Avast found 291 infections of "Sevnz.exe" rootkit virus!


This topic is locked
22 replies to this topic

#1 Dell_User7

Dell_User7

  • Members
  • 30 posts

Posted 15 April 2018 - 06:05 PM

This happened on 4/11 of this year while doing a scan with Avast and MalwareBytes at the same time.

 

The avast scan froze at 30% on a full scan. After waiting for about 45 minutes, I cancelled the scan, and 291 rootkit infections of "Sevnz.exe" were revealed! I suspect that there were way more infections of the rootkit not found yet. I immediately hit the recommended delete button on all 291 infections, but avast just locked up and froze, showing the busy circle but never removing the infections (as far as I know).

 

Right afterwards, I booted into safe mode and backed up all my important files. 

After that I did various scans with Malwarebytes and different rootkit scanners, but none of them found any infections, except possibly Gmer, which I can't understand, just being a basic computer user.

 

RogueKiller also found two suspicious infected entries in the registry, which I removed. 

 

How this infection started:

 

4/10

I downloaded a legit, free (and supposedly safe) program called "Unetbootin" from the official site, "www.Unetbootin.github.lo", for burning an ISO to a USB drive.

 

I had previously downloaded and tried "Rufus" and "Iso to usb", which VoodooShield gave no suspicious warnings about before running.

 

However, when I ran UNetbootin, VoodooShield warned me about letting the process "sevnz" run, and the threat bar was close to the red area. I first looked up the process, only going to one site to read about what programs commonly use this process, and I read that it was usually a safe and trusted process to let run, commonly used in programs like 7zip for extracting the contents of archive-packed files like zip, rar and ISO.

 

Without doing further research (my mistake), I let the program run, and I was finally able to get a few different ISOs to correctly burn to my 14 gig USB drive. I was thrilled because I had already tried "Rufus" and "Iso to usb" and they kept having burn errors. I was also kind of in a hurry to get a Linux distro installed on a friend's laptop, so I didn't have the extra time to read more in-depth about a particular process or file.

 

4/11

Then the next day, I was on Internet Explorer (in the sandbox environment using Sandboxie) and, while reading about a hard-to-find operating system, I got a basic web attack telling me that my system had been compromised, and I wasn't able to click out of anything in the browser without terminating all of my processes within my sandbox environment. No big issue there; I just started a clean new sandbox environment and Internet Explorer was fine.

 

However, this made me want to run a full scan with Avast (which is set to also search for hidden rootkits) just to be on the safe side, and then I discovered that my computer had likely been infected the day before after using the program "Unetbootin". It is normally a safe and trusted program to use, but I guess the program got injected with a rootkit. Either that, or avast was turning up a false positive.

But I believe that it is more likely that I am infected with a rootkit because avast found so many infected entries of the same file. (291+ Sevnz.exe rootkit infections)

 

I immediately looked up "Sevnz.exe rootkit" and several websites said that this rootkit was possibly a form of ransomware, but one of a wild variant type that doesn't encrypt your files.

After immediately booting into safe mode after avast froze on trying to remove the 291 infections, as well as Malwarebytes freezing up on its scan, I checked all of my music and video files, and I found no foul play of file encryption. Thank goodness! Then I backed up all of my files to an external hard drive, before restarting my computer normally under my new and old admin accounts for testing.

 

I do realize that this does not mean that all of my files were untouched from infection. 

 

But I can't be sure without receiving some professional help here. 

 

I want to be absolutely certain (as much as I possibly can) that my PC is clean from this nasty infection, or at least supplied with a good enough result to better direct me on what the best course of action would be. They say that if you know that you are infected by a rootkit (which I'm still not completely sure on) you should re-partition and re-format your hard drive and re-install Windows. I'm prepared to do this, if I have to. However, I don't have a Windows 7 Pro OEM Dell install CD, as my Dell computer only came with a Windows 8.1 install disc, but my computer came pre-installed with Windows 7 Professional, which I prefer.

 

I did make a factory system image on a USB drive when I first got my new Dell desktop, so restoring my computer to its pre-installed factory defaults is an option, without having to re-install Windows.

 

However, first I need to be advised on what type of rootkit infection (if I am in fact infected) I have and how to best go about removing it. For example, whether or not restoring my system to its factory installed defaults would be a safe and effective solution against the rootkit, or if I could wind up just being "re-infected". I suspect that if I am infected, it is a user mode or kernel based rootkit infection. I say this because after rebooting my computer and creating a new admin account and a standard account (to quickly run some tests), I noticed that on both of those accounts there have been obvious modifications to the right-click functions of AlZip, where the English text is replaced with Korean letters. I'm pretty sure that is not normal on ESTsoft's products.

 

Since being on my new admin account, I have run a full virus scan with Avast and a few other rootkit scanners but they have found nothing. But this may be because the rootkit has now effectively hidden itself from being detected.

 

I also noticed that Avast still hangs indefinitely at 30% when doing a full virus scan on my old admin account, but on my new admin account (with a new password) avast was able to perform a full virus scan in about an hour and a half, and only got stuck around 30% for 10 minutes, unlike on my old admin account where avast hung at 30% for over an hour and onward.

 

I am now logged into my new admin account in safe mode, and I will not be logging back into my old admin account, unless directed to do so.  

 

Also, I have since re-installed avast to help avast finish the full virus scan, as you sometimes have to do to get avast to work properly, so my history of the 291 rootkit infections has been wiped. I did the re-install on my new admin Windows account.

 

Following below are my FRST and Addition logs, as recommended to provide before posting about my possible infection. Also, I have already backed up all of my important files, so I'm ready to perform any type of scan, reg edit or anything else that may be risky to perform. I also have a backup laptop to report back from if my main computer becomes unbootable from edits made in the registry.

 

--

I should also mention that I may have an older infection done by Kaspersky Labs, which I have been unable to uninstall, so new installs of AVs always warn me to first uninstall Kaspersky before installing the new AV. I was reluctant to perform invasive methods before when inquiring for aid from this forum, largely because I hadn't backed up all of my files before, so I was too worried about losing the files on my hard drive then, and not being able to boot into Windows. But now, I'm fully prepared to do anything requested by the staff on BleepingComputer to help clean my computer.

------------------------------------------




#2 Dell_User7

Dell_User7
  • Topic Starter

  • Members
  • 30 posts

Posted 15 April 2018 - 06:07 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15.04.2018
Ran by Zar_Admin2 (administrator) on ZAR-UNITYV4-PC (15-04-2018 16:21:04)
Running from C:\Users\Zar_Admin2\Downloads
Loaded Profiles: Zar_Admin2 (Available Profiles: Zar-Unityv4 & Zar_Admin2)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\baidu\SparkSafe\Spark.exe" -- "%1")
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-05-09] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [242392 2018-04-14] (AVAST Software)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [133400 2011-12-16] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [646680 2017-12-19] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4291765073-3835710626-4147568939-1008\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie_5.20 (64)\SbieCtrl.exe [799880 2017-10-30] (Sandboxie Holdings, LLC)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{842EEBF7-5F77-4BA2-B7D1-7636C4167F86}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{93D7F91C-E7C8-4A14-A0D6-BF481CD4E433}: [NameServer] 84.200.69.80,84.200.70.40
 
Internet Explorer:
==================
HKU\S-1-5-21-4291765073-3835710626-4147568939-1008\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-4291765073-3835710626-4147568939-1008\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2018-01-25] (IObit)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre-9.0.4\bin\ssv.dll => No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre-9.0.4\bin\jp2ssv.dll [2018-03-06] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Toolbar: HKLM-x32 - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Handler: vipresg - No CLSID Value
 
FireFox:
========
FF DefaultProfile: 65mhg42b.default
FF ProfilePath: C:\Users\Zar_Admin2\AppData\Roaming\Mozilla\Firefox\Profiles\65mhg42b.default [2018-04-14]
FF Extension: (All Aboard) - C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\@all-aboard-v1-5 [2017-07-29] [Legacy]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-15] ()
FF Plugin: @java.com/DTPlugin,version=12.0.4.0 -> C:\Program Files\Java\jre-9.0.4\bin\dtplugin\npDeployJava1.dll [2018-03-06] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=12.0.4.0 -> C:\Program Files\Java\jre-9.0.4\bin\plugin2\npjp2.dll [2018-03-06] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-15] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-02-11] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2017-05-09]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.duckduckgo.com/
CHR DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> duckdg
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default [2018-04-15]
CHR Extension: (Slides) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-04-15]
CHR Extension: (Docs) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-04-15]
CHR Extension: (Google Drive) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-04-15]
CHR Extension: (YouTube) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-04-15]
CHR Extension: (Spotify - Music for every moment) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnkjkdjlofllcpbemipjbcpfnglbgieh [2018-04-15]
CHR Extension: (Blue Bird) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\elhjijmekiobeohmhenmnccklpjakino [2018-04-15]
CHR Extension: (Sheets) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-04-15]
CHR Extension: (Google Docs Offline) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-04-15]
CHR Extension: (Windscribe - Free VPN and Ad Blocker) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcnanddlhb [2018-04-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-15]
CHR Extension: (Ads Killer Adblocker Plus) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgbllmbdjgcalkoimdfcpknbjgnhjclg [2018-04-15]
CHR Extension: (Gmail) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-04-15]
CHR Extension: (Chrome Media Router) - C:\Users\Zar_Admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-04-15]
CHR HKLM\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7603408 2018-04-14] (AVAST Software)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [313640 2018-04-14] (AVAST Software)
S3 AVP16.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe [194000 2015-12-05] (Kaspersky Lab ZAO)
S3 CGVPNCliService; C:\Program Files\CyberGhost 5\Service.exe [65128 2016-08-08] (CyberGhost S.R.L)
S3 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2573520 2015-05-22] (Dell Inc.)
S2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
S2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [4354000 2017-07-25] (SecureMix LLC)
S2 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [206096 2018-01-25] (IObit)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6479136 2018-03-27] (Malwarebytes)
S2 SbieSvc; C:\Program Files\Sandboxie_5.20 (64)\SbieSvc.exe [198792 2017-10-30] (Sandboxie Holdings, LLC)
S2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2014-04-04] (SoftThinks SAS)
S3 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-04-22] (Dell Inc.)
S2 VoodooShieldService; C:\Program Files\VoodooShield\VoodooShieldService.exe [132944 2018-03-22] (VoodooSoft, LLC )
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-12-02] (Microsoft Corporation)
S2 WindscribeService; C:\Program Files (x86)\Windscribe\WindscribeService.exe [442472 2017-11-12] (Windscribe Limited)
S2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [73728 2012-02-08] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [196640 2018-04-14] (AVAST Software)
S3 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [227504 2018-04-14] (AVAST Software)
S3 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199440 2018-04-14] (AVAST Software)
S3 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343752 2018-04-14] (AVAST Software)
S3 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57680 2018-04-14] (AVAST Software)
S1 aswHdsKe; C:\Windows\System32\drivers\aswHdsKe.sys [227784 2018-04-14] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46968 2018-04-14] (AVAST Software)
S2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [147224 2018-04-14] (AVAST Software)
S3 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [111352 2018-04-14] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84368 2018-04-14] (AVAST Software)
S3 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1026696 2018-04-14] (AVAST Software)
S1 aswSP; C:\Windows\System32\drivers\aswSP.sys [460520 2018-04-14] (AVAST Software)
S3 aswStm; C:\Windows\System32\drivers\aswStm.sys [205976 2018-04-14] (AVAST Software)
S3 aswTap; C:\Windows\System32\DRIVERS\aswTap.sys [44640 2014-07-02] (The OpenVPN Project)
S3 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [380528 2018-04-14] (AVAST Software)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [389816 2015-07-06] (Kaspersky Lab ZAO)
S3 DDDriver; C:\Windows\System32\drivers\DDDriver64Dcsa.sys [23760 2015-02-26] (Dell Computer Corporation)
S3 DellProf; C:\Windows\System32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [40584 2015-08-27] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [32400 2016-03-04] (ThreatTrack Security)
R1 gwdrv; C:\Windows\System32\DRIVERS\gwdrv.sys [33248 2015-05-29] (SecureMix LLC)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2018-04-14] ()
S1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2016-01-25] (REALiX™)
S3 IUFileFilter; C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IUFileFilter.sys [21928 2017-06-06] (IObit.com)
S3 IURegProcessFilter; C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IURegProcessFilter.sys [22416 2018-01-11] (IObit.com)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [478392 2015-06-22] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [53432 2015-06-06] (Kaspersky Lab ZAO)
S1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [70000 2015-06-27] (Kaspersky Lab ZAO)
S2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [77728 2016-05-10] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [181640 2015-12-05] (AO Kaspersky Lab)
S1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [237480 2016-05-24] (AO Kaspersky Lab)
S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [943536 2016-05-24] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [49240 2016-05-24] (AO Kaspersky Lab)
S3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [41144 2015-06-06] (Kaspersky Lab ZAO)
S3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [41648 2015-06-07] (Kaspersky Lab ZAO)
S1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [41352 2015-12-05] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [65208 2015-06-11] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [103096 2015-06-16] (Kaspersky Lab ZAO)
S1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [187056 2015-06-23] (Kaspersky Lab ZAO)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193768 2018-04-15] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [112864 2018-04-15] (Malwarebytes)
S3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [44768 2018-04-15] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-04-15] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [93816 2018-04-15] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2015-07-28] (Intel Corporation)
S3 Neo_VPN-Zar; C:\Windows\System32\DRIVERS\Neo_0013.sys [28768 2014-12-11] (SoftEther VPN Project at University of Tsukuba, Japan.)
S2 npf; C:\Windows\system32\drivers\npf.sys [36600 2017-01-02] (Riverbed Technology, Inc.)
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2018-02-07] (Greatis Software)
S3 RTSUER; C:\Windows\System32\Drivers\RtsUer.sys [404184 2016-01-21] (Realsil Semiconductor Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SbieDrv; C:\Program Files\Sandboxie_5.20 (64)\SbieDrv.sys [209544 2017-10-30] (Sandboxie Holdings, LLC)
R1 SBRE; C:\Windows\system32\drivers\SBREdrv.sys [55384 2011-08-29] (Sunbelt Software)
S3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [95608 2015-09-29] (ThreatTrack Security)
R3 tapwindscribe0901; C:\Windows\System32\DRIVERS\tapwindscribe0901.sys [45560 2017-09-13] (The OpenVPN Project)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2018-04-13] ()
S3 VSScanner; C:\Windows\System32\DRIVERS\vsscanner.sys [21064 2016-08-19] (VoodooSoft, LLC)
R2 WebExaminer; C:\Windows\system32\Drivers\WebExaminer64.sys [34408 2015-10-16] (ThreatTrack Security Inc.)
U3 aswbdisk; no ImagePath
S3 cpuz137; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [X]
S3 MFE_RR; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\mfe_rr.sys [X] <==== ATTENTION
S3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [X]
U2 TMAgent; no ImagePath
S3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-15 16:21 - 2018-04-15 16:22 - 000019408 _____ C:\Users\Zar_Admin2\Downloads\FRST.txt
2018-04-15 16:19 - 2018-04-15 16:19 - 002403328 _____ (Farbar) C:\Users\Zar_Admin2\Downloads\FRST64.exe
2018-04-15 16:06 - 2018-04-15 16:06 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Google
2018-04-15 03:25 - 2018-04-15 03:25 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\ECRSC
2018-04-15 03:04 - 2018-04-15 03:25 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\ESTSoft
2018-04-15 03:04 - 2018-04-15 03:04 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\Apple Computer
2018-04-15 03:02 - 2018-04-15 03:02 - 000000000 ____D C:\Users\Zar_Admin2\AppData\LocalLow\Apple Computer
2018-04-15 02:50 - 2018-04-15 02:58 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\ImgBurn
2018-04-14 22:16 - 2018-04-14 22:16 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000380528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000376536 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-04-14 22:16 - 2018-04-14 22:16 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000196640 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000147224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000111352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000084368 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000003910 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-04-14 22:16 - 2018-04-14 22:16 - 000001890 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2018-04-14 22:16 - 2018-04-14 22:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2018-04-14 22:16 - 2018-04-14 22:15 - 001026696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000343752 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000227784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHdsKe.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000227504 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000199440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000057680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-04-14 22:07 - 2018-04-14 22:08 - 000178320 _____ (AVAST Software) C:\Users\Zar_Admin2\Downloads\avast_free_antivirus_setup_online_cnet2.exe
2018-04-14 22:06 - 2018-04-14 22:08 - 000000000 ____D C:\Users\Zar_Admin2\AppData\LocalLow\Mozilla
2018-04-14 22:05 - 2018-04-14 22:06 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Mozilla
2018-04-14 22:05 - 2018-04-14 22:05 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\Mozilla
2018-04-14 22:02 - 2018-04-14 22:02 - 000000000 ____D C:\Users\Zar_Admin2\AppData\LocalLow\IObit
2018-04-14 21:42 - 2018-04-14 21:42 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Intel Corporation
2018-04-14 21:42 - 2018-04-14 21:42 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\AVAST Software
2018-04-14 21:42 - 2018-04-14 21:42 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\CEF
2018-04-14 21:40 - 2018-04-15 16:11 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\Google
2018-04-14 21:40 - 2018-04-14 21:40 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Apple Computer
2018-04-14 21:39 - 2018-04-14 22:08 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\IObit
2018-04-14 21:39 - 2018-04-14 21:39 - 000001379 _____ C:\Users\Zar_Admin2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-04-14 21:39 - 2018-04-14 21:39 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Adobe
2018-04-14 21:39 - 2018-04-14 21:39 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\VirtualStore
2018-04-14 21:38 - 2018-04-14 21:38 - 000095760 _____ C:\Users\Zar_Admin2\AppData\Local\GDIPFONTCACHEV1.DAT
2018-04-14 21:34 - 2018-04-14 21:34 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\CrashDumps
2018-04-14 20:34 - 2018-04-14 20:34 - 000000000 ____D C:\Windows\pss
2018-04-14 20:21 - 2018-04-14 20:21 - 000644860 _____ C:\Users\Zar_Admin2\Desktop\regrunlog.txt
2018-04-14 18:59 - 2018-04-14 19:00 - 000000000 ____D C:\Users\Zar_Admin2\Desktop\TMRBLog
2018-04-14 18:59 - 2018-04-14 18:59 - 000000000 ____D C:\Users\Zar_Admin2\Desktop\log
2018-04-14 18:22 - 2018-04-14 20:11 - 000000000 ____D C:\EEK2
2018-04-14 18:18 - 2018-04-14 18:19 - 325670168 _____ C:\Users\Zar_Admin2\Desktop\EmsisoftEmergencyKit.exe
2018-04-14 15:53 - 2018-04-14 21:41 - 000000000 ____D C:\Users\Zar_Admin2
2018-04-14 15:53 - 2018-04-14 15:53 - 000000020 ___SH C:\Users\Zar_Admin2\ntuser.ini
2018-04-14 06:05 - 2018-04-14 06:06 - 000232160 _____ C:\TDSSKiller.3.1.0.16_14.04.2018_06.05.20_log.txt
2018-04-14 04:39 - 2018-04-14 04:39 - 000002011 _____ C:\Users\Zar_Admin2\Desktop\Remove Avira PC Cleaner.lnk
2018-04-14 04:39 - 2018-04-14 04:39 - 000001951 _____ C:\Users\Zar_Admin2\Desktop\Avira PC Cleaner.lnk
2018-04-14 04:23 - 2018-04-14 04:23 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-04-14 03:07 - 2018-04-14 03:07 - 000000000 ____D C:\Users\Zar-Unityv4\Pavark
2018-04-13 15:40 - 2018-04-14 17:37 - 000003820 _____ C:\Users\Zar_Admin2\Desktop\Rkill.txt
2018-04-11 22:54 - 2018-04-11 22:54 - 000001013 _____ C:\Users\Zar_Admin2\Desktop\UnHackMe.lnk
2018-04-11 22:54 - 2018-04-11 22:54 - 000000418 _____ C:\Windows\Tasks\UnHackMe Task Scheduler.job
2018-04-11 22:54 - 2018-04-11 22:54 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
2018-04-11 22:53 - 2018-04-11 11:35 - 019081288 _____ (Greatis Software, LLC. ) C:\Users\Zar_Admin2\Desktop\unhackme_setup.exe
2018-04-11 22:18 - 2017-05-01 07:31 - 002724512 _____ (Sysinternals - www.sysinternals.com) C:\Users\Zar_Admin2\Desktop\procexp.exe
2018-04-11 22:01 - 2018-04-11 22:01 - 014999000 _____ (Trend Micro Inc.) C:\Users\Zar_Admin2\Desktop\RootkitBusterV5.0-1203x64.exe
2018-04-11 21:53 - 2018-04-11 21:53 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\D61A9133.sys
2018-04-11 21:47 - 2018-04-11 22:23 - 000000000 ____D C:\Users\Zar_Admin2\Desktop\mbar
2018-04-11 13:38 - 2018-04-11 13:38 - 000003421 _____ C:\Users\Zar_Admin2\Desktop\unetbootin-windows-657.exe.lnk
2018-04-10 12:28 - 2018-04-10 12:28 - 000001029 _____ C:\Users\Public\Desktop\ISO to USB.lnk
2018-04-10 12:28 - 2018-04-10 12:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ISO to USB
2018-04-10 12:28 - 2018-04-10 12:28 - 000000000 ____D C:\Program Files (x86)\ISO to USB
2018-04-09 22:11 - 2018-04-10 12:25 - 000000400 __RSH C:\ProgramData\ntuser.pol
2018-04-07 20:46 - 2018-04-07 20:46 - 000000000 ____D C:\ProgramData\SplitMediaLabs
2018-04-07 20:44 - 2018-04-07 21:10 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\SplitmediaLabs
2018-04-07 19:29 - 2018-04-15 16:03 - 000044768 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-04-07 19:28 - 2018-04-15 16:03 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-04-07 19:28 - 2018-04-15 16:03 - 000193768 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-04-07 19:28 - 2018-04-15 02:32 - 000093816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-04-07 19:28 - 2018-04-15 02:17 - 000112864 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-04-07 19:28 - 2018-04-14 17:36 - 000001994 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-04-07 19:28 - 2018-04-07 19:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-04-07 19:28 - 2018-03-19 12:57 - 000076192 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-04-07 16:19 - 2018-04-07 16:19 - 000000000 ____D C:\Users\Zar_Admin2\Documents\AceThinker
2018-04-07 16:19 - 2018-04-07 16:19 - 000000000 ____D C:\log
2018-04-07 16:18 - 2018-04-07 16:19 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\AceThinker
2018-04-07 16:18 - 2018-04-07 16:19 - 000000000 ____D C:\ProgramData\AceThinker
2018-04-07 16:18 - 2018-04-07 16:18 - 000001368 _____ C:\Users\Public\Desktop\AceThinker Video Master.lnk
2018-04-07 16:18 - 2018-04-07 16:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AceThinker
2018-04-07 16:18 - 2018-04-07 16:18 - 000000000 ____D C:\Program Files (x86)\AceThinker
2018-04-07 16:18 - 2017-01-02 11:53 - 000370424 _____ (Riverbed Technology, Inc.) C:\Windows\system32\wpcap.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000282360 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\wpcap.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000107768 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Packet.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000098040 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\Packet.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000053299 _____ C:\Windows\SysWOW64\pthreadVC.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000036600 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Drivers\npf.sys
2018-04-05 12:41 - 2018-04-05 12:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyFinder
2018-04-05 12:41 - 2018-04-05 12:41 - 000000000 ____D C:\Program Files (x86)\Magical Jelly Bean
2018-04-04 12:38 - 2018-04-04 12:38 - 000000109 _____ C:\Users\Zar-Unityv4\AppData\Local\kritadisplayrc
2018-04-03 11:01 - 2018-04-03 11:01 - 000002419 _____ C:\Users\Zar_Admin2\Desktop\InstaGC2 - Chrome.lnk
2018-04-03 11:01 - 2018-04-03 11:01 - 000002375 _____ C:\Users\Zar_Admin2\Desktop\Zar - Chrome.lnk
2018-04-01 10:18 - 2018-04-01 10:18 - 000002308 _____ C:\Users\Zar-Unityv4\AppData\Local\recently-used.xbel
2018-03-24 16:58 - 2018-03-24 16:58 - 000004715 _____ C:\Users\Zar_Admin2\Desktop\snes9x-x64.exe.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-15 16:21 - 2018-01-26 13:00 - 000000000 ____D C:\FRST
2018-04-15 16:07 - 2009-07-14 01:13 - 000896288 _____ C:\Windows\system32\PerfStringBackup.INI
2018-04-15 16:07 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2018-04-15 16:03 - 2017-09-01 06:12 - 001138482 _____ C:\Windows\ntbtlog.txt
2018-04-15 03:44 - 2017-07-18 04:53 - 000004180 _____ C:\Windows\Sandboxie.ini
2018-04-15 03:43 - 2017-08-28 22:09 - 000000000 ____D C:\ProgramData\VoodooShield
2018-04-15 03:39 - 2014-12-20 23:38 - 000000000 ___RD C:\Sandbox
2018-04-15 03:36 - 2013-12-02 21:26 - 000000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2018-04-15 03:33 - 2014-01-17 22:05 - 000000000 ____D C:\ProgramData\softthinks
2018-04-15 03:25 - 2016-02-08 23:19 - 000000000 ____D C:\Users\Zar_Admin2\Documents\__The useful box__
2018-04-15 02:42 - 2009-07-14 00:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-04-15 02:42 - 2009-07-14 00:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-04-15 02:16 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-04-14 22:16 - 2015-12-03 18:04 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2018-04-14 22:12 - 2017-11-19 13:31 - 000000000 ____D C:\ProgramData\AVAST Software
2018-04-14 22:10 - 2015-01-06 19:09 - 000000000 ____D C:\avast! sandbox
2018-04-14 21:35 - 2014-10-14 01:27 - 000000000 ____D C:\AdwCleaner
2018-04-14 20:55 - 2014-01-14 05:12 - 000000000 ____D C:\Users\Zar-Unityv4
2018-04-14 20:21 - 2017-07-18 07:44 - 000000000 ____D C:\Users\Public\Documents\regruninfo
2018-04-14 20:18 - 2017-07-18 07:44 - 000000000 ____D C:\ProgramData\RegRun
2018-04-14 19:31 - 2016-11-28 07:36 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\LocalLow\Mozilla
2018-04-14 19:16 - 2018-02-07 20:03 - 000000000 ____D C:\Program Files (x86)\UnHackMe
2018-04-14 17:54 - 2016-11-28 08:36 - 000001077 _____ C:\Users\Public\Desktop\Firefox.lnk
2018-04-14 17:28 - 2016-12-21 09:48 - 000000000 ____D C:\ProgramData\ProductData
2018-04-14 16:03 - 2014-06-05 06:31 - 000000000 ____D C:\Windows\Minidump
2018-04-14 16:03 - 2013-12-02 22:25 - 000270690 ____N C:\Windows\Minidump\041418-22448-01.dmp
2018-04-14 15:31 - 2014-01-22 00:45 - 000000000 ____D C:\Users\Zar_Admin2\Documents\A) My programs
2018-04-14 04:38 - 2014-07-15 15:55 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\CrashDumps
2018-04-13 03:06 - 2018-01-16 00:03 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-04-12 16:53 - 2014-03-16 04:45 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\ESET
2018-04-11 23:02 - 2017-07-18 07:44 - 000000000 ____D C:\Users\Zar_Admin2\Documents\RegRun2
2018-04-11 22:23 - 2014-07-01 21:18 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-04-11 21:53 - 2014-10-15 00:31 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-04-11 20:18 - 2017-07-29 18:33 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-04-11 20:18 - 2016-11-28 08:36 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-04-11 20:18 - 2014-03-13 03:04 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2018-04-11 19:38 - 2014-09-25 20:06 - 000007598 _____ C:\Users\Zar-Unityv4\AppData\Local\Resmon.ResmonCfg
2018-04-11 19:31 - 2014-01-24 02:11 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\Last.fm
2018-04-11 19:31 - 2014-01-24 02:07 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\foobar2000
2018-04-09 22:11 - 2009-07-13 23:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-04-08 22:29 - 2018-03-11 10:02 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\obs-studio
2018-04-08 18:34 - 2014-01-22 03:08 - 000024501 _____ C:\Users\Zar_Admin2\Documents\-All New Passwords-.txt
2018-04-07 21:10 - 2018-02-09 19:14 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\IObit
2018-04-07 21:10 - 2016-01-25 20:57 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\LocalLow\IObit
2018-04-07 21:10 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\registration
2018-04-04 12:38 - 2017-11-07 03:49 - 000023652 _____ C:\Users\Zar-Unityv4\AppData\Local\kritarc
2018-04-03 19:57 - 2017-04-19 21:23 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-04-01 10:18 - 2017-10-08 00:28 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\gtk-2.0
2018-04-01 10:18 - 2017-10-08 00:18 - 000000000 ____D C:\Users\Zar-Unityv4\.gimp-2.8
2018-03-30 13:00 - 2014-04-19 03:09 - 000000000 ____D C:\Users\Zar_Admin2\Documents\Finale Files
2018-03-23 19:47 - 2017-08-28 22:09 - 000000830 _____ C:\Users\Public\Desktop\Voodoo Shield.lnk
2018-03-23 19:47 - 2017-08-28 22:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VoodooShield
2018-03-23 19:47 - 2017-08-28 22:09 - 000000000 ____D C:\Program Files\VoodooShield
2018-03-23 02:09 - 2015-07-25 16:59 - 000022804 _____ C:\Users\Zar_Admin2\Documents\Music links and special info.txt
2018-03-20 18:20 - 2017-08-10 07:06 - 000002228 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-03-20 18:20 - 2017-08-10 07:06 - 000002187 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-03-20 16:29 - 2016-07-20 10:24 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\Skype
2018-03-18 18:57 - 2018-01-16 01:56 - 000000000 ____D C:\Users\Zar_Admin2\Documents\FlashIntegro
2018-03-18 08:48 - 2017-07-17 21:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2018-03-18 08:48 - 2016-11-28 06:29 - 000001378 _____ C:\Users\Public\Desktop\IObit Uninstaller.lnk
2018-03-18 08:48 - 2016-01-07 23:32 - 000001390 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller.lnk
2018-03-18 08:47 - 2016-01-25 20:56 - 000000000 ____D C:\ProgramData\IObit
2018-03-18 08:40 - 2018-03-11 07:21 - 000000000 ____D C:\Program Files (x86)\Windscribe
2018-03-16 13:10 - 2018-03-11 12:04 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\YouNow
 
==================== Files in the root of some directories =======
 
2017-08-11 10:25 - 2017-08-11 10:25 - 000001099 _____ () C:\Program Files\installer_prefs.json
2017-08-11 10:25 - 2017-08-11 10:25 - 000001208 _____ () C:\Program Files\server_tracking_data
2016-01-15 21:34 - 2016-01-15 21:34 - 000012908 _____ () C:\Program Files (x86)\installation_status.xml
2016-01-15 21:34 - 2016-01-20 21:34 - 000000687 _____ () C:\Program Files (x86)\installer_prefs.json
2016-01-15 21:34 - 2015-10-23 06:01 - 000000317 _____ () C:\Program Files (x86)\launcher.visualelementsmanifest.xml
2016-01-15 21:34 - 2015-10-09 18:04 - 000003072 _____ () C:\Program Files (x86)\Resources.pri
2016-01-15 21:34 - 2016-01-15 21:33 - 000000849 _____ () C:\Program Files (x86)\server_tracking_data
 
Some files in TEMP:
====================
2018-04-13 03:05 - 2017-08-11 02:36 - 001732864 _____ (Microsoft Corporation) C:\Users\Zar-Unityv4\AppData\Local\Temp\dllnt_dump.dll
2018-04-05 11:43 - 2018-04-05 11:43 - 000262144 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\flac.exe
2018-03-23 19:46 - 2018-03-23 19:46 - 014485128 _____ (VoodooSoft, LLC                                             ) C:\Users\Zar-Unityv4\AppData\Local\Temp\InstallVoodooShield.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000581120 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\lame.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000074752 _____ (Matthew T. Ashland) C:\Users\Zar-Unityv4\AppData\Local\Temp\MAC.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000074240 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\oggdec.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000155136 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\oggenc.exe
2018-04-14 19:01 - 2018-04-14 19:01 - 001458856 _____ (Sysinternals - www.sysinternals.com) C:\Users\Zar-Unityv4\AppData\Local\Temp\procexp64.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-03-29 02:55
 
==================== End of FRST.txt ============================


#3 Dell_User7

  • Topic Starter
  • Members
  • 30 posts

Posted 15 April 2018 - 06:29 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15.04.2018
Ran by Zar_Admin2 (15-04-2018 16:22:24)
Running from C:\Users\Zar_Admin2\Downloads
Windows 7 Professional Service Pack 1 (X64) (2014-01-14 09:11:57)
Boot Mode: Safe Mode (with Networking)
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-4291765073-3835710626-4147568939-500 - Administrator - Disabled)
Guest (S-1-5-21-4291765073-3835710626-4147568939-501 - Limited - Disabled)
Zar-Unityv4 (S-1-5-21-4291765073-3835710626-4147568939-1000 - Administrator - Enabled) => C:\Users\Zar-Unityv4
Zar_Admin2 (S-1-5-21-4291765073-3835710626-4147568939-1008 - Administrator - Enabled) => C:\Users\Zar_Admin2
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Disabled - Out of date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Kaspersky Internet Security (Disabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Kaspersky Internet Security (Disabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Disabled - Out of date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
FW: Kaspersky Internet Security (Disabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Accidental Damage Services Agreement (HKLM-x32\...\{EF85FEF4-EB92-4075-A6D2-5F519BB30A2C}) (Version: 2.0.0 - Dell Inc.)
AceThinker Video Master V4.6.1 (HKLM-x32\...\{CDD36B59-DF4F-4401-92FF-0FF8417CDF4C}_is1) (Version: 4.6.1 - AceThinker)
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{C23EE7CE-C1A3-4F94-A8F0-9E0AC9C6DE6E}) (Version: 1.1 - Eyeo GmbH)
Adblock Plus for IE (HKLM-x32\...\{fd97d1e2-368a-4cd9-af63-8eeff938044a}) (Version: 1.1 - )
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20038 - Adobe Systems Incorporated)
Adobe Flash Player 26 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 26.0.0.131 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.137 - Adobe Systems Incorporated)
ALSee 6.22 (HKLM-x32\...\ALSee_is1) (Version: v6.22 - ESTsoft Corp.)
ALShow 2.01 (HKLM-x32\...\ALShow_is1) (Version: v2.01 - ESTsoft Corp.)
ALZip 8.51 (HKLM-x32\...\ALZip_is1) (Version: v8.51 - ESTsoft Corp.)
Apple Application Support (32-bit) (HKLM-x32\...\{E92BB800-BCC5-4C25-8102-AC2C3B7C7C1E}) (Version: 5.5 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9C912B1E-06DD-43EF-BB2B-45CB2C88BAAE}) (Version: 5.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
ArtRage 5 (HKLM\...\{4B99BE6B-BDA2-40E5-8B5E-94ED80921418}) (Version: 5.0.5.0 - Ambient Design) Hidden
ArtRage 5 (HKLM\...\ArtRage 5 5.0.5.0) (Version: 5.0.5.0 - Ambient Design)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 18.3.2333 - AVAST Software)
Avid License Control (HKLM-x32\...\{89A9B9EE-839E-4820-9450-2912C82F46AF}) (Version: 6.0.0 - Avid Technology, Inc.)
Avidemux 2.6 - 64bits (HKLM-x32\...\Avidemux 2.6 - 64bits (64-bit)) (Version: 2.6.7.8981 - )
Banctec Service Agreement (HKLM-x32\...\{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}) (Version: 2.0.0 - Dell Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
BootDisk2BootStick 0.12 (HKLM-x32\...\BootDisk2BootStick) (Version: 0.12 - BooDaaLABs)
CamStudio 2.7.4 (HKLM\...\{04B83666-3A62-452B-85D3-70F8117F2329}_is1) (Version: 2.7.4 - CamStudio Open Source)
CCleaner (HKLM\...\CCleaner) (Version: 5.31 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Complete Care Business Service Agreement (HKLM-x32\...\{0ECFCB07-9BFE-4970-ACA1-D568D982760B}) (Version: 2.0.0 - Dell Inc.)
Conexant SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.50.8.0 - Conexant)
Consumer In-Home Service Agreement (HKLM-x32\...\{F47C37A4-7189-430A-B81D-739FF8A7A554}) (Version: 2.0.0 - Dell Inc.)
CoolSoft VirtualMIDISynth 1.9.0 (HKLM-x32\...\CoolSoft VirtualMIDISynth) (Version: 1.9.0.0 - CoolSoft)
CyberGhost 6 (HKLM\...\CyberGhost 6_is1) (Version:  - CyberGhost S.R.L.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.6.2.4 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.6.2.4 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.3.4.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{693A23FB-F28B-4F7A-A720-4C1263F97F43}) (Version: 3.1.1002.0 - Dell Products, LP)
Dell Home Systems Service Agreement (HKLM-x32\...\{AB2FDE4F-6BED-4E9E-B676-3DCCEBB1FBFE}) (Version: 2.0.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.1.6664.93 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{3ED468C2-2235-4747-90AD-A7A34F0FE70A}) (Version: 1.2.2.8 - Dell)
Dell Update (HKLM-x32\...\{90437913-9D4D-4D9D-B438-B8664DF851E9}) (Version: 1.7.1007.0 - Dell Inc.)
Dell Wireless Driver Installation (HKLM-x32\...\{451517F1-7E41-400B-AA36-FB7E2563526D}) (Version: 9.0 - Dell)
Finale 2014 (HKLM-x32\...\Finale 2014) (Version: 2014.0.3163.2 - MakeMusic)
foobar2000 v1.2.9 (HKLM-x32\...\foobar2000) (Version: 1.2.9 - Peter Pawlowski)
Free Video Editor 7.3.0 (HKLM-x32\...\{c23a3d87-c9c5-49cd-9632-42d7491c17a2}_is1) (Version: 7.3.0 - ThunderSoft International LLC.)
FreeFixer (HKLM-x32\...\FreeFixer1.13) (Version: 1.13 - Kephyr)
GlassWire 1.2 (remove only) (HKLM-x32\...\GlassWire 1.2) (Version: 1.2.1110 - SecureMix LLC)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 65.0.3325.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1351 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.220 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{6199B534-A1B6-46ED-873B-97B0ECF8F81E}) (Version: 1.23.216.0 - Intel Corporation)
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 7.3.0.13 - IObit)
ISO to USB (HKLM-x32\...\{D08A30AC-A663-4EA8-8D81-B98E17F19F1C}_is1) (Version:  - isotousb.com)
iTunes (HKLM\...\{F0C7385A-9D20-45F3-8101-05D383885180}) (Version: 12.6.1.25 - Apple Inc.)
Java 7 Update 80 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417080FF}) (Version: 7.0.800 - Oracle)
Java 9.0.4 (64-bit) (HKLM\...\{885A3911-0760-5252-92C2-001B92997DEA}) (Version: 9.0.4.0 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{0BE9E708-5DC0-4963-9CFD-0AA519090E79}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Krita (x64) 3.3.2.1 (HKLM\...\Krita_x64) (Version: 3.3.2.1 - Krita Foundation)
Machete Lite 4.0 (HKLM-x32\...\{F95D23BF-7872-4B84-9BFC-DD2BF6A6F226}) (Version: 4.0.33 - MacheteSoft)
Magical Jelly Bean KeyFinder (HKLM-x32\...\KeyFinder_is1) (Version: 2.0.10.13 - Magical Jelly Bean)
Malwarebytes version 3.4.5.2467 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.5.2467 - Malwarebytes)
Microsoft .NET Framework 4.6 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft Expression Encoder 4 (HKLM-x32\...\Encoder_4.0.1651.0) (Version: 4.0.1651.0 - Microsoft Corporation)
Microsoft Expression Encoder 4 Screen Capture Codec (HKLM-x32\...\{952DCCD8-4039-46C8-BC8B-5C1EB6C8E130}) (Version: 4.0.1651.0 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 59.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 59.0.2 (x64 en-US)) (Version: 59.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 53.0.3 - Mozilla)
Notation Composer 2.6.3 Trial (HKLM-x32\...\{9C20F41F-CD00-4EA9-BCC9-5D0855EF30C2}) (Version: 2.6.3 - Notation Software)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 21.0.1 - OBS Project)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Premium Service Agreement (HKLM-x32\...\{C33AA6D6-F5EC-48F3-AFDC-8141345D473A}) (Version: 2.0.0 - Dell Inc.)
PrivaZer (HKLM-x32\...\PrivaZer) (Version: 2.32.0.0 - Goversoft LLC)
qBittorrent 4.0.4 (HKLM-x32\...\qBittorrent) (Version: 4.0.4 - The qBittorrent project)
QualxServ Service Agreement (HKLM-x32\...\{903679E8-44C8-4C07-9600-05C92654FC50}) (Version: 2.0.0 - Dell Inc.)
QuickTime 7 (HKLM-x32\...\{80CEEB1E-0A6C-45B9-A312-37A1D25FDEBC}) (Version: 7.78.80.95 - Apple Inc.)
RogueKiller version 12.12.0.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.12.0.0 - Adlice Software)
Sandboxie 5.22 (64-bit) (HKLM\...\Sandboxie) (Version: 5.22 - Sandboxie Holdings, LLC)
sfArk (HKLM-x32\...\sfArk) (Version:  - )
SFPack (HKLM-x32\...\Megota Software SFPack Uninstall) (Version:  - )
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Sibelius 7 OpenType Fonts (HKLM-x32\...\{7325A8DF-C8C3-4425-B0CA-8CAEE5E6464B}) (Version: 7.0.1 - Avid)
Skype™ 7.40 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.40.151 - Skype Technologies S.A.)
Smart Defrag 5 (HKLM-x32\...\Smart Defrag_is1) (Version: 5.2.0 - IObit)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.6 - Sophos Limited)
SoulseekQt (HKLM-x32\...\SoulseekQt) (Version:  - )
SoulseekQt version 2016.4.24 (HKLM-x32\...\{8A4E1646-488C-4E5B-AC31-F784400E8D2D}_is1) (Version: 2016.4.24 - Soulseek LLC)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1250 - SUPERAntiSpyware.com)
SynthFont (HKLM-x32\...\SynthFont) (Version:  - )
System Requirements Lab Detection (HKLM-x32\...\{8112D57B-D1CD-4FC5-98DD-D40429782392}) (Version: 6.1.5.0 - Husdawg, LLC)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
ThunderSoft Video to GIF Converter (1.5.1.0) (HKLM-x32\...\ThunderSoft Video to GIF Converter_is1) (Version: 1.5.1.0 - ThunderSoft)
UnHackMe 9.70 (HKLM-x32\...\UnHackMe_is1) (Version:  - Greatis Software, LLC.)
VideoPad Video Editor (HKLM-x32\...\VideoPad) (Version: 3.36 - NCH Software)
VoodooShield version 4.24 (HKLM\...\{A8644328-A66F-490E-B8FA-901FF649189D}_is1) (Version: 4.24 - VoodooSoft, LLC)
VSDC Free Video Editor version 5.8.5.803 (HKLM\...\VSDC Free Video Editor_is1) (Version: 5.8.5.803 - Flash-Integro LLC)
WaveLab 6 (HKLM-x32\...\WaveLabPro) (Version: 6.1.1.353 - Steinberg)
WavePad Sound Editor (HKLM-x32\...\WavePad) (Version: 5.68 - NCH Software)
Wavpack4Wavelab6 (HKLM-x32\...\{AB5668B8-1428-460F-AE02-999A598D6883}) (Version: 1.0.1 - RIL)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
Windscribe (HKLM-x32\...\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1) (Version: 1.80 Build 33 - Windscribe Limited)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-04-14] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-04-14] (AVAST Software)
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-04-14] (AVAST Software)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ContextMenuHandlers1: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers1: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-04-14] (AVAST Software)
ContextMenuHandlers1: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} =>  -> No File
ContextMenuHandlers1: [IObit Malware Fighter] -> {0BB81440-5F42-4480-A5F7-770A6F439FC8} =>  -> No File
ContextMenuHandlers1: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2018-01-25] (IObit)
ContextMenuHandlers1: [PhotoStreamsExt] -> {89D984B3-813B-406A-8298-118AFA3A22AE} => C:\Program Files\Common Files\Apple\Internet Services\ShellStreams64.dll [2015-04-26] (Apple Inc.)
ContextMenuHandlers1: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => C:\Windows\System32\IObitSmartDefragExtension.dll [2016-03-25] (IObit)
ContextMenuHandlers2: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-04-14] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers4: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers4: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers4: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2018-01-25] (IObit)
ContextMenuHandlers5: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers5: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2015-07-28] (Intel Corporation)
ContextMenuHandlers6: [ALSee] -> {F4E6147B-C1F0-44AC-80EE-CE12622E421C} => C:\Program Files (x86)\ESTsoft\ALSee\ASSHLExt62_64.dll [2011-12-02] (ESTsoft Corp.)
ContextMenuHandlers6: [ALZip] -> {4EB37360-49E8-11D3-95B5-004033382980} => C:\Program Files (x86)\ESTsoft\ALZip\AZCTM64.dll [2017-09-14] (ESTsoft Corp.)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-04-14] (AVAST Software)
ContextMenuHandlers6: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2018-01-25] (IObit)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers6: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => C:\Windows\System32\IObitSmartDefragExtension.dll [2016-03-25] (IObit)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {03A715ED-774A-4483-B2CA-61FC5B581AF4} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-06-13] (Piriform Ltd)
Task: {137FBA79-C59A-41B1-89A6-09531966981C} - System32\Tasks\{15727590-95BD-4CC1-9D7F-6A48E182B5E1} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\ESTsoft\ALPass\unins000.exe"
Task: {157390A4-5878-4321-AD55-2F38017A83E3} - \Norton Identity Safe\Norton Error Processor -> No File <==== ATTENTION
Task: {183DC3A7-8432-4A67-9F96-06D58D2502CA} - System32\Tasks\Uninstaller_SkipUac_Zar-Unityv4 => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe [2018-01-29] (IObit)
Task: {19F85B9C-47E6-4FCA-AE63-0F994F99F199} - System32\Tasks\JavaUpdateSched => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2017-12-19] (Oracle Corporation)
Task: {1F0E2DE3-2545-409A-961A-BE7E276A16CC} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-02-14] (Apple Inc.)
Task: {3489A604-FF82-4C85-83BC-DDA3614A1084} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-04-14] (AVAST Software)
Task: {7B99C03B-E530-4A08-8C01-B4A61FCBC107} - System32\Tasks\SmartDefrag_Update => C:\Program Files (x86)\IObit\Smart Defrag\AutoUpdate.exe [2016-07-22] (IObit)
Task: {8061BDF5-3CFE-450E-8298-5BDC67546471} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {82C35C2E-B941-431C-99A7-0FC60A649F46} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-08-10] (Google Inc.)
Task: {A6DFF720-7D27-4F57-9E82-6AF45F4C16E6} - System32\Tasks\SmartDefrag_AutoAnalyze => C:\Program Files (x86)\IObit\Smart Defrag\AutoDefrag.exe [2016-06-06] (IObit)
Task: {A7F69A40-BA25-4916-9B33-9DA3F777C161} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-01-15] (Adobe Systems Incorporated)
Task: {AAA34808-E932-4A68-9936-EC57F9767A37} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION
Task: {B5DF3968-E9C7-4CC3-8397-5B23CDB88EDE} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2016-04-22] (Dell Inc.)
Task: {D789AFBC-069E-47CE-95BE-B8B872ABBA04} - \Norton Identity Safe\Norton Error Analyzer -> No File <==== ATTENTION
Task: {D86739FD-8DFD-4274-AEFE-056721672A3F} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2018-04-14] (AVAST Software)
Task: {DFBA82AA-0DD7-403A-AE60-AA726F917989} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-08-10] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\UnHackMe Task Scheduler.job => C:\Program Files (x86)\UnHackMe\hackmon.exe$(Arg0)Greatis Software, LLC.?Part of RegRun Suite/UnHackMe software. hxxp:/www.greatis.com
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Users\Zar_Admin2\Downloads\ВИА Гра - Shortcut.lnk -> C:\Users\Zar_Admin2\Music\My music (last updated 1-22-14)\ВИА Гра () <==== Cyrillic
 
ShortcutWithArgument: C:\Users\Zar_Admin2\Desktop\Chucklepower7 - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 1"
ShortcutWithArgument: C:\Users\Zar_Admin2\Desktop\InstaGC2 - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 3"
ShortcutWithArgument: C:\Users\Zar_Admin2\Desktop\Zar - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Default"
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-04-07 19:28 - 2018-03-12 15:09 - 002300192 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-03-20 18:20 - 2018-03-20 02:00 - 002683224 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\swiftshader\libglesv2.dll
2018-03-20 18:20 - 2018-03-20 02:00 - 000127832 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\swiftshader\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\Zar_Admin2\Documents\MicrosoftFixit50267.msi:$CmdZnID [26]
AlternateDataStreams: C:\Users\Zar_Admin2\Documents\Zone Alarm_SetupWeb_141_057_000.exe:$CmdTcID [64]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VipreEdgeProtection => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WebExaminer => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WebProxy => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-07-20 15:19 - 2018-04-11 22:54 - 000014364 _____ C:\Windows\system32\Drivers\etc\hosts
 
There are 514 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4291765073-3835710626-4147568939-1008\Control Panel\Desktop\\Wallpaper -> C:\Users\Zar_Admin2\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 84.200.69.80 - 84.200.70.40
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Amazon Music => "C:\Users\Zar-Unityv4\AppData\Local\Amazon Music\Amazon Music Helper.exe"
MSCONFIG\startupreg: Amazon Music Helper => "C:\Users\Zar-Unityv4\AppData\Local\Amazon Music\Amazon Music Helper.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: CyberGhost => "c:\program files\cyberghost 5\cyberghost.exe" /autostart /min
MSCONFIG\startupreg: iCloudDrive => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
MSCONFIG\startupreg: iCloudServices => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSCONFIG\startupreg: Windscribe => "C:\Program Files (x86)\Windscribe\Windscribe.exe" -os_restart
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{E817676F-A5FA-4933-88BA-668BE555FA37}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{19569012-5B94-42D2-957D-671864486078}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{E5AAA507-021B-413A-AAF8-FFB99C4B44C5}C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{0D63D775-DF96-490E-A816-E413E79E3269}C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\zar-unityv4\appdata\roaming\spotify\spotify.exe
FirewallRules: [{7DB1F8B7-6704-4EAF-9CCE-A74064C24635}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{A3A6EC04-3730-4997-ABAE-D6F9EFCED1B3}] => (Allow) LPort=2869
FirewallRules: [{EA61DA85-0F2C-44C6-8A60-35FAB012CAA8}] => (Allow) LPort=1900
FirewallRules: [TCP Query User{35748454-D888-4896-8448-749627A612E7}C:\program files (x86)\soulseekqt\soulseekqt.exe] => (Allow) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [UDP Query User{C94CDD04-525D-44A0-917E-62D865753CF7}C:\program files (x86)\soulseekqt\soulseekqt.exe] => (Allow) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [{46B1A288-FC0F-42DE-B6B4-F8C484A35DB6}] => (Block) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [{308E5EA2-B698-4D06-A85F-6801DED6D9FF}] => (Block) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [{04A0FA2E-2E81-49F8-BA59-12517A949F20}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{4ACE9F6B-9A2B-4CB4-83A9-B247D7D34CDC}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{80C20388-1FBE-4ADB-9CE8-EC4E79D7B551}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C91577E7-F19D-49F0-BADC-F0CB8A2EE503}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{E1388766-52DF-406C-835F-747F5EE10EA8}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{0F256AC4-65A7-445A-928A-B66E24F07E2B}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{DEEDBD6F-AC34-4634-99FF-9AAA62436C76}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{87A74092-CFB5-4D7A-9430-450F3453D49F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{2C4450FF-64A1-4C26-8E4B-5CFBFFAD8EC0}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [TCP Query User{C7C267CD-8BE1-4E0D-8C2B-43FA7013FF1E}C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe] => (Allow) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [UDP Query User{2D80DF12-4782-4560-ACD7-401797AB5945}C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe] => (Allow) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [{DB66EB3F-7062-4BBF-9FD2-79543AF4A75C}] => (Block) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [{E83653EF-BFB0-4174-AE8A-1E49847E8FD6}] => (Block) C:\users\zar-unityv4\appdata\local\amazon music\amazon music helper.exe
FirewallRules: [{A533BDCD-F008-4382-8A63-49ABF3F36D50}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{38F0BC92-D2EB-47DA-BEF8-09AC19FB85B7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6E2D5171-4E74-45AC-AFF7-BB80C884E828}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{9FD6A4E3-D9E9-416A-BDB1-0B1933568083}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{194DE3FB-ED06-4ECC-B843-014EE4261BC1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\sobek.exe
FirewallRules: [{95A6ED5E-4EBB-45AF-98F0-C2CCC01483B2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\sobek.exe
FirewallRules: [{365D8AF0-1940-414D-A92D-FB03E90026E1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\editor.exe
FirewallRules: [{E9CCA826-17C2-49A3-A670-B47CC9EA3BF3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Turok - Dinosaur Hunter\editor.exe
FirewallRules: [{0CDCE3D2-5FBE-415F-AE3D-FEA7E4D3E732}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{98707CB5-F911-4903-8064-0F76D418AB7A}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{53136A10-22AE-46FC-88DF-CAF8728FC8D9}] => (Block) LPort=445
FirewallRules: [{3006F7E0-801F-4A54-B5F8-5C0B9995B849}] => (Block) LPort=445
FirewallRules: [{178F256C-F509-48D8-A09A-8C77CD8CEC08}] => (Allow) C:\Program Files\iTunes\iTunes.exe
 
 
FirewallRules: [{D47F7A0C-7B8E-4D98-ABC6-8E57875A50B4}] => (Block) %ProgramFiles%\CCleaner\CCleaner64.exe
FirewallRules: [{8C0EAF4A-5BDA-4E14-9F66-822FD7FB29F2}] => (Block) %ProgramFiles%\CCleaner\CCleaner64.exe
FirewallRules: [{C2FE8B80-2B8B-4281-937C-17A047F68E34}] => (Block) %ProgramFiles%\Malwarebytes\Anti-Malware\mbam.exe
FirewallRules: [{1CAD712D-D77F-4A9E-9B98-2D813B3CC246}] => (Block) %ProgramFiles%\Malwarebytes\Anti-Malware\MBAMWsc.exe
FirewallRules: [{213CE0E4-2197-4C2C-BC87-79095E6D1B94}] => (Block) %SystemDrive%\Sandbox\Zar-Unityv4\InstaGC2\drive\C\Program Files (x86)\DearMob\5KPlayer\5KPlayer.exe
FirewallRules: [{D967BC58-7878-45A7-9EBA-401F441F98C7}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{76F09763-8394-44CA-9B74-58148928F2C0}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{2A9C58F6-C245-4E84-B297-025B32EB276C}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{C948C27F-689F-4CEF-B4F9-A1CFC0A1D71C}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{C06165B3-B1BF-4F37-9D80-426E427A1486}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [{D219844D-EB5B-43DF-9163-1A18B0D0E5C0}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [{22BBDF19-9607-4F84-B3AE-262D25054A3C}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe
FirewallRules: [{AE5260B2-F392-4AC4-8417-89B7778ED686}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe
FirewallRules: [TCP Query User{39F3F8CC-D537-4B66-A44F-DDF079CC990F}C:\program files (x86)\windscribe\wsappcontrol.exe] => (Allow) C:\program files (x86)\windscribe\wsappcontrol.exe
FirewallRules: [UDP Query User{09BA913B-C2EB-4CA0-9C52-0B778CD838B9}C:\program files (x86)\windscribe\wsappcontrol.exe] => (Allow) C:\program files (x86)\windscribe\wsappcontrol.exe
FirewallRules: [{AB862953-AF97-4434-AF1F-E297BF2D1DD5}] => (Block) C:\program files (x86)\windscribe\wsappcontrol.exe
FirewallRules: [{400A0CC6-2267-42E5-A77C-C634C6591F7C}] => (Block) C:\program files (x86)\windscribe\wsappcontrol.exe
FirewallRules: [{5D8D318A-8348-4B5E-A26E-7624712E163D}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{8BBDB9EA-E618-49F6-93B7-EB5D65100B8A}] => (Block) %ProgramFiles% (x86)\Magical Jelly Bean\keyfinder.exe
FirewallRules: [{9F03E553-BC24-49B3-986B-41A5F8AA8987}] => (Allow) C:\Program Files (x86)\AceThinker\AceThinker Video Master\AceThinker Video Master.exe
FirewallRules: [{4603135B-79D1-411B-AB59-7C77AAA01302}] => (Allow) C:\Program Files (x86)\AceThinker\AceThinker Video Master\AceThinker Video Master.exe
FirewallRules: [{85B34758-97A3-4a63-832A-9825D8777935}}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
FirewallRules: [{9187CF69-6824-487d-A9F0-AFF5C2C29BA9}}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
FirewallRules: [{85B34758-97A3-4a63-832A-9825D8777934}}] => (Allow) C:\Program Files (x86)\UnHackMe\regruninfo.exe
FirewallRules: [{9187CF69-6824-487d-A9F0-AFF5C2C29BA8}}] => (Allow) C:\Program Files (x86)\UnHackMe\regruninfo.exe
FirewallRules: [{FBE2BE10-B4E0-4391-928B-8354A468584D}] => (Allow) C:\Program Files (x86)\UnHackMe\RegRunInfo.exe
FirewallRules: [{176D1475-A912-49BF-AA48-80B9B6B3B32B}] => (Allow) C:\Program Files (x86)\UnHackMe\RegRunInfo.exe
FirewallRules: [{4A9490CE-53F8-459A-A31A-3FC1C0D9C804}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
FirewallRules: [{28154258-B782-487D-8D9C-622EC14C9DC1}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
FirewallRules: [{0DB81D2D-AA2B-4AFF-9C2F-9AE71BBBD3C3}] => (Allow) C:\Program Files (x86)\UnHackMe\RegRunInfo.exe
FirewallRules: [{7755AA29-73D7-401D-8145-BB44C4B5A764}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
FirewallRules: [{A61B45B1-385C-406E-8D7B-4BFFFA858719}] => (Allow) C:\Program Files (x86)\UnHackMe\RegRunInfo.exe
FirewallRules: [{92379099-B77E-4273-80F8-92178DC4C637}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
 
==================== Restore Points =========================
 
14-04-2018 22:03:15 Avast Free Antivirus restore point
 
==================== Faulty Device Manager Devices =============
 
Name: avast! Revert
Description: avast! Revert
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: aswRvrt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: VPN Client Adapter - VPN-Zar
Description: VPN Client Adapter - VPN-Zar
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: SoftEther VPN Project
Service: Neo_VPN-Zar
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/15/2018 04:05:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (04/15/2018 04:03:56 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Zar_Admin2\Desktop\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (04/15/2018 02:17:09 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (04/14/2018 10:11:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (04/14/2018 09:41:20 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Zar_Admin2\Desktop\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (04/14/2018 09:38:14 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (04/14/2018 09:36:56 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Zar_Admin2\Desktop\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (04/14/2018 09:34:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: aswmbr (MBR scan).exe, version: 1.0.1.2290, time stamp: 0x54b4df14
Faulting module name: ntdll.dll, version: 6.1.7601.23889, time stamp: 0x598d4c81
Exception code: 0xc0000005
Fault offset: 0x0002e49b
Faulting process id: 0xb58
Faulting application start time: 0x01d3d454cb2862bc
Faulting application path: C:\Users\Zar_Admin2\Documents\__The useful box__\aswmbr (MBR scan).exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 2184e78b-404d-11e8-bc4a-c81f66248005
 
 
System errors:
=============
Error: (04/15/2018 04:10:53 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (04/15/2018 04:03:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (04/15/2018 04:03:53 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
 
Error: (04/15/2018 04:03:53 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
 
Error: (04/15/2018 04:03:47 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (04/15/2018 04:03:41 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (04/15/2018 04:03:34 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMChameleon service failed to start due to the following error: 
The driver was not loaded because the system is booting into safe mode.
 
Error: (04/15/2018 04:03:34 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.
 
Module Path: C:\Windows\system32\athihvs.dll
Error Code: 21
 
 
Windows Defender:
===================================
Date: 2016-04-14 20:16:47.303
Description: 
Windows Defender scan has been stopped before completion.
Scan ID:{5E6BB682-5C2D-4D9E-BBD1-129CF0EB4323}
Scan Type:AntiSpyware
Scan Parameters:Quick Scan
 
Date: 2016-02-24 13:06:03.657
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version:
Update Source:User
Signature Type:
Update Type:
Current Engine Version:
Previous Engine Version:1.1.12400.0
Error code:0x8050a003
Error description:This package does not contain up-to-date definition files for this program. For more information, see Help and Support. 
 
Date: 2015-08-19 00:03:53.021
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version:1.203.2523.0
Previous Signature Version:
Update Source:User
Signature Type:AntiSpyware
Update Type:Full
Current Engine Version:1.1.11903.0
Previous Engine Version:
Error code:0x80508001
Error description:A problem is preventing the program from starting. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support. 
 
Date: 2015-08-19 00:03:53.021
Description: 
Windows Defender has encountered an error trying to update the engine.
New Engine Version:1.1.11903.0
Previous Engine Version:
Update Source:User
Error Code:0x80508001
Error description:A problem is preventing the program from starting. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support. 
 
Date: 2015-08-18 23:32:09.959
Description: 
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:Current
Error Code:0x80070002
Error description:The system cannot find the file specified. 
Signature version:0.0.0.0
Engine version:0.0.0.0
 
Date: 2014-11-26 22:23:38.634
Description: 
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:Current
Error Code:0x80070002
Error description:The system cannot find the file specified. 
Signature version:0.0.0.0
Engine version:0.0.0.0
 
CodeIntegrity:
===================================
 
Date: 2014-04-26 00:31:52.150
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2014-04-26 00:31:52.149
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2014-04-26 00:31:52.147
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2014-04-26 00:31:52.132
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2014-04-26 00:31:52.129
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2014-04-26 00:31:52.128
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2014-04-26 00:31:52.111
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2014-04-26 00:31:52.109
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3340 CPU @ 3.10GHz
Percentage of memory in use: 22%
Total physical RAM: 8066 MB
Available physical RAM: 6271.57 MB
Total Virtual: 16130.18 MB
Available Virtual: 14397.52 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:909.81 GB) (Free:199.68 GB) NTFS
 
\\?\Volume{3068acc4-5bc8-11e3-908e-806e6f6e6963}\ (RECOVERY) (Fixed) (Total:21.67 GB) (Free:11.58 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: C422731E)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=21.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=909.8 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#4 nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 April 2018 - 08:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ContextMenuHandlers1: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} =>  -> No File
ContextMenuHandlers1: [IObit Malware Fighter] -> {0BB81440-5F42-4480-A5F7-770A6F439FC8} =>  -> No File
Task: {157390A4-5878-4321-AD55-2F38017A83E3} - \Norton Identity Safe\Norton Error Processor -> No File <==== ATTENTION
Task: {AAA34808-E932-4A68-9936-EC57F9767A37} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION
Task: {D789AFBC-069E-47CE-95BE-B8B872ABBA04} - \Norton Identity Safe\Norton Error Analyzer -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Zar_Admin2\Documents\MicrosoftFixit50267.msi:$CmdZnID [26]
AlternateDataStreams: C:\Users\Zar_Admin2\Documents\Zone Alarm_SetupWeb_141_057_000.exe:$CmdTcID [64]

BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre-9.0.4\bin\ssv.dll => No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Toolbar: HKLM-x32 - No Name - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Handler: vipresg - No CLSID Value
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [32400 2016-03-04] (ThreatTrack Security)
S3 cpuz137; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [X]
S3 MFE_RR; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\mfe_rr.sys [X] <==== ATTENTION
S3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [X]
S3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
C:\Windows\System32\drivers\gfiutil.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download and run the Kaspersky Removal tool.
https://support.kaspersky.com/us/common/uninstall/1464#block1

Restart the computer in NORMAL MODE when completed.

Run the Farbar program and post a fresh FRST log for my review.

Let me know what problem persists.
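
The reasoning behind the driver and service lines in the fixlist above, as an added example (not FRST's own code and not nasdaq's procedure): a small Python triage of FRST "Services"/"Drivers" lines that flags entries whose binary is gone (FRST's "[X]"), that load from a Temp directory (the ones FRST itself marks "<==== ATTENTION"), that have no ImagePath, or that are unsigned, and emits the "[X]" lines in the verbatim form FRST accepts in fixlist.txt. The sample lines are assembled from entries in the logs on this page; the meaning of FRST's R/S/U letters is an assumption of this example, the start-type digits are the standard Windows service start values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of FRST's "Services" and "Drivers" sections.
# The entries are copied from the logs in this thread, two healthy ones
# (aswSP, gfiutil) included so the triage has something it must leave alone.
SAMPLE_FRST_LINES = """\
R1 aswSP; C:\\Windows\\System32\\drivers\\aswSP.sys [460520 2018-04-14] (AVAST Software)
S3 gfiutil; C:\\Windows\\System32\\drivers\\gfiutil.sys [32400 2016-03-04] (ThreatTrack Security)
S3 cpuz137; \\??\\C:\\Users\\ZAR-UN~1\\AppData\\Local\\Temp\\cpuz137\\cpuz137_x64.sys [X] <==== ATTENTION
S3 MFE_RR; \\??\\C:\\Users\\ZAR-UN~1\\AppData\\Local\\Temp\\mfe_rr.sys [X] <==== ATTENTION
S1 ZAM; \\??\\C:\\Windows\\System32\\drivers\\zam64.sys [X]
U1 aswbdisk; no ImagePath
R2 ZAtheros Wlan Agent; C:\\Program Files (x86)\\Dell Wireless\\Ath_WlanAgent.exe [73728 2012-02-08] (Atheros) [File not signed]
"""

# "R1 name; image [size date] (signer)". R = running, S = stopped, U = neither
# (assumption about FRST's letters); the digit is the Windows start type:
# 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
ENTRY_RE = re.compile(r"^([RSU])(\d)\s+([^;]+);\s*(.*?)\s*$")
# User-writable staging dirs; FRST itself tags drivers here with "<==== ATTENTION".
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    state: str              # "R", "S" or "U"
    start_type: int
    path: str               # image path without the \??\ prefix; "" if none
    raw: str                # the log line exactly as FRST printed it
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Finding]:
    """Parse one Services/Drivers line; None for anything else in the log."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    state, start, name, body = m.groups()
    f = Finding(name.strip(), state, int(start), "", line)
    if body == "no ImagePath":
        f.reasons.append("no ImagePath")
        return f
    # The image path runs up to the first " [", which opens either the
    # "[size date]" details or the "[X]" marker FRST uses for a missing file.
    path = body.split(" [", 1)[0]
    if path.startswith("\\??\\"):
        path = path[4:]
    f.path = path
    if " [X]" in body:
        f.reasons.append("missing binary")
    if TEMP_DIR_RE.search(path):
        f.reasons.append("loads from a Temp directory")
    if "[File not signed]" in body:
        f.reasons.append("unsigned")
    return f


def triage(log_text: str) -> List[Finding]:
    """Entries with at least one reason to look at them, in log order."""
    out = []
    for line in log_text.splitlines():
        f = parse_entry(line)
        if f is not None and f.reasons:
            out.append(f)
    return out


def fixlist_candidates(findings: List[Finding]) -> List[str]:
    """Lines to paste into fixlist.txt. FRST removes a service/driver registry
    entry when given its log line verbatim (the convention nasdaq's fixlist
    above follows). Only entries whose binary is already gone are returned:
    an unsigned or Temp-dir driver whose file still exists, and a "no
    ImagePath" stub, need a human look before anything is deleted."""
    return [f.raw for f in findings if "missing binary" in f.reasons]


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LINES)
    for f in found:
        print(f"{f.state}{f.start_type} {f.name:22} {', '.join(f.reasons)}")
    print("\nfixlist.txt candidates:")
    print("\n".join(fixlist_candidates(found)))
```

Run it against a saved FRST.txt by passing the file's text to triage(). The "[X]" entries are orphaned registry keys for drivers that were never cleaned up by their uninstallers (CPU-Z, a McAfee removal tool, IObit, Zemana) and are what the fixlist above removes; the two that lived in %Temp% are the ones worth remembering, because a driver that loads from a user-writable directory is exactly the pattern a real rootkit dropper would leave behind.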

#5 Dell_User7

  • Topic Starter
  • Members
  • 30 posts

Posted 20 April 2018 - 04:48 AM

Hello Nasdaq, thank you so much for offering to help me with my concerns of possible computer infection.

I ran the FRST tool and let it run the fixlog, but after about one minute the program stopped responding. I waited another couple of minutes and then my computer mostly stopped loading, judging from the busy light, but the FRST tool was still unresponsive and hung up, so I had to force-close the program.

I then had to restart the computer myself, which also hung up, and I ended up having to force shutdown the computer as well.

Upon the restart, Windows resumed my session at first, but then eventually restarted like it should.

I then ran the Kaspersky removal tool, but my old version of Kaspersky was not detected, and I have no idea how to properly identify which version of Kaspersky I have for proper removal.

I ran this tool before and had some help on choosing the right Kaspersky version, but removal of the software was a failure after restart.
I believe that it was Kaspersky Internet Security.

I also had some assistance on running a fixlist on FRST to try and manually remove Kaspersky, but it ended up with me not being able to boot up to Windows anymore, until I did a Windows auto repair that loads my last successful boot-up configuration setting. Then Kaspersky was back on my computer with every one of its files.

I believe that when I installed Kaspersky, it changed my registry to where my computer won't work or boot up without using several Kaspersky files.

Anyway, I am now on a new admin account, as I may have mentioned before, so my next FRST log will fully represent my current logged-in status.

After restarting, I noticed that the Farbar tool is now gone, so I had to re-download it to produce a new FRST log.

--------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19.04.2018
Ran by Zar_Admin3 (administrator) on ZAR-UNITYV4-PC (20-04-2018 05:08:16)
Running from C:\Users\Zar_Admin3\Downloads
Loaded Profiles: Zar_Admin3 (Available Profiles: Zar-Unityv4 & Zar_Admin2 & Zar_Admin3)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\baidu\SparkSafe\Spark.exe" -- "%1")
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SbieSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(VoodooSoft, LLC ) C:\Program Files\VoodooShield\VoodooShieldService.exe
(Windscribe Limited) C:\Program Files (x86)\Windscribe\WindscribeService.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(VoodooSoft, LLC ) C:\Program Files\VoodooShield\VoodooShield.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie_5.20 (64)\SbieCtrl.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
() C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [242392 2018-04-14] (AVAST Software)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [298296 2018-03-25] (Apple Inc.)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [133400 2011-12-16] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [646680 2017-12-19] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-4291765073-3835710626-4147568939-1009\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie_5.20 (64)\SbieCtrl.exe [799880 2017-10-30] (Sandboxie Holdings, LLC)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{842EEBF7-5F77-4BA2-B7D1-7636C4167F86}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{93D7F91C-E7C8-4A14-A0D6-BF481CD4E433}: [NameServer] 208.67.222.222,208.67.220.220
 
Internet Explorer:
==================
HKU\S-1-5-21-4291765073-3835710626-4147568939-1009\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-4291765073-3835710626-4147568939-1009\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2018-01-25] (IObit)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre-9.0.4\bin\jp2ssv.dll [2018-03-06] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
 
FireFox:
========
FF Extension: (All Aboard) - C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\@all-aboard-v1-5 [2017-07-29] [Legacy]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-15] ()
FF Plugin: @java.com/DTPlugin,version=12.0.4.0 -> C:\Program Files\Java\jre-9.0.4\bin\dtplugin\npDeployJava1.dll [2018-03-06] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=12.0.4.0 -> C:\Program Files\Java\jre-9.0.4\bin\plugin2\npjp2.dll [2018-03-06] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-15] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-02-11] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.duckduckgo.com/
CHR DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> duckdg
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default [2018-04-20]
CHR Extension: (Slides) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-04-16]
CHR Extension: (Docs) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-04-16]
CHR Extension: (Google Drive) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-04-16]
CHR Extension: (YouTube) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-04-16]
CHR Extension: (Spotify - Music for every moment) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnkjkdjlofllcpbemipjbcpfnglbgieh [2018-04-16]
CHR Extension: (Blue Bird) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\elhjijmekiobeohmhenmnccklpjakino [2018-04-16]
CHR Extension: (Sheets) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-04-16]
CHR Extension: (Google Docs Offline) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-04-16]
CHR Extension: (Windscribe - Free VPN and Ad Blocker) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcnanddlhb [2018-04-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-16]
CHR Extension: (Ads Killer Adblocker Plus) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgbllmbdjgcalkoimdfcpknbjgnhjclg [2018-04-16]
CHR Extension: (Gmail) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-04-16]
CHR Extension: (Chrome Media Router) - C:\Users\Zar_Admin3\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-04-16]
CHR HKLM\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-03-14] (Apple Inc.)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7603408 2018-04-14] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [313640 2018-04-14] (AVAST Software)
S3 AVP16.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe [194000 2015-12-05] (Kaspersky Lab ZAO)
S3 CGVPNCliService; C:\Program Files\CyberGhost 5\Service.exe [65128 2016-08-08] (CyberGhost S.R.L)
S3 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2573520 2015-05-22] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [4354000 2017-07-25] (SecureMix LLC)
S2 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [206096 2018-01-25] (IObit)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6479136 2018-03-27] (Malwarebytes)
R2 SbieSvc; C:\Program Files\Sandboxie_5.20 (64)\SbieSvc.exe [198792 2017-10-30] (Sandboxie Holdings, LLC)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2014-04-04] (SoftThinks SAS)
S3 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-04-22] (Dell Inc.)
R2 VoodooShieldService; C:\Program Files\VoodooShield\VoodooShieldService.exe [131920 2018-04-11] (VoodooSoft, LLC )
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-12-02] (Microsoft Corporation)
R2 WindscribeService; C:\Program Files (x86)\Windscribe\WindscribeService.exe [442472 2017-11-12] (Windscribe Limited)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [73728 2012-02-08] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [196640 2018-04-14] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [227504 2018-04-14] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199440 2018-04-14] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343752 2018-04-14] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57680 2018-04-14] (AVAST Software)
R1 aswHdsKe; C:\Windows\System32\drivers\aswHdsKe.sys [227784 2018-04-14] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46968 2018-04-14] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [147224 2018-04-14] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [111352 2018-04-14] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84368 2018-04-14] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1026696 2018-04-14] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [460520 2018-04-14] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [205976 2018-04-14] (AVAST Software)
S3 aswTap; C:\Windows\System32\DRIVERS\aswTap.sys [44640 2014-07-02] (The OpenVPN Project)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [380528 2018-04-14] (AVAST Software)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [389816 2015-07-06] (Kaspersky Lab ZAO)
S3 DDDriver; C:\Windows\System32\drivers\DDDriver64Dcsa.sys [23760 2015-02-26] (Dell Computer Corporation)
S3 DellProf; C:\Windows\System32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [76192 2018-03-19] ()
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [40584 2015-08-27] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [32400 2016-03-04] (ThreatTrack Security)
R1 gwdrv; C:\Windows\System32\DRIVERS\gwdrv.sys [33248 2015-05-29] (SecureMix LLC)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2018-04-14] ()
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2016-01-25] (REALiX™)
R3 IUFileFilter; C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IUFileFilter.sys [21928 2017-06-06] (IObit.com)
R3 IURegProcessFilter; C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IURegProcessFilter.sys [22416 2018-01-11] (IObit.com)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [478392 2015-06-22] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [53432 2015-06-06] (Kaspersky Lab ZAO)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [70000 2015-06-27] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [77728 2016-05-10] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [181640 2015-12-05] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [237480 2016-05-24] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [943536 2016-05-24] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [49240 2016-05-24] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [41144 2015-06-06] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [41648 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [41352 2015-12-05] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [65208 2015-06-11] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [103096 2015-06-16] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [187056 2015-06-23] (Kaspersky Lab ZAO)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193768 2018-04-16] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [112864 2018-04-20] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [44768 2018-04-20] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-04-20] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [93816 2018-04-20] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2015-07-28] (Intel Corporation)
S3 Neo_VPN-Zar; C:\Windows\System32\DRIVERS\Neo_0013.sys [28768 2014-12-11] (SoftEther VPN Project at University of Tsukuba, Japan.)
R2 npf; C:\Windows\system32\drivers\npf.sys [36600 2017-01-02] (Riverbed Technology, Inc.)
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2018-02-07] (Greatis Software)
S3 RTSUER; C:\Windows\System32\Drivers\RtsUer.sys [404184 2016-01-21] (Realsil Semiconductor Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SbieDrv; C:\Program Files\Sandboxie_5.20 (64)\SbieDrv.sys [209544 2017-10-30] (Sandboxie Holdings, LLC)
R1 SBRE; C:\Windows\system32\drivers\SBREdrv.sys [55384 2011-08-29] (Sunbelt Software)
S3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [95608 2015-09-29] (ThreatTrack Security)
R3 tapwindscribe0901; C:\Windows\System32\DRIVERS\tapwindscribe0901.sys [45560 2017-09-13] (The OpenVPN Project)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2018-04-13] ()
R3 VSScanner; C:\Windows\System32\DRIVERS\vsscanner.sys [21064 2016-08-19] (VoodooSoft, LLC)
R2 WebExaminer; C:\Windows\system32\Drivers\WebExaminer64.sys [34408 2015-10-16] (ThreatTrack Security Inc.)
U1 aswbdisk; no ImagePath
S3 cpuz137; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [X]
S3 MFE_RR; \??\C:\Users\ZAR-UN~1\AppData\Local\Temp\mfe_rr.sys [X] <==== ATTENTION
S3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [X]
U2 TMAgent; no ImagePath
S3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-20 05:08 - 2018-04-20 05:08 - 000021601 _____ C:\Users\Zar_Admin3\Downloads\FRST.txt
2018-04-20 05:07 - 2018-04-20 05:07 - 002404352 _____ (Farbar) C:\Users\Zar_Admin3\Downloads\FRST64.exe
2018-04-20 04:48 - 2018-04-20 04:48 - 000000000 _____ C:\Windows\SysWOW64\RMVR-SRVC-.1.0.0.1309_868.tiny.dmp
2018-04-20 04:45 - 2018-04-20 04:47 - 000000000 ____D C:\Users\Zar_Admin3\Downloads\kavremvr
2018-04-20 04:35 - 2018-04-20 04:35 - 000000000 ___HD C:\$AV_ASW
2018-04-20 04:25 - 2018-04-20 04:27 - 000005481 _____ C:\Users\Zar_Admin3\Downloads\Fixlog.txt
2018-04-20 04:24 - 2018-04-20 04:24 - 000000000 ____D C:\Users\Zar_Admin3\Downloads\FRST-OlderVersion
2018-04-19 03:45 - 2018-04-19 03:45 - 000001678 _____ C:\Users\Zar_Admin3\Desktop\procexp64.exe.lnk
2018-04-17 09:46 - 2018-04-19 09:42 - 000000000 ____D C:\Users\Zar_Admin3\Downloads\FD12Full (FreeDos_usb)
2018-04-17 08:47 - 2018-04-17 08:47 - 000003217 _____ C:\Users\Zar_Admin3\Desktop\rufus-2.18p.lnk
2018-04-17 05:40 - 2018-04-17 05:40 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\ESTSoft
2018-04-17 00:22 - 2018-04-17 00:24 - 000000770 _____ C:\Users\Zar_Admin3\Downloads\How to Check MD5 hash.txt
2018-04-16 21:20 - 2018-01-15 04:35 - 000000918 _____ C:\Users\Zar_Admin3\Desktop\Sandboxed Web Browser.lnk
2018-04-16 21:04 - 2018-04-16 21:04 - 000001709 _____ C:\Users\Public\Desktop\iTunes.lnk
2018-04-16 21:04 - 2018-04-16 21:04 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2018-04-16 21:04 - 2018-04-16 21:04 - 000000000 ____D C:\Program Files\iPod
2018-04-16 21:03 - 2018-04-16 21:04 - 000000000 ____D C:\Program Files\iTunes
2018-04-16 20:56 - 2018-04-16 20:56 - 000000000 ____D C:\Users\Zar_Admin3\AppData\LocalLow\IObit
2018-04-16 20:50 - 2018-04-16 20:52 - 272307016 _____ (Apple Inc.) C:\Users\Zar_Admin3\Downloads\iTunes64Setup.exe
2018-04-16 20:40 - 2018-04-16 20:40 - 006638114 _____ C:\Users\Zar_Admin3\Downloads\My_Itunes_Library.xml
2018-04-16 20:37 - 2018-04-16 20:37 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Local\Apple
2018-04-16 20:33 - 2018-04-16 20:33 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Local\Apple Computer
2018-04-16 19:21 - 2018-04-16 19:21 - 000003251 _____ C:\Users\Zar_Admin3\Desktop\FlicFlac v1.3 - Shortcut.lnk
2018-04-16 19:08 - 2018-04-16 19:08 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Local\Apps\2.0
2018-04-16 18:57 - 2018-04-16 22:09 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\foobar2000
2018-04-16 18:51 - 2018-04-16 18:51 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\AVAST Software
2018-04-16 18:51 - 2018-04-16 18:51 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Local\CEF
2018-04-16 18:41 - 2018-04-16 18:41 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\Intel Corporation
2018-04-16 18:40 - 2018-04-16 20:38 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\Apple Computer
2018-04-16 18:39 - 2018-04-16 18:39 - 000001379 _____ C:\Users\Zar_Admin3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-04-16 18:39 - 2018-04-16 18:39 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\Adobe
2018-04-16 18:39 - 2018-04-16 18:39 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Local\VirtualStore
2018-04-16 18:38 - 2018-04-16 18:38 - 000095760 _____ C:\Users\Zar_Admin3\AppData\Local\GDIPFONTCACHEV1.DAT
2018-04-16 17:52 - 2018-04-16 17:52 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\Google
2018-04-16 17:45 - 2018-04-16 21:01 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Roaming\IObit
2018-04-16 17:45 - 2018-04-16 17:51 - 000000000 ____D C:\Users\Zar_Admin3\AppData\Local\Google
2018-04-16 17:44 - 2018-04-16 18:40 - 000000000 ____D C:\Users\Zar_Admin3
2018-04-16 17:44 - 2018-04-16 17:44 - 000000020 ___SH C:\Users\Zar_Admin3\ntuser.ini
2018-04-16 02:11 - 2018-04-16 02:11 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\71579300.sys
2018-04-16 01:25 - 2018-04-16 01:25 - 000698368 _____ () C:\Users\Zar_Admin3\Downloads\dotNetDiskImager_0.7.347.27_Installer.exe
2018-04-15 20:07 - 2018-04-15 20:07 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\GlassWire
2018-04-15 19:32 - 2018-04-15 19:37 - 014178840 _____ (Malwarebytes Corp.) C:\Users\Zar_Admin3\Downloads\mbar-1.10.3.1001.exe
2018-04-15 19:30 - 2018-04-15 19:30 - 000007731 _____ C:\Users\Zar_Admin3\Documents\New rootkit post_.txt
2018-04-15 16:06 - 2018-04-15 16:06 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Google
2018-04-15 03:25 - 2018-04-15 03:25 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\ECRSC
2018-04-15 03:04 - 2018-04-15 03:25 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\ESTSoft
2018-04-15 03:04 - 2018-04-15 03:04 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\Apple Computer
2018-04-15 03:02 - 2018-04-15 03:02 - 000000000 ____D C:\Users\Zar_Admin2\AppData\LocalLow\Apple Computer
2018-04-15 02:50 - 2018-04-15 02:58 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\ImgBurn
2018-04-14 22:16 - 2018-04-19 16:19 - 000004168 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-04-14 22:16 - 2018-04-19 09:29 - 000002047 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2018-04-14 22:16 - 2018-04-14 22:16 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000380528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000376536 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-04-14 22:16 - 2018-04-14 22:16 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000196640 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000147224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000111352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000084368 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-04-14 22:16 - 2018-04-14 22:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2018-04-14 22:16 - 2018-04-14 22:15 - 001026696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000343752 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000227784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHdsKe.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000227504 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000199440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-04-14 22:16 - 2018-04-14 22:15 - 000057680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-04-14 22:07 - 2018-04-14 22:08 - 000178320 _____ (AVAST Software) C:\Users\Zar_Admin3\Downloads\avast_free_antivirus_setup_online_cnet2.exe
2018-04-14 22:06 - 2018-04-16 05:56 - 000000000 ____D C:\Users\Zar_Admin2\AppData\LocalLow\Mozilla
2018-04-14 22:05 - 2018-04-16 02:23 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\Mozilla
2018-04-14 22:05 - 2018-04-14 22:06 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Mozilla
2018-04-14 22:02 - 2018-04-14 22:02 - 000000000 ____D C:\Users\Zar_Admin2\AppData\LocalLow\IObit
2018-04-14 21:42 - 2018-04-14 21:42 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Intel Corporation
2018-04-14 21:42 - 2018-04-14 21:42 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\AVAST Software
2018-04-14 21:42 - 2018-04-14 21:42 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\CEF
2018-04-14 21:40 - 2018-04-15 16:11 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\Google
2018-04-14 21:40 - 2018-04-14 21:40 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Apple Computer
2018-04-14 21:39 - 2018-04-14 22:08 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\IObit
2018-04-14 21:39 - 2018-04-14 21:39 - 000001379 _____ C:\Users\Zar_Admin2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-04-14 21:39 - 2018-04-14 21:39 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Roaming\Adobe
2018-04-14 21:39 - 2018-04-14 21:39 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\VirtualStore
2018-04-14 21:38 - 2018-04-14 21:38 - 000095760 _____ C:\Users\Zar_Admin2\AppData\Local\GDIPFONTCACHEV1.DAT
2018-04-14 21:34 - 2018-04-16 02:09 - 000000000 ____D C:\Users\Zar_Admin2\AppData\Local\CrashDumps
2018-04-14 20:34 - 2018-04-14 20:34 - 000000000 ____D C:\Windows\pss
2018-04-14 20:21 - 2018-04-14 20:21 - 000644860 _____ C:\Users\Zar_Admin2\Desktop\regrunlog.txt
2018-04-14 18:59 - 2018-04-14 19:00 - 000000000 ____D C:\Users\Zar_Admin2\Desktop\TMRBLog
2018-04-14 18:59 - 2018-04-14 18:59 - 000000000 ____D C:\Users\Zar_Admin2\Desktop\log
2018-04-14 18:22 - 2018-04-14 20:11 - 000000000 ____D C:\EEK2
2018-04-14 18:18 - 2018-04-14 18:19 - 325670168 _____ C:\Users\Zar_Admin2\Desktop\EmsisoftEmergencyKit.exe
2018-04-14 15:53 - 2018-04-14 21:41 - 000000000 ____D C:\Users\Zar_Admin2
2018-04-14 15:53 - 2018-04-14 15:53 - 000000020 ___SH C:\Users\Zar_Admin2\ntuser.ini
2018-04-14 06:05 - 2018-04-14 06:06 - 000232160 _____ C:\TDSSKiller.3.1.0.16_14.04.2018_06.05.20_log.txt
2018-04-14 04:39 - 2018-04-14 04:39 - 000002011 _____ C:\Users\Zar_Admin2\Desktop\Remove Avira PC Cleaner.lnk
2018-04-14 04:39 - 2018-04-14 04:39 - 000001951 _____ C:\Users\Zar_Admin2\Desktop\Avira PC Cleaner.lnk
2018-04-14 04:23 - 2018-04-14 04:23 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-04-14 03:07 - 2018-04-14 03:07 - 000000000 ____D C:\Users\Zar-Unityv4\Pavark
2018-04-13 15:40 - 2018-04-14 17:37 - 000003820 _____ C:\Users\Zar_Admin2\Desktop\Rkill.txt
2018-04-11 22:54 - 2018-04-11 22:54 - 000001013 _____ C:\Users\Zar_Admin2\Desktop\UnHackMe.lnk
2018-04-11 22:54 - 2018-04-11 22:54 - 000000418 _____ C:\Windows\Tasks\UnHackMe Task Scheduler.job
2018-04-11 22:54 - 2018-04-11 22:54 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
2018-04-11 22:53 - 2018-04-11 11:35 - 019081288 _____ (Greatis Software, LLC. ) C:\Users\Zar_Admin2\Desktop\unhackme_setup.exe
2018-04-11 22:18 - 2017-05-01 07:31 - 002724512 _____ (Sysinternals - www.sysinternals.com) C:\Users\Zar_Admin2\Desktop\procexp.exe
2018-04-11 22:01 - 2018-04-11 22:01 - 014999000 _____ (Trend Micro Inc.) C:\Users\Zar_Admin2\Desktop\RootkitBusterV5.0-1203x64.exe
2018-04-11 21:53 - 2018-04-11 21:53 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\D61A9133.sys
2018-04-11 21:47 - 2018-04-16 02:49 - 000000000 ____D C:\Users\Zar_Admin2\Desktop\mbar
2018-04-11 13:38 - 2018-04-11 13:38 - 000003421 _____ C:\Users\Zar_Admin2\Desktop\unetbootin-windows-657.exe.lnk
2018-04-10 12:28 - 2018-04-10 12:28 - 000001029 _____ C:\Users\Public\Desktop\ISO to USB.lnk
2018-04-10 12:28 - 2018-04-10 12:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ISO to USB
2018-04-10 12:28 - 2018-04-10 12:28 - 000000000 ____D C:\Program Files (x86)\ISO to USB
2018-04-09 22:11 - 2018-04-17 09:50 - 000000400 __RSH C:\ProgramData\ntuser.pol
2018-04-07 20:46 - 2018-04-07 20:46 - 000000000 ____D C:\ProgramData\SplitMediaLabs
2018-04-07 20:44 - 2018-04-07 21:10 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\SplitmediaLabs
2018-04-07 19:29 - 2018-04-20 04:40 - 000044768 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-04-07 19:28 - 2018-04-20 04:40 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-04-07 19:28 - 2018-04-20 04:40 - 000112864 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-04-07 19:28 - 2018-04-20 04:40 - 000093816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-04-07 19:28 - 2018-04-16 17:39 - 000193768 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-04-07 19:28 - 2018-04-14 17:36 - 000001994 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-04-07 19:28 - 2018-04-07 19:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-04-07 19:28 - 2018-03-19 12:57 - 000076192 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-04-07 16:19 - 2018-04-07 16:19 - 000000000 ____D C:\Users\Zar_Admin3\Documents\AceThinker
2018-04-07 16:19 - 2018-04-07 16:19 - 000000000 ____D C:\log
2018-04-07 16:18 - 2018-04-07 16:19 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\AceThinker
2018-04-07 16:18 - 2018-04-07 16:19 - 000000000 ____D C:\ProgramData\AceThinker
2018-04-07 16:18 - 2018-04-07 16:18 - 000001368 _____ C:\Users\Public\Desktop\AceThinker Video Master.lnk
2018-04-07 16:18 - 2018-04-07 16:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AceThinker
2018-04-07 16:18 - 2018-04-07 16:18 - 000000000 ____D C:\Program Files (x86)\AceThinker
2018-04-07 16:18 - 2017-01-02 11:53 - 000370424 _____ (Riverbed Technology, Inc.) C:\Windows\system32\wpcap.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000282360 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\wpcap.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000107768 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Packet.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000098040 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\Packet.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000053299 _____ C:\Windows\SysWOW64\pthreadVC.dll
2018-04-07 16:18 - 2017-01-02 11:53 - 000036600 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Drivers\npf.sys
2018-04-05 12:41 - 2018-04-05 12:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyFinder
2018-04-05 12:41 - 2018-04-05 12:41 - 000000000 ____D C:\Program Files (x86)\Magical Jelly Bean
2018-04-04 12:38 - 2018-04-04 12:38 - 000000109 _____ C:\Users\Zar-Unityv4\AppData\Local\kritadisplayrc
2018-04-03 11:01 - 2018-04-03 11:01 - 000002419 _____ C:\Users\Zar_Admin2\Desktop\InstaGC2 - Chrome.lnk
2018-04-03 11:01 - 2018-04-03 11:01 - 000002375 _____ C:\Users\Zar_Admin2\Desktop\Zar - Chrome.lnk
2018-04-01 10:18 - 2018-04-01 10:18 - 000002308 _____ C:\Users\Zar-Unityv4\AppData\Local\recently-used.xbel
2018-03-24 16:58 - 2018-03-24 16:58 - 000004715 _____ C:\Users\Zar_Admin2\Desktop\snes9x-x64.exe.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-20 05:08 - 2017-08-28 22:09 - 000000000 ____D C:\ProgramData\VoodooShield
2018-04-20 04:49 - 2009-07-14 00:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-04-20 04:49 - 2009-07-14 00:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-04-20 04:47 - 2013-12-02 21:26 - 000000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2018-04-20 04:44 - 2009-07-14 01:13 - 000896288 _____ C:\Windows\system32\PerfStringBackup.INI
2018-04-20 04:44 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2018-04-20 04:43 - 2017-09-01 06:12 - 001293296 _____ C:\Windows\ntbtlog.txt
2018-04-20 04:39 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-04-20 04:25 - 2018-01-26 13:00 - 000000000 ____D C:\FRST
2018-04-19 03:45 - 2016-02-08 23:19 - 000000000 ____D C:\Users\Zar_Admin3\Documents\__The useful box__
2018-04-19 03:37 - 2017-07-18 04:53 - 000004672 _____ C:\Windows\Sandboxie.ini
2018-04-16 21:21 - 2014-12-20 23:38 - 000000000 ___RD C:\Sandbox
2018-04-16 20:56 - 2017-06-13 02:30 - 000002563 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2018-04-16 20:56 - 2017-06-13 02:30 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
2018-04-16 18:37 - 2009-07-14 01:08 - 000032538 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-04-16 17:33 - 2017-08-28 22:09 - 000000830 _____ C:\Users\Public\Desktop\Voodoo Shield.lnk
2018-04-16 17:33 - 2017-08-28 22:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VoodooShield
2018-04-16 17:33 - 2017-08-28 22:09 - 000000000 ____D C:\Program Files\VoodooShield
2018-04-16 02:49 - 2014-07-01 21:18 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-04-15 03:33 - 2014-01-17 22:05 - 000000000 ____D C:\ProgramData\softthinks
2018-04-14 22:16 - 2015-12-03 18:04 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2018-04-14 22:12 - 2017-11-19 13:31 - 000000000 ____D C:\ProgramData\AVAST Software
2018-04-14 21:35 - 2014-10-14 01:27 - 000000000 ____D C:\AdwCleaner
2018-04-14 20:55 - 2014-01-14 05:12 - 000000000 ____D C:\Users\Zar-Unityv4
2018-04-14 20:21 - 2017-07-18 07:44 - 000000000 ____D C:\Users\Public\Documents\regruninfo
2018-04-14 20:18 - 2017-07-18 07:44 - 000000000 ____D C:\ProgramData\RegRun
2018-04-14 19:31 - 2016-11-28 07:36 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\LocalLow\Mozilla
2018-04-14 19:16 - 2018-02-07 20:03 - 000000000 ____D C:\Program Files (x86)\UnHackMe
2018-04-14 17:54 - 2016-11-28 08:36 - 000001077 _____ C:\Users\Public\Desktop\Firefox.lnk
2018-04-14 17:28 - 2016-12-21 09:48 - 000000000 ____D C:\ProgramData\ProductData
2018-04-14 16:03 - 2014-06-05 06:31 - 000000000 ____D C:\Windows\Minidump
2018-04-14 16:03 - 2013-12-02 22:25 - 000270690 ____N C:\Windows\Minidump\041418-22448-01.dmp
2018-04-14 15:31 - 2014-01-22 00:45 - 000000000 ____D C:\Users\Zar_Admin3\Documents\A) My programs
2018-04-14 04:38 - 2014-07-15 15:55 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\CrashDumps
2018-04-13 03:06 - 2018-01-16 00:03 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-04-12 16:53 - 2014-03-16 04:45 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\ESET
2018-04-11 23:02 - 2017-07-18 07:44 - 000000000 ____D C:\Users\Zar_Admin3\Documents\RegRun2
2018-04-11 21:53 - 2014-10-15 00:31 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-04-11 20:18 - 2017-07-29 18:33 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-04-11 20:18 - 2016-11-28 08:36 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-04-11 20:18 - 2014-03-13 03:04 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2018-04-11 19:38 - 2014-09-25 20:06 - 000007598 _____ C:\Users\Zar-Unityv4\AppData\Local\Resmon.ResmonCfg
2018-04-11 19:31 - 2014-01-24 02:11 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\Last.fm
2018-04-11 19:31 - 2014-01-24 02:07 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\foobar2000
2018-04-09 22:11 - 2009-07-13 23:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-04-08 22:29 - 2018-03-11 10:02 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\obs-studio
2018-04-08 18:34 - 2014-01-22 03:08 - 000024501 _____ C:\Users\Zar_Admin3\Documents\-All New Passwords-.txt
2018-04-07 21:10 - 2018-02-09 19:14 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Roaming\IObit
2018-04-07 21:10 - 2016-01-25 20:57 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\LocalLow\IObit
2018-04-07 21:10 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\registration
2018-04-04 12:38 - 2017-11-07 03:49 - 000023652 _____ C:\Users\Zar-Unityv4\AppData\Local\kritarc
2018-04-03 19:57 - 2017-04-19 21:23 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-04-01 10:18 - 2017-10-08 00:28 - 000000000 ____D C:\Users\Zar-Unityv4\AppData\Local\gtk-2.0
2018-04-01 10:18 - 2017-10-08 00:18 - 000000000 ____D C:\Users\Zar-Unityv4\.gimp-2.8
2018-03-30 13:00 - 2014-04-19 03:09 - 000000000 ____D C:\Users\Zar_Admin3\Documents\Finale Files
2018-03-23 02:09 - 2015-07-25 16:59 - 000022804 _____ C:\Users\Zar_Admin3\Documents\Music links and special info.txt
 
==================== Files in the root of some directories =======
 
2017-08-11 10:25 - 2017-08-11 10:25 - 000001099 _____ () C:\Program Files\installer_prefs.json
2017-08-11 10:25 - 2017-08-11 10:25 - 000001208 _____ () C:\Program Files\server_tracking_data
2016-01-15 21:34 - 2016-01-15 21:34 - 000012908 _____ () C:\Program Files (x86)\installation_status.xml
2016-01-15 21:34 - 2016-01-20 21:34 - 000000687 _____ () C:\Program Files (x86)\installer_prefs.json
2016-01-15 21:34 - 2015-10-23 06:01 - 000000317 _____ () C:\Program Files (x86)\launcher.visualelementsmanifest.xml
2016-01-15 21:34 - 2015-10-09 18:04 - 000003072 _____ () C:\Program Files (x86)\Resources.pri
2016-01-15 21:34 - 2016-01-15 21:33 - 000000849 _____ () C:\Program Files (x86)\server_tracking_data
 
Some files in TEMP:
====================
2018-04-13 03:05 - 2017-08-11 02:36 - 001732864 _____ (Microsoft Corporation) C:\Users\Zar-Unityv4\AppData\Local\Temp\dllnt_dump.dll
2018-04-05 11:43 - 2018-04-05 11:43 - 000262144 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\flac.exe
2018-03-23 19:46 - 2018-03-23 19:46 - 014485128 _____ (VoodooSoft, LLC                                             ) C:\Users\Zar-Unityv4\AppData\Local\Temp\InstallVoodooShield.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000581120 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\lame.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000074752 _____ (Matthew T. Ashland) C:\Users\Zar-Unityv4\AppData\Local\Temp\MAC.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000074240 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\oggdec.exe
2018-04-05 11:43 - 2018-04-05 11:43 - 000155136 _____ () C:\Users\Zar-Unityv4\AppData\Local\Temp\oggenc.exe
2018-04-14 19:01 - 2018-04-14 19:01 - 001458856 _____ (Sysinternals - www.sysinternals.com) C:\Users\Zar-Unityv4\AppData\Local\Temp\procexp64.exe
2018-04-16 17:32 - 2018-04-16 17:32 - 014483888 _____ (VoodooSoft, LLC                                             ) C:\Users\Zar_Admin2\AppData\Local\Temp\InstallVoodooShield.exe
2018-04-16 19:05 - 2018-04-16 19:05 - 000262144 _____ () C:\Users\Zar_Admin3\AppData\Local\Temp\flac.exe
2018-04-16 19:05 - 2018-04-16 19:05 - 000581120 _____ () C:\Users\Zar_Admin3\AppData\Local\Temp\lame.exe
2018-04-16 19:05 - 2018-04-16 19:05 - 000074752 _____ (Matthew T. Ashland) C:\Users\Zar_Admin3\AppData\Local\Temp\MAC.exe
2018-04-16 19:05 - 2018-04-16 19:05 - 000074240 _____ () C:\Users\Zar_Admin3\AppData\Local\Temp\oggdec.exe
2018-04-16 19:05 - 2018-04-16 19:05 - 000155136 _____ () C:\Users\Zar_Admin3\AppData\Local\Temp\oggenc.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-04-19 04:16
 
==================== End of FRST.txt ============================

Edited by Dell_User7, 20 April 2018 - 05:13 AM.


#6 Dell_User7

Dell_User7
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  

Posted 20 April 2018 - 05:06 AM

I also have a "fixlog" if you want to view it as well. And an aswMBR log from around 4-11, soon after Avast warned me of the "sevnz.exe" rootkit infection. I was only able to do a partial scan with aswMBR though, as it always crashes before the scan can fully complete.

 

I'm a bit concerned that my default browser for Internet Explorer is the "Spark browser" by Baidu. I never set such an entry. (as seen in the log provided)

 

I did a scan yesterday for recently modified files on 4/11, and I noticed a LOT of JavaScript runs within my Sandboxie environment when I was using Internet Explorer, right when I got hit with a scare warning that my security had been compromised. However, any modifications made from within the sandbox environment will not affect my real Windows settings. Anyway, outside of that concern, I did not see anything of major concern. (as far as I can tell)

 

I'm still super paranoid though that some malware or spyware is recording everything I do, especially that a very well hidden rootkit is hanging around on my computer, just waiting for me to log into my bank and leak sensitive information to hackers.

 

If you know of any good rootkit or spyware scanners that I could run, to help give myself better peace of mind, I'm willing to try them. I do have SUPERAntiSpyware and have already done a scan with it a week ago, but it only found some tracking cookies, nothing major. Perhaps I should do a scan with SUPERAntiSpyware again though.

--

The update below is posted only as a request for you to evaluate the information given, relate it to my situation at hand, and provide me with some needed insight as to what action I should take, or whether I should even be concerned. This information is not intended to go off course from your instructions on what to do next regarding my PC issue. No action will be taken with the information given below without your approval first.

 

https://removeviruswithease.blogspot.com/2018/04/sevnzexe-how-to-remove-it.html

 

I just found this interesting article on the sevnz.exe process! It sounds like this may be exactly what I got infected with. Apparently "sevnz.exe" is some kind of nasty advanced adware which also has potentially low-level "rootkit" functionality. (would explain why Avast first detected Sevnz as a rootkit) The article says that the adware may slow down your internet, and I did experience a major reduction in my internet speed in the last week, soon after Avast warned me of the rootkit infection. Some websites would not even load, reported as a DNS error.

 

The article says that the Sevnz adware is very tricky and hard to remove and should be removed as soon as possible. It recommends two different anti-malware programs to help remove it, but I can't go to the Plumbytes site at all, as it is blocked by Malwarebytes for some reason, and the other one, SpyHunter, won't even be allowed to install and is quarantined by Malwarebytes. It's funny that SpyHunter states on their website that they believe Malwarebytes is blocking their software for competitive reasons and have an alternate installer provided.

 

Anyway, according to the blog site, these two programs are highly recommended for finding and removing the Sevnz adware, but the site provides unsafe links to download the software, as tested without opening them in another browser within the sandbox, which is also blocked by Malwarebytes. I went to the official site of SpyHunter and downloaded the software, to possibly use later, but I did test executing the installer and it was blocked by Malwarebytes as well. Should I try one of these programs, or steer clear of them?

 

If you think it would be a good idea to run one of these programs, and you think that some of the information in the article is relevant to my issue, I will try them.

Otherwise, I will disregard this new info on Sevnz.exe.

--

Thank you for your time and assistance, I await your next instructions. 


Edited by Dell_User7, 20 April 2018 - 06:14 AM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 20 April 2018 - 07:45 AM

Hi,

Remove this default opening page in Internet Explorer.
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\baidu\SparkSafe\Spark.exe" -- "%1")

Then Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
===
 

It's funny that SpyHunter states on their website that they believe Malwarebytes is blocking their software for competitive reasons and have an alternate installer provided.

It's the opinion that SpyHunter is not recommended. It's up to you to dequarantine it. For now I do not think that you need it.
---

Please run this Malwarebytes Anti-Rootkit.

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Before you run the program make sure you follow the instructions under Section 5.
5. Unselect sectors and system below. Hit the scan button.

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder here after.
<<<>>>

p.s.
We may need to use the big gun on this.

Launch FRST and copy/paste the following inside the text area. Once done, click on the Fix button. Afterwards, a file called fixlog.txt should appear on your desktop. Attach it in your next reply.
 

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...

Let me know and we will proceed.
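A read-only check that goes with the first instruction above (the Internet Explorer "Default browser" line pointing at Spark.exe), added here as an example; it is not part of the thread and not a tool from FRST or Malwarebytes. It lists the registry commands that decide which program opens http:// and https:// links and flags any executable that is not in a short list of browsers you recognise. The list of expected browser names is a constructed assumption; FRST's exact source for its "Default browser" line is not stated in the thread, so the key paths below are the usual locations for that setting, not a claim about how FRST derives it.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): read-only inspection of
# the registry commands used to open http:// and https:// links, flagging any
# executable that is not one of the browsers you expect to see.
# Assumptions: run from an elevated PowerShell prompt on Windows 7 or later;
# the $knownGood list is a constructed example, adjust it to the browsers you use.

$knownGood = @('iexplore.exe', 'firefox.exe', 'chrome.exe')

$paths = @(
    'Registry::HKEY_CLASSES_ROOT\http\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\https\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\http\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\https\shell\open\command'
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $cmd = (Get-ItemProperty -Path $p).'(default)'
    if (-not $cmd) { continue }

    # Pull the program path out of a command line such as
    #   "C:\Program Files (x86)\baidu\SparkSafe\Spark.exe" -- "%1"
    # (quoted path first; otherwise take everything up to the first ".exe").
    if ($cmd -match '^"([^"]+)"')      { $path = $Matches[1] }
    elseif ($cmd -match '^(.+?\.exe)') { $path = $Matches[1] }
    else                               { $path = $cmd }

    # Last path component, split on either slash so odd characters cannot throw.
    $exe = ($path -split '[\\/]')[-1].ToLower()
    $status = if ($knownGood -contains $exe) { 'expected' } else { 'REVIEW' }

    "{0,-8} {1}`n         {2}" -f $status, $p, $cmd
}

# Per-user protocol association (Windows 7 and later keep the user's choice here);
# ProgId should name the browser you picked, for example IE.HTTP or FirefoxURL.
$assoc = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
if (Test-Path $assoc) { Get-ItemProperty -Path $assoc | Select-Object ProgId }
```

The script changes nothing; it only prints each handler with an "expected" or "REVIEW" tag so an entry like the Spark.exe one stands out before you reset Internet Explorer or change the default browser, and so you can run it again afterwards to confirm the handler now points where you intended.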

#8 Dell_User7

Dell_User7
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  

Posted 20 April 2018 - 10:13 AM

Okay, so SpyHunter is a no go. I have quarantined the downloaded application, as recommended by Malwarebytes.

 

I looked in my Internet Explorer settings and I didn't find the Spark browser set as my default browser. Not sure where to go to set the default browser, but I changed my default home page from MSN to my preferred search engine site.

 

I reset my Internet Explorer settings.

 

My scan with Malwarebytes Anti-Rootkit found no threats, as did my full Malwarebytes scan beforehand. Yay!

 

I also went ahead and did a scan with AdwCleaner and it found 21 threats! I am now restarting my computer to clean those threats, which are 6 AlToolbar threats, 7 threats of PUPs from Advanced SystemCare and 8 optional legacy threats. Let me know if you still wish me to proceed with the FRST commands.

 

I have a spare laptop with Windows 7 and internet access, and a clean USB drive ready.

 

Also, I was reading more about the Sevnz process and how it is normally used when extracting files with 7-Zip, as well as to display USB drive information. Is it possible that Avast was just spitting out a false positive? I'd love to think so. Around that time on 4/10 - 4/12 I was trying to make one of my USB drives bootable with the great programs Rufus, ISO to USB and UNetbootin. Unfortunately, UNetbootin may have come infected with the rootkit that I highly suspect I have on my computer, even though I downloaded the program from the official site. (https://unetbootin.github.io/)

 

When I first ran UNetbootin, VoodooShield warned me of the process "Sevnz" wanting to run, and the threat bar was very close to the red side, but I let the process run anyway because after doing a quick search, I thought it would likely be safe to run. But after Avast found over 290 infections of the process, I'm not sure now.

 

Next time I will definitely do more research before letting some unknown new process run in the wild. 

 

--

After restart, I went into safe mode to back up a few files and I did a scan with RogueKiller, which found 7 threats, 2 of which are suspicious path modifications made to the registry, which I removed. I saved a log and it is provided below, in case you want to look over it.

 

-

RogueKiller V12.12.0.0 (x64) [Jan 15 2018] (Free) by Adlice Software

 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Zar_Admin3 [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 04/20/2018 11:58:53 (Duration : 00:23:53)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 6 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR (\??\C:\Users\ZAR-UN~1\AppData\Local\Temp\mfe_rr.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MFE_RR (\??\C:\Users\ZAR-UN~1\AppData\Local\Temp\mfe_rr.sys) -> Deleted
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4291765073-3835710626-4147568939-1009\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4291765073-3835710626-4147568939-1009\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4291765073-3835710626-4147568939-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4291765073-3835710626-4147568939-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [duckdg] -> Not selected
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] e9a143fd54a9d1d93610099c407c6f30
[BSP] 230b54b69523cba8e64ca2e5f8b470b3 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 22186 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 45518848 | Size: 931642 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
---------

Edited by Dell_User7, 20 April 2018 - 11:39 AM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 20 April 2018 - 12:50 PM

Sure looks like some false positives were identified.

Just to make sure run this scan.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

Let me know of any issues with this computer.

#10 Dell_User7

  • Topic Starter
  • Members
  • 30 posts

Posted 21 April 2018 - 02:35 AM

That's good to hear! Maybe Avast is the problem here!

Well, I think that I can start to think positive now at this point unless proven otherwise.

I ran the full scan with Sophos and I turned off my internet and left the computer alone for a couple of hours, then I came back to an "all clean" message.

I had already had Sophos on my computer and did a full scan about a week ago and I was clean then. But it's always good to have a second opinion.

I'm guessing that there is no log to post on the forum since I was all clean? No general new issues with my computer to report, except for not being able to connect to the internet for a while after my scan was done. Lately my internet has been cutting out or having trouble going to simple websites for up to a whole hour before the internet works again. I checked at the same time on another computer to see if the internet is out on that computer as well, and sometimes it is out, and other times it is not and the internet is working fine.

So I'm not sure if it's just a problem with my router or my ISP, or the computers themselves.

I was informed recently on my computer of an IP conflict with another computer connected to my network. Also, I have been given this message before. I'm not sure what to do to resolve it.

Other than that, the only other thing I can mention that I think is a bit odd is how, since I've been alerted by Avast of a rootkit infection, my computer has been lighting up the busy signal light every second without pause, and I don't believe that the computer used to do that before.

Also, the legacy software ALZip, which AdwCleaner prompted to remove for me, was showing mostly all Korean text on the right-click options for zip archiving, which I didn't ever remember seeing before.

I have re-installed ALZip, and now when I right-click, the right-click options are back in English, instead of in Korean. Very strange.

I did find out that the company that makes ALZip is based in Korea, so maybe that was just something weird that the software does on its own. I did not experience anything else unusual when using the software.

So does this mean that I am clean from a rootkit or adware infection?

I did run a scan with GMER a week ago, and I think it might have found some threats, but I'm not sure of that. I did save a log but I can't find that now.

I re-downloaded GMER (from gmer.net) but VoodooShield blocks it and says that the file is not digitally signed or verified and the threat bar is close to the red, so I let VoodooShield block GMER. Should I run GMER anyway and save a log?

Meanwhile, here is my log of AdwCleaner:

----

# -------------------------------
# Malwarebytes AdwCleaner 7.1.0.0
# -------------------------------
# Build:    04-12-2018
# Database: 2018-04-19.1
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    04-20-2018
# Duration: 00:00:06
# OS:       Windows 7 Professional
# Cleaned:  21
# Failed:   0
 
 
***** [ Services ] *****
 
No malicious services cleaned.
 
***** [ Folders ] *****
 
Deleted       C:\ProgramData\ESTsoft
Deleted       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESTsoft
Deleted       C:\Program Files (x86)\ESTsoft
Deleted       C:\Users\Zar-Unityv4\AppData\Roaming\ESTsoft
Deleted       C:\Users\Zar_Admin2\AppData\Roaming\ESTsoft
Deleted       C:\Users\Zar_Admin3\AppData\Roaming\ESTsoft
Deleted       C:\ProgramData\IObit\Advanced SystemCare V8
Deleted       C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare V8
Deleted       C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V8
Deleted       C:\Users\Zar-Unityv4\AppData\Roaming\IObit\Advanced SystemCare
 
***** [ Files ] *****
 
No malicious files cleaned.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks cleaned.
 
***** [ Registry ] *****
 
Deleted       HKLM\Software\Wow6432Node\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
Deleted       HKLM\Software\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
Deleted       HKLM\Software\Wow6432Node\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries cleaned.
 
***** [ Chromium URLs ] *****
 
Deleted       Ask
Deleted       Ask
Deleted       Ask
Deleted       Ask
Deleted       AOL
Deleted       AOL
Deleted       AOL
Deleted       AOL
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries cleaned.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs cleaned.
 
 
*************************
 
[+] Delete Tracing Keys
[+] Reset Winsock
 
*************************
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

Edited by Dell_User7, 21 April 2018 - 03:04 AM.
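The question of whether GMER's hook entries are worth worrying about comes down to where each hook lands. The following triage script is an added example, not code from any participant in this thread or from GMER: it parses the "User code sections" and "User IAT/EAT" lines, folds the two-line MOV RAX / JMP RAX trampolines that GMER splits across a "+ 8" entry, and labels each hook by its target. The sample lines are constructed in GMER's layout; the first six copy the hook shapes that appear in the GMER log posted later in this thread (psapi.dll forwarding into kernel32.dll, Chrome's ntdll trampolines, a chrome_child.dll IAT entry), while the explorer.exe entry pointing at hypothetical_hook.dll is invented to exercise the 'review' verdict. The classification rule is an assumption of this example: a target under the Windows system directories or under the hooked program's own install directory is treated as expected, anything else as something to look at.

```python
"""Triage helper for GMER 2.2 "User code sections" / "User IAT/EAT" entries.
A hook landing in a Windows system DLL or under the hooked program's own install
directory is 'expected'; any other resolved target is 'review'; a bare address
GMER could not map to a module is 'unresolved'.  Added example, not GMER code."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>.+?)!(?P<func>\w+)"
    r"(?:\s\+\s(?P<off>\d+))?\s+(?P<addr>[0-9a-f]+)\s+\d+ bytes\s+(?P<patch>.+)$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+.+?\[(?P<module>[^!\]]+)!(?P<func>\w+)\]"
    r"\s+\[(?P<addr>[0-9a-f]+)\]\s+(?P<target_mod>.+)$")
JMP_RE = re.compile(r"^(?:JMP|CALL)\s+[0-9a-f]+\s+(?P<target_mod>.+)$")
MOVJMP_RE = re.compile(r"\{MOV RAX, 0x(?P<target>[0-9a-f]+); JMP RAX\}")
BYTES_RE = re.compile(r"^\[([0-9A-F]{2}(?:, [0-9A-F]{2})*)\]$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumed benign targets

# Constructed sample in GMER's layout.  The first six lines copy hook shapes seen in
# this thread's GMER log (psapi->kernel32 forwarder, Chrome ntdll trampolines, a Chrome
# IAT entry); the explorer.exe line with hypothetical_hook.dll is invented.
SAMPLE = r"""
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076c11401 2 bytes JMP 765eb233 C:\Windows\syswow64\kernel32.dll
.text  ...   * 9
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection   0000000077a6bfb0 14 bytes {MOV RAX, 0x7fef3382537; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess   0000000077a6bf90 7 bytes [48, B8, 60, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8   0000000077a6bf98 6 bytes {ADD [RAX], AL; JMP RAX}
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW]   [7fee5cf2e78] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
.text  C:\Windows\explorer.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile   0000000077a6c2a0 5 bytes JMP 000000006a1b0010 C:\Users\Public\Libraries\hypothetical_hook.dll
"""

@dataclass
class Hook:
    kind: str                   # ".text" (inline patch) or "IAT"
    proc: str                   # full path of the hooked process
    pid: int
    func: str                   # hooked export, e.g. "ntdll.dll!NtOpenProcess"
    target_mod: Optional[str]   # module GMER resolved the hook to, if any
    target_addr: Optional[int]  # raw jump target when only an address is known
    partial: bool = False       # target_addr decoded from a truncated byte list

def decode_mov_rax(patch: str) -> Optional[int]:
    """48 B8 imm64 is MOV RAX, imm64.  GMER lists only the bytes it saw patched,
    so the immediate may be cut short; missing high bytes are taken as zero."""
    m = BYTES_RE.match(patch)
    bs = [int(b, 16) for b in m.group(1).split(", ")] if m else []
    if bs[:2] != [0x48, 0xB8]:
        return None
    return int.from_bytes(bytes(bs[2:10]).ljust(8, b"\x00"), "little")

def parse_gmer(text: str) -> List[Hook]:
    hooks: List[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IAT_RE.match(line)
        if m:
            hooks.append(Hook("IAT", m["proc"], int(m["pid"]), f"{m['module']}!{m['func']}",
                              m["target_mod"].strip(), int(m["addr"], 16)))
            continue
        m = TEXT_RE.match(line)
        if not m:
            continue  # section headers, blank lines, kernel entries, "* N" elision markers
        func, pid = f"{ntpath.basename(m['module'])}!{m['func']}", int(m["pid"])
        prev = hooks[-1] if hooks else None
        # GMER prints the tail of a 10-byte MOV RAX / JMP RAX trampoline as a second
        # "+ 8" entry for the same export; fold it into the preceding partial hook.
        if m["off"] and prev and prev.partial and (prev.pid, prev.func) == (pid, func):
            continue
        patch, target_mod, target_addr, partial = m["patch"].strip(), None, None, False
        jmp, movjmp = JMP_RE.match(patch), MOVJMP_RE.search(patch)
        if jmp:
            target_mod = jmp["target_mod"].strip()
        elif movjmp:
            target_addr = int(movjmp["target"], 16)
        else:
            target_addr = decode_mov_rax(patch)
            partial = target_addr is not None
        hooks.append(Hook(".text", m["proc"], pid, func, target_mod, target_addr, partial))
    return hooks

def verdict(h: Hook) -> str:
    if h.target_mod is None:
        return "unresolved"
    target = h.target_mod.lower()
    if target.startswith(SYSTEM_DIRS):
        return "expected"  # e.g. Windows 7 psapi.dll forwarding into kernel32.dll
    if target.startswith(ntpath.dirname(h.proc).lower() + "\\"):
        return "expected"  # hook lives in the hooked program's own install tree
    return "review"

def summarize(text: str) -> Dict[str, int]:
    return dict(Counter(verdict(h) for h in parse_gmer(text)))

if __name__ == "__main__":
    for h in parse_gmer(SAMPLE):
        where = h.target_mod or ("?" if h.target_addr is None else f"0x{h.target_addr:x}")
        print(f"{verdict(h):10} {ntpath.basename(h.proc)}[{h.pid}] {h.func} -> "
              f"{where}{' (partial)' if h.partial else ''}")
    print(summarize(SAMPLE))
```

The verdict is a location heuristic, not a clean bill of health: an 'expected' target still deserves a signature check of the file on disk, an 'unresolved' address has to be compared against the process's loaded-module list (for the Chrome entries, against the chrome.exe image itself), and a 'review' entry is the one to pull the file from and submit. Kernel entries such as the win32k.sys service-table line are not parsed here and need to be attributed to a driver separately.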


#11 nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 April 2018 - 06:54 AM



Hi,

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start


CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh winsock reset catalog

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===


If the Internet connection is still a problem, take care of this.

    Lately my internet has been cutting out or having trouble going to simple websites for up to a whole hour before the internet works again. I checked at the same time on another computer to see if the internet is out on that computer as well, and sometimes it is out, and other times it is not and the internet is working fine.

    So I'm not sure if it's just a problem with my router or my ISP, or the computers themselves.

Check with your internet provider. I may be wrong but your router may be going bad.

Keep me posted

#12 Dell_User7

  • Topic Starter
  • Members
  • 30 posts

Posted 21 April 2018 - 07:58 AM

I've only had my new router for about a year now, so I think my router is good. This recent behavior of my internet cutting out a few times is abnormal and usually I do not have this issue.

My internet has been working well all morning since it last cut out last night after doing the Sophos scan. Should I still proceed anyway with the DNS flush? I recently switched my DNS servers to OpenDNS from another set of servers based in Germany, do you think that could be the cause?

Also, I found the GMER log I created back on the 14th of April, while on the second admin account I created, a couple of days after Avast alerted me of the rootkit infection. Please review this log and let me know if anything looks out of place.

Thank you!

--

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-04-14 16:19:06
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000DM rev.CC47 931.51GB
Running: 7nsj5ecw.exe; Driver: C:\Users\Zar_Admin2\AppData\Local\Temp\uxloipow.sys
 
 
---- Kernel code sections - GMER 2.2 ----
 
.text  C:\Windows\System32\win32k.sys!W32pServiceTable                                                                                      fffff96000115e00 7 bytes [C0, 4C, F3, FF, 01, 5A, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8                                                                                  fffff96000115e08 3 bytes [C0, 06, 02]
 
---- User code sections - GMER 2.2 ----
 
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                 0000000076c11401 2 bytes JMP 765eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                   0000000076c11419 2 bytes JMP 765eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                 0000000076c11431 2 bytes JMP 76669149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                 0000000076c1144a 2 bytes CALL 765c4885 C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                                  * 9
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                    0000000076c114dd 2 bytes JMP 76668a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17             0000000076c114f5 2 bytes JMP 76668c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                    0000000076c1150d 2 bytes JMP 76668938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17             0000000076c11525 2 bytes JMP 76668d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                   0000000076c1153d 2 bytes JMP 765dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                        0000000076c11555 2 bytes JMP 765e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                 0000000076c1156d 2 bytes JMP 76669201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                   0000000076c11585 2 bytes JMP 76668d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                      0000000076c1159d 2 bytes JMP 766688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                   0000000076c115b5 2 bytes JMP 765dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                 0000000076c115cd 2 bytes JMP 765eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20             0000000076c116b2 2 bytes JMP 766690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31             0000000076c116bd 2 bytes JMP 76668891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                   0000000077a6bfb0 14 bytes {MOV RAX, 0x7fef3382537; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread               0000000077a6be00 7 bytes [48, B8, E0, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8           0000000077a6be08 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken                    0000000077a6bf70 7 bytes [48, B8, 10, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8                0000000077a6bf78 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                        0000000077a6bf90 7 bytes [48, B8, 60, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                    0000000077a6bf98 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                 0000000077a6bfa0 7 bytes [48, B8, 90, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8             0000000077a6bfa8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                   0000000077a6bfb0 7 bytes [48, B8, 50, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8               0000000077a6bfb8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                 0000000077a6bfd0 7 bytes [48, B8, C0, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8             0000000077a6bfd8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx                  0000000077a6c020 7 bytes [48, B8, 40, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8              0000000077a6c028 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx                 0000000077a6c030 7 bytes [48, B8, B0, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8             0000000077a6c038 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                           0000000077a6c060 7 bytes [48, B8, 10, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8                       0000000077a6c068 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile                0000000077a6c100 7 bytes [48, B8, 50, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8            0000000077a6c108 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                         0000000077a6c280 7 bytes [48, B8, 80, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                     0000000077a6c288 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                   0000000077a6ccf0 7 bytes [48, B8, 90, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8               0000000077a6ccf8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                         0000000077a6cd40 7 bytes [48, B8, 30, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8                     0000000077a6cd48 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile            0000000077a6ce90 7 bytes [48, B8, 70, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8        0000000077a6ce98 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread                0000000077a6be00 7 bytes [48, B8, E0, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8            0000000077a6be08 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken                     0000000077a6bf70 7 bytes [48, B8, 10, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8                 0000000077a6bf78 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                         0000000077a6bf90 7 bytes [48, B8, 60, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                     0000000077a6bf98 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                  0000000077a6bfa0 7 bytes [48, B8, 90, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8              0000000077a6bfa8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                    0000000077a6bfb0 7 bytes [48, B8, 50, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                0000000077a6bfb8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                  0000000077a6bfd0 7 bytes [48, B8, C0, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8              0000000077a6bfd8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx                   0000000077a6c020 7 bytes [48, B8, 40, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8               0000000077a6c028 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx                  0000000077a6c030 7 bytes [48, B8, B0, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8              0000000077a6c038 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                            0000000077a6c060 7 bytes [48, B8, 10, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8                        0000000077a6c068 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile                 0000000077a6c100 7 bytes [48, B8, 50, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8             0000000077a6c108 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                          0000000077a6c280 7 bytes [48, B8, 80, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                      0000000077a6c288 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                    0000000077a6ccf0 7 bytes [48, B8, 90, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                0000000077a6ccf8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                          0000000077a6cd40 7 bytes [48, B8, 30, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8                      0000000077a6cd48 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile             0000000077a6ce90 7 bytes [48, B8, 70, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8         0000000077a6ce98 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread               0000000077a6be00 7 bytes [48, B8, E0, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8           0000000077a6be08 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken                    0000000077a6bf70 7 bytes [48, B8, 10, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8                0000000077a6bf78 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                        0000000077a6bf90 7 bytes [48, B8, 60, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                    0000000077a6bf98 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                 0000000077a6bfa0 7 bytes [48, B8, 90, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8             0000000077a6bfa8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                   0000000077a6bfb0 7 bytes [48, B8, 50, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8               0000000077a6bfb8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                 0000000077a6bfd0 7 bytes [48, B8, C0, 54, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8             0000000077a6bfd8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx                  0000000077a6c020 7 bytes [48, B8, 40, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8              0000000077a6c028 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx                 0000000077a6c030 7 bytes [48, B8, B0, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8             0000000077a6c038 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                           0000000077a6c060 7 bytes [48, B8, 10, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8                       0000000077a6c068 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile                0000000077a6c100 7 bytes [48, B8, 50, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8            0000000077a6c108 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                         0000000077a6c280 7 bytes [48, B8, 80, 55, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                     0000000077a6c288 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                   0000000077a6ccf0 7 bytes [48, B8, 90, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8               0000000077a6ccf8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                         0000000077a6cd40 7 bytes [48, B8, 30, 57, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8                     0000000077a6cd48 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile            0000000077a6ce90 7 bytes [48, B8, 70, 56, C5, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8        0000000077a6ce98 6 bytes {ADD [RAX], AL; JMP RAX}
 
---- User IAT/EAT - GMER 2.2 ----
 
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW]         [7fee5cf2ec3] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle]   [7fee5cf2e8e] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW]       [7fee5cf2e78] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW]        [7fee5cf2ed9] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[812] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]       [7fee5cf2f05] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW]        [7fee5cf2ec3] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle]  [7fee5cf2e8e] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW]      [7fee5cf2e78] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW]       [7fee5cf2ed9] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2152] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]      [7fee5cf2f05] C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_child.dll
 
---- Registry - GMER 2.2 ----
 
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_15194991678812326@SetupOperations                                   ????????????p???BNmon???ibexusb.inf_amd64_neutral_48b6f41914370c44??????????????Extended Base????z??????????????v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|Svc=Msiscsi|Name=@FirewallAPI.dll,-29003|Desc=@FirewallAPI.dll,-29006|EmbedCtxt=@FirewallAPI.dll,-29002|?|????????????n????age=???  ??z???r?????of ??????ot???????z????????2?????????????????????????ot??v2.10|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Msiscsi|Name=@FirewallAPI.dll,-29007|Desc=@FirewallAPI.dll,-29010|EmbedCtxt=@FirewallAPI.dll,-29002|?F???????z??????????.NTAMD64?????????????L??4???????????????????v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Msiscsi|Name=@FirewallAPI.dll,-29003|Desc=@FirewallAPI.dll,-29006|EmbedCtxt=@FirewallAPI.dll,-29002|??F???n?n?z?z???????????????????
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_15227989183812333@SetupOperations                                   ???????????????????????t????????????????????????????????????????????????????????????????????????????? Z??????????????????????????????????????????>??????????????\\?\STORAGE#Volume#_??_USBSTOR#Disk&Ven_&Prod_USB_Flash_Drive&Rev_1.00#4C531001410131112094&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}???????????{0.0.1.00000000}.{a8f298fd-d2b9-4a8f-8157-a17407c71b59}/00010000????????{0.0.0.00000000}.{69c56cef-1223-473e-97b7-5ceb08179ad7}/00010000????????{0.0.1.00000000}.{0835d17f-5ec2-4c00-8436-b49b922d23fb}/00010000??????\\?\WpdBusEnumRoot#UMB#2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.00#4C531001410131112094&0##{6ac27878-a6fa-4155-ba85-f98f491d4f33}????@input.inf,%stdmfg%;(Standard system devices)???????????????????? Z??????????????????????????>?????????????????????????????????????????????????????????????????????????????????????????????????????T???????????????T???????????_???????????_???????????_???????????_???????????_???????????????????????????
Reg    HKLM\SYSTEM\CurrentControlSet\services\MBAMChameleon@ProtectedRegistry                                                               ????????????????????????????\SystemRoot\System32\Drivers\mbamswissarmy.sys???????????????????4??????????{8ECC055D-047F-11D1-A537-0000F8753ED1}??????? ???????????????a????^?????????????????????MBAMChameleon???Malwarebytes Anti-Malware Real-Time Protection??Fl????????????N??????M??????????? ???????????????????m?,??????????????????????X?arP??????????-???????e(?MBAMProtection?ion??????????????????????????? ?????????????????????,????????????????????????? ???????????????????z?,???????????? ???????????? ?????????????????????,??????????ga ???????y???????????????s???LegacyDriver??????N???????????D?????{8ECC055D-047F-11D1-A537-0000F8753ED1}??????? :??????????????????????&???????&???  ?????????????????????? ???????????????????n?5????????\?????????tmtr????\?????????????????\??\C:\Windows\System32\drivers\TrueSight.sys???MBAMSwissArmy???????????????????? ?????????????????????,???????????????R?i??\Device\HarddiskVolume3\Windows\System32\DRIVERS\mbamchameleon.sys?\Device\HarddiskVolume3\PROGRAMDATA\MALWAREBYTES\?\Device\Ha
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_15194991678812326@SetupOperations                                       ???????????2???:???????:???:???2???????2???;???;???1???1??<???????????@?LocalS??? ???????n?????????????,????????????????????????93??\??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IURegProcessFilter.sys?0???j?j?j?j?k?k?k?n?o?o?h???o?o?o?????j?k??@%systemroot%\system32\rascfg.dll,-32002????? ???????n?????????????,????????P?????????????<??????o??????????? ???????A???????eH?????????????????????????????????s????????????&???????????????????????????????&???????????????????????????/???&??????????????????????????????????????????????????????De????????????????????????????????I?????WUDFRd??????????IObit Uninstaller Service???????????????????? ?????????????????????????????????? ??????r.*p?avgvmm?aswvmm?????H?? ???????????????? ?????????????s???????????????????????y???Kaspersky Lab Interceptor and Filter?????????????????????????h???????????????h????????????????????(???????????????????(???????????????????(???h??????.??????e?@?????????????????????MFE_RR????@??????????????? ?????FltMgr???e???k?k?k?k?l?
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_15227989183812333@SetupOperations                                       ????WH??EVER????????????????????????????????????????????????????????????????????????????????????wpdfs.inf:Microsoft.NTamd64:Basic_Install:6.1.7600.16385:wpdbusenum\fs??????????????????????????????????????? ?????????????????????,??$???6???????????????sall???????????w?????????l,-(??g?g????????????ME?????????????????t???????????????????t????????????????????????????????????????????????????????????????????????????????????????WpdFs????????????????????????????>???????????????????????????????e(???????????????????(???????????????????(???????????????????(??????D???v???????? ?????????????????? ???????????????????????????H??????6.1.7600.16385??DF???????????H????????:?????????????WPD FileSystem Volume Driver????????xt??wpdfs.inf???? ????????????????????????????$?????????????????????????????????????? ??????????????d???WpdFsGroup???????????E??? ?????????????????????,????????????????????????????????? ?????????????????????0??L????????? ??????(????????????????????????? $????????????????????0????????????&??????????????????????
Reg    HKLM\SYSTEM\ControlSet002\services\MBAMChameleon@ProtectedRegistry                                                                   ?????????????????????????w???????e???????????????????e??????????????????????????????assistant.exe??????????????????????4?malwarebytes_assistant.exe????????????????????????mbam.exe????????????????????????MbamPt.exe????????????????????????MBAMService.exe?tmp????????????????????mbamtray.exe????????????????????????mbamwow.exe????????????????????????MBAMWsc.exe??????????????????????????????????????? ?????????????????????,??????????????????skVo??MBAMChameleon???? ?????????????????????,???????????? ???????nD???????????.???????????????\??sG??? ???????n???????? ????,????????:??? ????????????????????c??????????????????????????????????????ar??????%?????????????8?????????????????system32\DRIVERS\farflt.sys?is??????????????????????MBAMFarflt?my???MBAMFarflt????????4?????????????FSFilter Activity Monitor????????????o???????e???????????????????e????:????????????n????Malwarebytes Anti-Ransomware????? ???????????????e??????????????????????????? ?????????????????????,????????????????????????????????? ?????????????????????,???
 
---- EOF - GMER 2.2 ----


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 21 April 2018 - 12:43 PM



Hi,

If it's not broken do not fix it.

GMER is, in my opinion, not kept up to date.

When we want to check the BIOS we run this tool.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

#14 Dell_User7

Dell_User7
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  

Posted 22 April 2018 - 06:00 AM

Yesterday I read about a new DNS server called Cloudflare from the MalwareBytes blog that claims to speed up your internet by 5 times! (And add a good layer of security) I switched to that and I have noticed a good jump in performance speed. I'm happy with it.

Still no issues to report on my internet dropping out again, so I think I don't need to reset my internet settings. (unless I experience the internet cutting out again)

Okay, I will leave Gmer alone.

AswMBR is a great tool, when it works. I've already tried to run a full scan with it before but it always crashes before the scan can complete. Any ideas why?

--

I was able to do a partial scan and save a log file before it crashed again. When it crashed this time, it had just got done detecting another threat, which I was not able to save and include in my log report because of the program crashing, but I did take a snip image of what occurred.

AwsMBR_crash_zpstjfbgiwe.jpg

---

Also here is my partial log of what AswMBR was able to scan and detect as threats, which appear to all be Kaspersky-related system files. These files are *Locked*

 

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2018-04-22 07:01:19
-----------------------------
07:01:19.243    OS Version: Windows x64 6.1.7601 Service Pack 1
07:01:19.243    Number of processors: 4 586 0x3A09
07:01:19.243    ComputerName: ZAR-UNITYV4-PC  UserName: Zar_Admin3
07:01:19.976    Initialize success
07:01:19.992    VM: initialized successfully
07:01:19.992    VM: Intel CPU supported virtualized 
07:01:26.230    VM: supported disk I/O iaStor.sys
07:01:35.321    AVAST engine defs: 18042004
07:01:59.004    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:01:59.004    Disk 0 Vendor: ST1000DM CC47 Size: 953869MB BusType: 3
07:01:59.097    VM: Disk 0 MBR read successfully
07:01:59.097    Disk 0 MBR scan
07:01:59.097    Disk 0 Windows VISTA default MBR code
07:01:59.113    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
07:01:59.129    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        22186 MB offset 81920
07:01:59.144    Disk 0 Boot: NTFS     code=1
07:01:59.160    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       931642 MB offset 45518848
07:01:59.191    Disk 0 scanning C:\Windows\system32\drivers
07:02:16.124    Service scanning
07:02:19.855    Service cm_km C:\Windows\system32\DRIVERS\cm_km.sys **LOCKED** 5
07:02:24.464    Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
07:02:24.526    Service klbackupdisk C:\Windows\system32\DRIVERS\klbackupdisk.sys **LOCKED** 5
07:02:24.557    Service kldisk C:\Windows\system32\DRIVERS\kldisk.sys **LOCKED** 5
07:02:24.589    Service klflt C:\Windows\system32\DRIVERS\klflt.sys **LOCKED** 5
07:02:24.635    Service klhk C:\Windows\system32\DRIVERS\klhk.sys **LOCKED** 5
07:02:24.682    Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 5
07:02:24.698    Service klkbdflt C:\Windows\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
07:02:24.713    Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 5
07:02:24.745    Service kltdi C:\Windows\system32\DRIVERS\kltdi.sys **LOCKED** 5
07:02:24.776    Service Klwtp C:\Windows\system32\DRIVERS\klwtp.sys **LOCKED** 5
07:02:24.823    Service kneps C:\Windows\system32\DRIVERS\kneps.sys **LOCKED** 5
07:02:36.766    Modules scanning
07:02:36.766    Disk 0 trace - called modules:
07:02:36.797    ntoskrnl.exe CLASSPNP.SYS disk.sys aswArPot.sys ACPI.sys iaStor.sys hal.dll 
07:02:36.813    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009af8060]
07:02:36.813    3 aswArPot.sys[fffff8800540b356] -> nt!IofCallDriver -> [0xfffffa8007120620]
07:02:36.813    5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80070fb050]
07:02:37.439    AVAST engine scan C:\Windows
07:02:39.859    AVAST engine scan C:\Windows\system32
07:02:49.868    Disk 0 MBR has been saved successfully to "C:\Users\Zar_Admin3\Downloads\MBR.dat"
07:02:49.868    The log file has been saved successfully to "C:\Users\Zar_Admin3\Downloads\aswMBR.txt"
07:05:28.428    AVAST engine scan C:\Windows\system32\drivers
07:05:48.821    AVAST engine scan C:\Users\Zar_Admin3
07:06:10.782    Disk 0 MBR has been saved successfully to "C:\Users\Zar_Admin3\Downloads\MBR.dat"
07:06:10.813    The log file has been saved successfully to "C:\Users\Zar_Admin3\Downloads\aswMBR.txt"
07:06:23.585    Disk 0 MBR has been saved successfully to "C:\Users\Zar_Admin3\Downloads\MBR.dat"
07:06:23.600    The log file has been saved successfully to "C:\Users\Zar_Admin3\Downloads\aswMBR.txt"
 
========End of log before crash=========



Edited by Dell_User7, 22 April 2018 - 06:36 AM.


#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 22 April 2018 - 07:36 AM

Hi,
 

Avast may be the cause of the problem running aswMBR.


As you said, these are remnants of the Kaspersky program.

07:02:19.855 Service cm_km C:\Windows\system32\DRIVERS\cm_km.sys **LOCKED** 5
07:02:24.464 Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
07:02:24.526 Service klbackupdisk C:\Windows\system32\DRIVERS\klbackupdisk.sys **LOCKED** 5
07:02:24.557 Service kldisk C:\Windows\system32\DRIVERS\kldisk.sys **LOCKED** 5
07:02:24.589 Service klflt C:\Windows\system32\DRIVERS\klflt.sys **LOCKED** 5
07:02:24.635 Service klhk C:\Windows\system32\DRIVERS\klhk.sys **LOCKED** 5
07:02:24.682 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 5
07:02:24.698 Service klkbdflt C:\Windows\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
07:02:24.713 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 5
07:02:24.745 Service kltdi C:\Windows\system32\DRIVERS\kltdi.sys **LOCKED** 5
07:02:24.776 Service Klwtp C:\Windows\system32\DRIVERS\klwtp.sys **LOCKED** 5
07:02:24.823 Service kneps C:\Windows\system32\DRIVERS\kneps.sys **LOCKED** 5


Dell computers often use their own, non-standard MBR as a means of invoking factory restore.

If all is well I would leave it alone.

The Farbar program has a command to fix the MBR, but I'm reluctant to suggest it since the computer is running well.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
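Since the thread turns on whether the Dell MBR is sound, here is an added Python example (not part of this thread, nor of aswMBR or GMER) that parses a raw 512-byte master boot record such as the MBR.dat file aswMBR saves, decodes the four partition-table entries, and runs the basic consistency checks a responder would apply before deciding whether an MBR needs fixing. The sample MBR bytes are constructed to mirror the partition layout in the aswMBR log above (Dell Utility at offset 63, active NTFS at offset 81920, data NTFS at offset 45518848); the boot-code area is left zeroed, which is an assumption of the example, not what a real dump contains.

```python
"""Added example: parse a raw 512-byte MBR (e.g. the MBR.dat that aswMBR saves)
and list/sanity-check its partition table. Not part of aswMBR or this thread."""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446                      # partition table starts after the 446-byte boot code area
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count
# Partition type codes that appear in the aswMBR log above
PART_TYPES = {0x00: "empty", 0x07: "HPFS/NTFS", 0xDE: "Dell Utility"}


def build_sample_mbr():
    """Constructed MBR mirroring the layout aswMBR reported (assumption: boot code zeroed)."""
    mbr = bytearray(SECTOR)
    entries = [
        # status, type, LBA start, sector count (MB * 2048 sectors of 512 bytes)
        (0x00, 0xDE, 63, 39 * 2048),            # Dell Utility partition
        (0x80, 0x07, 81920, 22186 * 2048),      # active NTFS (boot) partition
        (0x00, 0x07, 45518848, 931642 * 2048),  # data NTFS partition
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        # CHS fields are left zero here (constructed); modern tools rely on the LBA fields
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"                 # boot signature
    return bytes(mbr)


def parse_mbr(data):
    """Return the non-empty partition entries as dicts; raise on a malformed sector."""
    if len(data) < SECTOR:
        raise ValueError("MBR must be at least 512 bytes")
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, data, PT_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                            # unused slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def check_layout(parts):
    """Basic consistency checks: exactly one active entry, no overlapping ranges."""
    problems = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {active}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    return problems


def boot_code_hash(data):
    """SHA-256 of the 440-byte boot code area, for comparing MBR.dat dumps across runs."""
    return hashlib.sha256(data[:440]).hexdigest()


if __name__ == "__main__":
    sample = build_sample_mbr()     # replace with open("MBR.dat", "rb").read() for a real dump
    parts = parse_mbr(sample)
    for p in parts:
        flag = "(A)" if p["active"] else "   "
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']:<13}"
              f"{p['size_mb']:>8} MB offset {p['lba_start']}")
    print("problems:", check_layout(parts) or "none")
    print("boot code sha256:", boot_code_hash(sample))
```

The sizes come out exactly as aswMBR printed them (39, 22186 and 931642 MB) because the tool reports sector count times 512 bytes rounded down to whole MB; note that partition 2 ends precisely where partition 3 begins, so the overlap check passes. A non-standard boot-code area, as on the Dell machine in the thread, changes the hash but not the partition table, which is why the partition checks and the boot-code fingerprint are kept separate: a vendor recovery MBR is expected to differ from the Windows default, and comparing the hash across successive dumps is the useful check, not comparing it against a stock value.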



