmp.exe
2018-01-25 00:25 - 2018-01-25 00:25 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\6680.tmp.exe
2018-01-25 19:06 - 2018-01-25 19:06 - 003133480 _____ (Crystal Rich Ltd                                            ) C:\Users\Mick\AppData\Local\Temp\7050.tmp.exe
2018-01-30 00:21 - 2018-01-30 00:21 - 002393088 _____ (Farbar) C:\Users\Mick\AppData\Local\Temp\765F.tmp.exe
2018-01-25 00:26 - 2018-01-25 00:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\99F4.tmp.exe
2018-01-25 00:15 - 2018-01-25 00:15 - 008206624 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\9B2B.tmp.exe
2018-01-30 00:21 - 2018-01-30 00:22 - 002393088 _____ (Farbar) C:\Users\Mick\AppData\Local\Temp\D9CD.tmp.exe
2018-01-25 17:42 - 2017-09-14 11:30 - 001737600 _____ (Microsoft Corporation) C:\Users\Mick\AppData\Local\Temp\dllnt_dump.dll
2018-01-25 00:26 - 2018-01-25 00:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\E758.tmp.exe

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2017-05-09 17:42] - [2017-04-15 23:22] - 000817664 _____ (Microsoft Corporation) 20CC6E9FE25ACD34BE4FCDDB7B08364D

C:\Windows\System32\dnsapi.dll
[2017-10-10 22:46] - [2017-09-07 12:08] - 000656896 _____ (Microsoft Corporation) 764E397D1664C3CE690AC35D3DD7085A

C:\Windows\SysWOW64\dnsapi.dll
[2017-10-10 22:46] - [2017-09-07 10:24] - 000499200 _____ (Microsoft Corporation) 19992FFEC28B2CE8BDFCE1E7F51C4FAF

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3976.88 MB
Available physical RAM: 3184 MB
Total Virtual: 3976.88 MB
Available Virtual: 3207.6 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:512.79 GB) (Free:386.61 GB) NTFS
Drive d: (Judys Drive) (Fixed) (Total:400 GB) (Free:359.37 GB) NTFS
Drive e: (Recovery Image) (Fixed) (Total:17.25 GB) (Free:2.17 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive i: (Windows RE tools ) (Fixed) (Total:1 GB) (Free:0.65 GB) NTFS
Drive j: (8GB FLASH) (Removable) (Total:7.19 GB) (Free:7.19 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.49 GB) (Free:0.49 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 0B8AC212)

Partition: GPT.

========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 7.2 GB) (Disk ID: 584FF368)
Partition 1: (Not Active) - (Size=7.2 GB) - (Type=0B)

LastRegBack: 2018-01-22 14:54

==================== End of FRST.txt ============================
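
The log above is a good illustration of what an analyst looks for in the Services and Drivers sections before writing an FRST fixlist: an image that runs from a user profile (the cshdktv entries FRST removed), no publisher in the parentheses, a file FRST could not find on disk ([X]), and generated-looking service names. The script below is an added example of that triage logic run over sample lines; it is not part of FRST and was not posted in this thread. The sample lines are copied from the log above except the udiskMgr line, which is constructed from the service name and path in FRST's removal messages with a made-up size and date, since the real entry was already gone by the time this scan ran. The weights (one strong signal, or two weak ones, to flag an entry) are this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One FRST Services/Drivers entry, e.g.
#   S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
#   S4 orwgdx; system32\drivers\dskhhloo.sys [X]     <- "[X]" means FRST could not find the file
ENTRY_RE = re.compile(
    r"^(?P<start>[SRU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"(?:\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<publisher>[^)]*)\)|\[(?P<missing>X)\])\s*$"
)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Weak heuristic for generated names: 4-8 lowercase letters with at most one vowel
    ('orwgdx', 'pkjrfb'), which leaves real short names such as 'iwdbus' alone."""
    return bool(re.fullmatch(r"[a-z]{4,8}", name)) and sum(c in "aeiou" for c in name) <= 1


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str]
    strong: int   # signals that flag an entry on their own
    weak: int     # signals that only flag an entry in combination

    @property
    def flagged(self) -> bool:
        return self.strong >= 1 or self.weak >= 2


def score_entry(line: str) -> Optional[Finding]:
    """Parse one FRST service/driver line and score it; None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    name, path = m.group("name"), m.group("path")
    reasons: List[str] = []
    strong = weak = 0
    if USER_PROFILE_RE.search(path) or TEMP_RE.search(path):
        # services and drivers belong under Program Files or System32, not in a user profile
        reasons.append("image runs from a user profile or temp directory")
        strong += 1
    if m.group("missing"):
        reasons.append("file not found on disk ([X])")
        weak += 1
    elif not m.group("publisher").strip():
        reasons.append("no publisher/version information")
        weak += 1
    if looks_random(name):
        reasons.append("random-looking service name")
        weak += 1
    return Finding(name, path, reasons, strong, weak)


def triage(log_text: str) -> List[Finding]:
    """Return the flagged entries, in log order, from the Services/Drivers sections of an FRST log."""
    results = [score_entry(line) for line in log_text.splitlines()]
    return [f for f in results if f is not None and f.flagged]


# Constructed sample. All lines except the udiskMgr one are copied from the FRST log above;
# the udiskMgr line reuses the service name and file path from FRST's removal messages,
# with a made-up size and date, to stand in for the entry FRST had already removed.
SAMPLE_LOG = r"""
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-10-31] (Malwarebytes)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
S2 udiskMgr; C:\Users\Mick\AppData\Local\cshdktv\cshdktv.exe [2884096 2018-01-25] ()
S3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2018-01-25] ()
S4 pkjrfb; C:\Windows\System32\drivers\gvbybhmp.sys [79064 2018-01-17] (Malwarebytes)
S3 iwdbus; \SystemRoot\System32\drivers\iwdbus.sys [X]
S4 orwgdx; system32\drivers\dskhhloo.sys [X]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.path}\n    " + "; ".join(f.reasons))
```

On the sample only udiskMgr (profile path) and orwgdx (missing file plus generated name) are flagged. TrueSight has no publisher but is otherwise ordinary, the Malwarebytes driver with the random name has a publisher, and iwdbus is merely an orphaned registration, so each of those carries a single weak signal and stays off the list; that is the point of requiring two weak signals, since a single one is common on a healthy machine.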



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:12 PM

Posted 01 February 2018 - 08:09 AM

Good :) Now you should be able to install and run a scan with Malwarebytes.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply



#7 heathconn

heathconn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 02 February 2018 - 07:16 PM

I completed the scan and this time it didn't pick up UDISKMGR but did find some others.

I also noticed that after the reboot there is nothing listed in quarantine.

Summary as follows.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/2/18
Scan Time: 11:53 PM
Log File: 0caee28a-0818-11e8-9f90-8cdcd4555fce.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3851
License: Free

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Mick\Mick

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 287995
Threats Detected: 8
Threats Quarantined: 8
Time Elapsed: 21 min, 57 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 8
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\5C5.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\76AF.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\5962.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\233C.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\2D4C.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\DA5A.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\708F.TMP, Delete-on-Reboot, [1310], [483773],1.0.3851
Trojan.Crypt, C:\USERS\MICK\DESKTOP\NEW FOLDER\FILEASSASSIN-SETUP-1.06.EXE, Delete-on-Reboot, [23], [468927],1.0.3851

Physical Sector: 0
(No malicious items detected)


(end)
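
The exported summary above is a fixed text layout ("-Section-" headers, "Key: Value" lines, then "Category: N" headers followed by one comma-separated line per detected item). The following is an added example, not code from the thread or from Malwarebytes: a small parser that turns that layout into structured records so that the summaries from successive runs can be compared (families, actions, paths) instead of read by eye. The embedded sample is constructed in the same format; its paths and detection IDs are illustrative.

```python
"""Parser for the scan summary Malwarebytes 3.x exports via "Export Summary".

Added example for this thread; it is not Malwarebytes code. It turns the
"-Section-" / "Key: Value" / "Category: N" layout into a dict and pulls the
per-item detection lines into records.
"""
import re
from collections import Counter

# Constructed sample in the exported-summary format; paths and IDs are illustrative.
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/2/18
Scan Time: 11:53 PM
Administrator: Yes

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 287995
Threats Detected: 3
Threats Quarantined: 3

-Scan Details-
Process: 0
(No malicious items detected)

File: 3
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\5C5.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Yelloader, C:\USERS\MICK\APPDATA\LOCAL\TEMP\76AF.TMP, Delete-on-Reboot, [1310], [475428],1.0.3851
Trojan.Crypt, C:\USERS\MICK\DESKTOP\NEW FOLDER\FILEASSASSIN-SETUP-1.06.EXE, Delete-on-Reboot, [23], [468927],1.0.3851

Physical Sector: 0
(No malicious items detected)

(end)
"""

SECTION_RE = re.compile(r"^-(?P<name>[^-].*?)-$")                     # -Scan Summary-
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")  # File: 8


def parse_detection(line, category):
    """'Family, Path, Action, [id], [id],dbversion' -> dict, or None if not that shape."""
    try:
        family, rest = line.split(", ", 1)
        path, action, id1, tail = rest.rsplit(", ", 3)   # path may itself contain spaces
        id2, db_version = tail.split(",", 1)
    except ValueError:
        return None
    return {"category": category, "family": family, "path": path, "action": action,
            "detection_ids": (id1.strip("[]"), id2.strip("[]")), "db_version": db_version}


def parse_summary(text):
    """Return {'sections': {name: {key: value}}, 'detections': [record, ...]}."""
    sections, detections = {}, []
    section = category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            sections.setdefault(section, {})
            category = None
            continue
        if section == "Scan Details":
            m = COUNT_RE.match(line)
            if m:                                   # "File: 8" opens a category
                category = m.group("category")
                sections[section][category] = m.group("count")
                continue
            det = parse_detection(line, category)
            if det:
                detections.append(det)
        elif section and ": " in line:              # plain "Key: Value" sections
            key, value = line.split(": ", 1)
            sections[section][key] = value
    return {"sections": sections, "detections": detections}


def summarize(parsed):
    """Counts a responder wants at a glance, plus a sanity check against the header."""
    dets = parsed["detections"]
    declared = int(parsed["sections"].get("Scan Summary", {}).get("Threats Detected", "0"))
    return {
        "by_family": dict(Counter(d["family"] for d in dets)),
        "by_action": dict(Counter(d["action"] for d in dets)),
        # Delete-on-Reboot: removal deferred to the next boot (the item was locked or in use).
        "pending_reboot": sum(1 for d in dets if d["action"] == "Delete-on-Reboot"),
        "in_temp": [d["path"] for d in dets if "\\TEMP\\" in d["path"].upper()],
        "consistent": declared == len(dets),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_summary(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as a script to print the per-family and per-action counts for the embedded sample; point `parse_summary` at the text of a real exported summary to compare two runs.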



#8 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 04 February 2018 - 04:32 PM

It's fine, the main infection (SmartService) was removed when you ran the FRST scan in the Windows RE. Now we're removing the rest.

RogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log



#9 heathconn

  • Topic Starter
  • Members
  • 9 posts

Posted 06 February 2018 - 04:53 AM

Scans completed.

Results as follows.

RogueKiller V12.12.2.0 (x64) [Jan 29 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Mick [Administrator]
Started from : C:\Users\Mick\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 02/05/2018 22:26:16 (Duration : 10:36:30)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1ER162 +++++
--- User ---
[MBR] e4aa440a821605377576463238497e26
[BSP] bd91c98676762018fb1887ee46d9553a : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1023 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2097152 | Size: 360 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2834432 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 3096576 | Size: 525092 MB
4 - Basic data partition | Offset (sectors): 1078484992 | Size: 409599 MB
5 - [SYSTEM] Basic data partition | Offset (sectors): 1917345792 | Size: 17665 MB
User = LL1 ... OK
User = LL2 ... OK

# AdwCleaner 7.0.7.0 - Logfile created on Tue Feb 06 09:47:09 2018
# Updated on 2018/18/01 by Malwarebytes
# Database: 02-02-2018.4
# Running on Windows 8.1 (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [1178 B] - [2018/1/25 8:22:51]
C:/AdwCleaner/AdwCleaner[S0].txt - [1006 B] - [2018/1/25 8:19:55]


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########



#10 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 06 February 2018 - 08:43 AM

Good! Now please run a new scan with FRST and provide me a fresh set of logs. I'll look for remnants.

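
Looking for remnants in an FRST log is mostly a matter of scanning a few sections for a handful of recurring signals. The block below is an added example, not part of the thread and not code from the FRST tool: it parses the section layout FRST prints (`==== Name ====` headers, and `Rn name; path [size date] (vendor)` lines in the Services and Drivers sections) and returns a review list. The signals are FRST's own `<==== ATTENTION` marker, `MountPoints2` autorun entries, registered drivers whose file is missing (`[X]`), files FRST reports as `[File not signed]`, driver service names that do not match their `.sys` file name, and clusters of differently named files with the same vendor and byte size. Each is a reason to look, not a verdict; the name-mismatch rule in particular flags some legitimate Microsoft drivers. The embedded sample is trimmed from lines in the format of the logs in this thread and is illustrative only.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example; not FRST code and not part of the thread. It returns a list of
(signal, section, detail) tuples for the entries a responder would check first.
"""
import os
import re
from collections import Counter, defaultdict

# Constructed sample in FRST's layout (trimmed, illustrative).
SAMPLE_FRST = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27.01.2018
Boot Mode: Normal

==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8447192 2015-02-05] (Realtek Semiconductor)
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\MountPoints2: {7c61ee62-e159-11e7-8475-8cdcd4555fce} - "F:\Setup.exe" /s
GroupPolicy: Restriction - Windows Defender <==== ATTENTION

==================== Services (Whitelisted) ====================

R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

R0 MBAMSwissArmy; C:\windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-26] (Malwarebytes)
S4 pkjrfb; C:\windows\System32\drivers\gvbybhmp.sys [79064 2018-01-17] (Malwarebytes)
S4 sasgs; C:\windows\System32\drivers\weouusuw.sys [79064 2018-01-20] (Malwarebytes)
S4 unpariv; C:\windows\System32\drivers\dcuq.sys [79064 2018-01-20] (Malwarebytes)
R3 RTWlanE; C:\windows\system32\DRIVERS\rtwlane.sys [6393856 2016-12-29] (Realtek Semiconductor Corporation )
U4 orwgdx; system32\drivers\dskhhloo.sys [X]
"""

SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
# R2 Name; C:\path\file.exe [12345 2018-01-02] (Vendor) [File not signed]
# U4 name; system32\drivers\x.sys [X]          <- still registered, file missing
ENTRY_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]|(?P<missing>\[X\]))"
    r"(?: \((?P<vendor>[^)]*)\))?(?P<flags>.*)$"
)


def parse_sections(text):
    """Group non-empty lines under the FRST section header they appear in."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_entry(line):
    """Parse one service/driver line; None for lines in another shape."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["missing"] = e["missing"] is not None
    e["unsigned"] = "[File not signed]" in e["flags"]
    e["size"] = int(e["size"]) if e["size"] else None
    e["stem"] = os.path.splitext(os.path.basename(e["path"].replace("\\", "/")))[0].lower()
    return e


def triage(text):
    """Return [(signal, section, detail)] for the entries worth a second look."""
    findings = []
    clusters = defaultdict(set)  # (vendor, size) -> distinct file stems
    for section, lines in parse_sections(text).items():
        for line in lines:
            if "<==== ATTENTION" in line:           # FRST's own marker
                findings.append(("frst-attention", section, line))
            if "MountPoints2" in line:               # autorun from removable media
                findings.append(("autorun-mountpoint", section, line))
            if not section.startswith(("Services", "Drivers")):
                continue
            e = parse_entry(line)
            if e is None:
                continue
            if e["missing"]:
                findings.append(("missing-file", section, line))
            if e["unsigned"]:
                findings.append(("unsigned-file", section, line))
            name = e["name"].lower()
            # Kernel drivers are normally registered under (roughly) their file name.
            if section.startswith("Drivers") and name not in e["stem"] and e["stem"] not in name:
                findings.append(("name-mismatch", section, line))
            if e["vendor"] and e["size"]:
                clusters[(e["vendor"].strip(), e["size"])].add(e["stem"])
    for (vendor, size), stems in clusters.items():
        if len(stems) >= 3:  # same vendor + same size under several random names
            findings.append(("size-cluster", "Services/Drivers",
                             f"{vendor}: {len(stems)} differently named files of {size} bytes: "
                             + ", ".join(sorted(stems))))
    return findings


def summarize(findings):
    """Count findings per signal."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, section, detail in triage(SAMPLE_FRST):
        print(f"[{kind}] {section}: {detail}")
```

Feed `triage` the text of FRST.txt and read the output alongside the log; a size cluster of identically sized, differently named driver files under one vendor deserves an on-disk signature check (for example with `Get-AuthenticodeSignature` in PowerShell) before deciding whether it is a product that randomises its driver names or something hiding behind one.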


#11 heathconn

  • Topic Starter
  • Members
  • 9 posts

Posted 06 February 2018 - 03:46 PM

Scan completed in Windows in a normal boot-up this time.

Is that correct?

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27.01.2018
Ran by Mick (administrator) on MICK (07-02-2018 07:32:31)
Running from C:\Users\Mick\Desktop
Loaded Profiles: Mick (Available Profiles: Mick)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8447192 2015-02-05] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161728 2015-08-09] (IvoSoft)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-12-06] (Apple Inc.)
HKLM\...\Run: [WindowsDefender] => "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [235624 2015-01-09] (CANON INC.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10257872 2018-01-10] (Piriform Ltd)
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [143360 2006-12-23] (Nero AG)
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\MountPoints2: {7c61ee62-e159-11e7-8475-8cdcd4555fce} - "F:\Setup.exe" /s
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\MountPoints2: {96b068e5-d3c2-11e7-8474-8cdcd4555fce} - "G:\Setup.exe" /s
GroupPolicy: Restriction - Windows Defender <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{5D304D4D-ED88-489E-8F9F-D6026D83B6DB}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B12D8D3D-3CA3-4F3E-A23F-06C77CCB2D42}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131609716104882950&GUID=58169A0A-F174-7B09-8752-6152DBC09BEE
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131609716105069159&GUID=58169A0A-F174-7B09-8752-6152DBC09BEE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-02-05] (Microsoft Corporation)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2018-02-05] (Microsoft Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2015-08-09] (IvoSoft)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2018-02-05] (Microsoft Corporation)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-08-09] (IvoSoft)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-12-06] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2018-02-05] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-12-06] (Oracle Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2015-08-09] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-08-09] (IvoSoft)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-02-05] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-02-05] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-02-05] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-02-05] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 7r3fd6eu.default
FF ProfilePath: C:\Users\Mick\AppData\Roaming\Mozilla\Firefox\Profiles\7r3fd6eu.default [2018-02-06]
FF Homepage: Mozilla\Firefox\Profiles\7r3fd6eu.default -> hxxps://www.google.com.au/
FF NewTab: Mozilla\Firefox\Profiles\7r3fd6eu.default -> about:newtab
FF NewTabOverride: Mozilla\Firefox\Profiles\7r3fd6eu.default -> Enabled: "id":"{66E978CD-981F-47DF-AC42-E3CF417C1467
FF Extension: (New Tab Homepage) - C:\Users\Mick\AppData\Roaming\Mozilla\Firefox\Profiles\7r3fd6eu.default\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi [2017-11-18]
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_28_0_0_161.dll [2018-02-06] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_161.dll [2018-02-06] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2015-10-29] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-12-06] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-12-06] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-01-21] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-01-21] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-14] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-05] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7968432 2018-01-30] (Microsoft Corporation)
R2 igfxCUIService1.0.0.0; C:\windows\system32\igfxCUIService.exe [319376 2014-12-03] (Intel Corporation)
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-23] (Nero AG) [File not signed]
R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2014-04-30] (arvato digital services llc)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [293080 2015-02-05] (Realtek Semiconductor)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-13] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
R0 MBAMSwissArmy; C:\windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-26] (Malwarebytes)
R1 MpKsla0f589c1; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{51FEB807-9D5C-4CFA-9131-AE69FA70E938}\MpKsla0f589c1.sys [58120 2018-02-06] (Microsoft Corporation)
S4 pkjrfb; C:\windows\System32\drivers\gvbybhmp.sys [79064 2018-01-17] (Malwarebytes)
R3 RTWlanE; C:\windows\system32\DRIVERS\rtwlane.sys [6393856 2016-12-29] (Realtek Semiconductor Corporation )
S4 sasgs; C:\windows\System32\drivers\weouusuw.sys [79064 2018-01-20] (Malwarebytes)
S3 ssudmdm; C:\windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
R3 TXEIx64; C:\windows\System32\drivers\TXEIx64.sys [88592 2014-03-29] (Intel Corporation)
S4 unpariv; C:\windows\System32\drivers\dcuq.sys [79064 2018-01-20] (Malwarebytes)
S3 USBAAPL64; C:\windows\System32\Drivers\usbaapl64.sys [54784 2016-03-28] (Apple, Inc.) [File not signed]
S3 usbrndis6; C:\windows\system32\DRIVERS\usb80236.sys [20992 2015-04-25] (Microsoft Corporation)
S0 WdBoot; C:\windows\System32\drivers\WdBoot.sys [46600 2017-02-11] (Microsoft Corporation)
R0 WdFilter; C:\windows\System32\drivers\WdFilter.sys [274776 2017-01-13] (Microsoft Corporation)
R3 WdNisDrv; C:\windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-13] (Microsoft Corporation)
R3 WUDFWpdComp; C:\windows\system32\DRIVERS\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S4 ylefg; C:\windows\System32\drivers\daos.sys [79064 2018-01-20] (Malwarebytes)
S4 ymnfffx; C:\windows\System32\drivers\keuha.sys [79064 2018-01-18] (Malwarebytes)
S4 ypdl; C:\windows\System32\drivers\yaxe.sys [79064 2018-01-12] (Malwarebytes)
S3 intaud_WaveExtensible; \SystemRoot\system32\drivers\intelaud.sys [X]
S3 iwdbus; \SystemRoot\System32\drivers\iwdbus.sys [X]
U4 orwgdx; system32\drivers\dskhhloo.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-06 20:50 - 2018-02-06 20:50 - 000001075 _____ C:\Users\Mick\Desktop\AdwCleaner[S1].txt
2018-02-05 22:20 - 2018-02-05 22:23 - 008206624 _____ (Malwarebytes) C:\Users\Mick\Desktop\AdwCleaner.exe
2018-02-05 22:16 - 2018-02-05 22:19 - 026917960 _____ (Adlice Software) C:\Users\Mick\Desktop\RogueKiller_portable64.exe
2018-02-03 10:56 - 2018-02-03 10:56 - 000001982 _____ C:\Users\Mick\Desktop\Malware Summary.txt
2018-02-01 20:24 - 2018-01-02 18:56 - 000136536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\wfplwfs.sys
2018-02-01 20:24 - 2018-01-02 17:39 - 000418648 _____ (Microsoft Corporation) C:\windows\system32\hal.dll
2018-02-01 20:24 - 2018-01-02 16:39 - 000686080 _____ (Microsoft Corporation) C:\windows\system32\Drivers\srv2.sys
2018-02-01 20:24 - 2018-01-02 16:39 - 000072192 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ndproxy.sys
2018-02-01 20:24 - 2018-01-02 16:39 - 000048128 _____ (Microsoft Corporation) C:\windows\system32\Drivers\netbios.sys
2018-02-01 20:24 - 2018-01-02 16:38 - 000559616 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
2018-02-01 20:24 - 2018-01-02 16:38 - 000416256 _____ (Microsoft Corporation) C:\windows\system32\Drivers\srv.sys
2018-02-01 20:24 - 2018-01-02 16:38 - 000401408 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2018-02-01 20:24 - 2018-01-02 16:38 - 000243200 _____ (Microsoft Corporation) C:\windows\system32\Drivers\srvnet.sys
2018-02-01 20:24 - 2018-01-02 16:38 - 000151040 _____ (Microsoft Corporation) C:\windows\system32\Drivers\pacer.sys
2018-02-01 20:24 - 2018-01-02 16:37 - 000080384 _____ (Microsoft Corporation) C:\windows\system32\Drivers\wanarp.sys
2018-02-01 20:24 - 2018-01-02 16:18 - 000615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2018-02-01 20:24 - 2018-01-02 16:06 - 000489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2018-02-01 20:24 - 2018-01-02 15:59 - 000014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2018-02-01 20:24 - 2018-01-02 15:53 - 000315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2018-02-01 20:24 - 2018-01-02 15:44 - 000476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2018-02-01 20:24 - 2018-01-02 15:34 - 000416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2018-02-01 20:24 - 2018-01-02 15:33 - 000086016 _____ (Microsoft Corporation) C:\windows\system32\nlaapi.dll
2018-02-01 20:24 - 2018-01-02 15:29 - 000817664 _____ (Microsoft Corporation) C:\windows\system32\rpcss.dll
2018-02-01 20:24 - 2018-01-02 15:25 - 000279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2018-02-01 20:24 - 2018-01-02 15:21 - 000391680 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2018-02-01 20:24 - 2018-01-02 15:11 - 000065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2018-02-01 20:24 - 2018-01-02 15:08 - 000110080 _____ (Microsoft Corporation) C:\windows\system32\icfupgd.dll
2018-02-01 20:24 - 2017-12-15 10:26 - 000374096 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2018-02-01 20:24 - 2017-12-15 08:39 - 000315736 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\atmfd.dll
2018-02-01 20:24 - 2017-12-14 21:19 - 000096256 _____ (Microsoft Corporation) C:\windows\system32\fontsub.dll
2018-02-01 20:24 - 2017-12-14 21:17 - 000044032 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2018-02-01 20:24 - 2017-12-11 00:58 - 000035840 _____ (Adobe Systems) C:\windows\SysWOW64\atmlib.dll
2018-02-01 20:23 - 2018-01-02 16:38 - 000445952 _____ (Microsoft Corporation) C:\windows\system32\Drivers\nwifi.sys
2018-02-01 20:23 - 2018-01-02 16:37 - 000110080 _____ (Microsoft Corporation) C:\windows\system32\appinfo.dll
2018-02-01 20:23 - 2018-01-02 16:34 - 000360448 _____ (Microsoft Corporation) C:\windows\system32\ncsi.dll
2018-02-01 20:23 - 2018-01-02 16:31 - 000040448 _____ (Microsoft Corporation) C:\windows\system32\rfxvmt.dll
2018-02-01 20:23 - 2018-01-02 16:28 - 000013312 _____ (Microsoft Corporation) C:\windows\system32\pcalua.exe
2018-02-01 20:23 - 2018-01-02 16:19 - 000108544 _____ (Microsoft Corporation) C:\windows\system32\fdWCN.dll
2018-02-01 20:23 - 2018-01-02 16:16 - 000814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2018-02-01 20:23 - 2018-01-02 15:57 - 000025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2018-02-01 20:23 - 2018-01-02 15:48 - 001033216 _____ (Microsoft Corporation) C:\windows\system32\inetcomm.dll
2018-02-01 20:23 - 2018-01-02 15:34 - 001217536 _____ (Microsoft Corporation) C:\windows\system32\sysmain.dll
2018-02-01 20:23 - 2018-01-02 15:33 - 001080320 _____ (Microsoft Corporation) C:\windows\system32\IKEEXT.DLL
2018-02-01 20:23 - 2018-01-02 15:32 - 000571392 _____ (Microsoft Corporation) C:\windows\system32\winlogon.exe
2018-02-01 20:23 - 2018-01-02 15:29 - 000754176 _____ (Microsoft Corporation) C:\windows\system32\FirewallAPI.dll
2018-02-01 20:23 - 2018-01-02 15:27 - 001696256 _____ (Microsoft Corporation) C:\windows\system32\wevtsvc.dll
2018-02-01 20:23 - 2018-01-02 15:25 - 000795648 _____ (Microsoft Corporation) C:\windows\system32\winhttp.dll
2018-02-01 20:23 - 2018-01-02 15:22 - 000880640 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcomm.dll
2018-02-01 20:23 - 2018-01-02 15:22 - 000129536 _____ (Microsoft Corporation) C:\windows\system32\WcnApi.dll
2018-02-01 20:23 - 2018-01-02 15:17 - 000465920 _____ (Microsoft Corporation) C:\windows\system32\wcncsvc.dll
2018-02-01 20:23 - 2018-01-02 15:16 - 000464384 _____ (Microsoft Corporation) C:\windows\system32\pcasvc.dll
2018-02-01 20:23 - 2018-01-02 15:15 - 001545728 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2018-02-01 20:23 - 2018-01-02 15:11 - 000185856 _____ (Microsoft Corporation) C:\windows\system32\rascfg.dll
2018-02-01 20:23 - 2018-01-02 15:09 - 000713216 _____ (Microsoft Corporation) C:\windows\system32\nshwfp.dll
2018-02-01 20:23 - 2018-01-02 15:09 - 000543232 _____ (Microsoft Corporation) C:\windows\SysWOW64\FirewallAPI.dll
2018-02-01 20:23 - 2018-01-02 15:06 - 000626176 _____ (Microsoft Corporation) C:\windows\SysWOW64\winhttp.dll
2018-02-01 20:23 - 2018-01-02 14:59 - 000177664 _____ (Microsoft Corporation) C:\windows\SysWOW64\P2P.dll
2018-02-01 20:23 - 2018-01-02 14:57 - 000164864 _____ (Microsoft Corporation) C:\windows\SysWOW64\rascfg.dll
2018-02-01 20:23 - 2018-01-02 14:56 - 000562176 _____ (Microsoft Corporation) C:\windows\SysWOW64\nshwfp.dll
2018-02-01 20:23 - 2018-01-02 14:54 - 001313792 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2018-02-01 20:23 - 2017-12-11 00:59 - 000077824 _____ (Microsoft Corporation) C:\windows\SysWOW64\fontsub.dll
2018-02-01 20:22 - 2018-01-02 19:00 - 000590680 _____ (Microsoft Corporation) C:\windows\system32\Drivers\fvevol.sys
2018-02-01 20:22 - 2018-01-02 19:00 - 000242520 _____ (Microsoft Corporation) C:\windows\system32\Drivers\rdyboost.sys
2018-02-01 20:22 - 2018-01-02 19:00 - 000214392 _____ (Microsoft Corporation) C:\windows\system32\Windows.Storage.ApplicationData.dll
2018-02-01 20:22 - 2018-01-02 18:56 - 000567656 _____ (Microsoft Corporation) C:\windows\system32\Drivers\cng.sys
2018-02-01 20:22 - 2018-01-02 18:56 - 000397224 _____ (Microsoft Corporation) C:\windows\system32\bcryptprimitives.dll
2018-02-01 20:22 - 2018-01-02 17:39 - 022374248 _____ (Microsoft Corporation) C:\windows\system32\shell32.dll
2018-02-01 20:22 - 2018-01-02 17:39 - 000354648 _____ (Microsoft Corporation) C:\windows\system32\Drivers\fltMgr.sys
2018-02-01 20:22 - 2018-01-02 17:35 - 001307840 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2018-02-01 20:22 - 2018-01-02 17:35 - 000989528 _____ (Microsoft Corporation) C:\windows\system32\Drivers\http.sys
2018-02-01 20:22 - 2018-01-02 17:05 - 000164296 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Storage.ApplicationData.dll
2018-02-01 20:22 - 2018-01-02 17:03 - 000341384 _____ (Microsoft Corporation) C:\windows\SysWOW64\bcryptprimitives.dll
2018-02-01 20:22 - 2018-01-02 16:40 - 000284672 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2018-02-01 20:22 - 2018-01-02 16:39 - 000402432 _____ (Microsoft Corporation) C:\windows\system32\Drivers\rdbss.sys
2018-02-01 20:22 - 2018-01-02 16:38 - 000138752 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dfsc.sys
2018-02-01 20:22 - 2018-01-02 16:28 - 005796352 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2018-02-01 20:22 - 2018-01-02 16:28 - 000577024 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2018-02-01 20:22 - 2018-01-02 16:28 - 000417280 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2018-02-01 20:22 - 2018-01-02 16:28 - 000048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2018-02-01 20:22 - 2018-01-02 16:17 - 000817152 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2018-02-01 20:22 - 2018-01-02 16:09 - 000445440 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2018-02-01 20:22 - 2018-01-02 15:59 - 000005632 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2018-02-01 20:22 - 2018-01-02 15:56 - 000199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2018-02-01 20:22 - 2018-01-02 15:54 - 000145408 _____ (Microsoft Corporation) C:\windows\system32\iepeers.dll
2018-02-01 20:22 - 2018-01-02 15:52 - 000499712 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2018-02-01 20:22 - 2018-01-02 15:51 - 000341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2018-02-01 20:22 - 2018-01-02 15:45 - 000091136 _____ (Microsoft Corporation) C:\windows\SysWOW64\fdWCN.dll
2018-02-01 20:22 - 2018-01-02 15:43 - 000662528 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2018-02-01 20:22 - 2018-01-02 15:42 - 000620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2018-02-01 20:22 - 2018-01-02 15:42 - 000262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2018-02-01 20:22 - 2018-01-02 15:41 - 000380416 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2018-02-01 20:22 - 2018-01-02 15:40 - 000807936 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2018-02-01 20:22 - 2018-01-02 15:40 - 000726528 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2018-02-01 20:22 - 2018-01-02 15:38 - 002134528 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2018-02-01 20:22 - 2018-01-02 15:37 - 000324096 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2018-02-01 20:22 - 2018-01-02 15:27 - 000168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2018-02-01 20:22 - 2018-01-02 15:26 - 003241472 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2018-02-01 20:22 - 2018-01-02 15:25 - 000128000 _____ (Microsoft Corporation) C:\windows\SysWOW64\iepeers.dll
2018-02-01 20:22 - 2018-01-02 15:23 - 004508160 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2018-02-01 20:22 - 2018-01-02 15:18 - 000380416 _____ (Microsoft Corporation) C:\windows\system32\pnrpsvc.dll
2018-02-01 20:22 - 2018-01-02 15:18 - 000230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2018-02-01 20:22 - 2018-01-02 15:17 - 000694272 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2018-02-01 20:22 - 2018-01-02 15:17 - 000331776 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2018-02-01 20:22 - 2018-01-02 15:16 - 002058752 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2018-02-01 20:22 - 2018-01-02 15:16 - 000881152 _____ (Microsoft Corporation) C:\windows\system32\MPSSVC.dll
2018-02-01 20:22 - 2018-01-02 15:16 - 000747520 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2018-02-01 20:22 - 2018-01-02 15:13 - 000216576 _____ (Microsoft Corporation) C:\windows\system32\P2P.dll
2018-02-01 20:22 - 2018-01-02 15:09 - 000827392 _____ (Microsoft Corporation) C:\windows\system32\spoolsv.exe
2018-02-01 20:22 - 2018-01-02 15:07 - 001265664 _____ (Microsoft Corporation) C:\windows\system32\schedsvc.dll
2018-02-01 20:22 - 2018-01-02 15:07 - 000440832 _____ (Microsoft Corporation) C:\windows\system32\p2psvc.dll
2018-02-01 20:22 - 2018-01-02 15:05 - 000097280 _____ (Microsoft Corporation) C:\windows\SysWOW64\WcnApi.dll
2018-02-01 20:22 - 2018-01-02 15:04 - 000800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2018-02-01 20:22 - 2018-01-02 14:58 - 002767872 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2018-02-01 20:22 - 2018-01-02 14:53 - 000710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2018-02-01 20:22 - 2017-12-29 19:21 - 000107520 _____ (Microsoft Corporation) C:\windows\system32\inseng.dll
2018-02-01 20:21 - 2018-01-02 18:56 - 002530400 _____ (Microsoft Corporation) C:\windows\system32\msxml6.dll
2018-02-01 20:21 - 2018-01-02 17:39 - 002013016 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ntfs.sys
2018-02-01 20:21 - 2018-01-02 17:38 - 002176064 _____ (Microsoft Corporation) C:\windows\system32\combase.dll
2018-02-01 20:21 - 2018-01-02 17:38 - 001662096 _____ (Microsoft Corporation) C:\windows\system32\ole32.dll
2018-02-01 20:21 - 2018-01-02 17:38 - 001063464 _____ (Microsoft Corporation) C:\windows\system32\WinTypes.dll
2018-02-01 20:21 - 2018-01-02 17:37 - 001737600 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2018-02-01 20:21 - 2018-01-02 17:37 - 001500432 _____ (Microsoft Corporation) C:\windows\system32\winresume.efi
2018-02-01 20:21 - 2018-01-02 17:37 - 001371352 _____ (Microsoft Corporation) C:\windows\system32\winresume.exe
2018-02-01 20:21 - 2018-01-02 17:37 - 001135280 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2018-02-01 20:21 - 2018-01-02 17:37 - 000685440 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2018-02-01 20:21 - 2018-01-02 17:01 - 001902328 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml6.dll
2018-02-01 20:21 - 2018-01-02 16:59 - 001565520 _____ (Microsoft Corporation) C:\windows\SysWOW64\combase.dll
2018-02-01 20:21 - 2018-01-02 16:59 - 001213784 _____ (Microsoft Corporation) C:\windows\SysWOW64\ole32.dll
2018-02-01 20:21 - 2018-01-02 16:58 - 001502000 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2018-02-01 20:21 - 2018-01-02 16:48 - 000507176 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2018-02-01 20:21 - 2018-01-02 16:30 - 002900480 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2018-02-01 20:21 - 2018-01-02 16:17 - 000116224 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2018-02-01 20:21 - 2018-01-02 16:02 - 000862720 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2018-02-01 20:21 - 2018-01-02 15:49 - 002294272 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2018-02-01 20:21 - 2018-01-02 15:40 - 001436672 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2018-02-01 20:21 - 2018-01-02 15:33 - 000845312 _____ (Microsoft Corporation) C:\windows\system32\BFE.DLL
2018-02-01 20:21 - 2018-01-02 15:23 - 002882048 _____ (Microsoft Corporation) C:\windows\system32\actxprxy.dll
2018-02-01 20:21 - 2018-01-02 15:17 - 001547264 _____ (Microsoft Corporation) C:\windows\system32\wlansvc.dll
2018-02-01 20:21 - 2018-01-02 14:55 - 003548160 _____ (Microsoft Corporation) C:\windows\system32\rdpcorets.dll
2018-02-01 20:20 - 2018-01-02 17:39 - 007408984 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2018-02-01 20:20 - 2018-01-02 17:37 - 001676056 _____ (Microsoft Corporation) C:\windows\system32\winload.efi
2018-02-01 20:20 - 2018-01-02 17:37 - 001536120 _____ (Microsoft Corporation) C:\windows\system32\winload.exe
2018-02-01 20:20 - 2018-01-02 17:03 - 025739264 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2018-02-01 20:20 - 2018-01-02 17:00 - 019790760 _____ (Microsoft Corporation) C:\windows\SysWOW64\shell32.dll
2018-02-01 20:20 - 2018-01-02 16:20 - 020275200 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2018-02-01 20:20 - 2018-01-02 15:44 - 015284224 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2018-02-01 20:20 - 2018-01-02 15:20 - 013680128 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2018-02-01 20:20 - 2017-12-11 00:46 - 007079424 _____ (Microsoft Corporation) C:\windows\system32\glcndFilter.dll
2018-02-01 20:20 - 2017-12-11 00:24 - 005275136 _____ (Microsoft Corporation) C:\windows\SysWOW64\glcndFilter.dll
2018-02-01 20:20 - 2017-12-11 00:06 - 007797760 _____ (Microsoft Corporation) C:\windows\system32\Windows.Data.Pdf.dll
2018-02-01 20:20 - 2017-12-10 23:59 - 005270528 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Data.Pdf.dll
2018-02-01 20:20 - 2017-12-06 15:42 - 002452816 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2018-02-01 20:20 - 2017-12-06 03:58 - 004168192 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2018-01-31 18:20 - 2018-01-31 18:25 - 000000759 _____ C:\Users\Mick\Desktop\Fixlog.txt
2018-01-31 12:16 - 2018-01-31 12:43 - 000000000 ____D C:\BLADE_RUNNER_2049
2018-01-31 08:56 - 2018-01-31 09:21 - 000000000 ____D C:\NOVEMBER_CRIMINALS
2018-01-31 08:04 - 2018-01-31 08:40 - 000000000 ____D C:\THE_SNOWMAN
2018-01-30 19:27 - 2018-01-30 19:30 - 000034411 _____ C:\Users\Mick\Desktop\Addition.txt
2018-01-30 19:26 - 2018-02-07 07:33 - 000013794 _____ C:\Users\Mick\Desktop\FRST.txt
2018-01-26 14:32 - 2018-01-26 14:32 - 000000000 ____D C:\ProgramData\LHService
2018-01-26 14:27 - 2018-01-26 14:27 - 000000000 ____D C:\ProgramData\LockHunter
2018-01-26 14:06 - 2018-01-26 14:06 - 000000000 ____D C:\Users\Mick\AppData\Roaming\LockHunter
2018-01-26 14:06 - 2018-01-26 14:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LockHunter
2018-01-26 14:06 - 2018-01-26 14:06 - 000000000 ____D C:\Program Files\LockHunter
2018-01-26 13:48 - 2018-02-03 11:00 - 000501784 _____ C:\windows\system32\FNTCACHE.DAT
2018-01-26 13:41 - 2018-01-26 13:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2018-01-26 13:41 - 2018-01-26 13:41 - 000000000 ____D C:\Program Files (x86)\FileASSASSIN
2018-01-26 12:23 - 2018-02-02 15:03 - 000000000 ____D C:\Users\Mick\AppData\Local\igfxmtc
2018-01-26 12:22 - 2018-01-26 12:22 - 000000300 ____H C:\windows\Tasks\CCleaner Update.job
2018-01-26 12:22 - 2018-01-26 12:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-01-26 12:21 - 2018-02-01 19:55 - 000000000 ____D C:\Users\Mick\AppData\Local\msrtzdb
2018-01-26 12:18 - 2018-01-31 20:39 - 002884096 _____ C:\windows\system32\spidbkzsvc.exe
2018-01-26 12:18 - 2018-01-26 12:18 - 000000000 ____D C:\windows\SysWOW64\pcixsoh
2018-01-26 12:18 - 2018-01-26 12:18 - 000000000 ____D C:\windows\system32\pcixsoh
2018-01-25 19:15 - 2018-02-06 20:47 - 000000000 ____D C:\AdwCleaner
2018-01-25 18:52 - 2018-01-25 19:07 - 000015548 _____ C:\TDSSKiller.3.1.0.15_25.01.2018_18.52.48_log.txt
2018-01-25 14:52 - 2018-02-07 07:32 - 000000000 ____D C:\FRST
2018-01-24 21:00 - 2018-02-05 22:25 - 000028272 _____ C:\windows\system32\Drivers\TrueSight.sys
2018-01-24 20:59 - 2018-01-30 19:22 - 002393088 _____ (Farbar) C:\Users\Mick\Desktop\FRST64.exe
2018-01-24 20:59 - 2018-01-24 22:12 - 000000000 ____D C:\ProgramData\RogueKiller
2018-01-24 20:59 - 2018-01-24 20:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2018-01-24 20:59 - 2018-01-24 20:59 - 000000000 ____D C:\Program Files\RogueKiller
2018-01-24 20:41 - 2018-01-24 20:41 - 000000000 ____D C:\windows\pss
2018-01-24 19:57 - 2018-01-26 12:19 - 000253880 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamswissarmy.sys
2018-01-21 12:09 - 2018-01-21 12:09 - 000000146 _____ C:\Users\Mick\Desktop\Windows Defender.lnk
2018-01-21 12:06 - 2018-01-24 05:58 - 000548000 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2018-01-21 12:02 - 2018-01-25 19:36 - 000002047 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-21 12:02 - 2018-01-21 12:02 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-21 12:02 - 2017-11-29 09:11 - 000077432 _____ C:\windows\system32\Drivers\mbae64.sys
2018-01-21 12:01 - 2018-01-21 12:01 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-21 12:01 - 2018-01-21 12:01 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-20 13:47 - 2018-01-20 13:47 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\dcuq.sys
2018-01-20 12:43 - 2018-01-20 12:43 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\daos.sys
2018-01-20 11:02 - 2018-01-20 11:02 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\weouusuw.sys
2018-01-18 18:30 - 2018-01-18 18:30 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\keuha.sys
2018-01-18 11:30 - 2017-10-04 19:21 - 000029352 _____ (Microsoft Corporation) C:\windows\SysWOW64\aspnet_counters.dll
2018-01-18 11:30 - 2017-10-04 19:21 - 000019088 _____ (Microsoft Corporation) C:\windows\SysWOW64\msvcr100_clr0400.dll
2018-01-18 11:30 - 2017-10-04 14:45 - 000030888 _____ (Microsoft Corporation) C:\windows\system32\aspnet_counters.dll
2018-01-18 11:30 - 2017-10-04 14:45 - 000019088 _____ (Microsoft Corporation) C:\windows\system32\msvcr100_clr0400.dll
2018-01-17 20:34 - 2018-01-17 20:34 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\gvbybhmp.sys
2018-01-17 20:34 - 2018-01-17 20:34 - 000002096 _____ C:\windows\system32\dswmr
2018-01-17 13:45 - 2018-01-17 13:45 - 000000000 ____D C:\Users\Mick\AppData\Roaming\17527
2018-01-17 12:15 - 2018-01-26 12:58 - 000001257 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\Users\Mick\AppData\Local\VS Revo Group
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\ProgramData\VS Revo Group
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2018-01-17 12:15 - 2018-01-17 12:15 - 000000000 ____D C:\Program Files\VS Revo Group
2018-01-17 12:15 - 2016-12-16 08:53 - 000040984 _____ (VS Revo Group) C:\windows\system32\Drivers\revoflt.sys
2018-01-16 10:41 - 2018-01-16 10:41 - 000000000 ____D C:\Users\Mick\AppData\Roaming\26973
2018-01-14 21:16 - 2018-01-14 21:16 - 000000304 _____ C:\Users\Mick\AppData\Roaming\4e93aa11-2d46-4980-a421-0a4ac759e5bf
2018-01-14 21:16 - 2018-01-14 21:16 - 000000175 _____ C:\Users\Mick\AppData\Roaming\fc19ece2-6b3f-4f22-8758-9651ab9ca388
2018-01-14 21:16 - 2018-01-14 21:16 - 000000171 _____ C:\Users\Mick\AppData\Roaming\1eb766f2-fed1-4d33-9c39-2c8a972fd11f
2018-01-12 13:09 - 2018-01-12 13:09 - 000554656 _____ C:\Users\Mick\Documents\IMG_20180112_0004.pdf
2018-01-12 12:09 - 2018-01-12 12:09 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\yaxe.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-07 07:27 - 2015-09-20 17:01 - 000000000 __SHD C:\Users\Mick\IntelGraphicsProfiles
2018-02-06 20:53 - 2016-11-18 10:56 - 000000000 ____D C:\Users\Mick\AppData\LocalLow\Mozilla
2018-02-06 20:53 - 2015-10-18 14:43 - 000000000 ____D C:\Users\Mick\AppData\Local\ClassicShell
2018-02-06 20:50 - 2013-08-23 00:36 - 000000000 ____D C:\windows\Inf
2018-02-06 20:48 - 2015-12-06 15:35 - 000004288 _____ C:\windows\System32\Tasks\Adobe Flash Player Updater
2018-02-06 20:48 - 2013-08-23 02:36 - 000000000 ____D C:\windows\SysWOW64\Macromed
2018-02-06 20:48 - 2013-08-23 02:36 - 000000000 ____D C:\windows\system32\Macromed
2018-02-06 14:04 - 2015-12-12 12:08 - 000000000 ____D C:\Users\Mick\Documents\Outlook Files
2018-02-06 14:04 - 2015-09-20 17:01 - 000000000 ____D C:\Users\Mick\AppData\Local\Packages
2018-02-05 23:11 - 2013-08-23 02:36 - 000000000 ____D C:\windows\rescache
2018-02-05 23:03 - 2015-09-20 17:07 - 000003600 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1111182159-1481868987-2492049145-1001
2018-02-05 22:10 - 2014-03-18 20:53 - 000902088 _____ C:\windows\system32\PerfStringBackup.INI
2018-02-05 15:48 - 2013-08-23 02:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-02-05 15:45 - 2015-12-08 20:11 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-02-03 11:00 - 2013-08-23 01:45 - 000000006 ____H C:\windows\Tasks\SA.DAT
2018-02-03 10:56 - 2013-08-23 02:36 - 000000000 ___RD C:\windows\ToastData
2018-02-02 15:03 - 2017-12-22 12:10 - 000000000 ____D C:\Users\Mick\AppData\Local\cshdktv
2018-02-01 20:31 - 2013-08-23 02:20 - 000000000 ____D C:\windows\CbsTemp
2018-02-01 20:13 - 2017-07-26 19:28 - 000003162 _____ C:\windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1111182159-1481868987-2492049145-1001
2018-02-01 19:59 - 2013-08-23 00:25 - 011272192 _____ C:\windows\system32\config\HARDWARE
2018-02-01 19:59 - 2013-08-23 00:25 - 000262144 ___SH C:\windows\system32\config\BBI
2018-01-31 22:59 - 2013-08-23 02:36 - 000000000 ____D C:\windows\system32\FxsTmp
2018-01-31 21:10 - 2015-09-20 16:59 - 000000000 ____D C:\Users\Mick
2018-01-31 20:55 - 2016-02-15 14:29 - 000000000 ___HD C:\ProgramData\CanonIJScan
2018-01-31 18:14 - 2017-06-30 12:58 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-01-31 18:14 - 2015-12-05 17:37 - 000001118 ____H C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-01-31 18:14 - 2015-12-05 17:37 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-31 12:43 - 2016-06-08 13:51 - 000000000 ____D C:\ProgramData\DVD Shrink
2018-01-26 13:18 - 2015-12-05 19:30 - 000000998 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-01-26 12:26 - 2015-12-05 19:30 - 000000000 ____D C:\Program Files\CCleaner
2018-01-25 19:34 - 2017-12-22 12:07 - 002884096 _____ C:\windows\system32\lshoxvesvc.exe
2018-01-24 18:21 - 2015-12-30 11:21 - 000000000 ____D C:\Users\Mick\AppData\Roaming\Vso
2018-01-23 09:39 - 2016-01-07 17:14 - 000000000 ____D C:\Users\Mick\AppData\Roaming\vlc
2018-01-22 11:48 - 2016-01-07 17:14 - 000000000 ____D C:\Users\Mick\AppData\Roaming\dvdcss
2018-01-22 11:44 - 2015-12-30 12:53 - 000001057 _____ C:\Users\Mick\AppData\Roaming\vso_ts_preview.xml
2018-01-21 12:26 - 2015-09-20 17:02 - 000001061 ____H C:\Users\Mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-21 11:13 - 2015-12-05 19:06 - 000000000 ____D C:\Users\Mick\Documents\Camera
2018-01-20 19:05 - 2015-12-30 10:36 - 000000000 ____D C:\Users\Mick\Documents\DVDFab9
2018-01-20 13:47 - 2013-08-23 02:36 - 000000000 ____D C:\windows\Globalization
2018-01-20 12:43 - 2013-08-23 02:36 - 000000000 ____D C:\windows\Help
2018-01-17 12:35 - 2017-03-08 13:35 - 000000000 ____D C:\Users\Mick\Documents\DVDFab Passkey
2018-01-17 12:35 - 2016-02-08 16:41 - 000000000 ___RD C:\Users\Mick\Documents\Scanned Documents
2018-01-17 12:35 - 2015-12-05 19:46 - 000000000 ____D C:\Users\Mick\Documents\PHOTOS
2018-01-17 12:35 - 2015-12-05 19:08 - 000000000 ____D C:\Users\Mick\Documents\LOGIES bleep
2018-01-17 12:35 - 2015-12-05 19:07 - 000000000 ____D C:\Users\Mick\Documents\emails from desktop
2018-01-15 13:50 - 2017-12-22 13:13 - 000000000 ____D C:\Program Files (x86)\Your Uninstaller! 7
2018-01-15 13:49 - 2017-01-07 13:22 - 000000000 ____D C:\Program Files (x86)\Anvsoft
2018-01-15 13:01 - 2017-12-22 15:48 - 000000000 ____D C:\windows\Minidump
2018-01-15 13:01 - 2015-03-16 13:47 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2018-01-12 12:09 - 2013-08-23 02:36 - 000000000 ___HD C:\windows\ELAMBKUP
2018-01-12 10:10 - 2017-12-22 12:17 - 000000000 ____D C:\Users\Mick\AppData\Local\cwrxoit
2018-01-10 14:30 - 2015-10-18 16:26 - 000000000 ____D C:\windows\system32\MRT
2018-01-10 14:26 - 2017-10-12 21:26 - 129365736 ____C (Microsoft Corporation) C:\windows\system32\MRT-KB890830.exe
2018-01-10 14:25 - 2015-10-18 16:26 - 129365736 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe

==================== Files in the root of some directories =======

2018-01-14 21:16 - 2018-01-14 21:16 - 000000171 _____ () C:\Users\Mick\AppData\Roaming\1eb766f2-fed1-4d33-9c39-2c8a972fd11f
2018-01-14 21:16 - 2018-01-14 21:16 - 000000304 _____ () C:\Users\Mick\AppData\Roaming\4e93aa11-2d46-4980-a421-0a4ac759e5bf
2018-01-14 21:16 - 2018-01-14 21:16 - 000000175 _____ () C:\Users\Mick\AppData\Roaming\fc19ece2-6b3f-4f22-8758-9651ab9ca388
2015-12-30 11:21 - 2015-12-30 12:54 - 000099384 _____ () C:\Users\Mick\AppData\Roaming\inst.exe
2015-12-30 11:21 - 2015-12-30 12:54 - 000007859 _____ () C:\Users\Mick\AppData\Roaming\pcouffin.cat
2015-12-30 11:21 - 2015-12-30 12:54 - 000001167 _____ () C:\Users\Mick\AppData\Roaming\pcouffin.inf
2015-12-30 11:21 - 2015-12-30 12:54 - 000000055 _____ () C:\Users\Mick\AppData\Roaming\pcouffin.log
2015-12-30 11:21 - 2015-12-30 12:54 - 000082816 _____ (VSO Software) C:\Users\Mick\AppData\Roaming\pcouffin.sys
2015-12-30 12:53 - 2018-01-22 11:44 - 000001057 _____ () C:\Users\Mick\AppData\Roaming\vso_ts_preview.xml
2017-12-22 12:11 - 2017-12-22 12:11 - 000140800 _____ () C:\Users\Mick\AppData\Local\installer.dat

Some files in TEMP:
====================
2018-01-26 12:28 - 2018-01-26 12:28 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\230C.tmp.exe
2018-01-26 12:18 - 2018-01-26 12:18 - 011205832 _____ (Piriform Ltd) C:\Users\Mick\AppData\Local\Temp\288.tmp.exe
2018-01-26 12:36 - 2018-01-26 12:36 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\2D2C.tmp.exe
2018-01-26 12:36 - 2018-01-26 12:36 - 000983168 _____ (Bleeping Computer, LLC) C:\Users\Mick\AppData\Local\Temp\2D2C.tmp64.exe
2018-01-25 19:26 - 2018-01-25 19:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\4AA6.tmp.exe
2018-01-26 12:21 - 2018-01-26 12:21 - 011205832 _____ (Piriform Ltd) C:\Users\Mick\AppData\Local\Temp\58E4.tmp.exe
2018-01-25 19:25 - 2018-01-25 19:25 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\6680.tmp.exe
2018-01-26 14:06 - 2018-01-26 14:06 - 003133480 _____ (Crystal Rich Ltd                                            ) C:\Users\Mick\AppData\Local\Temp\7050.tmp.exe
2018-01-30 19:21 - 2018-01-30 19:21 - 002393088 _____ (Farbar) C:\Users\Mick\AppData\Local\Temp\765F.tmp.exe
2018-01-25 19:26 - 2018-01-25 19:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\99F4.tmp.exe
2018-01-25 19:15 - 2018-01-25 19:15 - 008206624 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\9B2B.tmp.exe
2018-01-30 19:21 - 2018-01-30 19:22 - 002393088 _____ (Farbar) C:\Users\Mick\AppData\Local\Temp\D9CD.tmp.exe
2018-01-26 12:42 - 2018-01-02 17:37 - 001737600 _____ (Microsoft Corporation) C:\Users\Mick\AppData\Local\Temp\dllnt_dump.dll
2018-01-25 19:26 - 2018-01-25 19:26 - 001790024 _____ (Malwarebytes) C:\Users\Mick\AppData\Local\Temp\E758.tmp.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-02-02 23:49

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Mick (07-02-2018 07:34:09)
Running from C:\Users\Mick\Desktop
Windows 8.1 (Update) (X64) (2015-09-20 06:00:48)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1111182159-1481868987-2492049145-500 - Administrator - Disabled)
Guest (S-1-5-21-1111182159-1481868987-2492049145-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1111182159-1481868987-2492049145-1003 - Limited - Enabled)
Mick (S-1-5-21-1111182159-1481868987-2492049145-1001 - Administrator - Enabled) => C:\Users\Mick

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Alcor Micro USB Card Reader Driver  (HKLM-x32\...\{7F28165B-148D-4672-AA21-469D9E6E3CB6}) (Version: 20.21.3317.03861 - Alcor Micro Corp.) Hidden
Alcor Micro USB Card Reader Driver  (HKLM-x32\...\AmUStor) (Version: 20.21.3317.03861 - Alcor Micro Corp.)
Apple Application Support (32-bit) (HKLM-x32\...\{9BA1A894-B42F-4805-BC8C-349C905A3930}) (Version: 5.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{7EAC8A42-9FAC-4F6B-AABF-C08C9F2E0F13}) (Version: 5.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
BlackVue HD (HKLM-x32\...\BlackVueHD) (Version:  - )
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version: 1.5.4.4 - Canon Inc.)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.7.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.20.13 - Canon Inc.)
Canon MG7700 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG7700_series) (Version: 1.00 - Canon Inc.)
Canon MG7700 series On-screen Manual (HKLM-x32\...\Canon MG7700 series On-screen Manual) (Version: 7.8.0 - Canon Inc.)
Canon MP Navigator EX 3.0 (HKLM-x32\...\MP Navigator EX 3.0) (Version:  - )
Canon MP Navigator EX 5.1 (HKLM-x32\...\MP Navigator EX 5.1) (Version:  - )
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 3.5.1 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 3.5.0 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.39 - Piriform)
CD-LabelPrint (HKLM-x32\...\MediaNavigation.CDLabelPrint) (Version:  - )
Classic Shell (HKLM\...\{E289B7DD-6732-4333-A47A-75A145D23EE3}) (Version: 4.2.4 - IvoSoft)
ConvertXtoDVD 4.1.4.338 (HKLM-x32\...\{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1) (Version: 4.1.4.338 - )
Corel PaintShop Pro X8 (HKLM-x32\...\_{85C69B9B-F9BD-4A60-BD83-F2B7E081ED39}) (Version: 18.0.0.124 - Corel Corporation)
Corel PaintShop Pro X8 (HKLM-x32\...\{8239357B-E792-4EEB-9F8B-F2535730A315}) (Version: 18.0.0.124 - Corel Corporation) Hidden
DVD Shrink 3.2 (HKLM-x32\...\DVD Shrink_is1) (Version:  - DVD Shrink)
FileASSASSIN (HKLM-x32\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Hewlett-Packard ACLM.NET v1.2.2.3 (HKLM-x32\...\{6F340107-F9AA-47C6-B54C-C3A19F11553F}) (Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7745.4851 - Hewlett-Packard)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 13.00.0000 - Hewlett-Packard)
ICA (HKLM-x32\...\{85C69B9B-F9BD-4A60-BD83-F2B7E081ED39}) (Version: 18.0.0.124 - Corel Corporation) Hidden
iCloud (HKLM\...\{0493048C-CB1A-44B7-8BB3-8467AF7BA9E4}) (Version: 6.1.2.13 - Apple Inc.)
Intel® Chipset Device Software (HKLM-x32\...\{d370215a-d003-43ae-a3b6-1028af64d5a1}) (Version: 10.0.20 - Intel® Corporation) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3993 - Intel Corporation)
Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)
IPM_PSP_COM (HKLM-x32\...\{80A28CA4-189A-4EB2-9F76-7845A0A83D2A}) (Version: 18.0.0.124 - Corel Corporation) Hidden
iTunes (HKLM\...\{81C96689-EA5B-4B7D-A04F-16326EC51BC2}) (Version: 12.5.4.42 - Apple Inc.)
Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
LightScribe  1.4.136.1 (HKLM-x32\...\{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}) (Version: 1.4.136.1 - hxxp://www.lightscribe.com) Hidden
LockHunter 3.2, 32/64 bit (HKLM\...\LockHunter_is1) (Version:  - Crystal Rich Ltd)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.9001.2138 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\OneDriveSetup.exe) (Version: 17.3.7294.0108 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 58.0.1 (x64 en-US) (HKLM\...\Mozilla Firefox 58.0.1 (x64 en-US)) (Version: 58.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 58.0.1.6602 - Mozilla)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 7 Essentials (HKLM-x32\...\{B28B351F-1232-46EA-85EF-B8EA91641033}) (Version: 7.02.5017 - Nero AG)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.9001.2138 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.9001.2138 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.9001.2138 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.9001.2138 - Microsoft Corporation) Hidden
OLYMPUS Master 2 (HKLM-x32\...\{3A1AB8E6-748E-4B95-AA2D-FE9952EB3106}) (Version: 1.0.13 - OLYMPUS IMAGING CORP.)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
PSPPContent (HKLM-x32\...\{89E018D8-558F-4051-BB26-64DD9B90DF68}) (Version: 18.0.0.124 - Corel Corporation) Hidden
PSPPHelp (HKLM-x32\...\{88340123-2A5C-48D4-98C1-58C18D12F09C}) (Version: 18.0.0.124 - Corel Corporation) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7443 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.0.0.37 - REALTEK Semiconductor Corp.)
Revo Uninstaller Pro 3.1.8 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.8 - VS Revo Group, Ltd.)
RogueKiller version 12.12.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.12.1.0 - Adlice Software)
Setup (HKLM-x32\...\{8BFA76B5-47DD-4C88-9C9B-7407019F0E13}) (Version: 18.0.0.124 - Corel Corporation) Hidden
TomTom MyDrive Connect 4.1.6.3253 (HKLM-x32\...\MyDriveConnect) (Version: 4.1.6.3253 - TomTom)
USB Programmable remote control (HKLM-x32\...\USB Programmable remote control) (Version:  - )
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (11/28/2013 2.0.0018.00000) (HKLM\...\724A5661585DAD3C707B84BACF43F64B5E070CE5) (Version: 11/28/2013 2.0.0018.00000 - Google, Inc.)
WinRAR 5.30 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.30.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\windows\system32\igfxEM.exe (Intel Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
ContextMenuHandlers1: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers1: [PhotoStreamsExt] -> [CC]{89D984B3-813B-406A-8298-118AFA3A22AE} =>  -> No File
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-11-18] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2015-11-18] (Alexander Roshal)
ContextMenuHandlers2: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers3-x32: [FAExt] -> {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} => C:\Program Files (x86)\FileASSASSIN\FileASSASSINExt.dll [2007-03-31] (Malwarebytes)
ContextMenuHandlers3-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\windows\system32\igfxDTCM.dll [2014-12-03] (Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [RUShellExt] -> {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} => C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [2016-12-15] (VS Revo Group)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\windows\system32\StartMenuHelper64.dll [2015-08-09] (IvoSoft)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-11-18] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2015-11-18] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {00B7CD01-1D06-476B-B3C4-B6CFB9A34498} - System32\Tasks\Intel® Iditt TR ( Appointme) => C:\windows\system32\rundll32.exe "C:\Program Files\Intel® Iditt TR ( Appointme)\Intel® Iditt TR ( Appointme).dll",mOaEUQz
Task: {06498AF1-205F-4386-AC0A-9BB794E4D503} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)
Task: {0928850D-E2BC-4923-AB3C-BCF232EC8C70} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {09E0BB3A-36A6-4789-9FA7-9B93C22B1EB0} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-02-06] (Adobe Systems Incorporated)
Task: {0A15ADCE-1AB1-4E3A-AF23-09F5B1DE6CEF} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-01-30] (Microsoft Corporation)
Task: {27010054-B35D-451B-AD1D-B33551817BB2} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-01-30] (Microsoft Corporation)
Task: {560E38F3-4FF6-48E5-8E69-0B2EBB464B23} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)
Task: {7CC372F9-CBFF-4D9A-8981-451E791A18BF} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-01-10] (Piriform Ltd)
Task: {8606F6E0-E3BA-49BD-95F0-6DA113CCC545} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)
Task: {897AEA46-C2F2-463D-9830-3261C5EB3CAA} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-02-05] (Microsoft Corporation)
Task: {97F1E15C-673F-442B-B089-B12B756A4C75} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {9B74F0A7-3662-45F5-B341-485C4BA892A5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {A1B70161-7317-45AA-8DC9-C65D31F9A5A6} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-02-05] (Microsoft Corporation)
Task: {A6218664-F47F-45BB-849D-D268276E5846} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {C39113E0-1CD0-4FC0-BAF4-943EA87A87F2} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2018-02-05] (Microsoft Corporation)
Task: {CC18A0E6-B0B0-4B8B-9DFE-896517CC46F6} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {DCD7F36F-9481-48DF-A8E4-CA3F605AA115} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2018-02-05] (Microsoft Corporation)
Task: {E7CFA66B-6214-49C5-8981-D51C63C14450} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\Program Files\Windows Defender\\MpCmdRun.exe [2017-01-13] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\CCleaner Update.job => C:\Program Files\CCleaner\CCUpdate.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2016-10-05 18:17 - 2016-10-05 18:17 - 000092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-01-13 13:56 - 2017-01-13 13:56 - 001353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2018-01-21 12:02 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-07-15 12:39 - 2018-02-05 15:39 - 008932016 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:1CE11B51 [106]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7867 more sites.

IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\123simsen.com -> www.123simsen.com

There are 7867 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-23 00:25 - 2015-12-12 15:40 - 000450831 ____R C:\windows\system32\Drivers\etc\hosts

127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com
127.0.0.1    123moviedownload.com
127.0.0.1    www.123moviedownload.com

There are 15467 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\Control Panel\Desktop\\Wallpaper -> J:\Judys Folder\Photos\pets\DSC00371.JPG
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run32: => "OM2_Monitor"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\StartupApproved\Run: => "OM2_Monitor"
HKU\S-1-5-21-1111182159-1481868987-2492049145-1001\...\StartupApproved\Run: => "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{3E3D692A-F462-4950-A93A-1D26ED1CE748}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{6CF67341-45C4-403D-A24C-B209BDDE328F}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{D52B39B6-7A1B-4887-905C-BE7DE72F7245}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{59E4B02C-E3F0-44FE-BC88-3FB5C6B25BB3}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{2023DEC5-3B0E-416D-8CF4-4C968A6E4AD4}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe

==================== Restore Points =========================

01-02-2018 20:19:02 Windows Update
03-02-2018 00:16:35 Windows Defender Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/05/2018 04:48:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_stisvc, version: 6.3.9600.17415, time stamp: 0x54504177
Faulting module name: ntdll.dll, version: 6.3.9600.18895, time stamp: 0x5a4b1b67
Exception code: 0xc0000008
Fault offset: 0x000000000009269a
Faulting process id: 0x75c
Faulting application start time: 0x01d39c82144f1b13
Faulting application path: C:\windows\system32\svchost.exe
Faulting module path: C:\windows\SYSTEM32\ntdll.dll
Report Id: 2065bd59-0a38-11e8-84c9-8cdcd4555fce
Faulting package full name:
Faulting package-relative application ID:

Error: (01/26/2018 01:46:14 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"  /forcedfolder "C:\Users\Mick\AppData\Local\cshdktv"; Description = Revo Uninstaller Pro's restore point - cshdktv; Error = 0x8007043c).

Error: (01/26/2018 04:19:24 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\Windows Defender\MsMpEng.exe Files\Windows Defender\MsMpEng.exe"; Description = Windows Defender Checkpoint; Error = 0x8007043c).

Error: (01/25/2018 07:27:03 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Mick\AppData\Local\Temp\jrt\CreateRestorePoint.exe  "JRT Pre-Junkware Removal"; Description = JRT Pre-Junkware Removal; Error = 0x8007043c).

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "select * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'" could not be reactivated in namespace "//./root" because of error 0x80041033. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __NamespaceOperationEvent" whose target class "__NamespaceOperationEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __ClassOperationEvent" whose target class "__ClassOperationEvent" in //./root namespace does not exist. The query will be ignored.

Error: (01/24/2018 07:39:46 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/subscription namespace does not exist. The query will be ignored.


System errors:
=============
Error: (02/06/2018 02:06:50 AM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.

Error: (02/06/2018 02:06:20 AM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.

Error: (02/05/2018 11:04:41 PM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.

Error: (02/05/2018 11:04:11 PM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.

Error: (02/05/2018 10:10:01 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Image Acquisition (WIA) service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/05/2018 03:17:18 PM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.

Error: (02/05/2018 03:16:48 PM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.

Error: (02/03/2018 04:12:04 AM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.

Error: (02/03/2018 04:11:33 AM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.

Error: (02/03/2018 12:25:31 AM) (Source: DCOM) (EventID: 10010) (User: Mick)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.


CodeIntegrity:
===================================
  Date: 2018-01-20 18:51:32.146
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2018-01-20 18:21:29.524
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2018-01-20 18:19:28.616
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2018-01-20 18:11:50.197
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Celeron® CPU J1800 @ 2.41GHz
Percentage of memory in use: 47%
Total physical RAM: 3976.88 MB
Available physical RAM: 2103.27 MB
Total Virtual: 4680.88 MB
Available Virtual: 2947.31 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:512.79 GB) (Free:381.91 GB) NTFS
Drive d: (Recovery Image) (Fixed) (Total:17.25 GB) (Free:2.17 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive j: (Judys Drive) (Fixed) (Total:400 GB) (Free:359.36 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 0B8AC212)

Partition: GPT.

==================== End of Addition.txt ============================



#12 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:01:12 PM

Posted 07 February 2018 - 08:56 AM

Almost done!

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply
How's your system behaving? Are there any other issues to address?

Attached Files

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 heathconn

  • Topic Starter
  • Members
  • 9 posts
  • Local time:06:12 AM

Posted 09 February 2018 - 03:47 AM

Fix completed.

FRST appears to be a pretty powerful tool.

The suspicious folders have successfully been removed.

I noticed the fixlog stated the folders have been "moved" and not deleted.

Why is this and where did they go?

Results attached below.

Fix result of Farbar Recovery Scan Tool (x64) Version: 08.02.2018
Ran by Mick (09-02-2018 19:01:32) Run:4
Running from C:\Users\Mick\Desktop
Loaded Profiles: Mick (Available Profiles: Mick)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

GroupPolicy: Restriction - Windows Defender <==== ATTENTION

S4 pkjrfb; C:\windows\System32\drivers\gvbybhmp.sys [79064 2018-01-17] (Malwarebytes)
S4 sasgs; C:\windows\System32\drivers\weouusuw.sys [79064 2018-01-20] (Malwarebytes)
S4 unpariv; C:\windows\System32\drivers\dcuq.sys [79064 2018-01-20] (Malwarebytes)
S4 ylefg; C:\windows\System32\drivers\daos.sys [79064 2018-01-20] (Malwarebytes)
S4 ymnfffx; C:\windows\System32\drivers\keuha.sys [79064 2018-01-18] (Malwarebytes)
S4 ypdl; C:\windows\System32\drivers\yaxe.sys [79064 2018-01-12] (Malwarebytes)
S3 intaud_WaveExtensible; \SystemRoot\system32\drivers\intelaud.sys [X]
S3 iwdbus; \SystemRoot\System32\drivers\iwdbus.sys [X]
U4 orwgdx; system32\drivers\dskhhloo.sys [X]

AlternateDataStreams: C:\ProgramData\Temp:1CE11B51 [106]

C:\Users\Mick\AppData\Local\cshdktv
C:\Users\Mick\AppData\Local\igfxmtc
C:\Users\Mick\AppData\Local\msrtzdb
C:\Users\Mick\AppData\Local\cwrxoit
C:\Users\Mick\AppData\Local\installer.dat
C:\Users\Mick\AppData\Roaming\17527
C:\Users\Mick\AppData\Roaming\26973
C:\Users\Mick\AppData\Roaming\4e93aa11-2d46-4980-a421-0a4ac759e5bf
C:\Users\Mick\AppData\Roaming\fc19ece2-6b3f-4f22-8758-9651ab9ca388
C:\Users\Mick\AppData\Roaming\1eb766f2-fed1-4d33-9c39-2c8a972fd11f
C:\windows\system32\dswmr
C:\windows\system32\pcixsoh
C:\windows\system32\spidbkzsvc.exe
C:\windows\system32\lshoxvesvc.exe
2018-01-20 13:47 - 2018-01-20 13:47 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\dcuq.sys
2018-01-20 12:43 - 2018-01-20 12:43 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\daos.sys
2018-01-20 11:02 - 2018-01-20 11:02 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\weouusuw.sys
2018-01-18 18:30 - 2018-01-18 18:30 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\keuha.sys
2018-01-17 20:34 - 2018-01-17 20:34 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\gvbybhmp.sys
2018-01-12 12:09 - 2018-01-12 12:09 - 000079064 _____ (Malwarebytes) C:\windows\system32\Drivers\yaxe.sys
C:\windows\SysWOW64\pcixsoh

EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
C:\windows\system32\GroupPolicy\Machine => moved successfully
C:\windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\System\CurrentControlSet\Services\pkjrfb" => removed successfully
pkjrfb => service removed successfully
"HKLM\System\CurrentControlSet\Services\sasgs" => removed successfully
sasgs => service removed successfully
"HKLM\System\CurrentControlSet\Services\unpariv" => removed successfully
unpariv => service removed successfully
"HKLM\System\CurrentControlSet\Services\ylefg" => removed successfully
ylefg => service removed successfully
"HKLM\System\CurrentControlSet\Services\ymnfffx" => removed successfully
ymnfffx => service removed successfully
"HKLM\System\CurrentControlSet\Services\ypdl" => removed successfully
ypdl => service removed successfully
"HKLM\System\CurrentControlSet\Services\intaud_WaveExtensible" => removed successfully
intaud_WaveExtensible => service removed successfully
"HKLM\System\CurrentControlSet\Services\iwdbus" => removed successfully
iwdbus => service removed successfully
"HKLM\System\CurrentControlSet\Services\orwgdx" => removed successfully
orwgdx => service removed successfully
C:\ProgramData\Temp => ":1CE11B51" ADS removed successfully
C:\Users\Mick\AppData\Local\cshdktv => moved successfully
C:\Users\Mick\AppData\Local\igfxmtc => moved successfully
C:\Users\Mick\AppData\Local\msrtzdb => moved successfully
C:\Users\Mick\AppData\Local\cwrxoit => moved successfully
C:\Users\Mick\AppData\Local\installer.dat => moved successfully
C:\Users\Mick\AppData\Roaming\17527 => moved successfully
C:\Users\Mick\AppData\Roaming\26973 => moved successfully
C:\Users\Mick\AppData\Roaming\4e93aa11-2d46-4980-a421-0a4ac759e5bf => moved successfully
C:\Users\Mick\AppData\Roaming\fc19ece2-6b3f-4f22-8758-9651ab9ca388 => moved successfully
C:\Users\Mick\AppData\Roaming\1eb766f2-fed1-4d33-9c39-2c8a972fd11f => moved successfully
C:\windows\system32\dswmr => moved successfully
C:\windows\system32\pcixsoh => moved successfully
C:\windows\system32\spidbkzsvc.exe => moved successfully
C:\windows\system32\lshoxvesvc.exe => moved successfully
C:\windows\system32\Drivers\dcuq.sys => moved successfully
C:\windows\system32\Drivers\daos.sys => moved successfully
C:\windows\system32\Drivers\weouusuw.sys => moved successfully
C:\windows\system32\Drivers\keuha.sys => moved successfully
C:\windows\system32\Drivers\gvbybhmp.sys => moved successfully
C:\windows\system32\Drivers\yaxe.sys => moved successfully
C:\windows\SysWOW64\pcixsoh => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 53007602 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 4802860 B
Edge => 0 B
Chrome => 0 B
Firefox => 98889428 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 1035467 B
systemprofile32 => 42425766 B
LocalService => 0 B
NetworkService => 13176 B
Mick => 96703500 B

RecycleBin => 6961 B
EmptyTemp: => 291.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:03:33 ====



#14 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:01:12 PM

Posted 09 February 2018 - 08:19 AM

The folders have been moved in FRST's quarantine. Everything moved there is harmless, and will be deleted once we run DelFix. And yes, FRST is pretty powerful indeed ;)

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

BWuhenj.pngDelFix
Follow the instructions below to download and execute DelFix.
  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options :
    • Activate UAC;
    • Remove disinfection tools;
    • Create registry backup;
    • Purge system restore;
    • Reset system settings;
  • Once all the options mentionned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply;
Tips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it, which makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates", on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits, which are one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like Secunia PSI and Heimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Antivirus, Antimalware, Firewall and Anti-Exploit/Ransomware

Having a decent security setup (led by an Antivirus) is the most crucial step to protect a system. These programs are a layer of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Ideally, you should have on your system one Antivirus (never more than one installed at the time), one Antimalware (you can install multiple of these, assuming they do not conflict with each other and the other security programs installed), one Firewall and if you wish, one Anti-Exploit and/or Anti-Ransomware (since Ransomware are currently the most dangerous threat around and it can hit anywhere). Here are a few programs worth checking out if you don't have one yet.

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Antivirus

Antimalware

Firewall
Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.
  • GlassWire - Has both a free and paid version (with different packages);
  • Windows Firewall Control - Gives you more control over your Windows Firewall;
  • TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it;
Anti-Exploit/Anti-Ransomware

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits.

Hardening your web browser means installing extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc., but also you at the same time. Here are a few extensions that I recommend you install.
  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome and Mozilla Firefox, called uBlock on Opera);
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera);
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browser);
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers);
  • uMatrix: For advanced users, a point-and-click matrix-like extension that allows you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera);
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser);
As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:

As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far fewer chances of getting infected by malware. If for example you're not sure whether a website is legitimate or not, or whether a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security, to improve your current computer protection setup but also improve your good web browsing and computer usage practices:

The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back to this section to get another checkup with one of our trained malware removal members.

Do you have any questions before I close this thread? :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
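An added example, not part of this thread and not code from Aura or from any of the tools named above: a read-only PowerShell audit that checks the points in the recommendations above on the machine itself (Windows Update mode and recent installs, firewall profiles, UAC, the registered antivirus and its state, and whether the plugins singled out as exploit-kit targets are still installed). It assumes the documented AUOptions registry locations, the Security Center productState bit convention (undocumented; noted in the code) and a 45-day "recently updated" window, all of which are this example's own choices. Run it from an elevated PowerShell prompt on Windows 8.1 or later; it changes nothing.

```powershell
# Post-clean-up hardening audit for Windows 8.1/10 (added example; not from this thread,
# from Aura, or from any tool named above). Read-only: it reports, it changes nothing.
# Needs an elevated prompt and PowerShell 4+ (Get-NetFirewallProfile ships with Windows 8+).

function Get-AutoUpdateSetting {
    # A Group Policy value overrides the per-machine default, so it is checked first.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    )
    $au = $null
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name AUOptions -ErrorAction SilentlyContinue
        if ($item -and $null -ne $item.AUOptions) { $au = [int]$item.AUOptions; break }
    }
    # Documented AUOptions values: 1 disabled, 2 notify before download,
    # 3 download then notify before install, 4 download and install automatically.
    $meaning = switch ($au) {
        1 { 'Disabled' }
        2 { 'Notify before download' }
        3 { 'Download, notify before install' }
        4 { 'Automatic install' }
        5 { 'Automatic, local admin may change' }
        default { 'Not set in registry; verify in Control Panel' }
    }
    [pscustomobject]@{ Check = 'Windows Update mode'; Value = $meaning; OK = ($au -eq 4) }
}

function Get-RecentHotfixCount {
    # Get-HotFix reads Win32_QuickFixEngineering. The 45-day window is this example's
    # own threshold: nothing installed in that time means a missed Patch Tuesday.
    $cutoff = (Get-Date).AddDays(-45)
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $cutoff })
    [pscustomobject]@{ Check = 'Updates installed in the last 45 days'; Value = $recent.Count; OK = ($recent.Count -gt 0) }
}

function Get-FirewallProfileState {
    # One row per profile (Domain, Private, Public); all three should be enabled.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Check = "Firewall profile '$($_.Name)' enabled"; Value = "$($_.Enabled)"; OK = ("$($_.Enabled)" -eq 'True') }
    }
}

function Get-UacState {
    # EnableLUA = 1 means UAC is on (the setting DelFix's "Activate UAC" option restores).
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{ Check = 'UAC enabled (EnableLUA)'; Value = $sys.EnableLUA; OK = ($sys.EnableLUA -eq 1) }
}

function Get-RegisteredAntivirus {
    # Security Center (client Windows only) lists every registered AV product.
    $products = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    foreach ($p in $products) {
        # productState bit layout is undocumented but widely relied on (assumption):
        # 0x1000 set = real-time protection on, 0x10 set = definitions out of date.
        $state   = [int]$p.productState
        $enabled = ($state -band 0x1000) -ne 0
        $stale   = ($state -band 0x10) -ne 0
        [pscustomobject]@{ Check = "Antivirus: $($p.displayName)"; Value = "enabled=$enabled outdated=$stale"; OK = ($enabled -and -not $stale) }
    }
    # More than one registered AV is the "never more than one at a time" case above.
    [pscustomobject]@{ Check = 'Registered antivirus products'; Value = $products.Count; OK = ($products.Count -eq 1) }
}

function Get-RiskyPlugins {
    # The programs the advice names as exploit-kit targets; any hit is worth a look.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Flash Player|Shockwave|^Java \d|Silverlight' } |
        ForEach-Object {
            [pscustomobject]@{ Check = "Plugin installed: $($_.DisplayName)"; Value = $_.DisplayVersion; OK = $false }
        }
}

$report = @()
$report += Get-AutoUpdateSetting
$report += Get-RecentHotfixCount
$report += Get-FirewallProfileState
$report += Get-UacState
$report += Get-RegisteredAntivirus
$report += Get-RiskyPlugins
$report | Format-Table -Property Check, Value, OK -AutoSize
```

Every row with OK = False is something to act on: an update mode other than automatic, a disabled firewall profile, UAC off, an antivirus whose real-time protection is off or whose definitions are stale, a second antivirus, or a Flash/Shockwave/Java/Silverlight install that should be updated or removed. A "Not set in registry" result for Windows Update is not necessarily wrong (the default on 8.1 is automatic), which is why the script asks you to confirm it in Control Panel rather than guessing.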


#15 heathconn

heathconn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 10 February 2018 - 02:22 AM

Thank you for your great help Aura.

Most of the programs you mentioned should be fine to work alongside each other, yes?

I will have a good look and see what works for me.

Great advice!

Log attached as requested..

# DelFix v1.013 - Logfile created 10/02/2018 at 18:06:04
# Updated 17/04/2016 by Xplode
# Username : Mick - MICK
# Operating System : Windows 8.1  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Mick\Desktop\FRST-OlderVersion
Deleted : C:\TDSSKiller.3.1.0.15_25.01.2018_18.52.48_log.txt
Deleted : C:\Users\Mick\Desktop\Addition.txt
Deleted : C:\Users\Mick\Desktop\AdwCleaner.exe
Deleted : C:\Users\Mick\Desktop\AdwCleaner[S1].txt
Deleted : C:\Users\Mick\Desktop\Fixlog.txt
Deleted : C:\Users\Mick\Desktop\FRST.txt
Deleted : C:\Users\Mick\Desktop\FRST64.exe
Deleted : C:\Users\Mick\Desktop\RogueKiller_portable64.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #184 [Windows Update | 02/01/2018 09:19:02]
Deleted : RP #186 [Windows Defender Checkpoint | 02/02/2018 13:16:35]
Deleted : RP #188 [Restore Point Created by FRST | 02/09/2018 08:01:37]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########