Unable to delete folder and file hiding Trojan:win32/tiggre!rfn
7 replies to this topic

#1 edwindes
Posted 21 March 2018 - 02:14 PM

I am on a Windows 7 desktop.

I have a folder, and files within it, that are hidden from view, and files/processes that run on my computer that I cannot kill or delete using the Windows task bar. The processes are pckwldu.exe and zasmphe.exe. The process zasmphe uses network resources.

The folder and files cannot be deleted either, even in safe mode.

Trying to change the attributes of the folder and files using the CMD window in administrator mode with "attrib *.* -h -s /s /d /l" on the folder/files in question returns an "Access Denied" prompt.

Trying to change the ownership of the folder does not work either. The "owner" is currently unknown.

I currently have Microsoft Essentials running. It detects the Trojan but is not able to delete it. I have also run HitmanPro with similar results, i.e. it flags the folder and files but cannot delete them on reboot.

What follows are the results of running FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018

Ran by Edwin (administrator) on EDWIN-PC (21-03-2018 12:54:42)
Running from C:\Users\Edwin\Downloads\FRST
Loaded Profiles: Edwin (Available Profiles: Edwin & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\csdxungsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe
(Cirque Corporation) C:\Program Files\GlidePoint\glidesvc.exe
(Cirque Corporation) C:\Program Files\GlidePoint\glidesvc.exe
() C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
() C:\Users\Edwin\AppData\Local\pckwldu\pckwldu.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Users\Edwin\AppData\Local\pckwldu\zasmphe.exe
() C:\Users\Edwin\AppData\Local\pckwldu\zasmphe.exe
() C:\Users\Edwin\AppData\Local\pckwldu\zasmphe.exe
() C:\Users\Edwin\AppData\Local\pckwldu\zasmphe.exe
() C:\Users\Edwin\AppData\Local\pckwldu\zasmphe.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587800 2017-12-19] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\MountPoints2: {680946c6-4083-11e5-bfca-806e6f6e6963} - D:\setup.EXE /AUTORUN
HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\MountPoints2: {9a2d5e34-450b-11e6-84ea-c860006ac5b7} - J:\setup.exe -a
HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\MountPoints2: {e3eafb8e-4074-11e5-9aa4-806e6f6e6963} - D:\SETUP.EXE
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> 
Startup: C:\Users\Edwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mouse - Shortcut.lnk [2015-09-10]
ShortcutTarget: Mouse - Shortcut.lnk ->  (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{111FEFDB-2742-417F-83A5-527C915164B4}: [DhcpNameServer] 10.126.0.1
Tcpip\..\Interfaces\{7DCAABAE-C185-4937-B33F-3EA438E598E8}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{C6B20517-F717-458D-861B-B75DEE050BE8}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{F0053169-BC32-42D2-B2BE-F7536A042F19}: [DhcpNameServer] 192.168.42.129
 
Internet Explorer:
==================
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: No Name -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> No File
BHO-x32: No Name -> {43D9786F-A485-683B-9B5B-ACC97ABC17FC} -> No File
BHO-x32: No Name -> {451C804F-C205-4F03-B48E-537EC94937BF} -> No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
DPF: HKLM-x32 {55A2C0CD-3DE8-4264-9637-A0B40B05714E} hxxps://col430-sec.mail.live.com/mail/MailMigrationCabFileHolder.aspx?n=522798928
Handler: WSIEChrome - {6D02ED5F-FD0D-4C4C -  No File
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
 
FireFox:
========
FF DefaultProfile: cbvwez85.default-1520288222350
FF ProfilePath: C:\Users\Edwin\AppData\Roaming\Mozilla\Firefox\Profiles\cbvwez85.default-1520288222350 [2018-03-21]
FF Extension: (Name) - C:\Users\Edwin\AppData\Roaming\Mozilla\Firefox\Profiles\cbvwez85.default-1520288222350\Extensions\firefox@ghostery.com.xpi [2018-03-09]
FF Extension: (AdBlock) - C:\Users\Edwin\AppData\Roaming\Mozilla\Firefox\Profiles\cbvwez85.default-1520288222350\Extensions\jid1-NIfFY2CA8fy1tg@jetpack.xpi [2018-03-09]
FF HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\Firefox\Extensions: [mozilla_cc3@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc3.xpi
FF Extension: (IDM Integration Module) - C:\Program Files (x86)\Internet Download Manager\idmmzcc3.xpi [2018-02-28]
FF HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Edwin\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\Edwin\AppData\Roaming\IDM\idmmzcc5 [2018-03-09] [Legacy] [not signed]
FF HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2017-12-20] [Legacy]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_27_0_0_130.dll [2017-09-25] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_130.dll [2017-09-25] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.161.2 -> C:\Program Files (x86)\Java\jre1.8.0_161\bin\dtplugin\npDeployJava1.dll [2018-03-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.161.2 -> C:\Program Files (x86)\Java\jre1.8.0_161\bin\plugin2\npjp2.dll [2018-03-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-03] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-03] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-02-11] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1460914560-228546869-938245398-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Edwin\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin HKU\S-1-5-21-1460914560-228546869-938245398-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Edwin\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin HKU\S-1-5-21-1460914560-228546869-938245398-1000: jpl.nasa.gov/NASAEyes -> C:\Users\Edwin\AppData\Roaming\JPL-NASA-Caltech\NASA's Eyes\npNASAEyes.dll [2017-08-11] (Jet Propulsion Laboratory)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default [2018-03-21]
CHR Extension: (Slides) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-13]
CHR Extension: (Docs) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-13]
CHR Extension: (Google Drive) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (TV) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\beobeededemalmllhkmnkinmfembdimh [2015-08-11]
CHR Extension: (YouTube) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (HelloFax) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bocmleclimfnadgmcdgecijlblfcmfnm [2018-01-18]
CHR Extension: (Google Search) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google News) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dllkocilcinkggkchnjgegijklcililc [2015-08-11]
CHR Extension: (Google Calendar) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2017-01-06]
CHR Extension: (Google Play Music) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fahmaaghhglfmonjliepjlchgpgfmobi [2018-03-13]
CHR Extension: (Google Finance) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcgckldmmjdbpdejkclmfnnnehhocbfp [2015-08-11]
CHR Extension: (Sheets) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-13]
CHR Extension: (ExpressVPN for Chrome) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgddmllnllkalaagkghckoinaemmogpe [2018-03-08]
CHR Extension: (Full Screen Weather) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkaebihfmbofclegkcfkkemepfehibg [2015-08-11]
CHR Extension: (Google Docs Offline) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (AdBlock) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2018-03-07]
CHR Extension: (Dictionary by Dictionary.com) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gikhgcaliglmioibbockkmjknfnepbdh [2015-08-11]
CHR Extension: (Google Photos) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcglmfcclpfgljeaiahehebeoaiicbko [2017-01-01]
CHR Extension: (Google Keep - notes and lists) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmjkmjkepdijhoojdojkdfohbdgmmhki [2018-03-20]
CHR Extension: (Google Play Music) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\icppfcnhkcmnfdhfhphakoifcfokfdhg [2016-06-07]
CHR Extension: (Zillow) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifccoboedmhjapdlpgkigibgnkmdjoh [2015-08-11]
CHR Extension: (Google Play) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\komhbcfkdcgmcdoenjcjheifdiabikfi [2015-08-11]
CHR Extension: (Google Maps) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2015-09-18]
CHR Extension: (Google Keep Chrome Extension) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpcaedmchfhocbbapmcbpinfpgnhiddi [2018-03-05]
CHR Extension: (Ghostery – Privacy Ad Blocker) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2018-03-08]
CHR Extension: (No Name) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nenlahapcbofgnanklpelkaejcehkggg [2018-03-14]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Send from Gmail (by Google)) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgphcomnlaojlmmcjmiddhdapjpbgeoc [2015-08-11]
CHR Extension: (Gmail) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-11]
CHR Extension: (Chrome Media Router) - C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-02-23]
CHR Profile: C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\System Profile [2018-03-19]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2018-03-01]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\twpvh <==== ATTENTION (Rootkit!)
 
S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-01-05] (Apple Inc.)
R2 ExpressVpnService; C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe [339168 2018-02-07] ()
R2 GlidePoint; C:\Program Files\GlidePoint\glidesvc.exe [261632 2013-06-12] (Cirque Corporation) [File not signed]
S4 HitmanPro38CrusaderBoot; C:\Users\Edwin\Downloads\hitmanpro_x64.exe [11605440 2018-03-08] (SurfRight B.V.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S4 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.1.6.0\WsAppService.exe [388608 2016-01-28] (Wondershare) [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 7727C411; C:\Windows\system32\drivers\7727C411.sys [255928 2018-03-18] (Malwarebytes)
S3 expressvpnsplittunnel; C:\Program Files (x86)\ExpressVpn SplitTunnel Driver\driver\expressvpnsplittunnel.sys [18800 2018-02-07] ()
S3 glideps2; C:\Windows\System32\DRIVERS\glideps2.sys [30720 2013-06-12] (Cirque Corporation)
R3 glideusb; C:\Windows\System32\DRIVERS\glideusb.sys [99240 2009-06-09] (Cirque Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2018-03-21] ()
S4 hitmanpro37duringboot; C:\Windows\System32\drivers\hitmanpro37.sys [55232 2018-03-21] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R1 MpKsl8883d85d; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{779A7639-0D4C-4D55-B286-6327DD6470D2}\MpKsl8883d85d.sys [58120 2018-03-21] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
S3 tapexpressvpn; C:\Windows\System32\DRIVERS\tapexpressvpn.sys [35696 2017-11-03] (The OpenVPN Project)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 WsAudio_Device(1); C:\Windows\System32\drivers\VirtualAudio1.sys [31080 2015-08-03] (Wondershare)
S3 WsAudio_Device(2); C:\Windows\System32\drivers\VirtualAudio2.sys [31080 2015-08-03] (Wondershare)
S3 WsAudio_Device(3); C:\Windows\System32\drivers\VirtualAudio3.sys [31080 2015-08-03] (Wondershare)
S3 WsAudio_Device(4); C:\Windows\System32\drivers\VirtualAudio4.sys [31080 2015-08-03] (Wondershare)
S3 WsAudio_Device(5); C:\Windows\System32\drivers\VirtualAudio5.sys [31080 2015-08-03] (Wondershare)
R3 lpsvyc; system32\drivers\svycfi.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-21 12:53 - 2018-03-21 12:54 - 000000000 ____D C:\Users\Edwin\Downloads\FRST
2018-03-21 12:26 - 2018-03-21 12:26 - 000000000 ____D C:\Users\Edwin\AppData\Local\snatcxe
2018-03-21 12:23 - 2018-03-21 12:23 - 000145232 ____N C:\Windows\system32\Drivers\mssbehko.sys
2018-03-21 11:52 - 2018-03-21 11:52 - 000001938 _____ C:\Users\Edwin\Desktop\Rkill.txt
2018-03-21 11:50 - 2018-03-21 11:50 - 000000000 ____D C:\Autoruns
2018-03-21 11:46 - 2018-03-21 11:46 - 000000000 ____D C:\Users\Edwin\AppData\Local\usdnwev
2018-03-21 10:29 - 2018-03-21 10:29 - 000000000 ____D C:\Users\Edwin\AppData\Local\rerbvwi
2018-03-21 10:22 - 2018-03-21 10:22 - 019709440 _____ (Luis Cobian, CobianSoft) C:\Users\Edwin\Downloads\cbSetup.exe
2018-03-21 10:00 - 2018-03-21 10:00 - 001652843 _____ C:\Users\Edwin\Downloads\Autoruns.zip
2018-03-21 09:44 - 2018-03-21 09:44 - 000000000 ____D C:\Users\Edwin\AppData\Local\sbbdtcz
2018-03-21 09:41 - 2018-03-21 09:42 - 000342944 _____ C:\Windows\system32\FNTCACHE.DAT
2018-03-21 09:05 - 2018-03-21 12:54 - 000000000 ____D C:\FRST
2018-03-21 09:05 - 2018-03-21 09:05 - 000000000 ____D C:\Users\Edwin\AppData\Local\svkxmbr
2018-03-21 08:54 - 2018-03-21 08:54 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-03-21 08:33 - 2018-03-21 08:33 - 000000000 ____D C:\Users\Edwin\AppData\Local\updicsr
2018-03-21 07:59 - 2018-03-21 07:59 - 000007808 _____ C:\Users\Edwin\Documents\cc_20180321_075923.reg
2018-03-21 07:32 - 2018-03-21 07:32 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\3467B666.sys
2018-03-21 07:29 - 2018-03-21 07:29 - 002267848 _____ (wj32 ) C:\Users\Edwin\Downloads\processhacker-2.39-setup.exe
2018-03-21 07:08 - 2018-03-21 07:08 - 000000000 ____D C:\Users\Edwin\AppData\Local\weoxpdn
2018-03-21 06:51 - 2018-03-21 06:51 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\37226494.sys
2018-03-21 06:27 - 2018-03-21 06:27 - 000000000 ____D C:\Users\Edwin\AppData\Local\svbpuwh
2018-03-20 18:10 - 2018-03-21 12:53 - 000000000 ____D C:\Users\Edwin\AppData\Local\pckwldu
2018-03-20 10:41 - 2018-02-13 12:17 - 000136384 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-03-20 10:41 - 2018-02-13 12:10 - 000655872 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-03-20 10:41 - 2018-02-13 08:05 - 001994752 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-03-20 10:41 - 2018-02-13 08:05 - 001560064 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-03-20 10:41 - 2018-02-13 08:05 - 000740864 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-03-20 10:41 - 2018-02-13 08:05 - 000600576 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-03-20 10:41 - 2018-02-13 08:05 - 000451072 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-03-20 10:41 - 2018-02-13 08:05 - 000380928 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-03-20 10:41 - 2018-02-13 08:05 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-03-20 10:41 - 2018-02-13 08:05 - 000237568 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-03-19 18:43 - 2018-03-19 18:43 - 000097344 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2018-03-19 18:42 - 2018-03-19 18:42 - 000000000 ____D C:\Program Files (x86)\Java
2018-03-19 18:14 - 2018-03-19 18:15 - 064333888 _____ (Oracle Corporation) C:\Users\Edwin\Downloads\jre-8u161-windows-i586.exe
2018-03-19 18:01 - 2018-03-19 18:01 - 003954912 _____ (Interactive Brokers LLC) C:\Users\Edwin\Downloads\tws-latest-windows-x86.exe
2018-03-19 09:08 - 2018-03-19 17:51 - 000000000 ____D C:\TWS API
2018-03-19 09:06 - 2018-03-19 09:07 - 004141056 _____ C:\Users\Edwin\Downloads\TWS API Install 972.18.msi
2018-03-19 09:02 - 2018-03-20 07:02 - 000000000 ____D C:\Jts
2018-03-19 09:02 - 2018-03-19 09:02 - 000001578 _____ C:\Users\Public\Desktop\Trader Workstation 4.0.LNK
2018-03-19 09:02 - 2018-03-19 09:02 - 000001578 _____ C:\ProgramData\Desktop\Trader Workstation 4.0.LNK
2018-03-19 09:02 - 2018-03-19 09:02 - 000000568 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Check for TWS Updates.lnk
2018-03-19 09:02 - 2018-03-19 09:02 - 000000044 _____ C:\Windows\ib.ini
2018-03-19 09:02 - 2018-03-19 09:02 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Interactive Brokers
2018-03-19 08:49 - 2018-03-21 07:39 - 000000000 ____D C:\Users\Edwin\Desktop\mbar
2018-03-19 08:49 - 2018-03-19 08:49 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\35319162.sys
2018-03-19 08:40 - 2018-03-19 18:40 - 000000000 ____D C:\MATS
2018-03-19 08:40 - 2018-03-19 08:40 - 000000000 ____D C:\Users\Edwin\AppData\Local\ElevatedDiagnostics
2018-03-19 08:39 - 2018-03-19 08:39 - 000000000 ____D C:\Users\Edwin\AppData\Local\usrbozm
2018-03-19 08:38 - 2018-03-19 08:38 - 000221662 _____ C:\Users\Edwin\Downloads\MicrosoftProgram_Install_and_Uninstall.meta.diagcab
2018-03-19 08:12 - 2018-03-19 08:12 - 000000000 ____D C:\Users\Edwin\AppData\Local\upcdron
2018-03-19 08:07 - 2018-03-19 08:07 - 000085632 _____ C:\Users\Edwin\AppData\Local\GDIPFONTCACHEV1.DAT
2018-03-19 08:04 - 2018-03-19 08:04 - 000366978 _____ C:\Users\Edwin\Documents\cc_20180319_080357.reg
2018-03-19 07:53 - 2018-03-19 07:53 - 015333312 _____ (Piriform Ltd) C:\Users\Edwin\Downloads\ccsetup541pro.exe
2018-03-19 07:29 - 2018-03-19 07:29 - 000000000 ____D C:\Users\Edwin\AppData\Local\vdrtemz
2018-03-19 07:13 - 2018-03-19 18:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2018-03-19 07:13 - 2018-03-19 07:13 - 000110144 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2018-03-19 07:13 - 2018-03-19 07:13 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\Sun
2018-03-19 07:13 - 2018-03-19 07:13 - 000000000 ____D C:\Program Files\Java
2018-03-19 07:07 - 2018-03-19 07:07 - 000000000 ____D C:\Users\Edwin\AppData\Local\wmcpaxk
2018-03-19 06:34 - 2018-03-19 06:34 - 000000000 ____D C:\Users\Edwin\AppData\Local\usaionr
2018-03-18 19:52 - 2018-03-18 19:52 - 000000000 ____D C:\ProgramData\Emsisoft
2018-03-18 19:49 - 2018-03-18 20:18 - 000000000 ____D C:\EEK
2018-03-18 19:48 - 2018-03-18 19:48 - 320133632 _____ C:\Users\Edwin\Downloads\EmsisoftEmergencyKit.exe
2018-03-18 19:40 - 2018-03-18 19:41 - 000015892 _____ C:\TDSSKiller.3.1.0.16_18.03.2018_19.40.41_log.txt
2018-03-18 19:30 - 2018-03-21 07:31 - 000192952 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2018-03-18 19:25 - 2018-03-18 19:25 - 000000000 ____D C:\Users\Edwin\AppData\Local\wemuckh
2018-03-18 18:57 - 2018-03-18 19:30 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\7727C411.sys
2018-03-18 18:57 - 2018-03-18 19:29 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-18 18:56 - 2018-03-21 07:39 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-03-18 18:55 - 2018-03-18 18:56 - 000015880 _____ C:\TDSSKiller.3.1.0.16_18.03.2018_18.55.56_log.txt
2018-03-18 18:54 - 2018-03-18 18:54 - 000006796 _____ C:\TDSSKiller.3.1.0.16_18.03.2018_18.54.06_log.txt
2018-03-18 18:54 - 2018-03-18 18:54 - 000000000 ____D C:\Users\Edwin\AppData\Local\wiextbs
2018-03-18 18:32 - 2018-03-18 18:32 - 000002122 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2018-03-18 18:32 - 2018-03-18 18:32 - 000000000 ____D C:\Program Files\Microsoft Security Client
2018-03-18 18:32 - 2018-03-18 18:32 - 000000000 ____D C:\Program Files (x86)\Microsoft Security Client
2018-03-18 18:29 - 2018-03-18 18:29 - 014178840 _____ (Malwarebytes Corp.) C:\Users\Edwin\Downloads\mbar-1.10.3.1001.exe
2018-03-18 18:03 - 2018-03-18 18:07 - 000000000 ____D C:\Windows\CryptoGuard
2018-03-18 18:02 - 2018-03-18 18:30 - 000000000 ____D C:\ProgramData\HitmanPro.Alert
2018-03-18 17:40 - 2018-03-18 17:41 - 404704180 _____ C:\Users\Edwin\Documents\today 03_18.reg
2018-03-18 12:45 - 2018-03-18 12:45 - 004616328 _____ (SurfRight B.V.) C:\Users\Edwin\Downloads\hmpalert3.exe
2018-03-18 11:53 - 2018-03-21 09:00 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2018-03-18 11:52 - 2018-03-18 11:52 - 000000000 ____D C:\Users\Edwin\AppData\Local\wmknsvp
2018-03-17 11:56 - 2018-03-17 11:56 - 000001752 _____ C:\Users\Public\Desktop\iTunes.lnk
2018-03-17 11:56 - 2018-03-17 11:56 - 000001752 _____ C:\ProgramData\Desktop\iTunes.lnk
2018-03-17 11:56 - 2018-03-17 11:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2018-03-17 11:56 - 2018-03-17 11:56 - 000000000 ____D C:\Program Files\iPod
2018-03-17 11:55 - 2018-03-17 11:56 - 000000000 ____D C:\Program Files\iTunes
2018-03-17 11:55 - 2018-03-17 11:55 - 000000000 ____D C:\Windows\System32\Tasks\Apple
2018-03-17 11:55 - 2018-03-17 11:55 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
2018-03-17 11:54 - 2018-03-17 11:54 - 000000000 ____D C:\Program Files\Bonjour
2018-03-17 11:54 - 2018-03-17 11:54 - 000000000 ____D C:\Program Files (x86)\Bonjour
2018-03-17 09:09 - 2018-03-20 06:41 - 000000000 ____D C:\Program Files\Common Files\AV
2018-03-17 09:09 - 2018-03-17 17:55 - 000000000 ____D C:\ProgramData\Kaspersky Lab
2018-03-17 09:07 - 2018-03-17 09:07 - 000000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2018-03-15 10:26 - 2018-03-15 10:26 - 000085814 _____ C:\Users\Edwin\Downloads\Oakley Order Details.pdf
2018-03-14 19:25 - 2018-03-14 19:28 - 000000000 ____D C:\Program Files\VideoLAN
2018-03-14 19:21 - 2018-03-14 19:21 - 040159904 _____ C:\Users\Edwin\Downloads\vlc-3.0.1-win64.exe
2018-03-12 07:04 - 2018-03-12 07:04 - 162135728 _____ (Kaspersky Lab) C:\Users\Edwin\Downloads\kav18.0.0.405aben_es_fr_12609.exe
2018-03-11 15:14 - 2018-03-11 15:14 - 000000000 ____D C:\Windows.old
2018-03-11 14:37 - 2018-03-11 14:37 - 009156728 _____ (ESET, spol. s r.o.) C:\Users\Edwin\Downloads\eset_sysrescue_live_creator_enu.exe
2018-03-09 12:33 - 2018-03-21 08:01 - 000000000 ____D C:\Program Files (x86)\Internet Download Manager
2018-03-09 12:33 - 2018-03-20 19:03 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\DMCache
2018-03-09 12:33 - 2018-03-19 16:39 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\IDM
2018-03-09 12:33 - 2018-03-09 12:33 - 000001014 ____N C:\Users\Edwin\Desktop\Internet Download Manager.lnk
2018-03-09 12:33 - 2018-03-09 12:33 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2018-03-09 12:33 - 2018-03-09 12:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2018-03-09 12:33 - 2018-03-09 12:33 - 000000000 ____D C:\ProgramData\IDM
2018-03-09 11:50 - 2018-03-09 11:50 - 000000000 ____D C:\Users\Edwin\AppData\Local\Apps\2.0
2018-03-09 00:38 - 2018-03-09 00:38 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Edwin\Downloads\rkill.exe
2018-03-09 00:24 - 2018-03-09 00:24 - 116668640 _____ (Microsoft Corporation) C:\Users\Edwin\Downloads\msert.exe
2018-03-08 23:40 - 2018-03-08 23:40 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\asw4e027480359b8dee.tmp
2018-03-08 23:40 - 2018-03-08 23:40 - 000110328 _____ (AVAST Software) C:\Windows\system32\Drivers\asw84f8280e149fc08f.tmp
2018-03-08 22:56 - 2018-03-08 22:56 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\AVAST Software
2018-03-08 22:55 - 2018-03-08 22:55 - 001026696 _____ (AVAST Software) C:\Windows\system32\Drivers\asw2fd80624f92c0236.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\asw979d7bd26db18379.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000380528 _____ (AVAST Software) C:\Windows\system32\Drivers\asw1893ba1aa2ae2a6b.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000343752 _____ (AVAST Software) C:\Windows\system32\Drivers\asw7e3281ba6da59242.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000227504 _____ (AVAST Software) C:\Windows\system32\Drivers\asw3415604d46433cbf.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000199440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswc4dfbeb338f06b3d.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000196648 _____ (AVAST Software) C:\Windows\system32\Drivers\asw462415787216dc7c.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000146656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswc48af1947a29e823.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000084368 _____ (AVAST Software) C:\Windows\system32\Drivers\asw3980146d688a70fe.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000057680 _____ (AVAST Software) C:\Windows\system32\Drivers\asw8a07f817d0cfcb6f.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\asw9a3d0e7e0bb9a313.tmp
2018-03-08 22:55 - 2018-03-08 22:55 - 000000000 ____D C:\Program Files\AVAST Software
2018-03-08 22:30 - 2018-03-08 22:30 - 000178320 _____ (AVAST Software) C:\Users\Edwin\Downloads\avast_free_antivirus_setup_online_cnet_2.exe
2018-03-08 21:10 - 2018-03-18 18:30 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-08 21:04 - 2018-03-08 21:05 - 011605440 _____ (SurfRight B.V.) C:\Users\Edwin\Downloads\hitmanpro_x64.exe
2018-03-08 20:51 - 2018-03-08 20:51 - 069323904 _____ (Malwarebytes ) C:\Users\Edwin\Downloads\mb3-setup-consumer-3.4.4.2398-1.0.322-1.0.4256.exe
2018-03-08 20:49 - 2018-03-21 08:25 - 000000000 ____D C:\AdwCleaner
2018-03-08 20:49 - 2018-03-08 20:49 - 008222496 _____ (Malwarebytes) C:\Users\Edwin\Downloads\adwcleaner_7.0.8.0.exe
2018-03-08 19:51 - 2018-03-08 19:52 - 015065792 _____ (Microsoft Corporation) C:\Users\Edwin\Downloads\MSEInstall.exe
2018-03-08 18:56 - 2018-03-08 18:56 - 000000000 ____D C:\ProgramData\SystemAcCrux
2018-03-08 18:55 - 2018-03-08 19:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EaseUS Data Recovery Wizard
2018-03-08 18:55 - 2018-03-08 18:55 - 000000000 ____D C:\Program Files\EaseUS
2018-03-08 14:50 - 2018-03-08 14:50 - 000002012 _____ C:\Users\Public\Desktop\ExpressVPN.lnk
2018-03-08 14:50 - 2018-03-08 14:50 - 000002012 _____ C:\ProgramData\Desktop\ExpressVPN.lnk
2018-03-08 14:50 - 2018-03-08 14:50 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN
2018-03-08 14:50 - 2018-03-08 14:50 - 000000000 ____D C:\ProgramData\ExpressVPN
2018-03-08 14:50 - 2018-03-08 14:50 - 000000000 ____D C:\Program Files (x86)\ExpressVpn Tap Driver
2018-03-08 14:50 - 2018-03-08 14:50 - 000000000 ____D C:\Program Files (x86)\ExpressVpn SplitTunnel Driver
2018-03-08 14:50 - 2018-03-08 14:50 - 000000000 ____D C:\Program Files (x86)\ExpressVPN
2018-03-08 14:47 - 2018-03-08 14:48 - 025491712 _____ (ExpressVPN) C:\Users\Edwin\Downloads\expressvpn_6.5.1.3605.exe
2018-03-08 14:28 - 2018-03-08 14:28 - 000000000 ____D C:\Users\Administrator\AppData\Local\zaaxsnp
2018-03-08 14:28 - 2018-03-08 14:28 - 000000000 ____D C:\Users\Administrator\AppData\Local\lscgbum
2018-03-08 11:00 - 2018-03-08 11:00 - 007326608 _____ (Tonec Inc.) C:\Users\Edwin\Downloads\idman630build7.exe
2018-03-08 09:01 - 2018-03-08 09:01 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-03-08 09:00 - 2018-03-08 22:53 - 000000000 ____D C:\ProgramData\AVAST Software
2018-03-08 08:21 - 2018-03-21 08:30 - 000000000 ____D C:\Windows\pss
2018-03-07 20:45 - 2018-03-07 20:45 - 000085632 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2018-03-07 20:45 - 2018-03-07 20:45 - 000001414 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-03-07 20:45 - 2018-03-07 20:45 - 000000020 ____N C:\Users\Administrator\ntuser.ini
2018-03-07 20:45 - 2018-03-07 20:45 - 000000000 ___RD C:\Users\Administrator\Virtual Machines
2018-03-07 20:45 - 2018-03-07 20:45 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Intel Corporation
2018-03-07 20:45 - 2018-03-07 20:45 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2018-03-07 20:45 - 2018-03-07 20:45 - 000000000 ____D C:\Users\Administrator\AppData\Local\Wondershare
2018-03-07 20:45 - 2018-03-07 20:45 - 000000000 ____D C:\Users\Administrator\AppData\Local\Google
2018-03-07 20:45 - 2018-03-07 20:45 - 000000000 ____D C:\Users\Administrator
2018-03-07 20:45 - 2015-09-16 08:55 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\TuneUp Software
2018-03-07 20:45 - 2015-08-16 16:21 - 000000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2018-03-07 20:45 - 2009-07-14 01:45 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Media Center Programs
2018-03-07 19:17 - 2018-03-07 19:17 - 000038462 _____ C:\Users\Edwin\Documents\coco_english-1716680.zip
2018-03-07 08:21 - 2018-03-14 08:48 - 000000000 ____D C:\Users\Edwin\AppData\Local\exhbdmp
2018-03-07 07:31 - 2018-03-07 07:31 - 025491712 _____ (ExpressVPN) C:\Users\Edwin\Documents\expressvpn_6.5.1.3605.exe
2018-03-05 21:33 - 2018-03-08 20:56 - 000000000 ____D C:\Program Files\WinZip
2018-03-05 21:33 - 2018-03-05 22:28 - 000000000 ____D C:\Users\Edwin\AppData\Local\WinZip
2018-03-05 21:33 - 2018-03-05 21:33 - 000003404 _____ C:\Windows\System32\Tasks\WinZip Update Notifier
2018-03-05 21:33 - 2018-03-05 21:33 - 000001926 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip.lnk
2018-03-05 21:33 - 2018-03-05 21:33 - 000001826 _____ C:\Users\Public\Desktop\WinZip.lnk
2018-03-05 21:33 - 2018-03-05 21:33 - 000001826 _____ C:\ProgramData\Desktop\WinZip.lnk
2018-03-05 21:33 - 2018-03-05 21:33 - 000000000 ____D C:\ProgramData\WinZip
2018-03-05 21:33 - 2018-03-05 21:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip 22.0
2018-03-05 21:32 - 2018-03-05 21:32 - 000000000 ____D C:\ProgramData\UniqueId
2018-03-05 16:38 - 2018-03-05 16:38 - 000000000 ____D C:\ProgramData\dbg
2018-03-05 16:28 - 2018-03-05 16:28 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-05 16:23 - 2018-03-05 21:21 - 000178890 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-03-05 16:23 - 2018-03-05 16:46 - 000092479 _____ C:\Windows\ZAM.krnl.trace
2018-03-05 16:17 - 2018-03-05 16:17 - 000000000 ____D C:\Users\Edwin\Desktop\Old Firefox Data
2018-03-05 15:52 - 2018-03-05 15:52 - 000002301 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-03-05 15:52 - 2018-03-05 15:52 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-03-05 15:52 - 2018-03-05 15:52 - 000002260 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2018-03-05 12:20 - 2018-03-19 08:59 - 000000000 ____D C:\Windows\Minidump
2018-03-05 12:04 - 2018-03-05 12:21 - 000000000 ____D C:\Temp
2018-03-05 11:55 - 2018-03-05 15:41 - 000000034 _____ C:\Users\Public\Documents\{DE764086-1C0A-4DD3-90BA-0B93BDD794BE}
2018-03-05 11:55 - 2018-03-05 15:41 - 000000034 _____ C:\ProgramData\Documents\{DE764086-1C0A-4DD3-90BA-0B93BDD794BE}
2018-03-05 11:55 - 2018-03-05 11:55 - 000000003 _____ C:\Users\Edwin\AppData\Local\wbem.ini
2018-03-05 11:54 - 2018-03-21 12:24 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\csdxungsvc.exe
2018-03-05 11:54 - 2018-03-05 11:54 - 000000000 ____D C:\Windows\SysWOW64\cwspzih
2018-03-05 11:54 - 2018-03-05 11:54 - 000000000 ____D C:\Windows\system32\cwspzih
2018-03-05 11:52 - 2018-03-05 11:52 - 000003072 _____ C:\Users\Edwin\AppData\Local\removeHN.exe
2018-03-05 11:51 - 2018-03-05 11:51 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\et
2018-03-05 11:35 - 2018-03-20 18:54 - 000000000 ____D C:\Users\Edwin\Downloads\Compressed
2018-03-05 11:35 - 2018-03-05 11:35 - 000000000 ____D C:\Users\Edwin\Downloads\Video
2018-03-05 04:20 - 2018-03-05 04:20 - 000038424 _____ C:\Windows\uninstaller.dat
2018-03-01 09:38 - 2018-03-01 09:36 - 000226032 _____ (Tonec Inc.) C:\Windows\system32\Drivers\idmwfp.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-21 12:54 - 2009-07-13 20:34 - 019398656 _____ C:\Windows\system32\config\HARDWARE
2018-03-21 12:32 - 2009-07-13 22:45 - 000020912 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-21 12:32 - 2009-07-13 22:45 - 000020912 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-21 12:30 - 2009-07-13 23:13 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-03-21 12:30 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\inf
2018-03-21 12:28 - 2016-11-19 11:29 - 000000000 ____D C:\Users\Edwin\AppData\LocalLow\Mozilla
2018-03-21 12:26 - 2015-08-19 07:14 - 000007627 _____ C:\Users\Edwin\AppData\Local\Resmon.ResmonCfg
2018-03-21 12:24 - 2015-08-11 17:25 - 000000000 ____D C:\ProgramData\NVIDIA
2018-03-21 12:24 - 2009-07-13 23:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-21 07:02 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\system32\NDF
2018-03-20 18:43 - 2015-08-11 18:15 - 000000000 ____D C:\Program Files (x86)\QuoteTracker
2018-03-20 11:02 - 2015-08-13 19:50 - 000000000 ____D C:\Windows\system32\appraiser
2018-03-20 10:51 - 2015-08-11 17:23 - 000776166 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-03-19 18:43 - 2015-08-11 18:00 - 000000000 ____D C:\ProgramData\Oracle
2018-03-19 18:18 - 2015-08-12 06:18 - 000000000 ____D C:\Windows\system32\appmgmt
2018-03-19 17:02 - 2015-08-12 05:36 - 000000000 ____D C:\Users\Edwin\AppData\Roaming\MPC-HC
2018-03-19 09:02 - 2015-08-11 18:02 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Interactive Brokers
2018-03-19 08:59 - 2015-08-11 16:04 - 000336815 ____N C:\Windows\Minidump\031918-13930-01.dmp
2018-03-19 08:41 - 2015-08-11 16:04 - 000336815 ____N C:\Windows\Minidump\031918-33368-01.dmp
2018-03-19 08:36 - 2015-08-11 16:04 - 000336815 ____N C:\Windows\Minidump\031918-12152-01.dmp
2018-03-19 08:20 - 2015-08-11 16:04 - 000336815 ____N C:\Windows\Minidump\031918-10108-01.dmp
2018-03-19 08:09 - 2015-08-11 16:04 - 000336815 ____N C:\Windows\Minidump\031918-7690-01.dmp
2018-03-19 08:03 - 2016-10-18 17:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Handbrake
2018-03-19 08:03 - 2015-08-11 17:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2018-03-18 18:33 - 2017-04-28 13:06 - 000001945 _____ C:\Windows\epplauncher.mif
2018-03-18 13:22 - 2015-08-11 18:50 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-03-18 12:16 - 2016-11-19 11:28 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-03-17 11:55 - 2015-08-13 09:22 - 000002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2018-03-17 11:55 - 2015-08-13 09:22 - 000000000 ____D C:\Program Files\Common Files\Apple
2018-03-17 11:47 - 2015-08-11 16:50 - 000000000 ____D C:\Program Files (x86)\Google
2018-03-14 19:52 - 2015-08-11 16:07 - 000000000 ____D C:\Users\Edwin
2018-03-08 14:50 - 2015-08-11 19:03 - 000000000 ____D C:\ProgramData\Package Cache
2018-03-08 08:27 - 2015-09-07 19:47 - 000000000 ____D C:\Program Files (x86)\Freemake
2018-03-07 20:45 - 2009-07-13 22:57 - 000001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2018-03-07 20:11 - 2016-04-25 17:08 - 000000000 ____D C:\dtscore
2018-03-05 16:45 - 2016-08-05 09:04 - 000000000 ____D C:\Users\Edwin\AppData\Local\thinkorswim
2018-03-05 16:36 - 2017-03-09 12:52 - 000000000 ____D C:\ProgramData\Lavasoft
2018-03-05 16:27 - 2015-08-11 17:58 - 000000000 ____D C:\Program Files\GlidePoint
2018-03-05 16:18 - 2015-08-11 18:50 - 000001164 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-03-05 16:18 - 2015-08-11 18:50 - 000001152 _____ C:\Users\Public\Desktop\Firefox.lnk
2018-03-05 16:18 - 2015-08-11 18:50 - 000001152 _____ C:\ProgramData\Desktop\Firefox.lnk
2018-03-05 15:41 - 2016-07-08 16:33 - 000000000 ____D C:\Program Files (x86)\Motorola
2018-03-05 12:22 - 2015-08-11 16:08 - 000001047 _____ C:\Users\Edwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-03-05 12:02 - 2018-02-16 13:12 - 000000000 ____D C:\Users\Edwin\AppData\Local\Apowersoft
2018-03-05 11:56 - 2015-08-15 11:32 - 000000000 ____D C:\Program Files\Microsoft Office
2018-03-05 11:55 - 2015-08-11 17:48 - 000000000 ____D C:\ProgramData\Intel
2018-02-28 12:42 - 2017-07-11 07:53 - 000000000 ____D C:\Users\Edwin\AppData\Local\GoToMeeting
2018-02-28 11:23 - 2015-08-12 05:44 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-02-25 09:45 - 2015-08-12 05:43 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-02-19 19:37 - 2016-02-21 20:47 - 000000000 ____D C:\Windows\AutoKMS
 
==================== Files in the root of some directories =======
 
2017-12-12 08:31 - 2017-12-12 08:31 - 000030208 _____ (DTN Corporation) C:\Users\Edwin\IQ32.dll
1623-04-04 13:34 - 1623-04-04 13:34 - 000073216 ____N (Microsoft Corporation) C:\Users\Edwin\veiIUu.exe
1623-04-04 13:34 - 1623-04-04 13:34 - 000073216 ____N (Microsoft Corporation) C:\Users\Edwin\AppData\Roaming\AUeYUjIaR.exe
2017-03-21 08:35 - 2017-03-21 09:10 - 000012984 _____ () C:\Users\Edwin\AppData\Roaming\Requiem.log
2015-09-07 21:09 - 2015-09-07 21:10 - 000016960 ____T (Un4seen Developments) C:\Users\Edwin\AppData\Roaming\Microsoft\1eaadjc.dll
2015-09-07 21:12 - 2015-09-07 21:12 - 000218624 ____T (MultiMedia Soft) C:\Users\Edwin\AppData\Roaming\Microsoft\AdjMmsVista.dll
2015-09-07 21:09 - 2015-09-07 21:10 - 000018724 ____T () C:\Users\Edwin\AppData\Roaming\Microsoft\bass.dll
2015-09-07 21:09 - 2015-09-07 21:10 - 000014392 ____T (Un4seen Developments) C:\Users\Edwin\AppData\Roaming\Microsoft\kfgresk.dll
2015-09-07 21:09 - 2015-09-07 21:10 - 000014456 ____T () C:\Users\Edwin\AppData\Roaming\Microsoft\mjcriu.dll
2015-09-07 21:09 - 2015-09-07 21:10 - 000010816 ____T (Un4seen Developments) C:\Users\Edwin\AppData\Roaming\Microsoft\peaadje.dll
2015-09-07 21:09 - 2015-09-07 21:10 - 000028760 ____T ((: JOBnik! :) [Arthur Aminov, ISRAEL]) C:\Users\Edwin\AppData\Roaming\Microsoft\qwadjb.dll
2015-09-07 21:09 - 2015-09-07 21:10 - 000015424 ____T (Un4seen Developments) C:\Users\Edwin\AppData\Roaming\Microsoft\rsaadjd.dll
2015-09-07 21:09 - 2015-09-07 21:10 - 000098872 ____T (Un4seen Developments) C:\Users\Edwin\AppData\Roaming\Microsoft\~DFKe47cf0.tmp
1623-04-04 13:34 - 1623-04-04 13:34 - 000186368 _____ (Microsoft Corporation) C:\Users\Edwin\AppData\Local\IYNZcLqo.exe
2018-03-05 11:52 - 2018-03-05 11:52 - 000003072 _____ () C:\Users\Edwin\AppData\Local\removeHN.exe
2015-08-19 07:14 - 2018-03-21 12:26 - 000007627 _____ () C:\Users\Edwin\AppData\Local\Resmon.ResmonCfg
2018-03-05 12:20 - 2018-03-05 12:20 - 000001396 _____ () C:\Users\Edwin\AppData\Local\suit.log
2018-03-05 11:55 - 2018-03-05 11:55 - 000000003 _____ () C:\Users\Edwin\AppData\Local\wbem.ini
 
Some files in TEMP:
====================
2016-05-31 06:48 - 2016-04-22 10:01 - 000186640 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_081049731071.exe
2016-04-18 18:14 - 2016-03-23 16:57 - 000186640 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_08143225120.exe
2016-01-15 10:51 - 2015-12-08 08:23 - 000091048 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_081886253988.exe
2016-08-23 06:46 - 2016-07-20 14:01 - 000186640 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_081990941677.exe
2016-06-23 11:31 - 2016-05-18 13:03 - 000186640 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_08339043740.exe
2016-07-27 06:46 - 2016-06-21 18:49 - 000186640 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_08557156190.exe
2016-05-13 08:23 - 2016-04-14 17:29 - 000186640 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_08611146959.exe
2016-02-23 18:51 - 2016-01-12 17:23 - 000179624 ____N (AVG Technologies CZ, s.r.o.) C:\Users\Edwin\AppData\Local\Temp\avguirn_08940563523.exe
2017-08-13 10:39 - 2017-08-11 09:29 - 000223160 ____N () C:\Users\Edwin\AppData\Local\Temp\EyesLauncher.exe
2018-03-08 22:28 - 2018-03-08 21:05 - 011605440 ____N (SurfRight B.V.) C:\Users\Edwin\AppData\Local\Temp\HitmanPro.exe
2018-03-18 18:04 - 2018-03-18 18:04 - 011605440 ____N (SurfRight B.V.) C:\Users\Edwin\AppData\Local\Temp\HitmanPro_x64.exe
2017-03-09 12:52 - 2017-03-09 12:52 - 000349144 ____N (Lavasoft) C:\Users\Edwin\AppData\Local\Temp\i2xe3lzm.axg.exe
2016-08-05 09:04 - 2018-03-05 12:20 - 000035680 ____N () C:\Users\Edwin\AppData\Local\Temp\i4jdel0.exe
2017-03-09 12:52 - 2017-03-09 12:52 - 016203936 ____N (Ellora Assets Corporation                                   ) C:\Users\Edwin\AppData\Local\Temp\m4n53abv.cpq.exe
2011-03-04 16:05 - 2011-03-04 16:05 - 008459800 ____N (Motorola) C:\Users\Edwin\AppData\Local\Temp\MotoHelper_2.0.45_Driver_5.0.0.exe
1999-12-20 07:04 - 1999-12-20 07:04 - 000056832 ____N () C:\Users\Edwin\AppData\Local\Temp\mpegc.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\mssbehko.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-03-09 18:41
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Edwin (21-03-2018 12:55:00)
Running from C:\Users\Edwin\Downloads\FRST
Windows 7 Professional Service Pack 1 (X64) (2015-08-11 22:07:36)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1460914560-228546869-938245398-500 - Administrator - Disabled) => C:\Users\Administrator
Edwin (S-1-5-21-1460914560-228546869-938245398-1000 - Administrator - Enabled) => C:\Users\Edwin
Guest (S-1-5-21-1460914560-228546869-938245398-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1460914560-228546869-938245398-1002 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20038 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.130 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{D4C80B0C-CF67-43A7-90C3-466853543B54}) (Version: 6.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{B2A2E8AF-BC48-4191-B2C4-3846A19835CA}) (Version: 6.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{AA7D90D2-2387-4FA5-A3AF-96811BE49BFD}) (Version: 11.0.5.14 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{19589375-5C58-4AFA-842F-8B34744CCEAD}) (Version: 2.5.0.1 - Apple Inc.)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.14.3.0 - Asmedia Technology)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Click Install if prompted (HKLM-x32\...\{5A4AB1F7-3DAF-4C24-AF6B-9E8F57ED702D}) (Version: 1.0.6.0 - ExpressVpn) Hidden
DVDFab 9.1.2.2 (08/01/2014) (HKLM-x32\...\DVDFab 9_is1) (Version:  - Fengtao Software Inc.)
ExpressVPN (HKLM-x32\...\{B97E1AC2-1F11-43C0-90A7-22B158337D06}) (Version: 6.5.1.3605 - ExpressVPN) Hidden
ExpressVPN (HKLM-x32\...\{e87d0eca-dc93-4f55-bf74-0d155d8c6f07}) (Version: 6.5.1.3605 - ExpressVPN)
GlidePoint® Driver 3 (64-bit) (HKLM\...\{F2200E6E-EE0B-4076-B290-B41B248C5E53}) (Version: 3.7.1.64 - Cirque Corporation)
GlidePoint® Touchpad Driver 3.5 (HKLM\...\{444404F4-CB18-4079-9624-5315FF0D10A6}) (Version: 3.5.1.64 - Cirque Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 64.0.3282.186 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
GoTo Opener (HKLM-x32\...\{351B54B2-1AFC-42A7-A8C0-9E05C26F0D1E}) (Version: 1.0.470 - LogMeIn, Inc.)
GoToMeeting 8.21.0.8404 (HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\GoToMeeting) (Version: 8.21.0.8404 - LogMeIn, Inc.)
H&R Block California 2015 (HKLM-x32\...\{74A4BCDD-7550-49E3-922E-5FFDBE6536D1}) (Version: 1.15.5901 - HRB Technology, LLC.)
H&R Block Colorado 2015 (HKLM-x32\...\{6050545F-4278-40DD-9F98-A26F79018587}) (Version: 1.15.4201 - HRB Technology, LLC.)
H&R Block Colorado 2016 (HKLM-x32\...\{E474A63A-E3CC-43E5-AC86-C294918C6279}) (Version: 1.16.5101 - HRB Technology, LLC.)
H&R Block Deluxe + Efile + State 2015 (HKLM-x32\...\{E7BFC29A-9459-4534-9E35-BF1D66A18BAA}) (Version: 15.05.8101 - HRB Technology, LLC.)
H&R Block Deluxe + Efile + State 2016 (HKLM-x32\...\{E7065AD9-D2DB-423B-B853-8310038D7D42}) (Version: 16.05.6401 - HRB Technology, LLC.)
H&R Block Deluxe + Efile + State 2017 (HKLM-x32\...\{191D85BA-E6EA-4F97-8D2A-76A220043D87}) (Version: 17.05.6601 - HRB Technology, LLC.)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel Driver Update Utility (HKLM-x32\...\{ca4bc3a8-b99c-4416-90d8-351a8ceab458}) (Version: 2.2.0.2 - Intel)
Intel® Chipset Device Software (HKLM-x32\...\{98f335cd-0a32-4b3f-b74c-ef9480e834f0}) (Version: 10.0.27 - Intel® Corporation) Hidden
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Driver Update Utility 2.2 (HKLM-x32\...\{3EE9923D-3045-46AB-9CAA-E375993AEB4A}) (Version: 2.2.0.1 - Intel) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.5.0.1026 - Intel Corporation)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
IQFeed Client 5.2.7.0 (HKLM-x32\...\IQFeed Client) (Version: 5.2.7.0 - DTN)
iTunes (HKLM\...\{1D7D1271-5258-4F5A-B8C1-7176BF398782}) (Version: 12.7.3.46 - Apple Inc.)
Java 8 Update 161 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180161F0}) (Version: 8.0.1610.12 - Oracle Corporation)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
Microsoft .NET Framework 4.7.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MKVToolNix 17.0.0 (64-bit) (HKLM-x32\...\MKVToolNix) (Version: 17.0.0 - Moritz Bunkus)
MotoHelper MergeModules (HKLM-x32\...\{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}) (Version: 1.2.0 - Motorola) Hidden
Mozilla Firefox 59.0.1 (x64 en-US) (HKLM\...\Mozilla Firefox 59.0.1 (x64 en-US)) (Version: 59.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 58.0.2 - Mozilla)
MPC-HC 1.7.9 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.9 - MPC-HC Team)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Music Manager (HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\MusicManager) (Version:  - Google, Inc.)
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 341.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.44 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.44 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
Pdf995 (installed by H&R Block) (HKLM-x32\...\Pdf995) (Version: 15.0s - )
PdfEdit995 (installed by H&R Block) (HKLM-x32\...\PdfEdit995) (Version:  - )
qBittorrent 2.9.11 (HKLM-x32\...\qbittorrent) (Version:  - )
QuoteTracker (HKLM-x32\...\QuoteTracker_is1) (Version:  - T2 API Technologies, LLC)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.92.115.2015 - Realtek)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Split Tunneling Driver (HKLM-x32\...\{F078B0B5-2F41-42C2-9162-B8C628D5E6FE}) (Version: 1.0.0.0 - ExpressVpn) Hidden
Subtitle Edit 3.5.4 (HKLM\...\SubtitleEdit_is1) (Version: 3.5.4.0 - Nikse)
Trader Workstation 4.0 (HKLM-x32\...\Trader Workstation 4.0) (Version:  - )
TWS API (HKLM-x32\...\{BFB69492-F72A-400E-AEEB-DA6567AF90CE}) (Version: 9.72.18 - IBG LLC)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows XP Mode (HKLM\...\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}) (Version: 1.3.7600.16423 - Microsoft Corporation)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
WinZip 22.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C24119}) (Version: 22.0.12706 - Corel Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1460914560-228546869-938245398-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Edwin\AppData\Local\GoToMeeting\8404\G2MOutlookAddin64.dll (LogMeIn, Inc.)
CustomCLSID: HKU\S-1-5-21-1460914560-228546869-938245398-1000_Classes\CLSID\{91A41FCC-BC02-42D8-A36E-0D27FF9BFFC8}\InprocServer32 -> C:\Users\Edwin\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1460914560-228546869-938245398-1000_Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.WinZipExpressForOffice.dll ()
CustomCLSID: HKU\S-1-5-21-1460914560-228546869-938245398-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Edwin\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2017-06-23] (Tonec Inc.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers1: [jZip] -> {E677C7AD-2B66-4539-AA29-3771A1CFEDA9} =>  -> No File
ContextMenuHandlers1: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshls64.dll [2017-12-11] (WinZip Computing, S.L.)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers3: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => C:\Program Files\Unlocker\UnlockerCOM.dll [2010-07-14] ()
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers4: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshls64.dll [2017-12-11] (WinZip Computing, S.L.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2015-06-01] (Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2015-02-03] (NVIDIA Corporation)
ContextMenuHandlers6: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => C:\Program Files\Unlocker\UnlockerCOM.dll [2010-07-14] ()
ContextMenuHandlers6: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshls64.dll [2017-12-11] (WinZip Computing, S.L.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {144897D1-D9FF-42B8-B698-0EA5058B1C3F} - System32\Tasks\Microsoft\Microsoft Antimalware\MpIdleTask => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)
Task: {411C9580-BE2D-4ADE-B386-1DD7CDF6F7B1} - System32\Tasks\WinZip Update Notifier => C:\Program Files\WinZip\WZUpdateNotifier.exe [2017-12-11] (WinZip)
Task: {57BF1B14-32AA-40E0-B293-5A19525224C6} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)
Task: {6B0F5637-5EEE-40D4-8F29-3E7CE4D07E76} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-10-12] (Apple Inc.)
Task: {6F766B3F-8B3E-493C-A18B-570E4185DAAE} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
ShortcutWithArgument: C:\Users\Edwin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Trader Workstation 4.0.LNK -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /C "C:\Jts\StartTws.bat C:\Jts"
ShortcutWithArgument: C:\Users\Public\Desktop\Trader Workstation 4.0.LNK -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /C "C:\Jts\StartTws.bat C:\Jts"
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-08-11 17:24 - 2015-02-03 20:21 - 000115400 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2018-02-07 17:42 - 2018-02-07 17:42 - 000339168 _____ () C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe
2018-02-07 17:45 - 2018-02-07 17:45 - 008457344 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
2015-06-01 22:00 - 2015-06-01 22:00 - 000102912 _____ () C:\Windows\System32\IccLibDll_x64.dll
2018-03-05 15:52 - 2018-02-21 21:57 - 004433752 _____ () C:\Program Files (x86)\Google\Chrome\Application\64.0.3282.186\libglesv2.dll
2018-03-05 15:52 - 2018-02-21 21:57 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\64.0.3282.186\libegl.dll
2018-02-07 17:45 - 2018-02-07 17:45 - 006164864 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\libxvclient.dll
2018-02-07 17:46 - 2018-02-07 17:46 - 000080512 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\windows\ExpressVPN.NetworkUtils.dll
2018-02-07 17:42 - 2018-02-07 17:42 - 000303104 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\windows\ExpressVPN.SplitTunnel.dll
2018-02-07 17:46 - 2018-02-07 17:46 - 000441472 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\windows\ExpressVPN.FilterManager.dll
2018-03-20 19:15 - 2018-03-20 19:15 - 000172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\13f2fe6beff5766a8aec20e7a3cd4308\IsdiInterop.ni.dll
2015-08-11 17:44 - 2011-04-30 01:28 - 000059904 ____N () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\54696711.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\7727C411 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\54696711.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\7727C411 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE restricted site: HKU\S-1-5-21-1460914560-228546869-938245398-1000\...\laserveradedomaina.com -> hxxp://laserveradedomaina.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 20:34 - 2018-03-05 16:27 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1460914560-228546869-938245398-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Edwin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: Apple Mobile Device Service => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: bthserv => 3
MSCONFIG\Services: defragsvc => 3
MSCONFIG\Services: Fax => 3
MSCONFIG\Services: HitmanPro38CrusaderBoot => 2
MSCONFIG\Services: HitmanProScheduler => 2
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: SCardSvr => 3
MSCONFIG\Services: SCPolicySvc => 3
MSCONFIG\Services: Spooler => 2
MSCONFIG\Services: TapiSrv => 3
MSCONFIG\Services: WsAppService => 2
MSCONFIG\startupreg: Aimersoft Helper Compact.exe => C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
MSCONFIG\startupreg: AvgUi => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
MSCONFIG\startupreg: DelaypluginInstall => C:\ProgramData\Wondershare\Player\DelayPluginI.exe
MSCONFIG\startupreg: IAStorIcon => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
MSCONFIG\startupreg: ISUSPM => "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: WinZip FAH => C:\Program Files\WinZip\FAHConsole.exe
MSCONFIG\startupreg: WinZip PreLoader => C:\Program Files\WinZip\WzPreloader.exe
MSCONFIG\startupreg: WinZip UN => C:\Program Files\WinZip\WZUpdateNotifier.exe
MSCONFIG\startupreg: Wondershare Helper Compact.exe => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [VirtualPC-In-TCP-1] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [VirtualPC-In-UDP-2] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [VirtualPC-In-UDP-1] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{31ABF91F-CB91-4751-8054-B7E54903EBB4}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{AE4D36BF-39AD-460D-B5E4-87CE92D34604}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{8E3F2C32-A85C-4E05-9847-15B8B45A7F84}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{E99B35DB-E290-4737-8118-C589C57F7DC8}C:\program files (x86)\qbittorrent\qbittorrent.exe] => (Block) C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{471605BC-EBB1-47A0-86D2-962BC5D734AC}C:\program files (x86)\qbittorrent\qbittorrent.exe] => (Block) C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [{94020E99-9BDD-48CF-9061-C33E2F39B97C}] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [{546ACFBF-DD41-4710-AFCB-EB17C8B5385C}] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [{665C3CBA-4A0D-4B43-98D8-91759914B80F}] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [{DAE49187-B48D-4163-97BE-83628A092BA7}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{FAF1E6F8-18BE-49BD-A1A9-B384602F9C3E}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7BEF4D47-66BF-450F-B062-E130E857D023}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{01403DC5-4032-416B-A329-1AB8D0C24CB0}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{156D832A-500D-4DE1-8521-5641C734F140}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{48A835A0-94C1-4E20-9AF1-A678314D12F5}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{6FF04319-16F6-450A-AAED-87B0DCDC6810}C:\programdata\oracle\java\javapath_target_35032598\javaw.exe] => (Allow) C:\programdata\oracle\java\javapath_target_35032598\javaw.exe
FirewallRules: [UDP Query User{3FEA80DA-45D0-4742-BC24-FB6C21025739}C:\programdata\oracle\java\javapath_target_35032598\javaw.exe] => (Allow) C:\programdata\oracle\java\javapath_target_35032598\javaw.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: ExpressVPN Tap Adapter
Description: ExpressVPN Tap Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: ExpressVPN
Service: tapexpressvpn
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/21/2018 12:24:21 PM) (Source: nssm) (EventID: 1018) (User: )
Description: Failed to read registry value AppDirectory:
The operation completed successfully.
 
Error: (03/21/2018 11:50:33 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Autoruns\autorunsc.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (03/21/2018 11:50:33 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Autoruns\Autoruns.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (03/21/2018 11:48:21 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\autorunsc.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (03/21/2018 11:48:21 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Autoruns.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (03/21/2018 11:47:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\autorunsc.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (03/21/2018 11:47:01 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Autoruns.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (03/21/2018 09:42:01 AM) (Source: nssm) (EventID: 1018) (User: )
Description: Failed to read registry value AppDirectory:
The operation completed successfully.
 
 
System errors:
=============
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 12:28:51 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-2400 CPU @ 3.10GHz
Percentage of memory in use: 58%
Total physical RAM: 7129.13 MB
Available physical RAM: 2947.11 MB
Total Virtual: 14256.44 MB
Available Virtual: 9581.73 MB
 
==================== Drives ================================
 
Drive c: (Win 7) (Fixed) (Total:111.79 GB) (Free:50 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Crucial 64GB) (Fixed) (Total:59.62 GB) (Free:49.34 GB) NTFS
Drive e: (Docs Bup) (Fixed) (Total:37.27 GB) (Free:9.9 GB) NTFS
Drive f: (My Docs) (Fixed) (Total:64.16 GB) (Free:36.14 GB) NTFS
Drive g: (Temp) (Fixed) (Total:6.98 GB) (Free:4.6 GB) NTFS
Drive h: (DRV1_VOL2) (Fixed) (Total:2.49 GB) (Free:0.33 GB) FAT32
 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 111.8 GB) (Disk ID: D3E78CB5)
Partition 1: (Active) - (Size=111.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 59.6 GB) (Disk ID: F43E6C93)
Partition 1: (Active) - (Size=59.6 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 76.3 GB) (Disk ID: 0AC6C13D)
Partition 1: (Active) - (Size=64.2 GB) - (Type=42)
Partition 2: (Not Active) - (Size=12.2 GB) - (Type=42)
 
========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 37.3 GB) (Disk ID: 4F4B9E62)
Partition 1: (Not Active) - (Size=37.3 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
#2 Aura - Bleepin' Special Ops (Malware Response Team, 19,697 posts)
Posted 21 March 2018 - 06:31 PM

Hi edwindes :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me not to reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens.
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you not to seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you.
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system.
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need them. There's no shame in asking questions here; better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off.
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced.
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not; I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules.
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process.
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, doesn't mean that the infection is completely gone.
    This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Copy/paste the following inside the text area:
    Start::
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes
    End::
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura - Bleepin' Special Ops (Malware Response Team, 19,697 posts)
Posted 26 March 2018 - 07:17 AM

Hi edwindes,

Are you still with me?



#4 edwindes - Topic Starter (Members, 5 posts)
Posted 26 March 2018 - 11:43 AM

Hi Aura,

Thanks for the response. I was able to solve the Trojan problem using EasyRE. I'm clean once again!!



#5 Aura - Bleepin' Special Ops (Malware Response Team, 19,697 posts)
Posted 28 March 2018 - 07:09 AM

That's good news! However, SmartService leaves a lot of stuff behind, and simply running FRST in the Windows RE isn't enough to fully remove it, so if you could stay with me until I declare you clean, I would appreciate it :)

So, you ran FRST in the Windows RE, right?



#6 edwindes - Topic Starter (Members, 5 posts)
Posted 29 March 2018 - 02:34 PM

> That's good news! However, SmartService leaves a lot of stuff behind, and simply running FRST in the Windows RE isn't enough to fully remove it, so if you could stay with me until I declare you clean, I would appreciate it :)
>
> So, you ran FRST in the Windows RE, right?

So after deleting the files and folders in which the Trojan was hiding, I did a fresh install, so I believe I'm set. You agree?



#7 Aura - Bleepin' Special Ops (Malware Response Team, 19,697 posts)
Posted 29 March 2018 - 02:45 PM

You're set, yes :) Was there anything else, or was that it?



#8 Aura - Bleepin' Special Ops (Malware Response Team, 19,697 posts)
Posted 31 March 2018 - 10:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
